Can't trust any VPN these days

I would say that the title is misleading. The author set up their own VPN, but didn't delve into what the config options they used actually do until they ran into problems. Everything else follows from that.

Clicking the link, it bought this was going to be about the issue identified in Mullvad discussed here; <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=41856883">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=41856883</a> but this isn&#x27;t even a bug or about trust.<p>A VPN (in this context) is hardly a VPN if it doesn&#x27;t traffic dns requests, and it&#x27;s probably the false advertising by the &quot;you need a vpn to securely access the internet&quot; companies that misinformed OP what <i>type</i> of VPN they were setting up.<p>The title should be more like &quot;can&#x27;t trust not reading the manual these days&quot;, or &quot;can&#x27;t trust sane defaults&quot;

While there is some useful info in the post, the title is hugely misleading. The author tried one (single) VPN solution which they set up themselves, without full understanding of the things or even reading documentation upfront (although &quot;it&#x27;s right there under the DNS section&quot;). It feels more like &quot;I was unable to correctly setup VPN even using the very detailed instructions, but I can&#x27;t blame myself, can I?&quot;

Has nothing to do with VPN or OpenVPN (almost). “You can’t trust” “Linux” in this case. Its network stack is still not mouse-friendly in general and requires some thought.<p>Quoting key points from TFA:<p>- (DNS leak happens)<p>- The DNS changes are not automatically applied by the OpenVPN client on Linux.<p>- You need to configure up and down scripts for managing the DNS updates.<p>- The recommended script is update-resolv-conf, which modifies DNS settings when the VPN connects and restores them upon disconnection.<p>- That script consists of a bunch of arcane bash commands that I don&#x27;t understand.<p>Iow, OpenVPN decided to not mess with system scripting.<p><i>For Linux, the OpenVPN client can receive DNS host information from the server, but the client expects an external command to act on this information. No such commands are configured by default. They must be specified with the up and down options. There are a few alternatives for what scripts to use, but none are officially recognised by OpenVPN, so in order for any of them to work, script-security must be set to 2. The down-root plugin can be used instead of the down option if running as an unprivileged user.</i><p>Otoh, it could at least signal that somehow in the ui&#x2F;cli. Does it not? I’m pretty sure there’s no dns leaks on my kubuntu boxes with ovpn profiles, but can’t test right now. If so, it’s probably an even narrower Arch + network manager problem.

Clickbait title, author didn&#x27;t use a VPN provider, used own OpenVPN solution and didn&#x27;t configure things correctly.

Maybe a bit off-topic, but genuine curiosity - why would anyone go for OpenVPN these days, when there is Wireguard available?<p>It makes sense if UDP is blocked, but in this case OP is clearly using UDP for OpenVPN.

The tragedy here is that expectations differ.<p>I would expect my laptop to use my local DNS server if the VPN is up. My local DNS server is the one I have on my home network. The rest of my traffic, I would expect to go through the VPN tunnel.<p>Problem of course is that VPNs <i>used to be</i> expert-level stuff. This kind of &quot;avoid government blocks&quot; use of VPN wasn&#x27;t even common when I started fiddling with OpenVPN around 2001&#x2F;2002.

Extremely misleading and vague title. Also, the author should seriously consider using wireguard. It&#x27;s way faster than OpenVPN

You can trust it if you configure it correctly.

Great write up! Do you have any plans to create your own Arch Linux installer that bundles all your steps together so other users in your situation might be able to have a simpler time getting all the mechanics operating if they&#x27;re Linux users but not as skilled as you?

bog-standard ssh server + bitvise local client = VPN<p>1) enable port forwarding in your sshd config (implies you can&#x27;t just do this on a server which you don&#x27;t admin and which has this disabled)<p>2) point bitvise&#x27;s socks5 proxy server feature at the ssh server<p>3) point anything that needs to be tunneled at the bitvise client&#x27;s port (default 1080) e.g. firefox &gt; about:preferences &gt; Network Settings (at bottom) &gt; Manual proxy configuration &gt; SOCKS v5 (enter details and your password if you set it up in bitvise) &gt; also check &quot;Proxy DNS when using SOCKS v5&quot; at bottom<p>4) voila, packets leave and return via the ssh server&#x27;s public IP.<p>5) For stubborn apps, check their config files, or use tsocks

What if the the author simply used 1.1.1.1 &#x2F; 8.8.8.8 &#x2F; any other public DNS outside of their country for all traffic? It&#x27;s an easier solution (yeah, with some drawbacks)

Run your own exit node for tailscale or zerotier somewhere

Nice writeup.<p>I&#x27;m wondering though. If the block is on DNS level, isn&#x27;t it easier and cheaper to use dns-over-https or dot instead?

I have honestly never trusted VPN providers in any shape or form. I had a university professor back in the early 2010&#x27;s who said something very accurate: &quot;Proprietary services providing anonymity provide everything but anonymity&quot;. I&#x27;m far more comfortable running a vps somewhere when I need to. And even then, VPN is kind of an exception since I hate fiddling with the setup(as easy as it may be). For most of my usage, an SSH tunnel as a socks proxy does it all and when I&#x27;m done, kill the vps and move on.

These days?

Just use wireguard.