I had this idea last night of creating a transparent and completely open source vpn service. It would have all the source code available to review online for the backend, vpn box configuration, audit log of reboots, signed binaries, reproducible builds, etc. It would run as transparently as possible. It also opens up the platform to be steered by customer needs via issue tracking, PRs, etc.<p>How interested would you be in such a service? Would you be willing to pay a slight premium over blackbox VPN services?
I have been looking at commercial VPNs for a while, and the problem with them all is that it's impossible to know which ones (if any) are trustworthy.<p>If you started such a service that could provide ongoing, real assurances as to trustworthiness, I would pay a premium for that. I'm not sure what that would look like, but your list is an excellent start.<p>I would say, though, that being open source -- while awesome -- doesn't really help in this regard, since you can't realistically prove that the code you're running on your servers is the same code that you're publishing. Signed binaries and reproducible builds don't help with this too much, I think.<p>But that's no different than any other service that someone else is running, so that's not a serious problem.
I think you are on to something with the customers steering the platform.<p>I want to use a VPN if I am joining a network that I don't necessarily trust(guest wifi, coffee shop, etc.) I want to use a VPN so my ISP can't sell my browsing history to advertisers. I don't really care about if the VPN provider logs my traffic to make sure no one is abusing the service. I don't even care that much if someone subpoenas my traffic as long as I find out about it.<p>I wonder if a coop model would be a good fit? It would weed out all of the people who want to use it to hide their torrent traffic, etc. It would be very difficult to acquire the VPN just for the data, as each of the users are the owners. Everyone would have a right to know about subpoenas because they are part owners in the organization.
No.<p>Why would I trust some random third-party with this? Especially given that presumably customers of such a service might have some reason to secure their traffic, the value of subverting it is relatively high.<p>I can run a VPN on a $5/month virtual machine, dedicated to my personal use, without needing to trust the operator of the VPN service OR raising the value of subversion by concentrating private traffic.
I had a similar thought, but stumbled when thinking about how you could actually assure users you didn’t log stuff. Once you answer that question, you might have a product. Right now, there is simply no way to prove to a user that the server is only running one process, and it’s only using the open source build(maybe hashing the build, not sure).
So, basically host OpenVPN or WireGuard? What advantage do you offer over doing it myself, e.g. with a VPS @ $5/month? <i>That</i> is the type of customer that cares about open source and whatnot in a VPN, so you need to provide some benefit beyond what you get by doing it yourself.
Are you talking about a shared overlay network with its own services and working end-to-end connectivity between nodes, or just piping internet traffic egress/ingress to some other isp rather than my native one?<p>I think the former one would be cool.