Show HN: Responding to NSA spying with a simple consumer VPN service

I'm sure there are many legit VPN provider out of there, which really care about the user and provide some hardware/bandwidth, but most are oversold services (barely scam) with very high price for what they offer. I think the solution is a self-made VPN out of a VPS. VPS nowadays are really cheap, and you can get awesome deals with some very serious providers. Also, you can easily get one outside the USA, for (in my opinion at least) increased security.

For anyone interessed, https://github.com/Nyr/openvpn-install makes installing OpenVPN a breeze. For VPS deals, http://www.lowendbox.com/ and http://vpsboard.com/.

You might look at https://torrentfreak.com/which-vpn-providers-really-take-ano...

I've been using one of these, bought with Bitcoin, via Coinbase, set up with a Hushmail account, for a while now. It works great. Bandwidth is diminished somewhat, but not enough to be a problem for normal browsing or other totally legal activities.

edit: I'm tired, just noticed you linked to essentially the same TF article I did. Anyway, the service I've been using works with Tomato and DD-WRT (on some routers), is affordable, and is on of the recommended services for taking privacy seriously. They don't guarantee bandwidth, but in practice, there hasn't been a problem so far.

> I just installed DD-WRT on my router to use OpenVPN client on the router, the bandwidth speed drops to a level that makes the setup totally useless.

A fair amount of that has to do with how little CPU is available on your router device, I suspect no manufacturer will support a device that can do a lot of crypto and still be in the consumer price range.

That said, I could ship you a device right now that'll do 100Mbps of encrypted traffic all day long, but it doesn't have wifi and its about $500...

What kind of performance are you looking for, and what traffic mix?

Testing various consumer routers with VPN for performance is on my todo list. I know the WRT54GL is probably fairly antiquated at this point, but I have some newer DD-WRT supported routers like the WNDR3700 to try.

Did you try IVPN? http://www.ivpn.net/

I've just purchased an Asus RT-N66U to run an OpenVPN client so that I can encrypt the traffic from all computers, and as I don't do file-sharing I've focused on choosing a provider obsessed by privacy rather than piracy. IVPN looks like it, but I haven't yet tried it so don't yet know how it will perform.

Has anyone set up a Raspberry Pi as a router?

There's an official OpenVPN client on iOS now in the App Store that will accept a standard .ovpn profile.

These "issues" are critical in thwarting PRISM. More security snake oil.

It's not the whole solution, but the vast majority of NSA spying is passive "over the wire" stuff. We know they do that, pervasively, and even more, we know foreign countries do that (and filtering, and in some cases lots of fun tampering) on connections (e.g. Great Firewall of China). NSA has been doing passive intercept since inception in the 1940s.

PRISM is somewhat ambiguous -- maybe it's a huge secret program where they get blanket access to big sites directly, maybe it's just a UI layer for managing subpoena or warrant results.

Protecting your metadata is one thing where a VPN works pretty well. There are still some more advanced attacks (looking at the encrypted traffic flows on lightly loaded links, you can infer what site/activity one is doing, even without decrypting, unless you pad all communications).

It's not clear that this is what's happening. Especially since the companies have vehemently denied such allegations.

Yes, we love Tor, and are looking at ways to help Tor and make Tor more robust and easier to use as well.

It would be ironic if the NSA fiasco ended up accomplishing half of the NSA's mission (protecting domestic networks) by getting everyone to improve security and encrypt-by-default, at the cost of making the NSA's SIGINT mission vastly more difficult.

What's the difference between you and eg. http://unblockvpn.com/ who offer easy VPN access for less than $5 a month?

Or how is your product easier to use?

This exchange may provide some insight... https://news.ycombinator.com/item?id=5914546

Yeah, we're actually working on a couple of things which will largely solve the trust problem (which is a bigger thing than just VPN service); stay tuned.

For now I'd like to think we're more trustworthy than a large/general purpose company because we have a lot less to lose in fighting (and much more to gain).

Our goal for the privacy service is to collect as little as possible. (the corp service is totally separate tech and infrastructure and has user-configurable logging). We're trying to figure out what the absolute minimum is. We're also looking at Bitcoin and other forms of payment.

For a $5-10/mo VPN, we're probably going to handle most problems by "open a new account, here's a service credit", so we don't actually need to debug much. We have a vested interest in collecting the minimum information possible so there's no point in subpoenaing it from us.

There are already plenty of equally viable options for cheaper. I hear good things about https://www.privateinternetaccess.com/pages/client-support/ , and it is about 1/3rd the price.

Honestly if you're happy with your VPN provider right now, it's probably not worth switching yet. We try to do the baseline VPN service as well as possible (performance, support, etc.), but it's not that different from other providers, so please consider us if you're not happy with the current provider, but otherwise you're probably just as well served with whatever you're using now, for now.

We're working on some things which will make it compelling to switch. We put it up now because a lot of people don't have VPNs today -- so hopefully adding another provider convinces some additional people they could use a VPN.

So, since you sound like a somewhat higher end user:

1) What platforms do you care about? Do you mainly need service from one fixed location, or from home/office network plus mobile?

2) How close does it need to get to the endpoints? We have 4 exit nodes right now; we'd probably need ~50+ to be very close to most services. There's still a portion which is "in the clear" (although, use https...), but it becomes very impractical for NSA or especially others to passively tap all those locations (since they wouldn't be IXes necessarily, and intra-colo links don't get routed through buildings like ATT 611 Folsom St.

We do logging on our web server, obviously the support ticket system, our mail server, coupon code redemption, etc. Billing with Stripe -- presumably they keep records for a long time. We don't see your CC, but are notified of payment, etc. (which is why Bitcoin is very attractive to add, and maybe other systems.)

The privacy VPN itself currently does zero logging. The best practices seem to be either zero logging or very short retention logging. We'll commit to one of those (but most likely zero logging) soon (working on a very clear and plain language ToS). All the stuff we'd handle with logging is instead done by going out to top-500 sites (or anything reported to us as not working), rather than monitoring use.

We don't currently do "anonymization" so web browsing can be an issue. We're looking at that with some kind of opt-in proxy.

We're adding other, more anonymous payment options, which is probably the best solution.

US-West, US-Central, US-East, UK right now. Adding some more in Europe and Asia ASAP.

A (current and historical) performance monitor, uptime monitor is a great idea.

Good news, I actually put latency/loss monitoring into our internal support system last night, so I'll probably be exposing some data from it next week.

We currently monitor 60+ sites from the Alexa Top 500 for load time and loss so we can use the data for capacity planning and fault isolation.

At least the text next to it does, but will fix -- the traditional error is "blog header links back to blog vs. corp site" which we've solved for now (by not having a blog).

UDP will give you better performance. TCP will work better in pathologically bad network conditions (either some kind of firewall, or some specific kinds of network loss).

The issue is that "TCP in TCP" can lead to weird interactions where you delay one packet, wait for retransmit, etc., and essentially a single packet lost can eat up a second or two.

In general I'd always try UDP, and if it doesn't work, fall back to TCP.

They're equivalent security -- it's just network performance.

I assume you know what a handshake is, right? A TCP connection requires a handshake and is evidently a much more reliable and safe connection. A UDP connection doesn't require a handshake. This means that you never know if your data has reached its destination or not and due to this is much less reliable. Skype uses a UDP connection, and at times it is evident that it does when video resolution drops, etc.