@joepie91
Last active October 6, 2024 08:38
Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPNs for their intended purpose; that is, as a virtual private (internal) network. It only applies to using one as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (i.e. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kinds of tactics, and combined with increased adoption of CGNAT and an ever-increasing number of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some other kind of metric to identify and distinguish you. That can be anything from a user agent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two use cases where you might want to use a VPN:

  1. You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scare letters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (as is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.
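
A minimal pair of wg-quick configuration files for the self-hosted WireGuard setup described above, shown as an added example that is not part of the original post. The addresses, port, interface name `eth0`, hostname `vps.example.net` and the key and resolver placeholders are assumptions; keys are generated with `wg genkey` and `wg pubkey`.

```ini
# ---- /etc/wireguard/wg0.conf on the VPS (server side) ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# NAT client traffic out of the VPS's public interface (assumed to be eth0).
# IPv4 forwarding must also be enabled: sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# Only this client key may connect, and only with this tunnel address.
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# ---- /etc/wireguard/wg0.conf on the client ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <CLIENT_PRIVATE_KEY>
# Use a resolver that is reached through the tunnel; otherwise DNS lookups
# may still go to the resolver handed out by the local (hostile) network.
DNS = <RESOLVER_IP>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vps.example.net:51820
PersistentKeepalive = 25
# Use case 1 (known-hostile network): send all IPv4 traffic through the VPS.
# This example is IPv4-only; IPv6 traffic is not covered by this route.
AllowedIPs = 0.0.0.0/0
# Use case 2 (hide your IP from one specific service): replace the line above
# with only the destination(s) concerned, so other traffic stays off the tunnel.
# AllowedIPs = 203.0.113.10/32
```

The `AllowedIPs` line on the client is what decides between "all of your traffic" and "specifically that traffic"; everything leaving the VPS is still only as protected as it would be without the tunnel.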

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.


This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.


Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

@nukeop

nukeop commented May 17, 2024

What's your threat model and what data that isn't encrypted by HTTPS is a vulnerability for you?

@sneer69

sneer69 commented May 17, 2024

Not encrypted by HTTPS: text messages, voice and video calls, VOIP, instant messaging, file sharing (torrent), metadata (timestamps, location information, device identifiers), some media streaming like Twitch, emails.

@nukeop

nukeop commented May 17, 2024

Ok, let's consider this point by point:

  • Text messages: SMS protocol is not affected by VPN. SMS messages are not sent over the internet, so they don't touch wifi.
  • Voice, video calls, VOIP, media streaming (Twitch): this is commonly realized by web sockets, and WSS lets you encrypt traffic with TLS as you do with HTTPS
  • Instant messaging: usually realized via HTTPS
  • File sharing (torrent): BitTorrent supports protocol encryption
  • Metadata: there are many different kinds but those you named are parts of data sent over HTTPS
  • Emails: depending on your client, will be secured by HTTPS between you and your email server, and the connection between your email server and the destination server is not affected by your VPN. GPG can be used to encrypt email

@nukeop

nukeop commented May 17, 2024

You're free to unsubscribe and stop spreading made up false claims. I will also report posts with unhinged, fabricated information about me.

@sneer69

sneer69 commented May 17, 2024

SMS messages these days are sent via the internet, not GSM. I'm just not sure if it's from the BTS or the local device.

Twitch sends streams via RTMP with low security.

TeamSpeak and Discord are also unencrypted by default, using proprietary protocols.

Most torrent clients send data unencrypted and share IP addresses.

Even if clients and protocols support encryption, it does not mean it is used for all traffic.

Overall, you are relying on each application you use to correctly implement encryption and take care of your privacy and security on a random Wi-Fi network, when their priority is delivery. This creates a significant attack surface.

@LokiFawkes

You're free to unsubscribe and stop spreading made up false claims. I will also report posts with unhinged, fabricated information about me.

And you're free to fuck right the hell off. If reporting worked, you wouldn't be here.

@dxgldotorg

dxgldotorg commented May 18, 2024

SMS messages these days are sent via the internet, not GSM. I'm just not sure if it's from the BTS or the local device.

Twitch sends streams via RTMP with low security.

TeamSpeak and Discord are also unencrypted by default, using proprietary protocols.

Most torrent clients send data unencrypted and share IP addresses.

Even if clients and protocols support encryption, it does not mean it is used for all traffic.

Overall, you are relying on each application you use to correctly implement encryption and take care of your privacy and security on a random Wi-Fi network, when their priority is delivery. This creates a significant attack surface.

Pretty sure Twitch, TeamSpeak, and Discord wrap their protocols in HTTPS.

When used in a browser, secure protocols are pretty much mandatory for the browser not to complain.

@sneer69

sneer69 commented May 18, 2024

Thanks for the info. I rest my case with Twitch, TeamSpeak and Discord then.

@Finoderi

Finoderi commented Jun 1, 2024

@nukeop

nukeop commented Jun 1, 2024

That article doesn't seem to be supported by facts. One such sentence I found funny:

They are run either by Chinese nationals or located in China. It means user data is likely open to Chinese authorities.

That's pure speculation, or rather, a made up accusation based on nothing. Most people are concerned with their browsing metadata being shared with the five eyes countries.

@Finoderi

Finoderi commented Jun 1, 2024

https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/
The article contains this link among many others.
But you need a basic education to read more than just 'key takeaways' obviously.

@nukeop

nukeop commented Jun 1, 2024

Still, a Chinese company may own several VPN brands, but there's nothing factual to suggest that they are sharing any nebulously defined "data" with any government.

@Finoderi

Finoderi commented Jun 1, 2024

Apart from the fact that TLC is literally a state-owned enterprise.
'The lady doth protest too much, methinks'.

@nukeop

nukeop commented Jun 1, 2024

What's that supposed to mean and what is TLC?

@Finoderi

Finoderi commented Jun 1, 2024

Exactly.

@nukeop

nukeop commented Jun 1, 2024

Okay, once you want to support what you're saying with arguments you can come back to the thread any time.

@LokiFawkes

He meant TCL, and if you don't know what TCL is, maybe try reading the source or looking them up instead of playing incredulity.

@nukeop

nukeop commented Jun 2, 2024

It does not support the claim that "It means user data is likely open to Chinese authorities" which that article made. It's simply a Chinese company.

It's a red herring; not an argument against VPNs in particular, it's just a vague anti-China sentiment masquerading as reason. The same kind of handwaving can be used against pretty much any Chinese product; or any product where there are several brands owned by larger companies. Yes, you need to do your homework and figure out which ones are trustworthy.

@LokiFawkes

LokiFawkes commented Jun 2, 2024

Wholly state-owned company, Batman. You don't think Nukeop could be a CCP shill do you?

@LokiFawkes

VPNs, Virtual Private Networks, are useful for securing the path of a connection to a private resource.
Virtual Public Networks, or VPN services, are proxies usually owned by nation-states and data brokers. That's what you should not trust any farther than you can throw, and it's kinda hard to throw someone else's datacenter very far at all.

@Finoderi

Finoderi commented Jun 2, 2024

Okay, once you want to support what you're saying with arguments...

Everything you asked about is already in those two articles. If you can't read, it's your personal tragedy. If you don't know what a state-owned enterprise means and cannot be bothered to learn, you can try to live with it I guess. I see no other options.

@nukeop

nukeop commented Jun 2, 2024

There are wholly state-owned companies in every country.

@nukeop

nukeop commented Jun 2, 2024

As I said, this isn't even an argument against VPNs in general. You can distrust state-owned companies, but there are VPNs not owned by them. There are many provably secure ones to choose from.

Even then, they're pretending an SOE is something suspicious or odd and don't offer any additional arguments, counting on pre-established anti-Chinese sentiment because this kind of propaganda is prevalent in American media lately.

@Finoderi

Finoderi commented Jun 2, 2024

they're pretending an SOE is something suspicious or odd...

I know perfectly well how this works under a totalitarian regime because I fucking live in such a country, as I've already said. This level of naivete you demonstrate here is beyond good and evil.

@nukeop

nukeop commented Jun 2, 2024

I prefer to base arguments on things that are objective and provable.

@Finoderi

Finoderi commented Jun 2, 2024

You prefer to flood any discussion with 'what ifs?' and 'whys?' and ignore any arguments that don't fit your narrative.

@nukeop

nukeop commented Jun 2, 2024

What is an article with a vague reference to the fact that some VPNs are owned by some company connected to a government of some country if not a "what if"? That's not an argument for or against any properties or characteristics of the VPN technology, it doesn't mean anything for the principles of this technology, etc.

@Finoderi

Finoderi commented Jun 2, 2024

Why shouldn't we trust companies infecting our devices with malware? I have no idea...
And the fact I found cute is that you try to discredit the whole article based on those claims about Chinese companies. But they are just a small part of the whole story about a few companies owning the majority of available VPN services.

@nukeop

nukeop commented Jun 2, 2024

By itself it doesn't mean anything. It's a common business practice for companies to own dozens of brands. Look at Unilever. I'd rather focus on actual objectively provable downsides.

@Finoderi

Finoderi commented Jun 2, 2024

That's a well-known propagandistic tool. Nothing is objectively good or bad, nothing is certain, it's all relative, evidence is insufficient etc.
