Skip to content

Instantly share code, notes, and snippets.

@joepie91
Last active April 17, 2024 18:05
Show Gist options
  • Save joepie91/5a9909939e6ce7d09e29 to your computer and use it in GitHub Desktop.
Save joepie91/5a9909939e6ce7d09e29 to your computer and use it in GitHub Desktop.
Don't use VPN services.

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

  1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.


This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.


Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

@M-u-m-p-i-t-z
Copy link

M-u-m-p-i-t-z commented Jul 31, 2023

Some questions:

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of [CGNAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT) and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a [fingerprinting profile](https://panopticlick.eff.org/). A VPN cannot prevent this.

Just suppose my ISP doesn't use CGNAT but I keep my IP for weeks, and my browser doesn't allow fingerprinting because only fake data is sent. If I visit different websites without VPN, the fingerprint is always different but I have the same IP, what sense does that make, you can not track easier?
If I use a VPN and / or proxies, I get a different IP every day that I share with thousands of other people and always have a different fingerprint. What should not work in this practice?

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

Yes, but how can an outsider see which of the thousands of users is accessing which websites? The data streams that go in cannot be assigned to the decrypted streams that go out. Thus, you have 1000 defendants when someone fucks up.
Before the question is answered again with "But the VPN provider knows everything", please read my last question.
The VPN provider can know everything, but does not have to.

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

The ISP does that too and sells the data and you can't always choose the ISP. A VPN provider that shares data with its customers without obtaining their consent is acting illegally and committing a crime itself. The ISP writes it in its terms of service.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

Wouldn't it be much easier to tell the authorities "Sorry I can't identify my users because I have no logs! I can only provide all users as a list"? It would never come to a criminal complaint, how do you want to prove a specific person did a crime? For what reason should the VPN provider here can be legally prosecuted, as long as no law requires that I do not log my users, which in turn must then be written in the terms of service?

@LokiFawkes
Copy link

@M-um-p-i-t-z Exactly as stated: The IP address is a useless metric these days.

Firstly, good luck actually setting up a browser that flies under the radar like that. If you sign in anywhere, your browser will be tracked, your new fingerprint will be tracked as long as you stay signed in or sign in again.

Marketers employ many different methods of tracking. From the classic cross-site tracking cookie, to the modern fingerprinting methods we know today. You basically aren't safe from this unless you're using Tor Browser (with or without actually using the Tor network) and not signing in anywhere.

As long as you're signed in, or allowing cookies, or allowing javascript, or it's able to get actual canvas sizes, etc from your browser, no proxy in the world can protect you.

The VPN provider that shares data of its customers without obtaining their consent is actually protected by silver tongued legalese in the terms of service and gag orders in the law.

It is in fact not easier to tell the authorities, "Sorry I can't identify my users because I have no logs!". That's a good way to get in trouble with 14 Eyes surveillance laws. And no, those surveillance laws are not limited to the 14 core nations of the Eyes. Most nations of the world are in on it without increasing the number of "eyes" in the name, and even if your company is from another country, if you have servers in an Eyes country, you're subject to their laws.

If they can't directly command you by law to conduct mass surveillance, they can hold you accountable for "letting" your users commit what these countries consider to be crimes. Such as journalism, protests, or god forbid being Fr*nch.

@Naleksuh
Copy link

Naleksuh commented Aug 3, 2023

I think the IP part is confusing people because first the post says "You're still connecting to their service from your own IP, and they can log that." then later it says "Your IP address is a largely irrelevant metric in modern tracking systems. ". I think the confusion is because joepie91 is talking about tracking by the government in the first one, and tracking by advertisers in the second one. It might be a good idea to clarify that.

@LokiFawkes It depends on the fingerprinting software. Some include your IP address, other people don't. Either way, there is more to fingerprinting than your IP address. Here's a test site many people use: https://coveryourtracks.eff.org/

Edit: Actually the original gist already links to this site

@LokiFawkes
Copy link

@Naleksuh Yeah, it seems a lot of people are confused by the concept of attacking the same assertion from multiple angles.

@M-u-m-p-i-t-z
Copy link

Firstly, good luck actually setting up a browser that flies under the radar like that. If you sign in anywhere, your browser will be tracked, your new fingerprint will be tracked as long as you stay signed in or sign in again. Marketers employ many different methods of tracking. From the classic cross-site tracking cookie, to the modern fingerprinting methods we know today. You basically aren't safe from this unless you're using Tor Browser (with or without actually using the Tor network) and not signing in anywhere.
Since some time Firefox prevents exactly these practices with its tracking protection, each domain has its own memory here where no other domain can access and if you use containers in addition, even the domain gets a different memory in each container.
As long as you're signed in, or allowing cookies, or allowing javascript, or it's able to get actual canvas sizes, etc from your browser, no proxy in the world can protect you.
With each domain the browser fingerprint changes and remains valid for this domain until the browser is closed but each container has different fingerprints for the same domains and another IP.
The VPN provider that shares data of its customers without obtaining their consent is actually protected by silver tongued legalese in the terms of service and gag orders in the law.
My government's laws prohibit the unstoppable storage of connection data. There must be a reasonable suspicion of a serious crime and there must be a suspect, not just thousands of VPN users because someone might have done something wrong.

It is in fact not easier to tell the authorities, "Sorry I can't identify my users because I have no logs!". That's a good way to get in trouble with 14 Eyes surveillance laws. And no, those surveillance laws are not limited to the 14 core nations of the Eyes. Most nations of the world are in on it without increasing the number of "eyes" in the name, and even if your company is from another country, if you have servers in an Eyes country, you're subject to their laws.
Why should a company get into trouble with the secret service if it complies with the laws in force in its country, where no one has to store any data. And if it would be so easy to get companies to record, why does even the NSA have its own department that deals with cracking VPN connections?
Be honest, if the secret service is looking for you, it will find you, no question, but who is wanted by the secret service?
The only danger you are exposed to when using VPN or even Tor is that you are swimming in a pot together with a few criminals, the price is not too high for me to protect my privacy.

@nukeop
Copy link

nukeop commented Aug 4, 2023

What's the point of fingerprinting if my fingerprint changes every 30s? And what's the point of tracking if I block tracking scripts and ads?

@LokiFawkes
Copy link

@M-um-p-i-t-z I can answer your entire response by answering your last sentence. You're not protecting your privacy. This is called the action bias.

But sure, if you think Firefox is protecting you by changing your fingerprint, go ahead and double check with the EFF.
No, it's not.

You have to set everything manually, make your canvas generic (thereby also limiting the screenspace in your browser or glitching certain graphics), and put every tab in a container. And even then, it's still not enough.

I'm a firefox user, with container tabs, strict privacy settings to the point that about:config is unrecognizable from the original, whole nine yards. And yet sites still find ways to worm cross site cookies across the containers. It's a neverending arms race, and the one thing they're not concerned with, is the IP address.

@LokiFawkes
Copy link

@nukeop Let's pretend you aren't the butt of the joke in this entire thread. Just for a second.
To what are you referring?

@LokiFawkes
Copy link

LokiFawkes commented Aug 6, 2023

@nukeop
You did not answer. To what are you referring?
Have you forgotten that it is you who knows less than nothing on the topic as you have proven multiple times in this thread?

Also, github gists is a discussion platform.

@vanderplancke
Copy link

@nukeop You did not answer. To what are you referring? Have you forgotten that it is you who knows less than nothing on the topic as you have proven multiple times in this thread?

Also, github gists is a discussion platform.

You know nukeop is a vpn shill right. Likes to attack anyone calling it out on it's grift. Ignore it and it will go away.

Copy link

ghost commented Aug 10, 2023

I agree. though I use one, because i trust it more, travel and torrenting

@M-u-m-p-i-t-z
Copy link

@LokiFawkes

@M-um-p-i-t-z I can answer your entire response by answering your last sentence. You're not protecting your privacy. This is called the action bias.

But sure, if you think Firefox is protecting you by changing your fingerprint, go ahead and double check with the EFF. No, it's not.

What is this supposed to prove? But I did it for you with the result that I double check on two days with 3 containers with different IPs from VPNs and I get 3 Yes in every single tab on both days. Tor Browser also. Seems like u have a mass of changes in about:config, that you look unique to the side. I am not. And your IP can be tracked, so they do so. Whether this is relevant or whether you do not want to believe it is irrelevant. So stop spreading such generalizations, they are not true.
Screenshot

@clippycoder
Copy link

clippycoder commented Aug 15, 2023

A few comments:

  • I think you are being to harsh on VPN services here. I understand that we cannot know for sure if a specific VPN provider is not logging you, but I wouldn't go so far as to say that none like that exist. It's a bit of a gamble, maybe, but sometimes that's better than nothing.
  • Additionally, I use a free VPN service to access geo-blocked content and to bypass network restrictions. I don't really trust it's privacy value, given that it's free, but for my purposes I'm content with that. And also, being a free tier of an otherwise paid service, it has an nice-looking and intuitive UI, much more than can be said for many open source projects.

Overall, given that VPNs provide benefits outside of privacy, and that privacy may very well be also provided, I think VPNs, even paid ones, have their place. But I don't think that this should detract from your argument that with no verifiability, VPN privacy may often be false advertising.

@tobx
Copy link

tobx commented Aug 30, 2023

I am pretty sure the main selling point of VPN services is to use IP ranges of foreign countries in order to circumvent being caught when doing illegal file sharing. Copyright holders work together with local authorities and local authorities can request user information from local internet providers. As long as the user's IP is from a country where there is no cooperation between authorities in this regard, copyright holders will not even try. So it does not even matter if there are logs or not. Even if, at one point in time, authorities would work together and if there are logs, chances are that the user's IP addresses are not stored anymore by the users actual internet provider or that the case becomes time-barred. Furthermore as long as there was not a single case of mass charges against VPN users, those users will keep using VPNs.

I think users that understand enough of IT to know what a VPN service is and that are able to use it and only use it legally for privacy and against tracking are quite a minority.

@douma
Copy link

douma commented Aug 31, 2023

I use VPN (OpenVPN with Pihole), with a private/ dedicated ip address, on a private VPS server, only to hide my traffic from my ISP (ISP's have the biggest share in selling data), to hide my true location for the websites I visit, to block ads and to block sites like facebook, google from tracking me... and to log my own network activities. In this way I have found a virus on my computer sending packages of information every hour to a certain host. Legally they could find out what websites I visit, but a VPN adds another threshold for them to find out. Don´t give them (legal agencies) any reason to track you down. Doing something illegal on the internet is extremely stupid, even with a VPN.

@eos1973
Copy link

eos1973 commented Sep 14, 2023

quite a lot of comments and discussions, apparently there is no complete solution.
Except acquiring a service from some server in a corner of Eastern Europe. XD

@nukeop
Copy link

nukeop commented Sep 14, 2023

Mullvad VPN is easily the best

Copy link

ghost commented Sep 14, 2023

Hello everyone.

These same questions that can be asked here about the cloud's open source. It is contradictory that open software works in cloud like sass (software as a service) or baas (backend as a service) etc. Because, in theory, we do not have access to any source code and the control of this server.

Some people have created the software license as AGPL for this. Although the company distributes the software to AGPL, you can never check which function is being performed. First, because we have a feeling of arrest, because you don't have the money to execute the software with your own infrastructure (hosting, physical server). And second, because we have the feeling of not knowing the future direction of the cloud product or service.

Just as we cannot trust VPNs, I don't think we should trust cloud services that uses open license as AGPL, MIT, GPLv2, GPLv3 etc. Does these concerns of mine make sense?

@panzer-arc
Copy link

This approach is parroted in various MSM articles but doesn't address all the potential concerns. I trust VPN providers more than my ISP. I see no evidence that I should trust my ISP by default even if they don't MITM me. They would know every single domain I connect to on all of my devices if I didn't tunnel my traffic. Why can't I find an explanation of how my data is used/stored on their site?
https://www.privacyguides.org/en/basics/vpn-overview/#should-i-use-a-vpn

@nukeop
Copy link

nukeop commented Sep 30, 2023

Yeah, it's a list of defeatist, often false or easily refuted bullet points written in a style of total confidence, which to some impressionable people may look like competence. Some of the bullet points are actually strawmen that nobody who uses VPNs would argue.

@Finoderi
Copy link

Finoderi commented Oct 2, 2023

Why can't I find an explanation of how my data is used/stored on their site?

Can you find something like that on the site of you favourite VPN service?
Have you actually read articles that short summary on privacyguides.org is referring to?

@rfc-2549
Copy link

rfc-2549 commented Oct 2, 2023

Mullvad is the only good VPN services
Either that or tor

@humanlyhuman
Copy link

humanlyhuman commented Oct 4, 2023

Mullvad is the only good VPN services Either that or tor

ivpn is pretty good too
check out https://www.ivpn.net/blog/why-you-dont-need-a-vpn

@sjorspa
Copy link

sjorspa commented Oct 13, 2023

A valid reason for VPN is by NOT want to hide your VPN but make sure you connect with a trusted one, IE if you have a dynamic IP and need to go to a firewalled site, this might be a very valid point. Another valid point can be Geolocation barriers, IE many content providers block based on your countries IP. The other points are pretty valid by the way. For real privacy use Tor and make sure that you don't login with accounts that you also use on your normal connection.

@sneer69
Copy link

sneer69 commented Oct 27, 2023

"A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be."

Can I see that statistic and your dataset?

@papahuge
Copy link

papahuge commented Nov 3, 2023

image
^
I'm pretty sure this is why most people need a glorified proxy service.

@5aturnius
Copy link

image ^ I'm pretty sure this is why most people need a glorified proxy service.

Precisely. I cannot believe the idiocy of morons on the internet with the idea that there is some way to outsmart intelligence agencies with the smartest people on the planet working together stacked against them. That there are thus conversely certain activities that "expose" one to said agencies. We need legislation to fight this battle on the same scale that this violation of user privacy operates on.

@nukeop
Copy link

nukeop commented Nov 29, 2023

Leaked NSA documents prove that they are powerless against TOR and have been since its inception.

@tobx
Copy link

tobx commented Nov 29, 2023

@5aturnius

Precisely. I cannot believe the idiocy of morons on the internet with the idea that there is some way to outsmart intelligence agencies with the smartest people on the planet working together stacked against them. That there are thus conversely certain activities that "expose" one to said agencies. We need legislation to fight this battle on the same scale that this violation of user privacy operates on.

The smartest people on the planet generally do not work for government agencies, because they pay less than private companies. The ones that do not care so much about money often have a problem with intelligence agencies and work for the science mostly at universities. Still, they have very good people and apart from probably not being the smartest people on the planet, they have money and power. That is probably not enough to hack security standards like VPN or encryption algorithms, but they can force companies to cooperate by legislation or pay companies to get into systems or pay to get software or hardware vulnerabilities to hack into systems.

That being said, you do not use VPNs to outsmart intelligence agencies that work together against you. If you are really so criminal or unlucky that you want to hide from intelligence agencies, then you use VPNs or better TOR in order to not draw any attention to yourself, so they won't even start to work against you.

@ahydronous
Copy link

Dumbest article ever. Completely glosses over the utmost mission to privacy Mulvad has, or the fact that Private Internet Access is court-tested.

@Finoderi
Copy link

Finoderi commented Dec 8, 2023

utmost mission to privacy

Someone can type that unironically. Fascinating.

@ahydronous
Copy link

Someone can type that unironically. Fascinating.

Someone can be this dumb unironically. Fascinating.

You can pay for Mulvad by sending in a letter with cash money. All you get back (and what they know) is an account number.

Private Internet Access has been audited too, btw : )

Anyway, I'm done here. Anyone reading this will realize how moronic this article is and just sign up for a good VPN.

Byee

@Finoderi
Copy link

Finoderi commented Dec 9, 2023

OK. For those who can read unlike that chap.
PIA is a US based company. It will obey US laws by definition no matter what. Furthermore the company still uses physical drives to store user data, and those drives can be ceased by authorities.

Mullvad is better in that regard. But Sweden is a member of 14 Eyes Alliance and not a completely safe jurisdiction for a VPN provider.

@tobx
Copy link

tobx commented Dec 9, 2023

Anyway, I'm done here. Anyone reading this will realize how moronic this article is and just sign up for a good VPN.

I cannot speak for everyone, but the aggressiveness in your writing makes me stay away from Mullvad.

Your arguments also make me trust less. „Sending a letter with money“ is trying to tell a potential customer, that you have no private data, so nothing could ever happen. But that only distracts from the fact, that you cannot prove that there is no logging. If Mullvad logs account number with real IP, „money in a letter“ does not help at all.

Even if there were court decisions in the past with no log files, or audits, that does not change the fact that a VPN is always able to implement logging in the future for all or specific customers. You can also disable logs for audits and turn them on afterwards. Also, how can we trust the auditor?

There is no way for a VPN provider to prove that there are no logs, so the article makes fully sense. The fact that you call it „moronic“ without providing good arguments, just makes the article even more convincing.

@maoydev
Copy link

maoydev commented Feb 21, 2024

@BrodyDoggo I can explain this. The purpose of a VPN is to provide a tunneled connection into a private network. It's like a proxy, except you can traverse firewalls and connect to devices over any port or protocol through it. In a proper VPN, you even get your own IP address in the private network. However, this is not how clearnet VPN services like NordVPN or ExpressVPN work. Even when they use real VPN protocols, they're just putting you into a NAT network and hiding you behind one IP address, their IP address. Essentially, the same as a proxy. They can control what ports you get to use, what protocols you get to use. Essentially, the same as a proxy. At best, with no restrictions on ports and protocols, you'd be looking at something called a SOCKS proxy. In many actual VPN setups, you might even set your virtual network adapter that's connected to the VPN, as a SOCKS proxy to prevent direct access to the clearnet. But these VPN services you see out there range from web proxies to SOCKS proxies, advertised as being more private than a proxy, and often come with proprietary apps that strip SSL so they can collect and sell your browsing habits. They even advertise this SSL-stripping function as virus protection, when in reality, their VPN cannot protect you from viruses even by stripping SSL (though if they're honest they can try), but it can make them money by collecting data. By stripping SSL, typically by replacing your root certificate so your browsing happens in an encrypted form that they can read but outsiders still can't, they not only can get your browsing habits beyond just IP addresses and DNS requests, but they can also harvest metadata AND the payload of the connection, including passwords and other personally identifying information that would have otherwise been transmitted without a man in the middle. So really the difference between a VPN and a proxy is the P in VPN - private. If it doesn't provide a tunnel to a private network, it's not a VPN, regardless of what protocol it uses or what its name is. VPN - Virtual connection to private resources like company servers Also a VPN - Virtual connection to your company or home's private network, doubling as a proxy for the clearnet Not a VPN - A tunnel to a web proxy, branded as a VPN, meant to look like you're browsing from the server you connected to rather than from where you are

If you still want to call these VPNs, the distinction would then be between Virtual Private Networks and Virtual Public Networks.

Is there any difference to them on a local perspective, like isp traffic protection and such?

@Finoderi
Copy link

Overquoting should be punishable by death.

@LokiFawkes
Copy link

LokiFawkes commented Feb 21, 2024

@maoydev Between not having a proxy and having one? Not really.
Without these services, most your ISP will know is what IP you're talking to, and currently between CDN centralization and Web2 "just trust the cloud" centralization, too many services share the same IP addresses with each other for it to really matter. Aside from that, if they're clever they may catch the SNI at the start of your connection. They still can't make anything of it if you have a bunch of ongoing sessions. Once ECH catches on (and browsers start supporting ECH while using a nameserver of your own choosing), that vulnerability will be dead too. You stand to lose more privacy than you stand to gain when trusting a Virtual Public Network.

@vanderplancke
Copy link

Hmmm the lone vpn simp is still at it. Almost like she gets kickbacks for each service sold.

Thinking logically, do you genuinely believe that the government would allow a means of hiding your ISP they themselves couldn't track?

@nukeop
Copy link

nukeop commented Feb 21, 2024

Can you keep unhinged conspiracy theories out of the thread? You're not making your side look sane

@vanderplancke
Copy link

vanderplancke commented Feb 22, 2024

Do you believe the government would allow a product they couldn't track? Yes or no? The likes of Tom Clancy and Richard Marcinko discussed communications security and spying. I would side with the experts over a shill who decries any criticism of VPNs.

@Aphexed
Copy link

Aphexed commented Feb 24, 2024

I visited IP vanish for coverage. I made it through paying for the first month then I was blocked because of Cloud flare and my email

@ipkpjersi
Copy link

VPNs are shared, VPSes themselves (not the host) are not, so your VPS gets tied to you - not great for privacy, is it? VPNs are great for bypassing censorship in countries like China with censorship problems and you don't need to setup your own to do that, it's kinda overkill.

Dumbest article ever. Completely glosses over the utmost mission to privacy Mulvad has, or the fact that Private Internet Access is court-tested.

It doesn't touch on bypassing censorship in restrictive countries either.

@Finoderi
Copy link

Finoderi commented Mar 22, 2024

so your VPS gets tied to you - not great for privacy, is it?

You get an external IP or IPs from a pool of that VPS-provider. I don't see much difference.

VPNs are great for bypassing censorship in countries like China with censorship problems...

It can be done with limited success and the result is far from great.

@ipkpjersi
Copy link

You get an external IP or IPs from a pool of that VPS-provider. I don't see much difference.

Sure, I can explain with difference. With a VPS, that IP is specifically tied to you for as long as you are renting that VPS. With a VPN, there is a shared pool of IPs where any individual IP can be used by multiple people at the exact same time - that's the difference. IPs are shared, not dedicated/unique.

It can be done with limited success and the result is far from great.

I guess we just disagree on this, then. VPNs are very important to these types of countries.

@Finoderi
Copy link

IPs are shared, not dedicated/unique.

Well, it's possible to choose another IP from the same pool after a while. I don't think a smaller pool compromises your identity that much but may be I'm wrong.

VPNs are very important to these types of countries.

I live in such country. The connection speed of VPN is tolerable most of the time but sometimes it slows to a crawl. And from time to time all VPN traffic, including wireguard protocol, is blocked for several hours for some reason. And there is nothing I can do on my end. Choosing another VPN provider doesn't make any difference. In these cases shadowsocks proxy with the server side on VPS works slightly better but not by much.

@ipkpjersi
Copy link

ipkpjersi commented Mar 22, 2024

Well, it's possible to choose another IP from the same pool after a while. I don't think a smaller pool compromises your identity that much but may be I'm wrong.

You aren't understanding my point. Two or more people can have the same IP address at the exact same time with a traditional VPN service, whereas rolling your own VPN via a VPS means that public IP address assigned to you is only used by you and not anybody else (since you are the only one using the VPN and you are also the one responsible for hosting the VPN). That's part of why traditional VPN services claim "anonymity", because multiple people can be using the same public IP address at the exact same time, you don't know "who" is really using it. In theory, with a traditional VPN service, you could have dozens or hundreds of people using the same public IP address at the exact same time.

@zefir-git
Copy link

zefir-git commented Mar 24, 2024

Well, it's possible to choose another IP from the same pool after a while. I don't think a smaller pool compromises your identity that much but may be I'm wrong.

You aren't understanding my point. Two or more people can have the same IP address at the exact same time with a traditional VPN service, whereas rolling your own VPN via a VPS means that public IP address assigned to you is only used by you and not anybody else (since you are the only one using the VPN and you are also the one responsible for hosting the VPN). That's part of why traditional VPN services claim "anonymity", because multiple people can be using the same public IP address at the exact same time, you don't know "who" is really using it. In theory, with a traditional VPN service, you could have dozens or hundreds of people using the same public IP address at the exact same time.

Most hosting providers will sell you additional IPs for your VPS at €1/mo and you can rotate your IPS all you want (and get completely new ones every month). And you can share your VPN with as many people as you like. So for the cheapest €13/mo N**dVPN plan you can get a server with like 10+ IPs, share with all your friends and even sell it if you want.

When multiple people use 1 IP, the service you are connecting to doesn't know that. So if it tracks an IP, it tracks it the same way regardless if it's from a VPS or VPN. Your VPS could as well be a VPN host used by thousands of people. That's why no service identifies users by IP. Even your home network IP will change (unless you're paying for one that doesn't). I won't even start talking about mobile data IPs.

If you want 1000% anonymity, you can't get that with anything online. If someone really really wants to know who you are, they can. "No log" VPNs have proven to have logs in the past, and if you don't control the VPN yourself to know for sure, are you willing to risk your 1000% security requirement based on trust in a corporation? And if you have a VPS, authorities can always find who you are through the VPS hosting provider. You can't get a new internet subscription without the ISP knowing who you are, so that's out of the options as well.

Furthermore, any service that really wants to, can easily block access to all VPS or VPN etc IPs. How? Every IP belongs to an ASN and all ASNs are publicly registered. Is the ASN a residential ISP? Or is it an ISP for data centres?

Don't waste money on VPN. Waste significantly less money on VPS.

@dxgldotorg
Copy link

dxgldotorg commented Mar 24, 2024

Except that many VPS providers are very stingy on IP allocations and will require you to provide justification before they sell you any more IPs. Linode for instance even calls out certain reasons like multiple website domains as not valid excuses because virtual servers and SNI allow multiple sites to share an IP.

They are a lot more generous with IPv6 but of course that cannot connect without a proxy to IPv4-only endpoints.

@ipkpjersi
Copy link

Most hosting providers will sell you additional IPs for your VPS at €1/mo and you can rotate your IPS all you want (and get completely new ones every month). And you can share your VPN with as many people as you like. So for the cheapest €13/mo N**dVPN plan you can get a server with like 10+ IPs, share with all your friends and even sell it if you want.

Hosting providers can be pretty strict about this actually, you'd be surprised.

When multiple people use 1 IP, the service you are connecting to doesn't know that. So if it tracks an IP, it tracks it the same way regardless if it's from a VPS or VPN. Your VPS could as well be a VPN host used by thousands of people. That's why no service identifies users by IP. Even your home network IP will change (unless you're paying for one that doesn't). I won't even start talking about mobile data IPs.

Sure, that's fair, but a VPS is much less likely to be used as a VPN host than an actual VPN host itself with it's own rented/purchased dedicated hardware. A VPS is much more likely to be a 1-to-1 type of situation.

"No log" VPNs have proven to have logs in the past

Except for the ones that have, you know, literally been tested in court. Of course, that's not to say that they won't change it in the future, but still better than having it not tested at all.

Furthermore, any service that really wants to, can easily block access to all VPS or VPN etc IPs. How? Every IP belongs to an ASN and all ASNs are publicly registered. Is the ASN a residential ISP? Or is it an ISP for data centres?

Sure, but a lot of companies will avoid this because they realize there are countries with horrible censorship and don't want to punish legitimate users from those countries.

One thing I agree with you 10000% on, if you want 1000% anonymity, don't go online - it really boils down to that, it's always possible to find out who you are if someone really wants to.

Ultimately, VPNs and VPSes have different use cases and provide different functionality. I feel like people want to hate on VPNs because it's cool to do so (although I admit there are legitimate criticisms of VPNs), but they actually do have legitimate uses like easily avoiding censorship in countries with heavy censorship and they can work pretty well for this because people do use them for this.

@zefir-git
Copy link

Hosting providers can be pretty strict about this actually, you'd be surprised.

No reasonable providers are. Especially if they don't give you port 25 by default (used for SMTP and sending mail). Hosting providers would only be hurt if you use their IPs to send spam mail and get them into blocklists and unusable for other clients for mail.

Sure, that's fair, but a VPS is much less likely to be used as a VPN host than an actual VPN host itself with it's own rented/purchased dedicated hardware. A VPS is much more likely to be a 1-to-1 type of situation.

That's true, but the target service doesn't know whether you're using a VPS or not. And I'd recommend sharing your VPS-installed VPN with friends who would rather trust you than a corporation.

Except for the ones that have, you know, literally been tested in court. Of course, that's not to say that they won't change it in the future, but still better than having it not tested at all.

The only objective of VPN companies, as all other companies, is to make money, forever if possible. You can never trust a company wants what's best for you. And if you truly want security/anonymity, you don't want any trust in the equation.

@ipkpjersi
Copy link

ipkpjersi commented Mar 24, 2024

I agree with what you just said, with the caveat that if you are the owner of the VPS then you become responsible for what your friends do via that VPN, rather than the responsibility falling on the VPN host company itself when using a traditional VPN service. That's one way I would think traditional VPN services would still be superior (and also ease of use since with VPN services you just download an app vs setting up your own VPN server).

@Finoderi
Copy link

...they can work pretty well for this because people do use them for this.

People use them because they have no other choice, not because of their sheer greatness.

On a side note , have tried to use Linode for a week, hated everything about them. From at least 5 fucking minutes to restart a tiny server to their retarded political activism.

@zefir-git
Copy link

On a side note , have tried to use Linode for a week, hated everything about them. From at least 5 fucking minutes to restart a tiny server to their retarded political activism.

And it's expensive. For under €4 Hetzner cloud gives you a better server with 20TB transfer. OVH currently has a promo at $1/mo for a year (but only 100 Mbps bandwidth, but I think it's unmetered). For around €5 Contabo has 4 core 6GB RAM and 32TB traffic in case you want to put something more on it. Atlantic.Net gives you a free VPS for 1 year (3 TB transfer).

This is not an endorsement for any of the companies or their services.

@nukeop
Copy link

nukeop commented Mar 25, 2024

What political activism?

@dxgldotorg
Copy link

What political activism?

Probably not supporting hate/discrimination or something like that.

@nukeop
Copy link

nukeop commented Mar 25, 2024

What political activism?

Probably not supporting hate/discrimination or something like that.

And without a passive aggressive tone that translates to...?

@dxgldotorg
Copy link

What political activism?

Probably not supporting hate/discrimination or something like that.

And without a passive aggressive tone that translates to...?

I do look at their TOS and it could be this clause that is grounds for termination:

be excessively violent, incite violence, threaten violence, or contains harassing content or hate speech;

Of course many hosting providers have had something similar for ages.

@nukeop
Copy link

nukeop commented Mar 25, 2024

That doesn't mean it's desirable. IMO that clause is there just to give them grounds to ban anyone they want if there's pressure on them. "Hate speech" is meaningless and arbitrary.

@Finoderi
Copy link

They sent me several e-mails about the importance of 'hearing black voices' or with similar cheap corporate bullshit.

@dxgldotorg
Copy link

They sent me several e-mails about the importance of 'hearing black voices' or with similar cheap corporate bullshit.

And you decided to politicize it.

@nukeop
Copy link

nukeop commented Mar 25, 2024

Sounds like they did.

@Finoderi
Copy link

It looks like you are this ideologically captured. Well, my condolences.
First, I don't live in US and it's not my problem Americans can't figure out why Marxism is bad for everybody. I was born and raised in USSR and it's pretty obvious to me.
Second, the only voices I care about are the ones in my head. They have some interesting ideas.

@LokiFawkes
Copy link

I have a feeling Godwin's about to take over any moment now.

@nukeop
Copy link

nukeop commented Mar 25, 2024

Godwyn the Golden?

@Finoderi
Copy link

Godwin's law.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment