VPN

Nothing to hide, but nothing to show you either.
Jump to navigation Jump to search

Virtual private network (VPN) is technology to protect your data while in transit over the internet and prevent your ISP, government or other third parties from intercepting it while in transit.
While VPNs have their place in the privacy toolkit, VPN's benefits are often and commonly oversold by the VPN companies as well as content creators who are paid to promote them.



Value of VPNs vs HTTP over TLS/SSL[edit | edit source]

Most of the benefits of VPN are also provided by the ubiquitous TLS/SSL; that is, the secure site 'lock'.

VPN advocates often make claims that VPNs protect you with 'military grade encryption' or that they make you 'anonymous' or 'untraceable'. While those claims contain a grain of truth, they often rise to the level of misdirection and lying by omission.

In reality, vast majority[1] of websites you use every day are protecting you using military grade encryption because military grade encryption is commonplace and accessible by anyone. This technology is called Transport Layer Security (TLS), formerly SSL, but you may probably know it as the little padlock in your web browser.

TLS support has to be properly implemented by the website, but when this is done, it gives the user most of the benefit that using a VPN would. As long as your browser is up to date and it is not reporting any errors, your connection to the website is end to end encrypted. This means that:

  • No third party controlling or sharing the network, such as your room-mate or your ISP, can see the contents of the traffic going between you and the website.
  • Nobody can modify the content of the website.

Importantly, there are some differences. When using just HTTPS over TLS:

  • Your network provider, such as ISP, can see which website you're connected to, which is useful metadata for them. Exception to this is if you're using encrypted SNI, which is not currently common.
  • Your network provider can block or otherwise prevent you from accessing a certain site. This is something that VPN providers can also do, but usually have no interest in doing.
  • Your DNS traffic is usually not protected, which may make it possible for your network provider to redirect you in unexpected ways.
  • The target website itself can see your approximate location via IP address-based geolocation and prevent you from seeing content they normally show. This is commonly done by content providers such as Netflix or YouTube.

However, neither VPN nor HTTPS protect you from:

  • Website analytics
  • Profile tracking such as Facebook's shadow profiles
  • Metadata that your browser shares about you, such as User Agent
  • Data you release, whether willingly or inadvertently.

Thus, while VPNs can offer a somewhat heightened privacy, they are not a silver bullet and often come at a cost such as reduction in internet speed or actual monetary cost, not to mention the problem of 'trust transfer'.

Common VPN protocols[edit | edit source]

If you choose to go with a VPN, you may be faced with a choice of which protocol to use. Protocols are basically a language that the client (your device) and the provider's server speak among themselves. There are many choices, but only two are recommended for general use.

This section will also look at couple options that are very VPN-like, but aren't actually technically VPNs.

OpenVPN[edit | edit source]

Ovpntech logo-s REVISED.png

OpenVPN is an open source VPN protocol published under the terms of w:GNU General Public License. It is the defacto industry standard for VPN, particularly in non-corporate settings. It is considered secure as long as the server settings are wisely chosen.

Website: https://openvpn.net/
Client download: https://openvpn.net/download-open-vpn/
(your provider may offer a custom client, in which case you may use that instead)
Source code: https://github.com/OpenVPN/openvpn

Wireguard[edit | edit source]

Logo of WireGuard.svg

WireGuard is a free and open source VPN protocol published under the terms of GNU General Public License v2. It is the new kid on the block, but it has been very positively received by the security experts. Its codebase is significantly smaller than OpenVPN, which means that there is less space for bugs and issues to hide in. Although it is not very commonly available, where it is available it should be preferred over any other option.

Website: https://www.wireguard.com/
Client download: https://www.wireguard.com/install/
(your provider may offer a custom client, in which case you may use that instead)
Source code: https://git.zx2c4.com/wireguard-linux/

Acceptable but not preferable protocols[edit | edit source]

The following protocols are acceptable if your VPN provider does not offer OpenVPN or Wireguard, but because these protocols are not open source they are not encouraged.

L2TP/IPSec[edit | edit source]

L2TP/IPsec is actually two protocols in one: L2TP is an evolved form of PPTP (mentioned below) to establish the connection while the IPSec protocol does the actual encryption. IPSec uses AES-256, which is one of the strongest existing encryption protocols. However, that means slower speeds. The protocol is built into most desktop and mobile operating systems which makes it easy to implement, however it is also easily blocked as it can only use a single port - UDP 500. Additionally, Edward Snowden and John Gilmore both claim that the NSA has deliberately weakened the protocol.

IKEv2/IPSec[edit | edit source]

IKEv2, like L2TP, is not actually the encryption protocol but rather the connection protocol used to create the VPN tunnel. IKEv2 is one of the fastest protocols currently available, and it is specifically designed for mobile devices. IKEv2 will ensure that your device maintains a VPN tunnel when switching to and from WiFi and cellular data. However, because it relies on IPSec, it has all the same troubles as L2TP, namely the potential of being compromised.

Obsolete protocols[edit | edit source]

Below protocols are obsolete and should not be used unless they're the only option. In this case, they should not be relied upon for security or privacy critical uses.

PPTP[edit | edit source]

Point-to-Point Tunneling Protocol is an obsolete and insecure VPN protocol, commonly used on Windows. It should be eschewed unless it is the only option.

VPN-like options[edit | edit source]

These technologies are not technically VPNs, but they perform a similar role to VPN, particularly when it comes to bypassing censorship.

TOR[edit | edit source]

Shadowsocks[edit | edit source]

Bypassing censorship, geo-restrictions and content piracy[edit | edit source]

VPNs allow you to cloak the source of your request, that is, your IP address and by extension your approximate location. This has few common uses which are adjacent to privacy.

Bypassing censorship[edit | edit source]

Internet censorship and surveillance by country (2018)
Legend
Purple pervasive
Pink substantial
Yellow selective
Green little or no

In case your government or provider block certain sites due to what they deem to be objectionable content, you can use VPN to bypass such 'internet filters' and access the content anyway.
This is commonly the case in countries that enforce laws based on religious ideas about 'morality'[2]

Other common reasons for such restrictions are 'national security' grounds, copyright enforcement, tax enforcement and protection of children from adult content.

By utilising VPN, a user may bypass technical enforcement measures which seek to force compliance, usually implemented by their ISP based on a court order.

Bypassing geo-restrictions[edit | edit source]

The most common use for VPNs.

Much of the content produced is licensed under geographic-based licensing agreements, where one part of the world is allowed to have access to a particular piece of content, while others are not.
Those can be bypassed by using a VPN service which has a server in the target country who's content you want to access. If you're trying to watch, for example, UK content, connecting to a UK based VPN sever will make it seem like your connection comes from UK.

Therefore, if you're hoping to use your VPN for this, make sure you select a service which has a server in the country who's content you're interested in.
There are couple things to keep in mind:

  • Bypassing geo-restrictions is usually breach of the terms of service, but it is not usually against the law in most places. It is, however, uncommon to have your account banned or your subscription cancelled.
  • Content providers are often actively blocking or hindering users who use VPN[3], but those efforts are not always entirely successful.

Content piracy[edit | edit source]

This site does not actively condone or condemn online piracy. Nothing on this page should be construed as legal advice, and content below is provided for educational purposes only. It is up to each individual to consider and balance legal and moral implications of content piracy.

Another common use for VPNs is content piracy. In many jurisdictions copyright rightsholders or their legal representatives monitor online flow of content piracy and try to track down the pirates by requesting information about the pirates from the ISPs, most often to try to scare pirates into compliance by legally questionable scare letters which may contain damage claims or cease and desist requests. In rare cases, ISPs may even have a three strikes policy which may result in the internet connection being cancelled after certain number of alleged infringements.

VPNs can be used to mask your IP address and foil rightsholder's efforts as virtually all VPN providers will refuse to cooperate with such requests.
VPN users who pirate commonly select servers which are outside of their own jurisdiction and in a jurisdiction which will not cooperate with their own jurisdiction. Some providers may also block peer to peer content, but that is quite rare.

Established VPN providers vs 'rolling your own' VPN[edit | edit source]

One of the perennial arguments when it comes to VPN use is whether an individual should sign up for a reputable VPN provider or roll your own VPN via (usually) an existing VPS provider.

The correct answer is, of course a definite 'it depends'.

Rolling your own VPN usually means signing up for a VPS, installing the server software such as OpenVPN and connecting to it instead of a dedicated VPN provider. Let's look at some pros and cons:

Pros[edit | edit source]

  • you do not share your IP with anyone
    • You are unlikely suffer from consequences of service abuse by others. For example, you will face fewer captchas, you are less likely to come under suspicion by online services wanting to send you warnings of account breach or even blocking you, if you use the VPN to access geo-restricted content VPN's IP address is less likely to attract attention
  • there is far less incentive for employees or government to snoop on you
    • if the service provider is unaware that you are using VPN, they are less likely to look into your traffic
    • if the government is targeting another VPN user you're sharing your IP with you're more likely to get caught up in that
    • if you're bypassing privacy hostile filtering, your own service is less likely to be banned
  • you have more control
    • you can use any VPN technology you want, over any port, using any encryption standard you want
  • you can be more sure regarding what logs are kept
    • in most cases you have to accept no-logs policy claim on faith, if you roll your own VPN you control some of the logs

Cons[edit | edit source]

  • you do not share your IP with anyone
    • when you share your IP with somebody, assuming your provider actually does not keep logs, there is quite some ambiguity on to whom a particular connection belongs. If a website sees hundreds of requests coming from the same IP, it can infer much less about any individual user as they may find it hard to pinpoint any one individual user. When you have your own IP, all the data generated by it is yours. You cannot get lost in a crowd.
  • there is far more opportunity for employees or government to snoop on you
    • in addition to all normal methods which could be used to snoop on you, some new snooping avenues open themselves. An adversary could simply buy a VPS on same physical hardware as your VPS and use speculative execution attacks such as Meltdown or Spectre. Or they could use another VM escape and now they have access to the machine that hosts your VPN.
    • with cooperation of the provider, who has no particular commitment to your privacy, they could easily image the VM regularly
  • you have more responsibility
    • you're responsible for all the security and privacy configuration of your server. Unless you're a seasoned Linux admin, setting up a secure server that retains no logs is not a trivial matter
  • you can not be sure what logs are kept
    • the VPS provider could keep their own logs, which you have no control over

Verdict[edit | edit source]

It seems obvious that this decision is a minefield of double choices. Generally speaking:

If your primary VPN use is bypassing geo-restrictions in a particular country, and privacy is not really your main objective, the benefits of not sharing your IP with others might be enough to swing you in the direction of rolling your own VPN.
If you opt to go this way, look into Streisand.

If you actually are hoping to resist snooping from capable adversary, and you do not have the technical knowledge to manage a Linux server, go with a reputable VPN service.

External resources[edit | edit source]

YouTube[edit | edit source]

This Video Is Sponsored By ███ VPN by Tom Scott - A sober look at how VPN promotion can be misleading.
Stop using VPNs for privacy. - Another tech YouTuber with a realistic outlook regarding VPNs.
Should You Make Your Own VPN? - Linus Tech Tip's 'roll your own' VPN guide.

Articles[edit | edit source]

Don't use VPN services. - Does what it says on the tin.

Footnotes[edit source]

  1. At the time this was written, about 80% of websites use at least some type of TLS/SSL based encryption. Source
  2. For example, Saudi Arabia, among others.
  3. 'Netflix Is Less Annoying to VPN Users Now, But Some Titles Are ‘Hidden’' by Torrentfreak