Do you need a VPN?

Grew up in China (moved to Australia since early 2008) where GFW is in place and getting overwhelmingly powerful, I&#x27;ve been through multiple stages to cross the `great wall`, SSH Dynamic Forwarding, PPTP, OpenVPN and now IPsec (strongSwan). The GFW has evolved so much (capable of massive scale MITM attack, DNS spoofing, traffic sniffing etc. you&#x27;ll be amazed how capable the GFW is - of course courtesy of the team behind it) that it makes increasingly more difficult for people to access the real Internet.<p>I&#x27;ve ditched PPTP (not safe any more) and shifted to IPsec (IKEv2 + RSA with X509, IKEv1 + PSK + XAUTH) as it is being used by a lot of MNCs - can&#x27;t killall. The GFW has developed technique to detect OpenVPN well and it is easily blocked so I don&#x27;t use it at all. Over the past few years many home brewed protocols emerge - e.g. shadowsocks and variants and many others (I&#x27;ve never used any of them).<p>The best thing to do with VPN is that to understand the basics of the VPN solution of choice, try to install and configure from scratch on VPS and use that as your main protection (encapsulation) while using public Wi-Fi or untrusted network. There&#x27;s been many good discussions on how to do this on HN.<p>NOTE: I am maintaining around 10 strongSwan powered IPsec VPN and 2 OpenVPN to help family members and close friends to access the real Internet (have to keep a low-profile though). Funny though, my networking skills evolved with GFW.

When evaluating a VPN service for trustworthiness, I always look at what their webpage loads in terms of tracking scripts.<p>Basically, if you offer me the service to protect my IP address and don&#x27;t even have the decency to let me inform myself about your offering without handing over my IP address to Google et al., then I&#x27;m not using your service.<p>Unfortunately, VPN providers collectively don&#x27;t seem to be aware of this presentation layer, so it&#x27;s neigh impossible to find one which doesn&#x27;t violate privacy here.<p>So far, I&#x27;ve found exactly two: azirevpn.com and airvpn.org<p>They load in Piwik, which I&#x27;m okay with.<p>These two providers also check a lot of other boxes for me, but yeah, it&#x27;s still just two providers after hours of research, so if anyone knows any other VPN providers with privacy-respecting webpages, please do tell.

I always ask this on the VPN threads here, and don&#x27;t feel like I get a solid answer (I&#x27;m not particularly well-versed on the topic so I&#x27;m genuinely curious and would love to be corrected).<p>If I go to Bob&#x27;s website on my computer without any VPN, and Bob wants to find me, all he would need to do is get my IP, call my ISP with a warrant, and then get my information.<p>If I go to Bob&#x27;s website while logged in with a VPN, and Bob wants to find me, he first sees that he&#x27;s getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions. Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me. In that case a) the VPN really does store logs even though they advertise they don&#x27;t, so they&#x27;re able to associate me with my activity, or b) they really don&#x27;t store logs and have no idea which one of its thousands of users logged into his website with that IP.<p>It seems in the latter case, even with a malicious VPN, it&#x27;s one additional (maybe trivial step) to associate me. But it&#x27;s still better than just using your own ISP. Isn&#x27;t that why people use VPNs to avoid DMCA letters from their ISP?<p>So what is the downside to using a VPN if you&#x27;re aware that they aren&#x27;t foolproof vs not using a VPN at all?<p>If you roll your own VPN on AWS or the like, don&#x27;t you lose the benefit of sharing the VPN with thousands of users? Wouldn&#x27;t it be easier for Bob to call AWS with a warrant and get your account info than mess with some offshore VPN provider?

I wish that we had arrived at a different term for third-party VPN proxy services. I use VPN connectivity to my home network whenever I am on the road so that my traffic is encrypted over-the-air (Wifi) regardless of its protocol or destination. When I read, &quot;Do you need a VPN?&quot; I think &quot;I love having a personal VPN to my home network that I use from everywhere. You might love it too!&quot; I am evangelical about creating and using a personal virtual private network—that is, a &quot;VPN&quot; in the more traditional sense of the term.<p>And then I realize the question is actually about third-party VPN proxy services, which seem to be a substantially different use-case.<p>It&#x27;s just a shame that the term &quot;VPN&quot; has become so ambiguous.

Every time this sort of question comes up, I reflexively link people to this page: <a href="https:&#x2F;&#x2F;gist.github.com&#x2F;joepie91&#x2F;5a9909939e6ce7d09e29" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;joepie91&#x2F;5a9909939e6ce7d09e29</a><p>Most of the time what people think they need a VPN for, a VPN won&#x27;t actually help them much. They have a narrow use-case in privacy contexts, in which case you&#x27;re better off using Tor.

I don&#x27;t know why anyone advocates using a VPN provider when it&#x27;s so trivial to set up your own VPN now.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;trailofbits&#x2F;algo" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;trailofbits&#x2F;algo</a> <a href="https:&#x2F;&#x2F;github.com&#x2F;Angristan&#x2F;OpenVPN-install" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Angristan&#x2F;OpenVPN-install</a><p>Either of these options, depending on your preferences (protip: use Algo, unless you&#x27;re in a place that blocks IPSEC VPNs...It&#x27;s cheap enough to have both available). This at least covers the basics of what they&#x27;re talking about being snooped in the post. Then you don&#x27;t have to worry about trusting the VPN provider (but you do have to worry about trusting your cloud provider).<p>If your threat model is different, you might want to be in a pool of users, but you can use the same service and solve this problem socially...

There sorely needs to be a corollary to net-neutrality, where websites cannot discriminate users based on the choice of their ISP&#x2F;vpn&#x2F;tor&#x2F;vps&#x2F;cloud-provider. I find it absurd that websites are even allowed to display a banner with phrasing like, &quot;We detect that you are using a vpn. Disable it to view this site.&quot; Netflix, the champion of net neutrality, is the biggest offender in this area.

Nitpick: Bitcoin, being a system where the history of all transactions is publicly available, is hardly an &quot;anonymous&quot; system. It is an additional level of separation from other forms of payment tagged with your credentials, and you can achieve anonymity if using it carefully, but it can&#x27;t be treated by an anonymous option by default.

Great link from the EFF describing tor and https [0] click on the grey &#x27;tor&#x27; and &#x27;https&#x27; links to see what information is collected where and what can be viewed.<p>surprised this article does not mention tor? or has tor been abandoned as a tool for privacy?<p>[0] <a href="https:&#x2F;&#x2F;www.eff.org&#x2F;pages&#x2F;tor-and-https" rel="nofollow">https:&#x2F;&#x2F;www.eff.org&#x2F;pages&#x2F;tor-and-https</a>

I&#x27;m on Verizon so I don&#x27;t get to choose if I need one. I have to use one on my phone at least.<p>They are still useful for lumping your traffic in with others for copyright infringement. Torrent clients offer the files for sharing while downloading.<p>They are still useful for some simple geo evasion as well.<p>They aren&#x27;t a solution for every security issue at all. Tor is generally better to run from open wifi from a tails USB rather than from a VPN.<p>Also, many VPNs actually log things they can provide to the FBI even though they lie and say they don&#x27;t. They can get a NSL and end up having to without being able to tell you that they did. Sometimes a NSL canary is used, but not always.

I&#x27;ve set up my own VPN using Streisand [<a href="https:&#x2F;&#x2F;github.com&#x2F;StreisandEffect&#x2F;streisand" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;StreisandEffect&#x2F;streisand</a>] &amp; Google Compute Engine (Micro Instance). When you create an account on Google&#x27;s Cloud, you get $300 (or used to at least). This instance type is big enough to handle the few devices I connect to it, fairly speedily too.

I&#x27;m surprised no one has mentioned Streisand, an open-source project that takes most (not all) of the effort out of setting up low-cost individual VPNs for yourself and your friends and family on a number of popular cloud services:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;StreisandEffect&#x2F;streisand" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;StreisandEffect&#x2F;streisand</a><p>It takes a little bit of technical know-how (or bravery) to get started, but the setup process is dead-simple and you end up with a completely personal VPN with dozens of options that can work around a number of different situations. Best of all, it&#x27;s entirely under your control. You can tear it down and start from scratch, or move to a new location or cloud provider easily. The docs are clear and easy to understand, and it&#x27;s constantly being improved. It&#x27;s a pretty remarkable project.

I spend 40 bucks or so on a Raspberry Pi, then installed these:<p><a href="http:&#x2F;&#x2F;www.pivpn.io&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.pivpn.io&#x2F;</a> <a href="https:&#x2F;&#x2F;pi-hole.net&#x2F;" rel="nofollow">https:&#x2F;&#x2F;pi-hole.net&#x2F;</a><p>Insanely easy to get running: plugged it in to my home router, and now I do all my remote browsing from my home network. I HIGHLY recommend it. I know it doesn&#x27;t help with privacy, since you&#x27;re using your home network, but I&#x27;m currently more concerned with WiFi hacks, pineapples, and the like.

Duckduckgo recently included &quot;How to Choose a Good VPN&quot; in their privacy newsletter - <a href="https:&#x2F;&#x2F;spreadprivacy.com&#x2F;how-to-choose-a-vpn&#x2F;" rel="nofollow">https:&#x2F;&#x2F;spreadprivacy.com&#x2F;how-to-choose-a-vpn&#x2F;</a>

I wish a trustworthy organization with a history of privacy advocacy, like EFF or Mozilla, would create a subscription VPN service. I&#x27;d sign up immediately and their reputation would command a significant price premium.

I&#x27;d hand cash to Mozilla if THEY provided a VPN service.<p>Or if Amazon provides one I&#x27;d use that for sure.

I don&#x27;t look to it as a foolproof solution, but I do see it as a way to make things a little bit harder for someone that&#x27;s trying to track me.<p>The arguments here often sound similar to &quot;experts&quot; that complain about 2 factor auth: Sure, it&#x27;s not perfect and there are better solutions in some cases, but it&#x27;s still better than nothing for a lot of people.

I typically don&#x27;t trust VPN providers, so I set up my own on AWS with this CloudFormation script. [0] It is almost effortless, takes 10 minutes and I can spin it up or spin it down without paying for a subscription, only AWS metered costs.<p>EDIT: another poster mentioned Algo [1]. This method requires a high degree of savvy and entails a higher level of difficulty, but looks much more configurable.<p>[0] <a href="https:&#x2F;&#x2F;www.webdigi.co.uk&#x2F;blog&#x2F;2015&#x2F;how-to-setup-your-own-private-secure-free-vpn-on-the-amazon-aws-cloud-in-10-minutes" rel="nofollow">https:&#x2F;&#x2F;www.webdigi.co.uk&#x2F;blog&#x2F;2015&#x2F;how-to-setup-your-own-pr...</a><p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;trailofbits&#x2F;algo" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;trailofbits&#x2F;algo</a>

Another issue to look for in selecting a VPN is leaks, where network packets travel through the &#x27;hostile&#x27; interface and not the VPN. Leaks can happen many ways, if I understand correctly (I did some reading on it recently but not my own research):<p>* Many VPNs use &quot;split-tunneling&#x27;: To save bandwidth, they route https traffic through the hostile network interface<p>* Some don&#x27;t route other protocols via the VPN, for example, IPv6 and even DNS are sometimes excluded.<p>* If the VPN connection drops<p>* When the VPN connection is out of sync with the device&#x27;s network connection (e.g., after the computer boots and before the VPN starts, or after the VPN is disconnected and before the computer shuts down).

This is a plug for my stuff, but a relevant plug nonetheless:<p>If you think you need a VPN, you probably need a good VPN protocol to go with it. Rather than using outdated legacy cruft like OpenVPN or IPsec, you might like WireGuard:<p><a href="https:&#x2F;&#x2F;www.wireguard.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.wireguard.com&#x2F;</a><p>It&#x27;s still in the early days, but the protocol is formally verified, the overall design has received academic review, the Linux implementation is maturing quite rapidly, and we&#x27;ll soon have Mac and Windows clients available. Part of the WireGuard Protocol uses the Noise Protocol Framework from Trevor Perrin, of Signal Protocol fame.

useful resource on selecting a VPN provider: <a href="https:&#x2F;&#x2F;thatoneprivacysite.net&#x2F;vpn-section&#x2F;" rel="nofollow">https:&#x2F;&#x2F;thatoneprivacysite.net&#x2F;vpn-section&#x2F;</a>

I always wonder about ProtonVPN (the ProtonMail people).<p>It&#x27;s Swiss based so I assume there would be a decent amount of round trip latency, but for sheer privacy it seems like a solid company that goes the extra mile by locating itself for legal purposes.<p><a href="https:&#x2F;&#x2F;protonvpn.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;protonvpn.com&#x2F;</a>

All the &quot;you don&#x27;t get privacy from a VPN&quot; talk misses the variable of <i>who you want privacy from</i>. If you don&#x27;t care about e2e privacy, but want a simple way, without using Tor, to keep websites from knowing your real IP, then VPNs are great.

Does anyone have a preference on what server the VPN connects to? For example, I&#x27;m using AirVPN, and you can select specific countries that you would like to allow the VPN to use. From there it just goes out and connects to the &quot;recommended&quot; server.<p>If I don&#x27;t make any preference, it will connect me to a server in Canada. It&#x27;s very fast, but a bit annoying because now I get all the Canadian search results in Google.<p>Is there any downside to using a VPN server in the same state or country that you are in?<p>BTW, I have been using AirVPN for a few days and really like it. Super minimal UI (which I like) and gets the job done. Also, I like that they accept BitCoin as payment if you so choose.

I started using BlackVPN about a month ago because the highly personalized ads all around the web got extremely unnerving. Having accounts with FB&#x2F;AMZN type services means they&#x27;ll never go away completely, but it&#x27;s better than nothing.<p>I&#x27;m curious if anyone has any commentary on other providers worth looking into. BVPN is based in Hong Kong which has a strong history of pro-privacy AFAIK, and they claim to not even have the technical ability to keep logs of relevant info. Either way, I think I&#x27;d rather have some random Hong Kong company have my semi-anonymized info rather than my ISP.

I recommend nordvpn. I have been using it for a while now with great success. It&#x27;s easy, fast, and private. They don&#x27;t log and their hq is in Panama, so it&#x27;s much harder to to get info out of them.

This is a sales page, not a objective discussion.<p>(a) There&#x27;s not much you can do with VPN that you can&#x27;t do with SSH (actually I can&#x27;t think of anything). And SSH is much more configurable.<p>(b) To avoid tracking of your browsing it is not a smart idea to pipe all your browsing through the servers of one VPN provider. A smart way would be to split up browsing streams, not to combine them.<p>I&#x27;m very sceptical about Mozilla writing such an ad page and trying to sell it as a reasonable technical blog post.

I guess the future is a ten-pack of cheap netbooks, a linux live CD, and free public wi-fi.<p>Access the internet, then smash the entire thing and throw it away and repeat.

When I travel to asia (manila), I notice not so much that there is a GFW type firewall preventing the connections, but rather that alot of web sites are just firewalling all of APNIC netblocks. So many web sites, in fact, that the quickest solution for me is to setup squid proxy on an IP in the US and generally everything works flawless after that.

I didn&#x27;t read the article but I want to say that the solution is not VPNs. We can end up being like North Korea where VPNs are forbidden. The solution is to have educated voters who do not vote to showmens like Erdoğan or Trump. <a href="https:&#x2F;&#x2F;youtu.be&#x2F;fLJBzhcSWTk" rel="nofollow">https:&#x2F;&#x2F;youtu.be&#x2F;fLJBzhcSWTk</a>

Learned recently: Opera includes a VPN for free.

Has anyone else had success with SoftEther? [0] I&#x27;ve used it for a VPS-based VPN but would like to know if it is GFW capable. Have been impressed with the code of that project.<p>[0]: <a href="https:&#x2F;&#x2F;www.softether.org" rel="nofollow">https:&#x2F;&#x2F;www.softether.org</a>

For those looking to self-host, <a href="https:&#x2F;&#x2F;cloudron.io&#x2F;store&#x2F;io.cloudron.openvpn.html" rel="nofollow">https:&#x2F;&#x2F;cloudron.io&#x2F;store&#x2F;io.cloudron.openvpn.html</a> works great. I have used algo in the past and that works well too.

Some citations and good feedback on exact details with potential caveats in using various providers.<p><a href="https:&#x2F;&#x2F;gist.github.com&#x2F;kennwhite&#x2F;1f3bc4d889b02b35d8aa" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;kennwhite&#x2F;1f3bc4d889b02b35d8aa</a>

Yes. It&#x27;s not a panacea, but why not if you can DIY in less than five minutes for $5&#x2F;month? <a href="https:&#x2F;&#x2F;github.com&#x2F;jenh&#x2F;sevenminutevpn" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jenh&#x2F;sevenminutevpn</a>

Yes you need a VPN, no you shouldn’t trust anyone with it. Run your own. It’s easy and less expensive.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;StreisandEffect&#x2F;streisand" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;StreisandEffect&#x2F;streisand</a>

If you are in China, please read this article. <a href="https:&#x2F;&#x2F;eikochow.gitbooks.io&#x2F;vpn&#x2F;content&#x2F;" rel="nofollow">https:&#x2F;&#x2F;eikochow.gitbooks.io&#x2F;vpn&#x2F;content&#x2F;</a>

I urge people to fight this politically as well. We know from China that most technologies can be blocked or legislated against. If you want a future with more freedom and privacy, fight this politically.

If you’re after ultimate privacy and security, look for a service that accepts payment from anonymous services like Bitcoin.<p>Bitcoin can be tracked, use zcash? . Can&#x27;t believe mozilla got this wrong.

If you work for a company, organization, agency or nation state which drives people to use VPNs, please think for a minute about what you do and what you could do for users in the future.<p>Thank you.

Are we going back into time where we can draw parallels between internet access through an online portal like AOL and now when we are accessing our internet through a VPN?

Anyone knows a good OpenVPN client for Android? I have used both OpenVPN Connect and OpenVPN for Android but both get disconnected at random times, leaving me exposed.

Does it worth it to create your own VPN with OpenVPN? I mean, if I do that, would be better than a good VPN service? Considering security, features, etc...?

You know what should be easier? Being able to just run a docker image on a VPS like DO and instantly have a DIY VPN server that you can spin up on demand.

How about WPA2&#x2F;KRACK?<p>While the standard VPN pro&#x2F;cons apply, if you have unpatched or unpatchable hardware it seems like a fairly compelling reason right now.

Ad Networks use multiple mechanisms to identify you: cookies, browser fingerprinting. Hiding behind a VPN will not make you invisible.

<a href="https:&#x2F;&#x2F;privateinternetaccess.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;privateinternetaccess.com&#x2F;</a>

Be careful, Mozilla. When you blog about VPN&#x27;s <i>as Mozilla</i>, you write from a position of authority. VPN&#x27;s are a notoriously minefield of shady providers and false promises. You do not want to recommend CyberGhost to your followers, the find out in six months when they show up in a court order that, oops, CyberGhost actually logs a ton of stuff that can be subpoenaed.<p>Exercise caution. Do your research.

What happens when ISPs decide you need a &quot;business&quot; subscription plan to use a VPN?

Is there any way in which a VPN is superior to Tor, except possibly speed?

It would be great if Mozilla ran a VPN service. :)

Yes, I need it my email:1187503962@qq.com

Thank god this isn&#x27;t one of websites that just says NO in 144pt font.

Does anyone know of a way to scrape the web anonymously?

Yes, I need it

Im in china at the moment using expressvpn (been using it for a year by now) and since about two weeks only three server locations work well (Hong Kong, Tokyo, Los Angeles). Some others work off an on. Before that most locations worked and some of them, Taiwan for example, used to be very fast. Its still usable for streaming and surfing but I&#x27;m afraid the end is near. I think sometime in the future one will have to go with shadow socks and or similar protocols&#x2F;solutions but until then expressvpn is quite convenient (mobile client, router with expressvpn client).

Is this another candidate for Betteridge&#x27;s law [0]?<p>[0] <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Betteridge%27s_law_of_headlines" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Betteridge%27s_law_of_headline...</a>