@joepie91 /
Last active Feb 25, 2018

Don't use VPN services.


No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPNs for their intended purpose; that is, as a virtual private (internal) network. It only applies to using one as a glorified proxy, which is what every third-party "VPN provider" does.

(A Russian translation of this article can be found here, contributed by Timur Demin.)

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (i.e. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kinds of tactics, and combined with increased adoption of CGNAT and an ever-increasing number of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

  1. You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (as is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own. I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndBox.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.
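
The "But I want more encryption!" argument above, as a runnable model (an added example, not part of the original gist). A toy SHA-256 keystream stands in for both the VPN tunnel and TLS, and the addresses, keys and request are constructed sample values.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample values: documentation-range IPs, made-up keys and request.
CLIENT_IP, VPN_IP, SITE_IP = "198.51.100.7", "203.0.113.10", "192.0.2.80"
TUNNEL_KEY = b"shared by client and VPN provider"
TLS_KEY = b"shared by client and website only"
SECRET = b"password=hunter2"
REQUEST = b"POST /login HTTP/1.1\r\n\r\nuser=alice&" + SECRET


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for real encryption: XOR with a SHA-256 counter keystream.
    Calling it again with the same key decrypts. Not for real use."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_request(use_tls: bool) -> Packet:
    """The packet the client would send directly to the website."""
    body = toy_cipher(TLS_KEY, REQUEST) if use_tls else REQUEST
    return Packet(CLIENT_IP, SITE_IP, body)


def encapsulate(inner: Packet) -> Packet:
    """VPN client: wrap the whole inner packet and address it to the provider."""
    blob = f"{inner.src}|{inner.dst}|".encode() + inner.payload
    return Packet(CLIENT_IP, VPN_IP, toy_cipher(TUNNEL_KEY, blob))


def vpn_forward(outer: Packet) -> Packet:
    """VPN provider: strip the tunnel layer and send the inner packet onwards
    from its own address. Whatever was inside is now exactly what it was
    before the tunnel was applied."""
    _src, dst, payload = toy_cipher(TUNNEL_KEY, outer.payload).split(b"|", 2)
    return Packet(VPN_IP, dst.decode(), payload)


def site_receive(pkt: Packet, use_tls: bool) -> bytes:
    """Website: only it (and the client) hold TLS_KEY."""
    return toy_cipher(TLS_KEY, pkt.payload) if use_tls else pkt.payload


def view(addresses, payload: bytes) -> dict:
    """What an observer learns from the addresses and bytes it can see."""
    return {
        "client_ip": CLIENT_IP in addresses,
        "destination": SITE_IP in addresses,
        "password": SECRET in payload,
    }


def visibility(use_vpn: bool, use_tls: bool) -> dict:
    """Per-observer view of one login request."""
    inner = build_request(use_tls)
    if not use_vpn:
        return {"isp": view({inner.src, inner.dst}, inner.payload)}
    outer = encapsulate(inner)
    exit_pkt = vpn_forward(outer)
    assert site_receive(exit_pkt, use_tls) == REQUEST  # request still arrives
    return {
        # Your ISP / local network: sees only the tunnel to the provider.
        "isp": view({outer.src, outer.dst}, outer.payload),
        # The provider: your real IP from the outer packet, plus the inner one.
        "vpn_provider": view({outer.src, exit_pkt.dst}, exit_pkt.payload),
        # Anyone between the provider and the website.
        "beyond_vpn": view({exit_pkt.src, exit_pkt.dst}, exit_pkt.payload),
    }


if __name__ == "__main__":
    for use_vpn in (False, True):
        for use_tls in (False, True):
            print(f"vpn={use_vpn} tls={use_tls}")
            for observer, seen in visibility(use_vpn, use_tls).items():
                print(f"  {observer:13} {seen}")
```

The `vpn_provider` row with the VPN is identical to the `isp` row without it, and TLS removes the password from every row while leaving the destination visible to whoever sits at the tunnel's exit.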

The post is fine but the headline is wrong. Especially since you clearly state valid use-cases for a VPN. So, yes, there are reasons to use a VPN. (Another use-case, probably covered in 2) is access to country-restricted services like netflix, bbc, etc). You just should never rely on a VPN to guarantee your anonymity.

nv-vn commented Dec 1, 2015

You just should never rely on a VPN to guarantee your anonymity

Same goes for Tor or any other privacy service. You should always take as many measures as possible to prevent yourself from being tracked if you want to guarantee anonymity.


joepie91 commented Dec 1, 2015

@DynamicShitposter420 You're welcome to contribute to the discussion in a constructive manner (whether agreeing or not), but if all you're going to do is attacking me and trolling, then you can go elsewhere.

The post is fine but the headline is wrong. Especially since you clearly state valid use-cases for a VPN.

Yes, and this is intentional. My experience is that, whenever any claim is made of a VPN being even remotely usable for some usecases, people immediately assume that that includes theirs. This way, people need to read and understand the actual content of the article (and its described limitations and valid usecases) before drawing a conclusion.

Additionally, the concerns for "VPN services" remain applicable. You should still self-host your VPN.

I disagree, if the use-case is avoiding DMCA letters and alike. It's way too complicated to set it up in a way so it is not tied to your name. The vast majority of torrenters lack the ability to set up a VPS (let alone make sure it's anonymous) and run VPN servers securely. A VPN provider is the better solution.


joepie91 commented Dec 2, 2015

If you are not capable of obtaining a VPS anonymously, you are also not capable of obtaining a VPN anonymously, so this does not make a difference. It also still does not address the privacy concerns. If you just want to torrent and use a different service as a pincushion, then what you want is a proxy, not a VPN.

How does it matter that you're not able to obtain a VPN anonymously (we are talking about IP-address I suppose)? Your point in the original is that you're never anonymous to the VPN (which is why you shouldn't trust them). However, they don't pass on data to DMCA litigation companies (unless we are talking about HMA and alike who clearly state in their ToS that they log & pass on data).

As for proxies, how are they more secure? Also, please tell me where I get a 1Gbit proxy with unlimited traffic and ideally port forwarding, I'd definitely be using that.

Ok, but if you use TOR and VPN?

johwest commented Jan 11, 2016

A better solution is pay for use from usenet and torrents, so that you're no longer afraid of trouble.
Now cost VPN money.

How does using your own VPS help? It's still easy for someone to trace the IP to your VPS and then to you.

I think the take-away here is to not fool yourself into thinking that VPN is some sort of short-cut for Tor. In other words, don't fool yourself into thinking you're anonymous, and for the love of everything good and holy, don't think that your VPN will go to jail for your activities.

However, I use VPN services all the time (for example, There are times when either:

  • I am behind a restrictive firewall, such as at a public library or a church.
  • I need to get into an internal network with other clients, such as my browser.

And I don't buy the argument that your IP address is not a valuable asset to trackers and ad companies. Some website owners block Tor, because they cannot get honest GeoIP lookups out of a client when the request comes out of a Tor exit relay. In fact, the whole point of Tor is to obfuscate your source IP address, while remaining encrypted between the Tor client and the relays.

However, as mentioned, don't have any false ideas about your security or anonymity when using VPN services. Understand the tech and your risks using the tech. That applies for anything, not just VPN and Tor.

1n1r2 commented Jul 16, 2016

VPN services have been bothering me since forever. This is the first article I have found to address my concerns.

Yes: VPN builds a secure tunnel
No: It does not protect my private communication
It's a giant keylogger on the net that I have given permission to steal my keystrokes.

It merely funnels the secure keystrokes through a proxy that can log them.

I think I'm safer logging in directly to secure connections ( https: ) to a specific site.

Talk me down, please. Why should I trust any single portal ( even if they do have multiple
connection sites ) to monitor my internet traffic ? Oh sure, it might be preferable in an
insecure environment like an airport terminal or coffee shop.

I trusted my employer's VPN while I was working, but I'm retired now.

Still looking for more articles or discussion to address my paranoia.

This makes absolutely no sense.

Do not use HideMyAss, Expat Shield, Hotspot Shield because they datamine/keep logs.

Do not use ProXPN, at 300kbp for free, you are going to limit your speeds to around 31KBs/s. Not only that but they do not use an open source client and the level of security is not confirmed to be completely secure.

VPNReactor is confirmed to have logs, but you are welcome to use it. They have a 30 minute time limit, then you have to wait another 30 minutes.

Do not use TOR or Ultrasurf. Although some software takes advantage of it, these tools are meant for threatened bloggers, anonymous free speech and whistleblowing, not so you can download the latest Justin Bieber album.

Personally, I prefer to run my own VPN for $10/$15 a year using a cheap 128MB VPS from either Prometeus [the best] or Ramnode. You can also use it for other such as running a very small seedbox or web seed, or a tiny bittorrent tracker. The problem with this is that if you use legitimate details, the VPN could be traced back to you, but that's the same with VPNs that use a dedicated IP address who will cut you off, but using a shared IP address could mean a couple of software conflicts.

I wish more input would come in on that nice thread..
I totally agree with
But then again, a VPS provider such as DO or Linode does have your IP address and logs, which is enough for any warrant to fuck you up.

Rich700000000000 commented Sep 20, 2016

You're still connecting to their service from your own IP, and they can log that.

two paragraphs later:

Your IP address is a largely irrelevant metric in modern tracking systems.


If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own. I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndBox.

Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

  1. So let me get this straight: VPNs aren't anonymous, so I should give my credit card to Digitalocean instead?
  2. Statistically speaking, it is more likely that a VPS provider will give you up if a cop so much as glances in their direction, whereas a reputable VPN company will at least attempt to push back.
  3. Most all VPS providers are anti-p2p, which is what most people use a vpn for.
  4. Go on, find me a VPS with unlimited bandwidth, forever. I'll be waiting.

I think your main problem is that you're mixing up threat models. If I wanted total anonymity, I'd have a laptop with the usb ports hot-glued shut in an anti-EMP bag under my bed, running Tails off of a flash drive, only connect to wifi stolen from the neighbors with a yagi antenna two meters across, use tor AND run my own tor relay so that they couldn't determine the origin of the traffic.

But I don't want to do that. I want to read FanFiction without being judged by the sysadmins at Comcast. Which is why I have a VPN.

Also, you are NOT going to stand there and tell me that EVERY VPN SERVICE IN EXISTENCE is a honeypot. That's not a safe assumption, that's stallman-meets-alexjones paranoid. Do you know how much that would cost? How complex that would be?
There have been court cases:

And all they could do was shrug their shoulders.

Also, ever heard of a Warrant Canary?

TLDR: FUD 0/10, FUD with rice 0.01/10

Con7e commented Nov 30, 2016

I agree with @Rich700000000000 .

The question here is: who can you trust more, your ISP or your VPN provider? Your ISP must not be trusted by default (especially now in the UK), hence a decent VPN provider is your best bet, the "lesser of the two evils".

gwigz commented Dec 1, 2016

What about plausible deniability, with a shared IP?

jameshadley commented Dec 30, 2016

I'm glad you're shining a light on public ignorance around VPN/proxy services but I don't agree that VPN services are useless. Most large/popular sites now use/require TLS and it is often the case that the visitor would prefer that the VPN provider were able to see the packet headers than their own ISP.

Why? Your own ISP have a lot of other information about you and, especially in the UK, are relied upon to supply the Government with personal information. It is less likely that a VPN provider would immediately divulge metadata to a government to which it does not answer - and it has less personal information about its customers than the residential/commercial ISP.

Sure, setting up your own is better in some ways. In others, it's not. For example, a commercial VPN will share IPs so it's harder to correlate packets leaving your home/office connection with packets arriving somewhere else. That said, for most people, the overwhelming feeling is expedience. When you have a full time job, a family and so on, a commercial VPN means one less thing to worry about.

Actually, I would not be surprised if several of the large, well-known, well-funded US-based VPN services are honeypots. But of course, there is plenty of choice and a bit of research can go a long way.

Never had a vpn and I've been sharing files for a long time, never had a summons from the MPAA or any other agency, never set foot in a court. Logically these snoop agencies can't monitor everyone's activity, it would cost a fortune. The cases where people have been taken to court for file sharing are few and far between in the UK where I live, I feel many of these VPN services are sold on a fear factor. UK ISPs will surrender your personal details if threatened with a court summons, proving that you were the person responsible for sharing the file is the difficult part.

tsjnachos117 commented Jan 5, 2017

I do agree with many of the points made in this article. However, I'm not so sure it's a good idea to reject VPN services altogether. Rather, it seems to me like a better solution is to use VPN services with caution.

There are advantages to using a VPN over a proxy. For one thing, since VPN providers usually have their own websites, it's usually not too hard to find a privacy policy (although, as pointed out in the article, verifying that the provider is doing what said policy says is nearly-impossible). Whenever I search for a proxy, I'm usually greeted with a webpage, which in turn is just a list of IP addresses and ports (presumably from third party servers). Tracking down each address to find anything resembling a privacy policy is far too complicated for many users. On top of which, there might not be any such policy to find, so it's really hard to know what's being logged, and what isn't.

Most VPN providers like to brag about the encryption they use. Although it can be hard to know for sure what encryption is actually being used (many providers like to say "advanced" or "military grade" without really specifying which encryption method is actually being used), that's still better than many proxies, which might not be using any encryption at all. (PS: avoid using old protocols like PPTP. PPTP is particularly bad, since it only supports a few encryption techniques, all of which have become outdated. I generally recommend OpenVPN.)

Also, since proxies don't route everything (only apps configured to use said proxies), there's no guarantee your browser's extensions (Java, Silverlight, Flash, etc.), which are often run in separate executable processes, will also be routed. If they are not routed, you can generally expect said extension to leak your IP address. On top of which, many browsers will leak the users' public IP address, even if you don't have any such addons installed. For example, Firefox is prone to WebRTC leaks, and DNS leaks. If you are using a VPN, Firefox will only leak your VPN provider's IP address, NOT your actual IP address (or, at least that's my experience on Ubuntu, when NetworkManager is set to create a virtual "tun" device).

Of course, hiding your IP address is only the first step in protecting your privacy. Hardening your browser is equally important. If you use a browser that supports a large number of addons (Mozilla Firefox, Google Chrome, Chromium, etc), you'll find plenty of privacy-enhancing addons like Privacy Badger, NoScript, HTTPS Everywhere (or as I like to call it, "HTTPS wherever possible, including pages that offer HTTPS, but for some reason refuse to use it by default". Doesn't exactly roll off the tongue, does it?), uBlock Origin, DecentralEyes (Firefox only), and a boatload of others. Setting your user agent to whatever the most popular OS is (probably Windows 7 at the time of this writing) can help you blend into the crowd. It's also a good idea to get a canvas-blocking addon to prevent canvas fingerprinting. Last but not least, make sure to wipe your browsing info regularly. This is especially true for cookies, offline/HTML storage, and LSOs (aka "Flash Cookies"), as this information could easily be used to identify you.

As a final note, I'd like to mention the fact that all the privacy protection in the world won't mean a thing if you don't use said protection wisely. The TOR project, which aims to provide privacy through encrypted proxy-like relays (which, in turn, can be hosted by anyone who's willing to donate some of their bandwidth), has a very good list of DOs and DONTs, which can easily be applied to VPNs as well. Essentially, you compromise your privacy protections by identifying yourself (typically by clicking the "login" button) to a website, especially privacy-invading sites like Google and Facebook.

How about Open Source & Decentralized VPN? What do you think - would it help solve at least part of the problem?

arkbg1 commented Jan 25, 2017

Could you recommend any proxies? I'm asking for a friend.

Trauma7 commented Feb 15, 2017

He is absolutely correct! I am speaking from experience. From being betrayed by over a dozen of them. From the highest to lowest priced and recognizable free ones. If you are being stalked or tracked, an employee in an internet service provider ( any one they find you connecting to ) can and will betray you with the name of the VPN you are using. Then they move on to the VPN to betray you, with either two types of paper if you know what i mean. Do not listen to the lies! All VPN's have the ability, can and to monitor your connection to them.

Trauma7 commented Feb 15, 2017

The last should read; can and will monitor your connection to them. Even to the point of knowing the mac address of your device when you try to log on with an ISP unbeknownst to them.

k0nsl commented Mar 3, 2017

LOL, @nukeop.

Let's not forget to mention about how VPNs beg you so hard to pay them
It's very rare to find a free VPN
Every free VPN contains MB at the end all want you to pay money.
Seriously is there other way to stay secured?


ghost commented Apr 5, 2017

I always thought the concept of a "VPN provider" was a bit of an oxymoron. I'd argue the most commonly intended implementation of a VPN is to bridge two private (trusted) networks over an insecure network, as opposed to knowingly letting some guy MITM all your traffic.

farinspace commented May 5, 2017

Excellent read, highly recommend that anyone who stumbles upon this page, go back and wade through the comments:


Your computer communicates in many ways you likely are not even aware of, email checking in the background, twitter checking, auto Facebook heart beat, apple server heart beat, iCloud pinging, browser logged into different services, etc. etc .. connecting with a VPN at a software level or even at a router level still exposes these communications on the same "line" you think is private. You likely need an entirely new device, purpose based, not associated with your identity ... and also consider from which network you establish a connection from (e.g. your ISP).

Additionally keep in mind that timestamps and IP addresses will both likely lead to the tracking down of accounts that are associated with your VPN or VPS leading to your identity.

As @jameshadley mentioned, many of these so-called secure VPNs could very well be honeypots.

As @joepie91 mentioned if you are not able to obtain a VPN, VPS anonymously there exists enough data to trace back to your identity.

I disagree, if the use-case is avoiding DMCA letters and alike.

This has been my use-case as well. I've also found it useful to access pages otherwise restricted by country, such as streaming South Park from their official page. Not interested in security or anonymity.

I was considering a VPN service because I generally tether my pc to my phone and use my phone's unlimited data since the ISP's in my area suck so much donkey ass. I ran my unrestricted tethering data out then just used an app to tether it and prevent the bandwidth restriction from affecting me. Since the network congestion on my phone is basically non-existent my speed is pretty good compared to what I got from landline ISPs even after exceeding the monthly limit and being given lower priority. However, I'd very much like to avoid any unnecessary questions regarding my usage (lots of pc gaming). Would a VPN service help with that?

I would usually agree with you but there are many good services out there, you just need to know which one to choose from the myriad of providers, many are bad, many keep logs of what you are doing, but there are a few of them that are quite reliable. Some even offer free trials for you to test their software before purchasing anything, I would advise you to look into some lists of the best vpn services in 2017.

You all should check out Mysterium, an opensource and decentralized VPN. This definitely could solve the problem. It's equally built on a block chain technology @nukeop

blhyip518 commented May 30, 2017

I find many reviews at Google search results. How much credibility do you think as they talk? such as this one.
Best VPN Services of 2017 – Top VPN in the World

You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM)

This is now increasingly becoming a problem where ISPs are being handed the power to do whatever they like with their customers' metadata. If you're in the position of having no choice but to use an ISP that has this power and you're in doubt as to whether your usage data is being sold, monitored or you're being traffic shaped due to what the ISP believes you're doing, this strengthens the case for using a VPN.

Legislation is moving to make ISPs hostile to their own customers and for the moment use of VPNs are not criminalized, but who knows how long this will be the case.

purchase a VPS and set up your own

This statement is a "stop, wait" moment because this is subject to exactly the same argument and consideration as But my provider doesn't log! and There is no way for you to verify that. Unless you own an entire data center and own all the tin and edge devices that the VPS depends on, there's no way to know if the VPS provider is retaining network logs or not. This presents exactly the same problem you have if you use a public VPN service - how can you fully trust the VPS host provider?

This gist is biased towards positing arguments against end users using VPN services and the issues in that area. However there's a whole other scenario that this gist doesn't touch upon at all: consider a business that is co-located with two branches that are connected via VPN technology for sharing sensitive business data between the offices. The business might use a regular ISP with static IPs either end or a private WAN circuit provided via some telecoms provider.

Clearly there's no commercial VPN service in play here in this B2B scenario, the VPN servers is / are hosted within the business on private hardware, the VPN technology in use will be a flavor of exactly the same VPN technology used by all commercial VPN service providers and in this case we have true end to end tunnel encryption. In this scenario it's 100% incorrect to make a sweeping generalization statement of "do not use a VPN" because this type of setup works and can be trusted.

Where does that leave us? For personal user use where encrypted tunneled traffic leaves the VPN and exits onto the internet I agree that the implementation and use of any VPN involves a certain amount of trust. Whether you use a public commercial service or you host your own VPN server on a remote VPS makes no difference to this fact. Whatever the type of VPN, the weak link is the part you don't have full control of - the part just after where the traffic leaves the tunnel and becomes regular non-tunneled / non encrypted traffic. In other words if you must use a VPN for general internet use, choose carefully before you put your trust in any provider.

For the record, for my own personal use case I lean towards a self hosted VPN as being the best option.

Personally, I am using Express VPN for last two years and I have never experienced any kind of problem till now. The only Trusted VPN service I would like to recommend. Express VPN providing me with best promising service. It is better to go safe and go for trusted VPN service and provide strong encryption rather than to wasting money on not so good VPN Service Providers.

szepeviktor commented Jun 17, 2017

I lease a $3 VPS and use PuTTY as a SOCKS proxy. Firefox is set to use it.


  • continuous connection - don't have to wait for TCP to build up
  • datacenter networking and DNS resolvers
  • IPv6 access
  • fixed IP address


Yes: VPN builds a secure tunnel
No: It does not protect my private communication
It's a giant keylogger on the net that I have given permission to steal my keystrokes.
It merely funnels the secure keystrokes through a proxy that can log them.

While this is true for proxies (HTTP[S] proxies) because they have to "break" TLS encryption by design, it's not true for VPN software that configures a routing set on your PC to route all traffic over the VPN provider's servers. This happens on another OSI level than classic proxying, so with a VPN connection your traffic to the site you're logging into (Apple ID, Microsoft Account, whatever) is still end-to-end encrypted. You can validate this by looking at the TLS certificate when you're visiting the website.

muzikman commented Jul 12, 2017

How do I avoid the automated emails after I download torrents that are being watched? That's the only reason I wanted to use a VPN. I don't want to get busted downloading torrents directly.

I have been doing a lot of research on VPN's the past month. I tried a few out for free. Tried to trick some services to see if it worked and it did. I read some interesting information from PIA about DNS Leaking, etc..... Yes, of course they will tell you what you want to hear. It's a business.

If a VPN isn't what I am looking for to download torrents safely, is there anything that will?

Also - Is it true that ISPs will throttle your bandwidth based on the source/content? If so, wouldn't a VPN prevent this?


f1r4s commented Aug 6, 2017

Personally, i would love to be a bot in this fucking world and be one of Fast-flux network!

I think if Fast-flux techniques lead us to be using it as our proxy we will be in safe place... !

How do you trust your vps server provider?
And what's more, how about the ISP for your vps server provider?

kamilla commented Aug 21, 2017

The post is interesting and does raise many valuable points and issues, but I still agree on more with touya-akira, atoponce, Rich700000000000 and other well reasoned arguments.

I wasn't so interested in my privacy before. I always thought that I wasn't doing anything that I wouldn't mind anyone to know. And if I did do something that I wanted to keep in private, I used TOR and other countermeasures to hide my online actions. I never thought that those anti-piracy letters that were already being sent in the US could be a threat at all here in Finland. And as you can guess, I was wrong. Anti-piracy-letter-blackmailers landed in Finland about 2-3 years ago in a big way. Lawsuits began to appear and even then I thought that those charges would never hold. I was wrong again. I was stunned to see the Finnish District Court gave a verdict where the defendant was sentenced as guilty and ordered to pay enormous amounts of compensation. (800 euros / one TV episode that he was downloading (or misclicked, the sentence based on still capture and no proof of complete downloads or even sharing 1 byte were made at all)). Just a few weeks after that I got my first blackmail-letter from Hedman & Partners (the legal battle is still ongoing).

After the incident I started to search VPN providers and found very promising one, NordVPN (this is not a commercial! make your own decisions!), that at least promised to not log anything and offered other nice features, so I decided to try that. Now it's been almost 2 years without a single blackmail-letter. My friends with no VPN have got those letters and few of them even have had to pay the amount in court decision (or they didn't want to start a big legal battle against evil blackmailing companies, in which they couldn't be sure to have won here in Finland). So yes, VPN has done a great job for me and I keep trusting them way more than I would for example my ISP, that initially was the one who gave thousands and thousands of IP addresses and personal information to blackmailing companies like Hedman Partners. Thank god it was decided now year ago, that it is illegal to hand over thousands of IPs and identified data based only on IP address logs on the wiretapping-tool (that itself did and does share way more data than any individual as they have to join to torrent swarm to get any data).

I definitely trust my VPN more than I trust my government, for example. And when it comes to VPS and other self hosted systems, why on earth would you trust them more to not give up your private information than a VPN provider that allows anonymous registration and payments? And even if you could get a VPS anonymously. The glorified proxy, as you see the VPN, offers more security because of its shared IP. And at least I haven't read any story about a VPN company (at least here in Europe) that would have given its customers' personal data and connection logs (if they even exist) to government officials or blackmailing companies. There are also some legal battles concerning the logging and they have all dried out to see that there were no logs, as others have already mentioned.

Of course VPN is not a magic tool to hide you or anything. You need to know what it is and what you are doing with it. Same goes for TOR and other privacy offering services. They are next to nothing when used incorrectly. But not all VPNs are evil, even if some of the free ones are. (Who even uses free VPN and thinks that they are not trying to exploit you? I know, money is not a guarantee to make service better, but still)

g33klord commented Sep 8, 2017

Here by VPN you mean "third party VPN service provider". What if I have set up my own VPN servers? With projects like Algo, it has become very easy to set up your own VPN server.

I don't want my ISP to see what I am browsing.

tdemin commented Sep 10, 2017

@g33klord the article mentions this as a preferred way to do things if you still have to use a VPN. So, the article has got you covered. 😉

Nice article. I assume that there's really no such thing as anonymity on the world wide web. That being said, I do use a VPN so that I stop getting those warnings from my ISP.

I disagree. Using a VPN is safe especially when you use free wi-fi in public places and can be easily hacked. Here is an article which explains how VPN works

I have used OpenVPN for several years, but now I think SoftEther is the best encrypted VPN protocol; here is a post discussing it.
And setting up a VPN by yourself on a VPS is easy, but I don't want to take my time to do it :)

notjoe commented Sep 30, 2017

Hey there,

VPNs are probably even worse than your ISP assuming you're not using a trusted VPN. Think about it for a minute. Your ISP has less to gain by stealing your packetz than a rogue VPN Provider.

I completely disagree with this article because after reading this article I became a lifetime user of VPN.

nf3 commented Nov 9, 2017

I wrote an article in this same vein on what are the important criteria in choosing (or not choosing, as this original gist would recommend) a VPN. My article addresses many of the points that this gist touches upon.

And like many of the commenters, I agree and recommend that TOR plus a VPN is the current best privacy practice in order to shield yourself from 3rd party eyes.

nukeop commented Nov 11, 2017

Article sponsored by the NSA

moti-safer commented Dec 3, 2017

Just protecting your WiFi connection is a good enough reason to use a VPN.
About the logs - it's in the company's interest that users will be private, secured and happy.

Klinsen commented Dec 10, 2017

For me, a VPN is an important tool. In my country there are always restrictions on sensitive content which isn't sensitive all the time. If you want freedom on the net then a VPN is for you. On the other hand, it can even protect you from hackers. Yeah, hackers.

emilyanncr commented Dec 11, 2017

There's quite a few analytical inaccuracies in this article but my primary issue is the statement that all VPN providers log traffic. That is simply not true. Recently, IP Vanish, Private Internet Access and other VPNs have suspended operations in Russia because Russian laws conflict with their no-log policy. In a case in March of last year, the FBI subpoenaed Private Internet Access for their logs and PIA refused stating:
“Our company was subpoenaed by the FBI for user activity logs relating to this matter,” London Trust Media Executive Chairman Andrew Lee informs TorrentFreak.

“After scrutinizing the validity of the subpoena and confirming it, we restated as we always do the content of our privacy policy and then we notified the agent that we do not log any user activity. The agent confirmed his understanding of our company’s policy and position and then pursued alternative leads.

“This report makes it clear that PIA does not log user activity and we continue to stand by our commitment to our users.”

Bomper commented Dec 19, 2017

This article started well, but got a lot of junk and spam comments. Gists don't send notifications, so @joepie91 never came back in 2+ years.

Anyways, the most reliable source (recommended by the EFF) for comparing VPN services is From there you can look up VPNs that don't log, are located outside major surveillance jurisdictions ("5 eyes"), have good business ethics etc. is one of the best. It accepts Bitcoin and the first three hours are free. Their support is quite remarkable - I got a reply to the only issue I had with them in under an hour. You don't have to use their app - you can use the standard OpenVPN service that works on Mac, Windows and Linux, so there's no way to get malware from Mullvad.

pablospe commented Jan 2, 2018

The mysterium network (a decentralized VPN) has been mentioned. I was wondering your opinion about this, and if this could be a solution to the current VPN problems mentioned here; namely, the need to trust in VPS or VPN providers.

Garbage article, stupid and wrong 'arguments'. VPN is still better than nothing; choosing the right one is key. The server location doesn't matter if the encryption is strong enough so that no one can look into it; even if they're forced to give user data away they would only see gibberish, that's a fact.

There are wrong myths and rumours, but there are only a handful of people who really understand what it really takes to harden your VPN service against attacks, so in the end it's a matter of how fast your provider fixes known holes (because you can't be aware of every possible attack).

frazras commented Feb 7, 2018

@joepie91 would the perfect VPN be a service that offers preconfigured VPNs on your own secured VPS with an encrypted hard disk?

BTW, I use a private VPN server which can be set up on AWS in a few minutes

No logging on server side guaranteed. AWS could monitor but I do not think of that as an issue for my use cases.

Better yet, seek out reasonable advice from those proven to be invested in our privacy:

Saying that VPN providers log all traffic is a big assumption! First, it’s impossible to log trillions of GBs daily. Second, your traffic is supposed to go through a secure tunnel between you and your provider. Third, it’s easy to know if your provider decrypts your traffic: simply view the SSL certificate of the website that you are visiting and see if your VPN provider replaces it with its own. If the SSL certificate is issued to the website that you are visiting then you are safe. Some providers offer a second layer of encryption and in this case they need to work as MITM. If you own an iPhone, an app called Inspect can help you to view SSL certificates. Regarding ISPs, they have no interest in decrypting your traffic unless a big brother asks them to do so! ISPs still have interest in some metadata that the FCC allows them to collect and sell. So the decision to use a VPN or not depends on what you want to achieve and what your risks are of being a victim of spying or stalking!

You forgot to add one crucial point about VPN. Where the server is located (country). Meaning the law prosecution triggers more in some countries and less in another.

And... how is home VPN same as VPN in country XYZ? my VPN is always my VPN address. VPN provider elsewhere adds at least one layer aka. another ip. And where is your data retention time mentioned? You're missing some big points in your article.

However, it's written in a way that people should consider using their own brain before buying a VPN service.

If I'm providing VPN services, am I in any danger? For example, the government wants info about some customers and I don't want to provide it.

@chef-kock if they (police) start their search at the destination, they will have the content you were looking for. All they will require from your VPN provider is where this connection came from and not its content. And this is the only data that a VPN or a VPS provider could log and handle. Anyway, there are good cases to use VPS and VPN providers, like living in countries where free speech is forbidden, so I would like to provide an alternative to commercial VPNs. It's the Streisand project, which automates the configuration of a number of tools to surf anonymously:
Again, it should not be used to access private contents or for hacking because it would be wrong and it would give the police an excuse to go after you and your IP in the vps provider than in your ISP.

Would strongly recommend this for setting up your own vpn, super easy to use:

Security advice that 99.9% of Internet users can’t implement is garbage information.

It's easier to hack into your neighbor's WiFi, do what you got to do and get out :*

If it makes no difference then why not? You are always on a known-hostile network (i.e. EVERY NETWORK). VPN is a misnomer - it is not truly 100% private. However, most paid for services are good enough to bypass ISP. You could set up your own, extend your network slightly to bypass your ISP, appear in different locales, is easy enough, on a cheap cloud provider. If you do implement VPN make sure you route DNS through your VPN. If you want absolute nation-state proof privacy - it can't really be had that easily as even TOR is pretty well mapped now. You're gonna need a bigger boat.

This is just bullshit. ProtonVPN is very secure and should be used. Others like Hotspotshield and Betternet should not be used.
Here you can see very trusted VPNs in good countries.
This post is OLD! Stop trusting this useless shit. Some VPNs can provide 90% anonymity.

ttlequals0 commented Feb 14, 2018

Shameless plug, but there is a reason why I made this

I can make disposable VPN endpoints anywhere in the world.

I pay as I need no monthly subscription.

You will always have a fresh endpoint, making it unlikely to be compromised without you knowing.

This is not meant to be used for illegal activities but more as a way to protect yourself on hostile networks.

There is a lack of anonymity because you have an AWS account tied to a credit card.

There is an inherent trust in AWS. They probably log and most likely don't monitor traffic.

Pushergene commented Feb 15, 2018


Payment method is not so important... because your payment won't be written in the logs. If the service is trustworthy, your payment information won't be compromised. It's just about what VPN service you are paying for. It's important where the VPN is based. They have to respect the laws, so it means they can't just say they cannot see what you are doing while using the VPN. And in some countries there's no data retention law. US VPNs should not be used.

ISPs react to requests for data from lawyers when it's about filesharing. Good VPNs ignore requests from lawyers because there's no court order.
Some countries don't have data retention laws and are outside the US and EU. For example ExpressVPN, NordVPN, Perfect-Privacy, ProtonVPN are in good countries.

Rather ill-considered. The advice to set up your own proxy / host your own VPN trades a lot of things away just to make sure you are not being logged by a VPN service. Your cost is probably more, reliability probably less, and your traffic may be much more readily identifiable as 'you' because instead of sharing an address with other customers, it’s … just you. Take into account the reasons someone may want a VPN.

Those people in the comments linking to their own articles/websites trying to bring in a few visitors/customers are pathetic.

megawattz commented Feb 16, 2018

I would only direct certain traffic through a VPN, not everything. Dedicate one browser to be the VPN browser.

Why? Because IP address is not the only identifying data you are sending. Cookies, E-Tags and other methods can identify you uniquely and VPNs don't block any of that. Also a VPN will direct ALL traffic, not just browser traffic. Who knows what your apps are transmitting? If you send ANY identifying data through the VPN then the attacker can associate THAT data with your non-identifying data by assuming the same TCP addresses showing identifying data are yours. Also ONLY use HTTPS websites, never HTTP. A VPN does not decrypt your HTTPS connection, i.e. you cannot be attacked by a man-in-the-middle. (Unless the NSA has co-opted all digital certificates, which is actually a distinct possibility)

Dedicate one browser as the private browser, that and only that uses the VPN. Opera has a built in VPN. Also always use the incognito or privacy mode also. This deletes cookies after your session so you can only be identified as "this person" for your session, and no longer. Set the browser to NOT retain 3rd party cookies to reduce tracking in general.

Now, all your vanilla traffic you use your normal, open browser. "Look NSA, I'm just a solid citizen, taking my vaccines, watching CNN and voting for Hillary". But for stuff that has any degree of controversy, use the private VPN dedicated browser. "Look Chief, this isn't our guy. This is Mr. Brain Dead American zombie wanker. He's not into anything weird". (wink wink, nudge nudge, say no more)
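An added illustration of the point in the comment above that cookies and ETags identify a client regardless of source address (this is not code from the gist or from any commenter). The log format, the sample lines and the function names `parse` and `linked_addresses` are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). 203.0.113.7 stands in for a
# home address, 198.51.100.20 and 198.51.100.99 for shared VPN exit addresses.
SAMPLE_LOG = """\
203.0.113.7 "GET /news" cookie=sid=a1f3 if-none-match="e-77"
198.51.100.20 "GET /forum" cookie=sid=a1f3 if-none-match=-
198.51.100.20 "GET /forum" cookie=- if-none-match="e-42"
198.51.100.99 "GET /forum/post" cookie=- if-none-match="e-42"
198.51.100.20 "GET /shop" cookie=sid=9c0d if-none-match=-
"""

# Hypothetical log layout: source IP, request, Cookie value, If-None-Match value.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<req>[^"]*)" cookie=(?P<cookie>\S+) if-none-match=(?P<etag>\S+)$'
)

def parse(log_text):
    """Yield (ip, [identifiers]) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ids = []
        if m["cookie"] != "-":
            ids.append("cookie:" + m["cookie"])
        if m["etag"] != "-":
            # A cached ETag is replayed by the browser, so it acts like a cookie.
            ids.append("etag:" + m["etag"].strip('"'))
        yield m["ip"], ids

def linked_addresses(log_text):
    """Map each client identifier to the set of source IPs that presented it."""
    seen = defaultdict(set)
    for ip, ids in parse(log_text):
        for ident in ids:
            seen[ident].add(ip)
    # Only identifiers seen from more than one address tie addresses together.
    return {ident: ips for ident, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    for ident, ips in sorted(linked_addresses(SAMPLE_LOG).items()):
        print(ident, "->", sorted(ips))
```

The session cookie ties the home address to a VPN exit, and the replayed ETag ties two VPN exits to each other, while the second visitor on the shared exit (`sid=9c0d`) stays distinct; a browser profile that never carries state from non-VPN sessions leaves the site nothing to join on.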

I do not know how or why but my personal experience has shown me that using VPN is LESS secure than not using VPN. I started using VPN about a month ago and things have been worse, not better, in relation to privacy.

This is a bunch of crap. You make valid points but you forget that without a VPN you still have to trust the ISP that you are using. Even when you build your own VPN, there are so many drawbacks that come with that. Limited locations, limited app support, network experience and so many other things that are required to do it right, which 99% of consumers have no awareness of.

Basically, your VPN provider becomes your ISP. Your write up assumes every VPN provider is malicious. This couldn't be further from the truth and while you can't verify what they do with your encryption keys and data, you HAVE to trust some entity...and I would much rather trust a VPN company versus an ISP who 1000% is going to track me and resell my data and browsing activity.

Your reference of a glorified proxy is terrible too. A proxy uses no encryption which is exactly what differentiates it from a VPN. Regardless of who has access to this encryption (you, your ISP, or your VPN provider), a VPN offers a lot more benefits than a "glorified proxy."

"Don't drive cars because they kill people.."

Great read (comments included). Much appreciated.

wenell commented Feb 22, 2018

Well, I don't think all VPNs log users' activities. I thought there is no need to use VPN after reading users' reviews. I really feel that I should need to use VPN. I use VPN all the time and on all devices like laptop and smartphone, etc. Without VPN I feel unsafe because I pay the bills via credit card while using public WiFi. I don't think all VPN providers log users' activities because they claim that they do not log users' activities and I think I am using a logless VPN. I don't know if they record activities, but we can trust them; there's no other way.

dmzpkts commented Feb 23, 2018

They finally let you out of jail Sven????

This "article" was written by a person who had his IRC server rooted, and compromised all of the users across his network. The group responsible released over a million lines of chatlogs. Joepie found them and apparently thought that echoing the word "cocks" into the file would delete the rest...


See for yourselves.

" Towards the end of this dump, we just stopped taking backups and left tail -f
running. joepie97 found the hook, just a little too late (a million PMs in
the PM log alone). He then ran: "echo 'cocks' > ._IRCD". Interestingly,
neither Stanford, nor Gentoo developers, nor the EFF list "echo 'cocks'>file"
as a secure deletion method. As such, we proceeded to take the latest copy
directly off the HDD (sed cocks). Check out the Files section for the
chanlogs & PM logs. "

Sven Slootweg is no one to listen to when it comes to security.
