@joepie91
Last active October 11, 2024 03:28

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPNs for their intended purpose; that is, as a virtual private (internal) network. It only applies to using one as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (i.e. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kinds of tactics, and combined with increased adoption of CGNAT and an ever-increasing number of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.
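
An added illustration of the point above (not part of the original gist): a tracker that keys on browser attributes instead of the source IP still links one visitor across rotating VPN exits, while keying on IP merges unrelated visitors behind a shared exit. The attribute names, visitors, and request log are all constructed for this example.

```python
import hashlib
from collections import defaultdict

# Attributes a site can read from the browser itself (names are illustrative).
FIELDS = ("user_agent", "accept_language", "screen", "timezone", "canvas_hash")

# Constructed sample visitors; every value below is made up for this example.
ALICE = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "accept_language": "nl-NL,nl;q=0.8,en;q=0.5",
    "screen": "2560x1440x24",
    "timezone": "Europe/Amsterdam",
    "canvas_hash": "constructed-canvas-a",
}
BOB = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    "accept_language": "en-US,en;q=0.9",
    "screen": "1920x1080x24",
    "timezone": "America/Chicago",
    "canvas_hash": "constructed-canvas-b",
}

# Constructed request log: (source IP, browser attributes).
# Alice hops between three VPN exits; Bob shares one of those exits with her.
REQUESTS = [
    ("198.51.100.7", ALICE),
    ("203.0.113.21", ALICE),
    ("192.0.2.44", ALICE),
    ("203.0.113.21", BOB),
]

def fingerprint(attrs):
    """Hash the browser attributes; the source IP is deliberately not an input."""
    material = "\x1f".join(attrs.get(field, "") for field in FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]

def group_requests(requests, key):
    """Map each key value to the indexes of the requests that share it."""
    groups = defaultdict(list)
    for index, request in enumerate(requests):
        groups[key(request)].append(index)
    return dict(groups)

def by_ip(requests):
    return group_requests(requests, lambda request: request[0])

def by_fingerprint(requests):
    return group_requests(requests, lambda request: fingerprint(request[1]))

if __name__ == "__main__":
    print("grouped by IP:         ", by_ip(REQUESTS))
    print("grouped by fingerprint:", by_fingerprint(REQUESTS))
```

Grouping by IP yields three groups, one of which wrongly mixes Alice and Bob; grouping by fingerprint yields exactly two, one per visitor, regardless of which exit each request came from.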

So when should I use a VPN?

There are roughly two use cases where you might want to use a VPN:

  1. You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (as is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using WireGuard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.


This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.


Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

@GenericRsPlayer

GenericRsPlayer commented May 26, 2023

@nukeop commented on this gist.
Yes I already know that americans are brainwashed, obnoxious, and clueless. No need to drive the point home buddy

Wow you just continue to be oblivious too! You're not superior to anyone. Just as I am not superior to you. Clearly I have more common sense. But you just keep making fun of people; on a place where it won't go away. And where your future comments could be looked at as "doesn't cooperate well with others"

I'm not here to troll you. I'm just going to continue to hold up a mirror until you've decided you've had enough.

Btw. Hope you're having a wonderful day. God loves you brother.

@GenericRsPlayer

I accept your concession.

I hope things get better for you

@Amiralgaby

is there a French fork of this file please?

@2gn

2gn commented May 26, 2023

VPNs will hide what you do from ISPs, at least.

@Finoderi

It seems most people don't know anything about proxy servers, but VPN concept was popularized by YouTubers. And the 'glorified proxy' part is just ignored as something vague and inexplicit.

@LokiFawkes

@2gn Not really. ISPs buy data from data brokers, which own almost all if not all the "vpn" services (which again are just proxies that maybe, MAYBE use a protocol meant for actual VPNs). Literally all they're good for is getting around geofilters and not a damn thing else.

@dxgldotorg

dxgldotorg commented May 27, 2023

It seems most people don't know anything about proxy servers, but VPN concept was popularized by YouTubers. And the 'glorified proxy' part is just ignored as something vague and inexplicit.

Actually it is in more recent years that VPN companies have approached YouTubers with sponsorship deals.

@Finoderi

From Nigeria with love.

@LokiFawkes

We got another shill: @vpnsguru

@LokiFawkes

Aaaand @nukeop steps back in the shill ring.

@LokiFawkes

Keep shilling, you only have your reputation to lose... If that.

@LokiFawkes

Talking to yourself? Cause you're the only mad one here.

@dxgldotorg

Install Sponsorblock: https://sponsor.ajay.app/ Why would anyone watch videos with sponsor segments?

This doesn't address the issue, it sweeps it under the rug.

@Finoderi

The article is rather short but you still failed to read it till the end. Well done.

@Finoderi

Sunshine, you fail to understand the difference between using VPN in general and using VPN SERVICE. I highlighted the important word for you, but there is not much hope it'll make any difference.

I use both VPN and proxy all the time, but I set it up myself on a small VPS.

@Finoderi

I don't know what it's supposed to mean. I deleted my Reddit account back in 2020 when Americans were caught up in BLM hysteria. Reddit admins always have been completely fucked in the head but at that moment they've outdone themselves.

@LokiFawkes

@phr34k0 Assuming you're not talking out your ass (you are), it begs the question, why chain when you can just use Tor or I2P

@MarcusRichardson

hello

@T0asti3

T0asti3 commented Jul 12, 2023

@phr34k0 Assuming you're not talking out your ass (you are), it begs the question, why chain when you can just use Tor or I2P

@LokiFawkes Dude ever heard about entry and exits nodes? try selling yo momma on TOR and watch CIA bust down your door. Nodes can be watched or controlled. This happens all the time. TOR routing is secure but not to the exit nodes.

@Finoderi

It's always fascinating to see the discussion of true professionals.

@LokiFawkes

@T0asti3 Firstly, if you're going through exit nodes, you're as insecure as if you're using a proxy service. NordVPN ain't gonna protect you any more than a malicious exit node, even if you've chained three NordVPNs.
Second, with Tor and I2P, you don't have to pay anyone or reveal your identity to anyone to use onion routing. There are very few proxies that might behave hands-off and that let you gain service without revealing yourself. And the ones, or really one, I'm speaking of, doesn't like to be chained.
And even the one I spoke of, still wouldn't recommend for privacy so much as obscurity for basic IP filters.
If you want privacy through an overlay network, you need that overlay network to not be owned by any third party. Tor and I2P for example, completely decentralized, at least in terms of design. I2P is better at staying that way, but less accessible, while Tor gained popularity by connecting to exit nodes by default to let you access the clearnet through Tor.
The endgame is you shouldn't have to exit the overlay network through anything you can't trust.
Some people actually use I2P with an outproxy into Tor instead of using Tor or I2P directly to the clearnet. Some people go as far as setting up a Tor outproxy on I2P using a server they got pseudonymously and use that as their outproxy wherever they go.
Try to sell your mom on Tor, you've just revealed yourself. Try to sell people who don't exist on Tor, you've got yourself a worthwhile scam.

@vanderplancke

I can confirm beyond any doubt that vpns do not work. They do not mask your identity. You are just throwing money away using them. If you really want to not be tracked don't conduct activity that would get you on the radar.

@vanderplancke

Yes listen to the shill throwing slurs. Speaking from experience with federal police no VPNs do not work. But hey gotta respect the hustle to get kickbacks from trying to convince people to sign up.

@RivenSkaye

VPNs are very much useful for "when should I" argument 2.
My ISP would frequently squeeze traffic to known public trackers, which hasn't been an issue ever since I started using glorified proxies. And it also helps circumvent blocks on certain sites, which is precisely what I need it for.

As such, a third point to note is "when you need access to services or resources that you can't reach through your current network or ISP."

@dxgldotorg

Sunshine, you fail to understand the difference between using VPN in general and using VPN SERVICE. I highlighted the important word for you, but there is not much hope it'll make any difference.

I use both VPN and proxy all the time, but I set it up myself on a small VPS.

For me, my VPN lives inside my router and gives me remote access to my connected devices.

@LokiFawkes

For me, my VPN lives inside my router and gives me remote access to my connected devices.

And this is what I like to call, an actual VPN.

@M-u-m-p-i-t-z

M-u-m-p-i-t-z commented Jul 31, 2023

Some questions:

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of [CGNAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT) and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a [fingerprinting profile](https://panopticlick.eff.org/). A VPN cannot prevent this.

Just suppose my ISP doesn't use CGNAT but I keep my IP for weeks, and my browser doesn't allow fingerprinting because only fake data is sent. If I visit different websites without VPN, the fingerprint is always different but I have the same IP, what sense does that make, you can not track easier?
If I use a VPN and / or proxies, I get a different IP every day that I share with thousands of other people and always have a different fingerprint. What should not work in this practice?

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

Yes, but how can an outsider see which of the thousands of users is accessing which websites? The data streams that go in cannot be assigned to the decrypted streams that go out. Thus, you have 1000 defendants when someone fucks up.
Before the question is answered again with "But the VPN provider knows everything", please read my last question.
The VPN provider can know everything, but does not have to.

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

The ISP does that too and sells the data and you can't always choose the ISP. A VPN provider that shares data with its customers without obtaining their consent is acting illegally and committing a crime itself. The ISP writes it in its terms of service.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

Wouldn't it be much easier to tell the authorities "Sorry I can't identify my users because I have no logs! I can only provide all users as a list"? It would never come to a criminal complaint, how do you want to prove a specific person did a crime? For what reason should the VPN provider here can be legally prosecuted, as long as no law requires that I do not log my users, which in turn must then be written in the terms of service?

@LokiFawkes

@M-u-m-p-i-t-z Exactly as stated: The IP address is a useless metric these days.

Firstly, good luck actually setting up a browser that flies under the radar like that. If you sign in anywhere, your browser will be tracked, your new fingerprint will be tracked as long as you stay signed in or sign in again.

Marketers employ many different methods of tracking. From the classic cross-site tracking cookie, to the modern fingerprinting methods we know today. You basically aren't safe from this unless you're using Tor Browser (with or without actually using the Tor network) and not signing in anywhere.

As long as you're signed in, or allowing cookies, or allowing javascript, or it's able to get actual canvas sizes, etc from your browser, no proxy in the world can protect you.

The VPN provider that shares data of its customers without obtaining their consent is actually protected by silver tongued legalese in the terms of service and gag orders in the law.

It is in fact not easier to tell the authorities, "Sorry I can't identify my users because I have no logs!". That's a good way to get in trouble with 14 Eyes surveillance laws. And no, those surveillance laws are not limited to the 14 core nations of the Eyes. Most nations of the world are in on it without increasing the number of "eyes" in the name, and even if your company is from another country, if you have servers in an Eyes country, you're subject to their laws.

If they can't directly command you by law to conduct mass surveillance, they can hold you accountable for "letting" your users commit what these countries consider to be crimes. Such as journalism, protests, or god forbid being Fr*nch.

@Naleksuh

Naleksuh commented Aug 3, 2023

I think the IP part is confusing people because first the post says "You're still connecting to their service from your own IP, and they can log that." then later it says "Your IP address is a largely irrelevant metric in modern tracking systems. ". I think the confusion is because joepie91 is talking about tracking by the government in the first one, and tracking by advertisers in the second one. It might be a good idea to clarify that.

@LokiFawkes It depends on the fingerprinting software. Some include your IP address, other people don't. Either way, there is more to fingerprinting than your IP address. Here's a test site many people use: https://coveryourtracks.eff.org/

Edit: Actually the original gist already links to this site

@LokiFawkes

@Naleksuh Yeah, it seems a lot of people are confused by the concept of attacking the same assertion from multiple angles.
