I appreciated that Wirecutter's review of VPN services began with investigating which ones had contracted for 3rd party security reviews. This presciently excluded many providers that were all about marketing, like NordVPN. I think this is the best approach rather than the litany of mostly useless criteria that's cataloged on ThatOnePrivacySite. You want to extract out the high signal, and "will my VPN service get hacked and all my traffic get leaked?" should probably be your first question when choosing a service.
Full disclosure, I'm the author of AlgoVPN, a set of scripts for hosting your own VPN rather than using a 3rd party service, and was interviewed by Wirecutter for their article. You should use Algo if you're at all capable of doing so: https://github.com/trailofbits/algo
In terms of privacy, isn't running your own VPN pointless?
I mean, it is basically just changing your IP and putting an additional hop in. You aren't mixing with others' traffic, making it very easy to fingerprint you.
I guess this is all dependent on someone's threat model, but I am not really sure if there is any benefit of running your own VPN besides being slightly more sure your VPN provider or someone who hacked your VPN provider isn't watching you.
It provides you protection on a hostile local network, such as a hotel or a restaurant. Like you said, it does not achieve the anonymity level a public VPN would.
> I mean, it is basically just changing your IP and putting an additional hop in. You aren't mixing with other's traffic, making it very easy to fingerprint you.
If that IP is in Russia, on a cheap supplier that has hundreds of similar VPS sitting behind a NAT, I wish em luck in fingerprinting you. Or extracting logs for that matter.
Let me add to the chorus of praise for Algo. As a journalist working around the Middle East it at least gets me out of the local censored internets and isn't blocked like all of the popular VPN services.
It seems like the thing that someone could roll into an iOS or android app for even easier deployment.
It's tough to create an Algo app without inserting Trail of Bits between you and your VPN server somehow. I want to eventually create an app, but my requirement is that the end result is trustless and I never see any of your keys. Maybe in 2020!
Have you tried Psiphon? It's one of the few free ones I trust (I know the guys in the team very well) and is built with the journalist threat model in mind
That's fantastic, but in terms of threat model, you're still trusting AWS/DO/GCE/Azure/whatever. My hope with a good VPN service is that they'll run their own servers in a data center, so they're slightly less subject to audit than something running on AWS.
Right, you're always trusting someone. If you don't use a VPN (or Tor or I2P) you're trusting your ISP. If you use a VPN service, you're trusting it. If you run your own VPN on a VPS or server, you're trusting the provider.
Also, you can't trust what a VPN service says about where their servers are, how they're managed, and so on.
So you need to distribute trust. [Please see my other recent comment about how to do that.]
You can also take the antagonistic approach. Use a VPN service from the North Korean government. They will surely spy on you and try to attack your network. But they also won't share data with any form of law enforcement that could reach you.
Probably a really bad idea, but the principle is clear. If you want to minimize legislative reach, take a service from the other side of the planet. Maybe not Australia.
And using nested VPN chains, you can pick appropriately.
For the first (entry) VPN, I use one that's innocuous and popular for streaming etc. For the middle ones, I pick ones that are either apparently honest or do business from jurisdictions that won't likely cooperate with my country's. And for the last (exit) VPN, I pick another that's innocuous, with IPs that don't often get blacklisted.
Access the internet via an anonymous SIM card (tethering), then use Tor to access your VPN (paid in Bitcoins, money order or whatever). This gives you a decent level of anonymity, if need be.
There are some VPN services run on dodgy VPS, but apart from that I'd wager almost everyone either rents or colocates physical servers. A terabyte of outbound traffic is around $170 on AWS but around $5 at a regular data center.
You can get good security arrangements if you colocate in sufficient volume (locked rooms etc). That's where reading security reviews is useful.
ProtonVPN has its own servers in a former Swiss army bunker. These are only a few of the many, but they offer routing to other servers through their Swiss center, which they market as "secure core".
I am capable of running something like AlgoVPN, but more importantly I'm interested in disguising traffic: getting "lost in the crowd". In your view, what is the best way to accomplish that?
Thanks for the Algo tools! Do you know of any cloud service that doesn't get blocked by popular services (e.g. Netflix)? It seems Netflix, et al, know DO, AWS's IPs and block traffic coming from those servers.
> OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update and maintain the software themselves. OpenVPN depends on the security of TLS, both the protocol and its implementations, and we simply trust the server less due to past security incidents.
This sounds great! Can I ask you an obvious question, which is why should we trust you and your code / created service? I'm constructively positive on an answer to this.
As far as I recall the answer is that it’s open source from top to bottom.
Not that it's relevant to trust in Algo, but I also recall some very acrimonious exchanges on HN previously when discussing Algo, based on Trail of Bits's support of USA govt spying. I cannot recall what the accusations are though, so if anyone who knows more could help me out that'd be great.
I’ve been using servers spun up by this for two years now. Worth it for the dns blocking abilities alone. Made phone browsing tolerable again. Thanks!!
If you're using a VPN only to block ads, consider https://blokada.org (Android) or DnsCloak (iOS) [0]. Both of these open-source apps run local-only (no servers) split VPNs (they tunnel port 53 traffic to remote DNS resolvers). Whilst Blokada NXDOMAINs ads and trackers using on-device blacklists, DnsCloak can forward queries to any DnsCrypt or DoH resolver (for ad-blocking purposes, one could use AdGuard [1]).
If you want to point Android/iOS to a custom DoH/DoT resolver, https://getintra.org (Android) does DoH whilst Nebulo (iOS and Android) [2] does DoT. Setting up DoH/DoT resolvers (say, using NLNet's Unbound) might be cheaper than a full fledged VPN?
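The "NXDOMAIN the blocklisted names, forward everything else" behaviour described in the comment above, as an added illustration that is not code from Blokada, DnsCloak or Algo. It parses the DNS query wire format directly, matches the queried name and its parent domains against a constructed blocklist (the `.example` entries are made up), and synthesises an NXDOMAIN reply that echoes the query ID and question section; the optional UDP loop at the bottom forwards non-blocked queries to an upstream resolver whose address is an assumption.

```python
import socket
import struct

# Constructed sample blocklist; real apps load lists with thousands of entries.
BLOCKLIST = {"ads.example", "tracker.example"}

# Assumed upstream resolver for the forwarding loop (placeholder value).
UPSTREAM = ("192.0.2.53", 53)


def parse_qname(data, offset=12):
    """Decode the uncompressed QNAME starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Queries should never use compression pointers; refuse rather than guess.
            raise ValueError("compression pointer in query name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any of its parent domains is on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive-desired query (A record by default) for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def nxdomain_response(query):
    """Build an NXDOMAIN (RCODE 3) reply that echoes the query's ID and question."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    _, end = parse_qname(query)
    question = query[12:end + 4]  # QNAME plus QTYPE/QCLASS
    # QR=1, copy RD from the query, RA=1, RCODE=3 (NXDOMAIN)
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question


def handle_query(query, blocklist=BLOCKLIST):
    """Return ("block", reply_bytes) for listed names, or ("forward", None)."""
    name, _ = parse_qname(query)
    if is_blocked(name, blocklist):
        return "block", nxdomain_response(query)
    return "forward", None


def serve(listen=("127.0.0.1", 5353)):
    """Minimal UDP loop: answer blocked names locally, relay the rest upstream."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(512)
        action, reply = handle_query(query)
        if action == "forward":
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            up.settimeout(3)
            up.sendto(query, UPSTREAM)
            reply, _ = up.recvfrom(4096)
            up.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Subdomain matching matters: a list entry of `tracker.example` should also sink `cdn.tracker.example`, which is why `is_blocked` walks every suffix of the queried name rather than doing an exact lookup.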
You don't need to download an app to use Algo on iOS! It creates an Apple profile that installs an IKEv2 VPN. Algo _also_ creates a WireGuard profile which does require an app. It's your choice which one to use.
https://thewirecutter.com/reviews/best-vpn-service/#how-we-p...