Skip to content

Instantly share code, notes, and snippets.

@joepie91
Last active October 11, 2024 03:28
Show Gist options
  • Save joepie91/5a9909939e6ce7d09e29 to your computer and use it in GitHub Desktop.
Save joepie91/5a9909939e6ce7d09e29 to your computer and use it in GitHub Desktop.
Don't use VPN services.

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

  1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.


This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.


Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

@Finoderi
Copy link

IPs are shared, not dedicated/unique.

Well, it's possible to choose another IP from the same pool after a while. I don't think a smaller pool compromises your identity that much but may be I'm wrong.

VPNs are very important to these types of countries.

I live in such country. The connection speed of VPN is tolerable most of the time but sometimes it slows to a crawl. And from time to time all VPN traffic, including wireguard protocol, is blocked for several hours for some reason. And there is nothing I can do on my end. Choosing another VPN provider doesn't make any difference. In these cases shadowsocks proxy with the server side on VPS works slightly better but not by much.

@ipkpjersi
Copy link

ipkpjersi commented Mar 22, 2024

Well, it's possible to choose another IP from the same pool after a while. I don't think a smaller pool compromises your identity that much but may be I'm wrong.

You aren't understanding my point. Two or more people can have the same IP address at the exact same time with a traditional VPN service, whereas rolling your own VPN via a VPS means that public IP address assigned to you is only used by you and not anybody else (since you are the only one using the VPN and you are also the one responsible for hosting the VPN). That's part of why traditional VPN services claim "anonymity", because multiple people can be using the same public IP address at the exact same time, you don't know "who" is really using it. In theory, with a traditional VPN service, you could have dozens or hundreds of people using the same public IP address at the exact same time.

@zefir-git
Copy link

zefir-git commented Mar 24, 2024

Well, it's possible to choose another IP from the same pool after a while. I don't think a smaller pool compromises your identity that much but may be I'm wrong.

You aren't understanding my point. Two or more people can have the same IP address at the exact same time with a traditional VPN service, whereas rolling your own VPN via a VPS means that public IP address assigned to you is only used by you and not anybody else (since you are the only one using the VPN and you are also the one responsible for hosting the VPN). That's part of why traditional VPN services claim "anonymity", because multiple people can be using the same public IP address at the exact same time, you don't know "who" is really using it. In theory, with a traditional VPN service, you could have dozens or hundreds of people using the same public IP address at the exact same time.

Most hosting providers will sell you additional IPs for your VPS at €1/mo and you can rotate your IPS all you want (and get completely new ones every month). And you can share your VPN with as many people as you like. So for the cheapest €13/mo N**dVPN plan you can get a server with like 10+ IPs, share with all your friends and even sell it if you want.

When multiple people use 1 IP, the service you are connecting to doesn't know that. So if it tracks an IP, it tracks it the same way regardless if it's from a VPS or VPN. Your VPS could as well be a VPN host used by thousands of people. That's why no service identifies users by IP. Even your home network IP will change (unless you're paying for one that doesn't). I won't even start talking about mobile data IPs.

If you want 1000% anonymity, you can't get that with anything online. If someone really really wants to know who you are, they can. "No log" VPNs have proven to have logs in the past, and if you don't control the VPN yourself to know for sure, are you willing to risk your 1000% security requirement based on trust in a corporation? And if you have a VPS, authorities can always find who you are through the VPS hosting provider. You can't get a new internet subscription without the ISP knowing who you are, so that's out of the options as well.

Furthermore, any service that really wants to, can easily block access to all VPS or VPN etc IPs. How? Every IP belongs to an ASN and all ASNs are publicly registered. Is the ASN a residential ISP? Or is it an ISP for data centres?

Don't waste money on VPN. Waste significantly less money on VPS.

@dxgldotorg
Copy link

dxgldotorg commented Mar 24, 2024

Except that many VPS providers are very stingy on IP allocations and will require you to provide justification before they sell you any more IPs. Linode for instance even calls out certain reasons like multiple website domains as not valid excuses because virtual servers and SNI allow multiple sites to share an IP.

They are a lot more generous with IPv6 but of course that cannot connect without a proxy to IPv4-only endpoints.

@ipkpjersi
Copy link

Most hosting providers will sell you additional IPs for your VPS at €1/mo and you can rotate your IPS all you want (and get completely new ones every month). And you can share your VPN with as many people as you like. So for the cheapest €13/mo N**dVPN plan you can get a server with like 10+ IPs, share with all your friends and even sell it if you want.

Hosting providers can be pretty strict about this actually, you'd be surprised.

When multiple people use 1 IP, the service you are connecting to doesn't know that. So if it tracks an IP, it tracks it the same way regardless if it's from a VPS or VPN. Your VPS could as well be a VPN host used by thousands of people. That's why no service identifies users by IP. Even your home network IP will change (unless you're paying for one that doesn't). I won't even start talking about mobile data IPs.

Sure, that's fair, but a VPS is much less likely to be used as a VPN host than an actual VPN host itself with it's own rented/purchased dedicated hardware. A VPS is much more likely to be a 1-to-1 type of situation.

"No log" VPNs have proven to have logs in the past

Except for the ones that have, you know, literally been tested in court. Of course, that's not to say that they won't change it in the future, but still better than having it not tested at all.

Furthermore, any service that really wants to, can easily block access to all VPS or VPN etc IPs. How? Every IP belongs to an ASN and all ASNs are publicly registered. Is the ASN a residential ISP? Or is it an ISP for data centres?

Sure, but a lot of companies will avoid this because they realize there are countries with horrible censorship and don't want to punish legitimate users from those countries.

One thing I agree with you 10000% on, if you want 1000% anonymity, don't go online - it really boils down to that, it's always possible to find out who you are if someone really wants to.

Ultimately, VPNs and VPSes have different use cases and provide different functionality. I feel like people want to hate on VPNs because it's cool to do so (although I admit there are legitimate criticisms of VPNs), but they actually do have legitimate uses like easily avoiding censorship in countries with heavy censorship and they can work pretty well for this because people do use them for this.

@zefir-git
Copy link

Hosting providers can be pretty strict about this actually, you'd be surprised.

No reasonable providers are. Especially if they don't give you port 25 by default (used for SMTP and sending mail). Hosting providers would only be hurt if you use their IPs to send spam mail and get them into blocklists and unusable for other clients for mail.

Sure, that's fair, but a VPS is much less likely to be used as a VPN host than an actual VPN host itself with it's own rented/purchased dedicated hardware. A VPS is much more likely to be a 1-to-1 type of situation.

That's true, but the target service doesn't know whether you're using a VPS or not. And I'd recommend sharing your VPS-installed VPN with friends who would rather trust you than a corporation.

Except for the ones that have, you know, literally been tested in court. Of course, that's not to say that they won't change it in the future, but still better than having it not tested at all.

The only objective of VPN companies, as all other companies, is to make money, forever if possible. You can never trust a company wants what's best for you. And if you truly want security/anonymity, you don't want any trust in the equation.

@ipkpjersi
Copy link

ipkpjersi commented Mar 24, 2024

I agree with what you just said, with the caveat that if you are the owner of the VPS then you become responsible for what your friends do via that VPN, rather than the responsibility falling on the VPN host company itself when using a traditional VPN service. That's one way I would think traditional VPN services would still be superior (and also ease of use since with VPN services you just download an app vs setting up your own VPN server).

@Finoderi
Copy link

...they can work pretty well for this because people do use them for this.

People use them because they have no other choice, not because of their sheer greatness.

On a side note , have tried to use Linode for a week, hated everything about them. From at least 5 fucking minutes to restart a tiny server to their retarded political activism.

@zefir-git
Copy link

On a side note , have tried to use Linode for a week, hated everything about them. From at least 5 fucking minutes to restart a tiny server to their retarded political activism.

And it's expensive. For under €4 Hetzner cloud gives you a better server with 20TB transfer. OVH currently has a promo at $1/mo for a year (but only 100 Mbps bandwidth, but I think it's unmetered). For around €5 Contabo has 4 core 6GB RAM and 32TB traffic in case you want to put something more on it. Atlantic.Net gives you a free VPS for 1 year (3 TB transfer).

This is not an endorsement for any of the companies or their services.

@nukeop
Copy link

nukeop commented Mar 25, 2024

What political activism?

@dxgldotorg
Copy link

What political activism?

Probably not supporting hate/discrimination or something like that.

@nukeop
Copy link

nukeop commented Mar 25, 2024

What political activism?

Probably not supporting hate/discrimination or something like that.

And without a passive aggressive tone that translates to...?

@dxgldotorg
Copy link

What political activism?

Probably not supporting hate/discrimination or something like that.

And without a passive aggressive tone that translates to...?

I do look at their TOS and it could be this clause that is grounds for termination:

be excessively violent, incite violence, threaten violence, or contains harassing content or hate speech;

Of course many hosting providers have had something similar for ages.

@nukeop
Copy link

nukeop commented Mar 25, 2024

That doesn't mean it's desirable. IMO that clause is there just to give them grounds to ban anyone they want if there's pressure on them. "Hate speech" is meaningless and arbitrary.

@Finoderi
Copy link

They sent me several e-mails about the importance of 'hearing black voices' or with similar cheap corporate bullshit.

@dxgldotorg
Copy link

They sent me several e-mails about the importance of 'hearing black voices' or with similar cheap corporate bullshit.

And you decided to politicize it.

@nukeop
Copy link

nukeop commented Mar 25, 2024

Sounds like they did.

@Finoderi
Copy link

It looks like you are this ideologically captured. Well, my condolences.
First, I don't live in US and it's not my problem Americans can't figure out why Marxism is bad for everybody. I was born and raised in USSR and it's pretty obvious to me.
Second, the only voices I care about are the ones in my head. They have some interesting ideas.

@LokiFawkes
Copy link

I have a feeling Godwin's about to take over any moment now.

@nukeop
Copy link

nukeop commented Mar 25, 2024

Godwyn the Golden?

@Finoderi
Copy link

Godwin's law.

@jheagle
Copy link

jheagle commented May 14, 2024

Very good post, I found it as I become more and more disappointed with my VPN service. The main reason I use VPN was so I can do locale testing for web development. My secondary reason was for cafe, airport, and hotel WiFi networks I don't trust. I am finding more and more website block my VPN which is quite frustrating as my additional incentive was to use VPN when in foreign countries, it looks like this will be less and less possible with the current IP blacklisting going on.

@nukeop
Copy link

nukeop commented May 14, 2024

There's no reason not to trust wifi. All the internet uses HTTPS now. No matter who operates that wifi, they can't do anything to your traffic, and a VPN doesn't change that.

@sneer69
Copy link

sneer69 commented May 14, 2024

There's no reason not to trust wifi. All the internet uses HTTPS now. No matter who operates that wifi, they can't do anything to your traffic, and a VPN doesn't change that.

This is not true. There is a lot of metadata being sent unencrypted even with HTTPS with each session, that can easily provide profiling and identification means for bad actors. Cookies are often sent in plain text, which opens a way to session hijacking. Not all Internet uses HTTPS, HTTP is still in use and it is possible to intercept encrypted traffic by SSL stripping or by exploiting vulnerabilities in SSL/TLS protocol. Also, HTTPS does not protect from Cross-site Scripting (XSS). VPN protocol has it's own problems with recently discovered TunnelVision vulnerability, but Android is invulnerable to it, and that is how a lot of people use VPN. Besides, you could also use VPN to your home network where you have pi-hole and Unbound, which will cut out a lot of unwanted traffic. In my case unwanted DNS traffic makes up at least 66-75% of all, as per pi-hole blocked domains statistics. To summarize, a good VPN adds another layer of protection and security, but you still have to know what you are doing.

@nukeop
Copy link

nukeop commented May 14, 2024

Cookies are sent in plaintext? Is this 2004? Vulnerabilities in SSL? XSS too for some reason?

@jheagle
Copy link

jheagle commented May 14, 2024

Well, there is also another weird perk I experienced with my VPN. When I connected my VPN on the Disney cruise I got free WiFi, you just have to disconnect to use their app for Disney stuff. Typically you have to pay for WiFi usage on the Disney cruise.

@sneer69
Copy link

sneer69 commented May 14, 2024

Cookies are sent in plaintext? Is this 2004? Vulnerabilities in SSL? XSS too for some reason?

I have just visited nytimes website via HTTPS. Out of 12 cookies, 5 were without 'secure' flag, which means that they are being sent unencrypted, in clear text.

Vulnerabilities in all protocols are popping up all the time. SSL is not an exception. Check CVE database. CVE-2014-0160 is one of the most recent ones.

What XSS too? Are you sure that you know what are you talking about?

@nukeop
Copy link

nukeop commented May 14, 2024

Yeah, I am sure. Are you? What does this have to do with VPNs?

@sneer69
Copy link

sneer69 commented May 14, 2024

You said that HTTPS is an alternative to VPN on any wifi. It is not. With VPN all traffic is hidden from anybody on that wifi, even not web related. With HTTPS it is not. HTTPS only works within the application layer of TCP/IP protocol and that is not the only protocol your device uses on the network. It is just a portion of traffic.

You clearly have no idea what are you talking about, so come back to discuss when you learn a bit about networks and protocols and in the meantime, delete your misleading comments before anyone else reads them.

@nukeop
Copy link

nukeop commented May 14, 2024

Nice impotent rage

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment