Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPNs for their intended purpose; that is, as a virtual private (internal) network. It only applies to using one as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. Your tunnel terminates on the provider's server, so the provider sees the destination of every connection you make, every DNS query it resolves for you, and the content of anything that is not separately encrypted end-to-end, and can do with all of it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy: the tunnel protects the hop between you and the provider and nothing else. It does nothing about the site you are visiting, the software you run, or the things you download.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (i.e. where your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted hop is the one from you to the VPN provider. From the VPN server onwards, the traffic is exactly what it would have been without a VPN: HTTPS stays HTTPS, plaintext stays plaintext. And remember, the VPN provider sits at the point where the tunnel is decrypted, so it can see and mess with all of it.
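To make that concrete, here is an added example (my own code, not part of the original article): a small Python model of the path from a laptop on coffee-shop Wi-Fi, through a commercial VPN server, to a web server, showing what each party can read when the application speaks plain HTTP versus HTTPS. The cipher is a toy HMAC counter-mode stream, the keys, the hostnames (vpn-exit.example.net, example.com) and the login request are constructed for the demo, and "TLS" is reduced to a clear-text SNI line plus ciphertext; what is faithful is who holds which key.

```python
"""Who can read what when traffic goes through a "VPN" (a proxy hop).

Vantage points modelled:
  * the local (coffee-shop) network between you and the VPN server,
  * the VPN provider, who terminates the tunnel,
  * anyone between the VPN exit and the destination.
Toy cipher and constructed data; only the key distribution mirrors reality.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; fine for a model, not for production."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


@dataclass
class InnerPacket:
    dst_host: str
    dst_port: int
    payload: bytes  # application-layer bytes exactly as they hit the wire


def tls_wrap(session_key: bytes, host: str, request: bytes) -> bytes:
    """Model of HTTPS: a clear-text SNI line, then ciphertext under a key that
    only the browser and the web server hold. The VPN never sees session_key."""
    return b"SNI=" + host.encode() + b"\n" + xor_crypt(session_key, b"tls", request)


def client_send(tunnel_key: bytes, pkt: InnerPacket) -> bytes:
    """What the VPN client emits onto the local network: one opaque blob,
    addressed to the VPN server, encrypted under the key shared with the provider."""
    inner = json.dumps({"host": pkt.dst_host, "port": pkt.dst_port,
                        "payload": pkt.payload.hex()}).encode()
    return xor_crypt(tunnel_key, b"tun", inner)


def vpn_server_forward(tunnel_key: bytes, blob: bytes) -> InnerPacket:
    """The provider's exit node strips the tunnel layer and forwards the inner
    packet unchanged, so it holds exactly the bytes the destination will receive."""
    d = json.loads(xor_crypt(tunnel_key, b"tun", blob))
    return InnerPacket(d["host"], d["port"], bytes.fromhex(d["payload"]))


def observe(payload: bytes, destination: str) -> dict:
    """What a party holding no keys can read off the bytes in front of it."""
    sni, body = None, payload
    if payload.startswith(b"SNI="):
        header, body = payload.split(b"\n", 1)
        sni = header[len(b"SNI="):].decode()
    return {"destination": destination, "sni": sni,
            "plaintext_http": b"HTTP/1.1" in body, "body": body}


def what_each_party_sees(https: bool) -> dict:
    # Constructed keys and request; "hunter2" stands in for any credential.
    tunnel_key = hashlib.sha256(b"shared with the VPN provider").digest()
    session_key = hashlib.sha256(b"shared with example.com only").digest()
    request = (b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\n"
               b"user=alice&password=hunter2")
    payload = tls_wrap(session_key, "example.com", request) if https else request
    pkt = InnerPacket("example.com", 443 if https else 80, payload)

    blob = client_send(tunnel_key, pkt)               # on the coffee-shop Wi-Fi
    forwarded = vpn_server_forward(tunnel_key, blob)  # at the provider's exit

    return {
        "coffee_shop_with_vpn": observe(blob, "vpn-exit.example.net"),
        "coffee_shop_without_vpn": observe(payload, pkt.dst_host),
        "vpn_provider": observe(forwarded.payload, forwarded.dst_host),
        "after_vpn_exit": observe(forwarded.payload, forwarded.dst_host),
    }
```

Run `what_each_party_sees(False)` and `what_each_party_sees(True)` and compare the dictionaries: with plain HTTP the provider's view is byte-for-byte the view the coffee shop would have had without the VPN, password included; with HTTPS the provider still gets the destination and the SNI, just not the body. The VPN has moved the observer, not removed one.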

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kinds of tactics, and combined with the increased adoption of CGNAT and an ever-increasing number of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.
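An added example (not from the original article) of that mechanism in Python: a server groups requests by a hash of the headers every browser sends on each request instead of by source IP. The four JSON log lines are constructed for the demo, with two users behind one shared 203.0.113.7 address and one of them later arriving from 198.51.100.20, as if they had switched a VPN on.

```python
"""Passive header fingerprinting versus IP-based identification (constructed data)."""
import hashlib
import json
from collections import defaultdict

# Constructed request log, one JSON object per line: two different people behind
# one shared address, and one person whose address changes mid-session. No cookies.
SAMPLE_LOG = """
{"ip": "203.0.113.7", "ua": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", "accept_language": "en-US,en;q=0.5", "accept_encoding": "gzip, deflate, br", "path": "/"}
{"ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36", "accept_language": "de-DE,de;q=0.9", "accept_encoding": "gzip, deflate, br", "path": "/"}
{"ip": "198.51.100.20", "ua": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", "accept_language": "en-US,en;q=0.5", "accept_encoding": "gzip, deflate, br", "path": "/cart"}
{"ip": "203.0.113.7", "ua": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", "accept_language": "en-US,en;q=0.5", "accept_encoding": "gzip, deflate, br", "path": "/checkout"}
"""

# Headers a browser repeats identically on every request. The source IP is
# deliberately not part of the material.
FINGERPRINT_HEADERS = ("ua", "accept_language", "accept_encoding")


def fingerprint(record: dict) -> str:
    """Hash the stable headers into a short identifier."""
    material = "\x1f".join(record.get(h, "") for h in FINGERPRINT_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def profiles(log_text: str) -> dict:
    """Group requests by fingerprint; each profile records the IPs and paths seen."""
    out = defaultdict(lambda: {"ips": set(), "paths": []})
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        fp = fingerprint(rec)
        out[fp]["ips"].add(rec["ip"])
        out[fp]["paths"].append(rec["path"])
    return dict(out)


def ip_based_profiles(log_text: str) -> dict:
    """The naive model the article calls irrelevant: one identity per IP address."""
    out = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        out[rec["ip"]].append(rec["path"])
    return dict(out)
```

`profiles(SAMPLE_LOG)` yields two profiles: the Firefox user is followed from `/` to `/cart` to `/checkout` across both addresses, and the Chrome user sharing the first address stays separate. `ip_based_profiles` mixes the two users together and loses the Firefox user when the address changes. Real trackers add far more signals (canvas, fonts, screen metrics, and TLS ClientHello fingerprints such as JA3 built the same way from the handshake fields), none of which a VPN changes.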

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

  1. You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to MITM its customers' traffic), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scare letters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (as is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using WireGuard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.
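An added example (my own, not from the article or the WireGuard project) in Python that renders the server and client halves of a self-hosted WireGuard tunnel on a VPS and checks the client half for the two usual leaks. The key strings are placeholders, and the tunnel subnet 10.8.0.0/24, the interface name eth0, the endpoint vps.example.net and the presence of a resolver on the VPS are all assumptions; generate real keys on each machine with `wg genkey` and `wg pubkey`.

```python
"""Render and sanity-check a self-hosted WireGuard server/client pair (wg-quick format).

Placeholder keys only. Generate real ones on each machine with
    wg genkey | tee wg.key | wg pubkey > wg.pub
and never move a private key off the machine it was generated on.
"""
from textwrap import dedent

# Assumed tunnel addressing for the demo.
TUNNEL_NET = "10.8.0.0/24"
SERVER_TUNNEL_IP = "10.8.0.1"
CLIENT_TUNNEL_IP = "10.8.0.2"


def server_config(server_priv: str, client_pub: str,
                  listen_port: int = 51820, wan_if: str = "eth0") -> str:
    return dedent(f"""\
        [Interface]
        Address = {SERVER_TUNNEL_IP}/24
        ListenPort = {listen_port}
        PrivateKey = {server_priv}
        # NAT the tunnel subnet out through the VPS's public interface; needs
        # net.ipv4.ip_forward=1 in sysctl. PostDown removes the rule again.
        PostUp = iptables -t nat -A POSTROUTING -s {TUNNEL_NET} -o {wan_if} -j MASQUERADE
        PostDown = iptables -t nat -D POSTROUTING -s {TUNNEL_NET} -o {wan_if} -j MASQUERADE

        [Peer]
        PublicKey = {client_pub}
        # Server side: accept packets from this peer only with its own tunnel
        # address as source, so one compromised client cannot spoof another.
        AllowedIPs = {CLIENT_TUNNEL_IP}/32
        """)


def client_config(client_priv: str, server_pub: str, server_host: str,
                  listen_port: int = 51820) -> str:
    return dedent(f"""\
        [Interface]
        Address = {CLIENT_TUNNEL_IP}/32
        PrivateKey = {client_priv}
        # Resolve names through the tunnel (assumes a resolver on the VPS),
        # not via whatever DNS the hostile network hands out.
        DNS = {SERVER_TUNNEL_IP}

        [Peer]
        PublicKey = {server_pub}
        Endpoint = {server_host}:{listen_port}
        # Client side: route everything, v4 and v6, through the tunnel. Leaving
        # ::/0 out lets IPv6 traffic bypass the tunnel on a dual-stack network.
        AllowedIPs = 0.0.0.0/0, ::/0
        PersistentKeepalive = 25
        """)


def parse_conf(text: str) -> list:
    """Minimal parser for the INI-like wg-quick format: [(section, {key: value}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        else:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections


def full_tunnel_checks(client_conf: str) -> dict:
    """Flag the two classic client-side leaks: traffic routed around the tunnel
    (AllowedIPs not covering all of v4 and v6) and DNS sent to the local resolver."""
    conf = dict(parse_conf(client_conf))
    allowed = {a.strip() for a in conf["Peer"]["AllowedIPs"].split(",")}
    dns = conf["Interface"].get("DNS")
    return {
        "routes_all_v4": "0.0.0.0/0" in allowed,
        "routes_all_v6": "::/0" in allowed,
        "dns_inside_tunnel": dns is not None and dns.startswith("10.8.0."),
    }
```

Install the rendered files as /etc/wireguard/wg0.conf (mode 0600) on each side, set net.ipv4.ip_forward=1 on the VPS, open UDP 51820 on its firewall, and bring the interface up with `wg-quick up wg0`. The asymmetry in AllowedIPs is the part people get wrong: on the client it is a routing decision (send everything here), on the server it is an ingress filter (only accept this peer's own address), and WireGuard's cryptokey routing enforces both.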

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.


This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.


Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

130rne commented Feb 22, 2022

@lydia307 Use Nord. They had a fire at one of their centers and recovered from it with no downtime. Or use Proton, their email is encrypted and they have decent speed, I'm on a free tier for basic stuff and have no complaints. Both Nord and Proton claim to be no log and Proton is extremely privacy focused as a whole. They're much better than a lot of the other ones out there. Tl;dr- don't use panda. There are better ones.

Definitely look into the 5 eyes/9 eyes/whatever. I didn't know it was a thing but for sure, a no log policy is only as good as the government that regulates the company. If they're mandated to track people, there's nothing you can do about it. I look for companies with a good track record and who have servers physically located in countries I prefer. A VPN is just a tool, know the limitations and use it appropriately.

LokiFawkes commented Feb 24, 2022

@130rne They're also famous for lying about not logging. Proton removed their no-logs policy from their mail service because it turned out they are still beholden to a government, which has forced them to collect logs on an activist. Nord is owned by a datamining company, and NordVPN users have gotten caught. Not to say these aren't useful to bypass geofilters or a nationstate firewall, but don't take their no-logs policies at face value, let alone advertise them without at least making them pay you for it.
(Edit: Earlier the whole message wasn't showing)
Okay now that the whole message is showing for me, most of what I said above still applies, but uh... Just thought I'd add this on to acknowledge that my response was a bit redundant.

130rne commented Feb 25, 2022

@LokiFawkes 👍 Impossible to exist in other countries without playing by their rules. Notice I said "claim to be" and "better than a lot of others" lol. Better doesn't necessarily mean good. It is what it is.

Lydia wanted something more stable and I expect Nord and Proton are a lot more stable than others. Also Surfshark from what I've seen. You can't trust anyone 100% so for me it's more about just getting the damn thing to work. Even outside of logging, there are only a few that I would use. A lot of them are a pain in the ass and have slow speeds and disconnects etc. Even Proton gave me issues on my desktop, on my phone it's been fine.

LokiFawkes commented Mar 6, 2022

Everybody ignore @jakylala until someone with power can delete that post. It’s an ad and a phishing scam. The link is a fake storefront and will steal your card info. Report isn’t working.

130rne commented Mar 6, 2022

netlify.app 😂 gtfoh

marsmonitor commented Mar 9, 2022

> @130rne They're also famous for lying about not logging. Proton removed their no-logs policy from their mail service because it turned out they are still beholden to a government, which has forced them to collect logs on an activist. Nord is owned by a datamining company, and NordVPN users have gotten caught. Not to say these aren't useful to bypass geofilters or a nationstate firewall, but don't take their no-logs policies at face value, let alone advertise them without at least making them pay you for it. (Edit: Earlier the whole message wasn't showing) Okay now that the whole message is showing for me, most of what I said above still applies, but uh... Just thought I'd add this on to acknowledge that my response was a bit redundant.

Is Tutamail a more private option?

130rne commented Mar 9, 2022

> Is Tutamail a more private option?

No clue. They're end to end encrypted? Proton mail is. What we're talking about is the originating IP, it's required for receiving any kind of data from the server. If you're only sending data out, the source IP doesn't matter. Even with VPNs the service needs to know your public IP address which means it has records of your IP and the server you connect to. Nothing can get around that. Encrypted is more private, yes, they don't see the data itself. But it's like a home mailing address, the post office needs to know where to send the mail.

atoponce commented Mar 24, 2022

As a counterargument to this Gist by @joepie91, Consumer Reports published a report on popular VPN service providers (PDF, 48 pages). Covers security, privacy, and other issues such as logging and transparency reports. If people are going to use VPN service providers, such as at a coffee shop or other untrusted network, understanding how to grade a VPN service provider can be important. This PDF does that. Their final recommendation for users is:

> Of the 16 VPNs we analyzed, Mullvad, PIA, IVPN, and Mozilla VPN (which runs on Mullvad's servers)—in that order—were among the highest ranked in both privacy and security. However, PIA has never had a public third-party security audit. Additionally, in our opinion, only IVPN, Mozilla VPN, and Mullvad—along with one other VPN (TunnelBear)—accurately represent their services and technology without any broad, sweeping, or potentially misleading statements.

This report was presented at ShmooCon 2022 by Yael Grauer. Accompanies the following posts by Consumer Reports:

LokiFawkes commented Mar 24, 2022

@atoponce If you're using a VPN because you don't trust a network you joined, maybe host your own VPN instead. People using VPN services are usually trying to hide entirely or to get around geofilters. The ones trying to prevent being snooped on in unsafe networks are better off using a self-hosted VPN, which will not only hide their traffic from the rest of the coffee shop (which was already encrypted in this day and age), but can also allow them access to network resources they have at home.
As some of your links have mentioned, there really is no need for a VPN service anymore for privacy or to prevent MITM attacks.

atoponce commented Mar 24, 2022

@LokiFawkes Hosting a VPN isn't a good general recommendation for most people. It works for system administrator types, if they stay on top of patching known vulnerabilities of the VPN software and the system it's running on.

LokiFawkes commented Mar 28, 2022

@rafaelmazzer Pretty sure this has been brought up already and the posts advertising it have already been deleted in the past. No need to bring it back up, it's a scam. Just another goofy "tor alternative" that still owns your traffic when you connect.

atoponce commented May 3, 2022

India is now requiring all VPN service providers operating in India to store customer logs for 5 years or more. This includes:

  • Validated customer names, physical address, email address and phone numbers.
  • The reason each customer is using the service, the dates they use it and their "ownership pattern."
  • The IP address and email address used by a customer to register for the service, along with a registration time-stamp.
  • All IP addresses issued to a customer by the VPN, and a list of IP address being used by its customer base generally.

https://www.cnet.com/news/privacy/india-orders-vpn-companies-to-collect-and-hand-over-user-data/

MayMeow commented May 6, 2022

> Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

Most webpages now use SSL. Don't you need to install the VPN provider's CA certificate in your trusted certificates for them to MITM? Otherwise you will be notified (each browser will warn you) that you are getting a certificate signed by an untrusted CA. And you should never accept any untrusted connection (or stop using this VPN provider). In this case they can log IP addresses but they can't see what you are doing there (very simply said).

Some countries do that, but they coerce you into installing their root certificate.

h1z1 commented May 10, 2022

> @LokiFawkes @joepie91 sorry, I'm just a gullible zoomer then. But please explain me how they would steal your private information if all the data is encrypted and users do not have an account? Please enlighten my gullible ass, cause I clearly need some education here. Please note that I am not trying to confront you guys. I respect your opinions and would love to learn more about privacy and better solutions!
>
> From what I read on their legal T&C (If they are lying about that they would have to be pretty ballsy to be saying all this and then not respecting your privacy...) :

It isn't technically a lie - THEY aren't (though if you read their own text you'll find they do). What their partners do or more likely, what the networks around them do are entirely different things. They somewhat acknowledge it too.

Think of it like literally living in a glass house. You have four walls, a roof, a door and likely a key with a lock. But you live in a glass house, anyone around you can see in. That is the state of most VPNs / hosting.

Think of security implementations themselves as somewhat like driving a car. You have tinted windows, may even be an armored truck. Point is there's enough information about the vehicle itself to infer who you are because the vehicle has to be registered. The company name will likely be on it. Where you were picked up, dropped off, times, etc. That is enough information to profile YOU.

The armor in the vehicle is no more at fault than the math behind encryption. The problem is how they're implemented. The armor could in fact be aluminum just as the random key bits could be predictable. Both are technically accurate.

LokiFawkes commented May 17, 2022

Dude's a troll, don't feed him. He's just here to make the rest of the privacy-minded folk look like tinfoil hats.
I'll save you the trouble of waiting for his answer that'll make frogs gay. A half-wave 2.4ghz antenna would be 6.25cm, a quarter wave 3.125cm, nanoparticles wouldn't be able to put out a 2.4ghz signal far enough to penetrate your skin no matter how beefy the amp is, let alone if the particles are there by their lonesome.

HeyJoplin commented Jun 1, 2022

@qwikag

I like the way you challenge this post :)

Nevertheless, this post says "Don't use VPN services". Focus on the "services" thing. You can check the section "So, then... what?" and there's some info about setting up your own VPS. Setting up a VPS nowadays is easy even for non-tech users, and you can destroy it (or just power off) when you don't need it anymore, saving some money.

Regarding the "so we were all vulnerable" comment, maybe going a bit off-topic here, but: think on metadata. Metadata kills (not kidding, www.justsecurity.org/10311/michael-hayden-kill-people-based-metadata ). Tunneling our traffic won't help if we keep using the wrong OS, apps or protocols.

LokiFawkes commented Jun 7, 2022

@qwikag I think you mean what if joepie put this article here to do that?
Well, he wouldn't gain much from you being on the clearnet. You already have a firewall on each device and your Internet gateway. You already are using encryption for just about everything, to the point a man in the middle can't hijack your traffic. At this point, hijacking your traffic has to be done at endpoints. Now, a VPN can do that by being an endpoint for one protocol from itself to you, and an endpoint for another protocol from itself to your destination.
It can also correlate your traffic even if it's not defeating your encryption. The possibilities are endless.

Making a VPN client open source doesn't mean the VPN service doesn't have secret sauce on its end, and if they release the source code to their server software, you can't exactly trust that's actually what's running on their servers and not just a cleaned up version for show. Ultimately it's the service that matters, and you can't verify they're not doing anything nefarious, even if you could verify the machine code on both sides. You can, however, verify that they are, or to be more precise, that they're legally required to, violate your privacy. PIA is based out of the US. Intercept laws require a method to monitor traffic in a way similar to wiretapping a phone. For digital services, this includes a requirement of short term logging at all times in case a user is labeled a person of interest, and long term logging once a user IS a person of interest. But that's minimum. Usually, in order to avoid punishment for not being thorough enough, companies will log perpetually. If they don't, their section 230 could be challenged, and they could be held responsible for enabling you.

CoopTRUE commented Jun 24, 2022

> connects to vpn so big tech can't see what I'm doing
> logs into Facebook

LokiFawkes commented Jul 9, 2022

@gofukrself Enjoy your report for, let's see here, harassment, spam, threats of violence, and a bad attempt at phishing.
Also unlike you, I'm a user with a real name and proper 2FA.

danielsalama2 commented Jul 16, 2022

thanks for sharing

LokiFawkes commented Jul 26, 2022

Nord is not owned by Tesonet.

Pretty sure you're the only one here mentioning Tesonet until now. NordVPN is, or should I say was (My use of present tense was outdated), owned by Tefincom SA, which used to be proudly displayed on their site despite being a known datamining company and having ties to Tesonet. NordVPN, later NordSec, was co-founded by Tesonet co-founder Tom Okman. Literally all roads lead to datamining. Again, VPN services are not privacy services.
The fact you so lazily made that argument without any research shows you're just here to post hot takes and shill for scams, so further engagement has been deemed unnecessary.

LokiFawkes commented Jul 26, 2022

@eqn-group Better question. Why are you?

LokiFawkes commented Jul 30, 2022

@mahigill414 And that's why so many so-called VPNs use a proprietary client. Instead of installing the cert to your system, the cert's installed with the app and recognized while the app is installed and running. This is why, if I'm going to use a VPN for anything, I'm using OpenVPN. For OpenVPN, the only cert you might need is to validate the server identity. For proprietary, they can package a replacement root certificate with the program.
Also, would a mod kindly delete this? She's advertising her whore sites with all those bitly links.

LokiFawkes commented Aug 13, 2022

@noorkaur66 Oh great. More whore site ads.

LokiFawkes commented Aug 14, 2022

Seeing as we're no longer getting any constructive discourse, if it's possible to freeze this gist, I highly recommend it. It's just whore ads now.

joepie91 (gist author) commented Aug 25, 2022

> Seeing as we're no longer getting any constructive discourse, if it's possible to freeze this gist

Unfortunately, it's not. I already reached out to Github about this a while ago. Would've closed comments a long time ago otherwise.

BrodyDoggo commented Sep 3, 2022

What would be the difference between a vpn and a proxy?
You said a vpn is a "glorified proxy", I'm just curious as to what the difference is and learning more about vpns and proxies. just seems interesting to me.

LokiFawkes commented Sep 4, 2022

@BrodyDoggo
I can explain this.
The purpose of a VPN is to provide a tunneled connection into a private network. It's like a proxy, except you can traverse firewalls and connect to devices over any port or protocol through it. In a proper VPN, you even get your own IP address in the private network.
However, this is not how clearnet VPN services like NordVPN or ExpressVPN work. Even when they use real VPN protocols, they're just putting you into a NAT network and hiding you behind one IP address, their IP address. Essentially, the same as a proxy. They can control what ports you get to use, what protocols you get to use. Essentially, the same as a proxy. At best, with no restrictions on ports and protocols, you'd be looking at something called a SOCKS proxy.
In many actual VPN setups, you might even set your virtual network adapter that's connected to the VPN, as a SOCKS proxy to prevent direct access to the clearnet.
But these VPN services you see out there range from web proxies to SOCKS proxies, advertised as being more private than a proxy, and often come with proprietary apps that strip SSL so they can collect and sell your browsing habits.
They even advertise this SSL-stripping function as virus protection, when in reality, their VPN cannot protect you from viruses even by stripping SSL (though if they're honest they can try), but it can make them money by collecting data.
By stripping SSL, typically by replacing your root certificate so your browsing happens in an encrypted form that they can read but outsiders still can't, they not only can get your browsing habits beyond just IP addresses and DNS requests, but they can also harvest metadata AND the payload of the connection, including passwords and other personally identifying information that would have otherwise been transmitted without a man in the middle.
So really the difference between a VPN and a proxy is the P in VPN - private. If it doesn't provide a tunnel to a private network, it's not a VPN, regardless of what protocol it uses or what its name is.
VPN - Virtual connection to private resources like company servers
Also a VPN - Virtual connection to your company or home's private network, doubling as a proxy for the clearnet
Not a VPN - A tunnel to a web proxy, branded as a VPN, meant to look like you're browsing from the server you connected to rather than from where you are

If you still want to call these VPNs, the distinction would then be between Virtual Private Networks and Virtual Public Networks.

ivanjx commented Sep 20, 2022

not a single word about censorship
