So who is this article aimed at? If you intend to torrent, you're not going to roll your own on a VPS that is going to forward DMCA notices right back to you. DO and AWS are not cool with operating as high-transfer seedboxes and will be fairly expensive. If you're trying to remain hidden from a nation-state level actor you're obviously not going to use a VPS, but you also have bigger problems than HideMyAss accidentally leaking your ipv6 address. If you're like most people and don't want to pay $$$ a month for a VPS but want to torrent a bit, you just want a straight up regular VPN recommendation which they never provide. "Choosing a VPN is hard", yeah no shit, that's why I was hoping you would provide some value by doing the work for me.
I was in the market recently and ended up going with iVPN for $100/year. Their "18 questions to ask your vpn provider" [1] page is basically a more practical version of this article. Not that I am going to use it, but they also have guides showing you how to create nested and branched chains of tor/pfsense vm clients across countries, if you really did want to hide traffic from a nation state. If putting your trust into a VPN is the issue it's much easier to trust someone that links directly to security forums and openvpn documentation.
So what's the best way to browse anonymously these days? Is it running a hypervised OS (some hardened GNU Linux/BSD Unix variant?) with a randomly changed LAN MAC upon every boot, connected to a VPN operating outside US with OpenVPN & 4k PK (e.g. in Romania), browsing using TorBrowser with NoScript and WebGL turned off? Or even two VPNs at the same time, one in the base OS, the other in the hypervised one?
Drive to a state you don't live in, boot Tails from CD-ROM, connect to a hacked VPN account through someone else's wifi, then run everything through Tor. Then make sure you're using default browser configuration and resolution so as not to be foiled a la panopticlick. Even then I wouldn't be so sure you're anonymous.
If you're running a hypervised OS and don't want to run another OpenVPN program within it, make sure that the settings of the program (e.g. VirtualBox) don't treat the hypervised VM as a separate machine. Some people might not realize that the VM can actually establish a connection directly to the router, thus escaping the OpenVPN tunnel.
You can browse with Tor but most sites (including this one and Twitter) won't let you sign up/post with Tor. Very dubious practice by the site operators IMO.
One big advantage of using a popular VPN is shared endpoints. Your traffic is mixed in with hundreds of thousands (if not millions) of other users.
Using your own VPS means you are easier targeted, tracked (on layer 3) and located -- since your VPS likely has a dedicated IP and you probably have a non-anonymized account with the provider. You're still relying on your VPS provider to not monitor outbound connections as you are on the VPN provider.
This all depends on who you consider your adversaries to be.
I've been using a VPS as a gateway to the internet for the last 2-3 years (switching providers a few times during this period).
What I gain:
1) I pay bitcoin, and don't use my real name. So the IP (albeit static) isn't linked to me _directly_.
2) This both protects me from low tier adversaries*, and "annoying" stuff that's considered normal-practice (like geolocation).
3) My connection upstream is always encrypted. I don't care what network I use, what country I'm in, etc.
4) I use torrents a lot, and overall this setup is _much_ faster than doing it from your home connection (or shared VPN). I download an HD movie in under 2 minutes, and then stream it directly from the VPS.
* - The low tier adversaries I consider defeated by this approach:
1) Bots (sometimes people) who file "semi-automatic" DMCA complaints against me (usually for the torrents). I get these every once in a while through the VPS provider - and ignore them. If I get banned, I either create a new fake account or move to a new provider.
2) "Non-privileged people" who know my external IP and want to tie it to a real world identity. For example, a "malicious" site admin that is interested in me for some reason.
3) Any (realistic) _dragnet_ surveillance implemented by any local authorities. These can't affect me. Of course I'm obviously getting flagged for doing this. However, this brings me to my main point:
What this can't stand against:
1) Any "real" investigation into my identity. By a powerful corporation / low tier intelligence outfit / law enforcement. And that's fine! Since I'm not really doing anything illegal (or illegal enough for actual people to care about).
2) And in general, this doesn't stand a chance against any active adversary that targets me directly. But neither can you, or anyone else.
And this is a good thing! By doing what I'm doing, I now have a "reasonable expectation of privacy". If anyone wants to investigate me, it is perfectly fine. They'll have to spend some man-hours on it though. Just like old times!
Maybe if you're a black hat firing up a brand new computer from a cafe while you left your phone at home. For the rest of us that just want to, say, watch the US Presidential debates from another country going through our own VPS is far better than relying on some possibly skeezy third party VPN. Personally I use HideMyAss when I'm travelling to countries I don't trust or when I'm on wifi networks that I fear may be monitored, but I'd rather spin up a Digital Ocean box if setting up my own VPN were as easy.
The article recommends 'Streisand' [1]. According to their GitHub page their VPN is resistant to DPI.
>Distinct services and multiple daemons provide an enormous amount of flexibility. If one connection method gets blocked there are numerous options available, most of which are resistant to Deep Packet Inspection.
I don't know too much about networking, but didn't realise it was possible? How can they do that? What protocol/service can bypass this? The network security team at work challenged me to see if I could bypass their WSA, so would like to give it a try.
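Added illustration for the DPI question above; this is not code from Streisand or from anyone in the thread. An OpenVPN/UDP packet begins with one byte laid out as (opcode << 3) | key_id, and the first packet a client ever sends is P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7), so a stock session announces itself with the byte 0x38 before any encryption starts. That marker is what a signature-based DPI box keys on. Wrapping the tunnel in TLS (stunnel on 443) or in a transport that scrambles every byte from the first packet removes the marker, which is all "resistant to Deep Packet Inspection" means here. The packet layout is OpenVPN's; the sample packets, the XOR "obfuscator" and the classifier are constructed for this example.

```python
"""Toy signature DPI against a plain and a wrapped OpenVPN handshake.

Added example, not from Streisand or the thread. The header layout is real
OpenVPN protocol; the packets, key and classifier below are constructed.
"""
import os

P_CONTROL_HARD_RESET_CLIENT_V2 = 7  # first packet of a TLS-mode OpenVPN session


def openvpn_client_reset(session_id: bytes) -> bytes:
    """Build the first packet of a plain OpenVPN/UDP handshake (no tls-auth/tls-crypt).

    Layout: opcode|key_id (1) + session id (8) + ack-array length (1, zero on the
    first packet) + packet id (4, zero on the first packet) = 14 bytes.
    """
    assert len(session_id) == 8
    first = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0  # key_id 0 -> 0x38
    return bytes([first]) + session_id + b"\x00" + b"\x00\x00\x00\x00"


def tls_client_hello_prefix() -> bytes:
    """Constructed start of a TLS record carrying a ClientHello: what the wire
    shows when the same OpenVPN session is pushed through stunnel on 443."""
    #        type  version  length     hs-type hs-length   client version
    return b"\x16\x03\x01\x00\xc8" + b"\x01\x00\x00\xc4" + b"\x03\x03"


def xor_obfuscate(payload: bytes, key: bytes) -> bytes:
    """Minimal stand-in for an obfuscation transport: every byte is scrambled, so
    the 0x38 marker never appears on the wire. Real tools use proper encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def classify(payload: bytes) -> str:
    """Label a flow's first packet the way a naive signature matcher would."""
    if len(payload) < 6:
        return "unknown"
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    # Plain OpenVPN: client reset opcode, key slot 0, zero ack-array length at offset 9.
    if (opcode == P_CONTROL_HARD_RESET_CLIENT_V2 and key_id == 0
            and len(payload) >= 14 and payload[9] == 0):
        return "openvpn"
    # TLS handshake record (0x16), 3.x version, ClientHello (0x01) inside: looks like HTTPS.
    if payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"


if __name__ == "__main__":
    sid = os.urandom(8)
    print(classify(openvpn_client_reset(sid)))                                # openvpn
    print(classify(tls_client_hello_prefix()))                                # tls
    print(classify(xor_obfuscate(openvpn_client_reset(sid), b"\x5a\xa5")))   # unknown
```

The point for the "bypass the WSA" challenge: a filter that matches bytes or ports only sees what is on the wire, so the test is whether the first packet of your tunnel carries any fixed marker at all. A port-443 TLS wrapper passes a signature check but still fails anything that inspects the server certificate or fingerprints the ClientHello, which is why the more serious tools go further than this toy.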
Something I consider but most articles do not: jurisdiction. I want and use a VPN in Sweden for a reason. I wouldn't go anywhere near any VPN with even a tiny US footprint. Similarly, I wouldn't use a VPN in my home country. Location location location.
It really boils down to trust, honestly. What VPN you wind up going with greatly depends on the ethics, availability, and reliability of the provider, among other things. Sure, you can always run your own, but that is still ultimately going over someone else's network at some point during transit, plus you still have to be able to trust their ethics and consider any potential disallowed content. From a reliability/availability standpoint you'd be better off getting a VPN service, just have to do some thorough research and/or peruse the great list maintained on thatoneprivacysite.net
1. "You must trust the VPN." This is true, but you must trust something (your cafe, your ISP, your computer). In fact the entire article really hinges on this point -- the VPN provider could, if it were malicious (or compelled to by a government) log every aspect of your traffic, or even insert malware. However, so could your home ISP or your coffee shop.
In particular I found this statement very bizarre: "VPN services require that you trust them, which is a property that anonymity systems do not have." This is true in a vacuum. In the real world, unless you're running your own hardware with software you have written yourself from scratch (on a system which you monitor continuously), you are trusting a huge amount of stuff even with the best anonymity system. The point is knowing what you are trusting, rather than trusting it implicitly.
Essentially the point of the article seems to be to point out that VPN providers may be (there are a lot of hedge words) untrustworthy. The only actual example given of an untrustworthy VPN provider is a free one which re-sold its users' bandwidth (point 8).
Real-world examples are important, because reputation is important -- at some point it is very likely that you will end up trusting someone, even if you are being very careful.
2. "Some VPNs don't permit peer-to-peer sharing and/or log such sharing". You must rely on reputation, which is not a great option. However, no alternatives are presented for someone who wants to torrent copyrighted or illegal works (Tor is heavily FUDded in the article). You certainly wouldn't roll your own VPN for this -- see below.
3. "VPNs don't protect very much against ad tracking". This is true, but I mean VPNs don't make your teeth much whiter either.
4. "A dodgy VPN could log all your data". This is the same as point 1.
5. Preshared keys. OpenVPN with server certificate checking would seem to address this.
6. "Your VPN provider might log your data". This is the same as point 1.
7. "Leakage". It's useful to inform people about this. However, once informed, it is quite simple to use one of many online services to verify that no information is leaked.
8. "Snake oil" and in particular a free VPN which sold its users' bandwidth. Fairly obviously, be aware that if you are using a free product the company will attempt to monetise you in some way.
The suggestion to set up your own VPN seems to be presented as a way to improve privacy. This is very strange particularly since no threat model is presented, and the common one (mass surveillance) gets much worse with a personal VPN.
Firstly, shared hosting providers such as DigitalOcean, AWS, OVH and so on are presented. There is no particular reason to suspect that these are more or less trustworthy than any given VPN provider. In particular, shared hosting in the US will certainly be subject to the monitoring whims of the US government.
Secondly, using such a DIY solution will associate all your traffic, and only your traffic, with a single outgoing IP address, easily traceable to you (since you're paying for it). Compare this with any shared-endpoint VPN, where your traffic is combined with that coming from many other users, and the owner of the IP address is a VPN company. In the former situation nobody would even need to inform the hosting company -- they could just monitor its traffic (though as discussed in point 1 they certainly could contact the hosting company if necessary). In the latter situation, the VPN company would need to be involved. At this point a certain amount of process is required. If your threat model is mass surveillance rather than targeted monitoring, then the shared VPN provider certainly seems like an improvement over a roll-your-own solution. "The best place to hide an incriminating letter is in a letter rack!" -- Edgar Allan Poe.
Thirdly, with a DIY solution you are implicitly claiming that you are better at hardening a system and staying on top of security patches than is the VPN provider you were considering going with. This isn't necessarily true.
If you are just concerned about opportunistic data collection from your coffee shop, then a personal VPN would help. But it's quite limited, and significantly simpler solutions like HTTPS Everywhere would get you 90-100% of the way there.
If you are specifically concerned about an entity with the resources of a government monitoring specifically you, none of the options presented will be any use.
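Added example, not code from the article, from Streisand, or from any commenter. It ties together three practical points raised above: a VM whose network adapter talks to the LAN router directly slips out of the host's tunnel; "OpenVPN with server certificate checking" means specific directives (remote-cert-tls server, verify-x509-name, tls-auth/tls-crypt) and not static "secret" mode; and "verify that no information is leaked" can be done offline from the routing table and resolv.conf rather than only via a leak-test website. The directive names are real OpenVPN options; every config, route table and resolv.conf below is constructed, and the device name tun0 is an assumption.

```python
"""Offline audit of an OpenVPN client: is the tunnel actually protecting me?

Added example for this thread, not from the article, Streisand or any commenter.
OpenVPN directive names are real; all configs, route tables and resolv.conf
contents are constructed samples.
"""
import ipaddress
import re
from typing import List, Optional


def audit_openvpn_config(text: str) -> List[str]:
    """Flag static pre-shared-key mode and missing server-identity checks."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):            # end of an inline <ca>/<cert>/<key> block
            in_block = False
            continue
        if line.startswith("<"):             # inline block counts as the directive
            directives.setdefault(line.strip("<>"), []).append([])
            in_block = True
            continue
        if in_block:
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # '#' and ';' start comments
        if line:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)

    problems = []
    if "secret" in directives:
        problems.append("'secret': static pre-shared key mode, no PFS and no server authentication")
    if directives.get("remote-cert-tls", [[]])[0][:1] != ["server"]:
        problems.append("missing 'remote-cert-tls server': any certificate from the same CA "
                        "(e.g. another client's) could pose as the server")
    if "verify-x509-name" not in directives:
        problems.append("missing 'verify-x509-name': server identity not pinned")
    if "tls-auth" not in directives and "tls-crypt" not in directives:
        problems.append("missing 'tls-auth'/'tls-crypt': control channel accepts unauthenticated packets")
    if "ca" not in directives:
        problems.append("no 'ca': certificate chain cannot be validated")
    return problems


def route_device(table: str, addr: str) -> Optional[str]:
    """Longest-prefix match over `ip route` / `ip -6 route` output; returns the egress dev."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for line in table.splitlines():
        parts, dev = line.split(), re.search(r"\bdev (\S+)", line)
        if not parts or not dev:
            continue
        dst = ("0.0.0.0/0" if ip.version == 4 else "::/0") if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best, best_len = dev.group(1), net.prefixlen
    return best


def audit_routes(ip4: str, ip6: str, resolv_conf: str, tun: str = "tun0") -> List[str]:
    """Check that Internet traffic and DNS actually leave through the tunnel device."""
    problems = []
    # Probe documentation addresses; a lookup (not "is default via tun0") also
    # handles redirect-gateway def1, which leaves the default route on the LAN
    # interface and overrides it with 0.0.0.0/1 and 128.0.0.0/1 via the tunnel.
    d4 = route_device(ip4, "192.0.2.1")
    if d4 != tun:
        problems.append(f"IPv4 Internet traffic leaves via {d4 or 'no route'}, not {tun}")
    d6 = route_device(ip6, "2001:db8::1")
    if d6 not in (None, tun):
        problems.append(f"IPv6 Internet traffic leaves via {d6}: tunnel bypassed")
    for line in resolv_conf.splitlines():
        if line.startswith("nameserver"):
            ns = line.split()[1]
            if ipaddress.ip_address(ns).is_loopback:
                problems.append(f"nameserver {ns} is a local stub resolver: audit its upstreams separately")
                continue
            dev = route_device(ip4 if ipaddress.ip_address(ns).version == 4 else ip6, ns)
            if dev != tun:
                problems.append(f"DNS to {ns} leaves via {dev or 'no route'}: DNS leak")
    return problems


# --- constructed samples -------------------------------------------------
PSK_CONFIG = "dev tun\nproto udp\nremote 203.0.113.7 1194\nsecret static.key\ncipher AES-256-CBC\n"
HARDENED_CONFIG = """client
dev tun
proto udp
remote 203.0.113.7 1194
remote-cert-tls server          # only accept a cert with the server EKU
verify-x509-name vpn.example.net name
tls-crypt ta.key
ca ca.crt
cert client.crt
key client.key
auth SHA256
cipher AES-256-GCM
"""
# Guest VM with a bridged adapter: default route points at the LAN router, not the host's tun0.
BRIDGED_V4 = "default via 192.168.56.1 dev eth0 proto dhcp metric 100\n192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.20\n"
BRIDGED_V6 = "default via fe80::1 dev eth0 proto ra metric 100\n"
# Host with redirect-gateway def1 and a host route to the VPN server.
TUNNELLED_V4 = """default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.7 via 192.168.1.1 dev eth0
"""

if __name__ == "__main__":
    print(audit_openvpn_config(PSK_CONFIG))
    print(audit_openvpn_config(HARDENED_CONFIG))
    print(audit_routes(BRIDGED_V4, BRIDGED_V6, "nameserver 192.168.56.1\n"))
    print(audit_routes(TUNNELLED_V4, "", "nameserver 10.8.0.1\n"))
```

Feed it the real output of `ip route`, `ip -6 route` and `cat /etc/resolv.conf` from inside the VM or host you are unsure about; the bridged-VM sample reproduces exactly the escape described earlier (default route and DNS both via eth0), and the def1 sample shows why checking the literal "default" line is not enough. An online leak test still has its place afterwards, since this says nothing about WebRTC or application-level leaks.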
extr|9 years ago
[1] https://www.ivpn.net/privacy-guides/18-questions-to-ask-your...
ryanlol|9 years ago
Why not?
>DO and AWS are not cool with operating as high-transfer seedboxes and will be fairly expensive
DO and AWS are certainly the last providers you'd want to use for anything high-transfer. Why would you even consider them over, say, OVH?
thaumasiotes|9 years ago
I've done this very thing. I wasn't trying to avoid DMCA notices; I was working around the great firewall of China, which blocks torrents normally.
bitL|9 years ago
jrcii|9 years ago
sigjuice|9 years ago
kobayashi|9 years ago
Hope that was clear.
andywood|9 years ago
https://tails.boum.org/doc/about/warning/index.en.html
exstudent2|9 years ago
h4waii|9 years ago
keyme|9 years ago
3pt14159|9 years ago
TearsInTheRain|9 years ago
hackuser|9 years ago
Tor uses a current version of Firefox and automatically updates it.
mazsa|9 years ago
LeoPanthera|9 years ago
He also has a subreddit:
https://www.reddit.com/r/vpnreviews/
7ewis|9 years ago
[1]: https://github.com/jlund/streisand
sandworm101|9 years ago
2bitencryption|9 years ago
homero|9 years ago
phn|9 years ago
jamesmontour|9 years ago
Edit: words.
mrrsm|9 years ago
falcolas|9 years ago
Getting around such blocks (such as with a SSL tunnel) is possible, but requires more than just a default install.
Also, setting up anything other than OpenVPN is a real pain in the arse. Even OpenVPN required a fair bit of Googling to make it fully functional.
wyager|9 years ago
United857|9 years ago
wzdd|9 years ago
kobayashi|9 years ago
https://thatoneprivacysite.net
ck2|9 years ago
not private but free and always available
alwillis|9 years ago
7ewis|9 years ago
Is it for web traffic only? So no torrents? Any logging? Speed?