@joepie91
Last active December 5, 2024 13:14
Don't use VPN services.


No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPNs for their intended purpose; that is, as a virtual private (internal) network. It only applies to using one as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (i.e. where your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to this kind of tactic, and combined with the increased adoption of CGNAT and an ever-increasing number of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some other kind of metric to identify and distinguish you. That can be anything from a user agent string to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two use cases where you might want to use a VPN:

  1. You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scare letters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (as is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using WireGuard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.
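As an added example (not from the original post), here is the self-hosted WireGuard setup recommended above as a pair of wg-quick config files, one for the VPS and one for the client; the keys, the 10.66.0.0/24 tunnel subnet, the hostname and the eth0 interface name are constructed placeholders. The client's AllowedIPs line also shows the difference between the full-tunnel default criticised earlier and routing only specific traffic through the tunnel.

```ini
# ===== /etc/wireguard/wg0.conf on the VPS (the "server" end) =====
# Generate each keypair on the machine that will use it, so private keys never travel:
#   wg genkey | tee server.key | wg pubkey > server.pub      (on the VPS)
#   wg genkey | tee client.key | wg pubkey > client.pub      (on the client)
# Tunnel subnet 10.66.0.0/24, the hostname and eth0 are constructed placeholders.
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# Forward and NAT tunnel traffic out of the VPS's public interface (assumed to be eth0)
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -s 10.66.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.66.0.0/24 -o eth0 -j MASQUERADE

# One [Peer] block per client; packets authenticated by this key are only
# accepted if their source address is the client's tunnel address.
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.66.0.2/32

# ===== /etc/wireguard/wg0.conf on the client =====
[Interface]
Address = 10.66.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
# DNS = 10.66.0.1   only if you also run a resolver on the VPS; otherwise DNS
#                   queries still go to the local network's resolver.

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vps.example.net:51820
PersistentKeepalive = 25
# Full tunnel, the default almost every VPN client imposes: everything leaves
# via the VPS, so the VPS provider is now in the position a VPN provider was.
AllowedIPs = 0.0.0.0/0, ::/0
# Split tunnel for the "hide my IP from one specific adversary" case: route only
# the tunnel itself plus that destination (203.0.113.0/24 is a documentation
# prefix standing in for the real one); everything else stays direct.
# AllowedIPs = 10.66.0.0/24, 203.0.113.0/24
```

Bring the interface up on each side with `wg-quick up wg0`; the VPS additionally needs UDP port 51820 reachable from the client.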

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.


This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.


Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

@nukeop

nukeop commented Jun 2, 2024

Can you back that with any sources or is it fantasy-land as always with you?

@sneer69

sneer69 commented Jun 2, 2024

Had to unsubscribe. Spam chat bots.

@LokiFawkes

Can you back that with any sources or is it fantasy-land as always with you?

Which do you want first? Huawei? https://2017-2021.state.gov/wp-content/uploads/2020/12/5G-Myth_Fact3-508.pdf
https://en.wikipedia.org/wiki/Criticism_of_Huawei

How about Alibaba? https://www.bloomberg.com/news/articles/2024-02-26/alibaba-discloses-state-ownership-in-more-than-12-business-units
https://markets.businessinsider.com/news/stocks/chinese-government-alibaba-tencent-stock-purchases-communist-party-tiktok-bytedance-2023-1
And that last link covers Tencent too. Which of course exists simply to be an arm of the CCP to begin with.

Not to mention even when the CCP doesn't "officially" or publicly have shares in a company, they have influence on all companies in China, which is exactly why international companies from outside of China segregate their Chinese operations from the rest of the company. If they didn't, companies like Google and Apple would have to give CCP influence on their entire operations or pull out of China. It's why some movies don't even make it to Chinese Disney but can still release worldwide or why the Chinese version would be censored. Even when the CCP doesn't own your company in China, the CCP owns your company in China.

@nukeop

nukeop commented Jun 3, 2024

No, I want information backing up that

CCP holds a stake in every company over there

It doesn't matter anyway for the sake of any argument so you are allowed to stop humiliating yourself

@LokiFawkes

To hold a stake means to hold a share or otherwise exert influence on a company. This would of course be beyond the simple "regulations" like we have here in the US, but instead actual government censorship. But fun fact, any company with a CCP member as an employee (that pretty much encompasses anyone in China who doesn't want to be a slave forever, even if they end up being a slave forever regardless, so most companies fall under this) has to have an in-firm committee or branch of the CCP. That is a stake.

The CCP is buying up "golden shares" of every company in China. That is a stake.

The CCP censors all companies in China to the point of making them all propaganda outlets for the CCP. That is a stake.

Therefore,
The CCP holds a stake in every company over there.

@MrDisguised

MrDisguised commented Jun 13, 2024

https://www.theverge.com/2023/4/21/23692580/mullvad-vpn-raid-sweden-police
https://www.youtube.com/watch?v=hPrMtIXUh1s
Don't be a paranoid and touch some grass @LokiFawkes

Mental outlaw made a full video on mullvad vpn raid and what happened.

@Finoderi

Have you watched this video of his: https://www.youtube.com/watch?v=GxVIa3eDdnM ?
And kids using cliche about grass spend too much time on Twitter.

@nukeop

nukeop commented Jun 17, 2024

To hold a stake means to hold a share or otherwise exert influence on a company. This would of course be beyond the simple "regulations" like we have here in the US, but instead actual government censorship. But fun fact, any company with a CCP member as an employee (that pretty much encompasses anyone in China who doesn't want to be a slave forever, even if they end up being a slave forever regardless, so most companies fall under this) has to have an in-firm committee or branch of the CCP. That is a stake.

The CCP is buying up "golden shares" of every company in China. That is a stake.

The CCP censors all companies in China to the point of making them all propaganda outlets for the CCP. That is a stake.

Therefore, The CCP holds a stake in every company over there.

It's a big fat lie that the government owns a stake in every company in China, there's just no distracting us from the fact that you got caught repeating lies you believed yourself. No amount of handwaving is going to change that. Just like with many other factual matters in this thread.

@LokiFawkes

You really like flaunting your willful ignorance, don't you, Nukeop
I can lead you to water but I can't make you drink, and honestly, you're probably not a real horse anyway.

@nukeop

nukeop commented Jun 18, 2024

You were exposed and you have no facts to back that up. Just admit you were wrong and move on.

@iobe-a

iobe-a commented Jul 5, 2024

Proton has complied to identify a target in the past, so that's probable cause not to use Proton.

AFAIK that was an IP and browser fingerprinting for Proton Mail (which can be accessed via TOR) in a case in 2021 and recovery email from Apple given to Proton Mail upon registration (unnecessarily) from last month. There was no ProtonVPN related cases, were they?

Of course, a proper opsec is the most important, but for daily (legal) use, with just privacy in mind, on a public WiFi for example, the three services I mentioned are the only ones I'd use.

I read the article, and there is a bunch of generalizations and conspiracy theories in it. It has its merits, but it does not apply to all VPN services equally, at this point in time, in my opinion.

For critical endeavours total distrust is crucial, but for day to day activities some VPN providers may be valid.

You’re real smart. Sincerely.

@Rdxcj

Rdxcj commented Aug 15, 2024

Click To Download Don't use VPN services

lmao another dumb stealer

@hackers-terabit

This thread is an example of how a small group of misinformed people, with good intentions can mislead a large group of people. Over several years, all that this thread has proven is how essential commercial VPN providers are.

@dxgldotorg

This thread is an example of how a small group of misinformed people, with good intentions can mislead a large group of people. Over several years, all that this thread has proven is how essential commercial VPN providers are.

With nearly all websites nowadays running on TLS 1.2, TLS 1.3, or QUIC theft of passwords and financial information by network sniffing is already pretty much a thing of the past.

@EatPrilosec

EatPrilosec commented Nov 17, 2024

But my provider doesn't log!
There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

ok. fair point.

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

refer to your previous point. are VPS hosts not capable of logging traffic, and not capable of monitoring the whole environment of the entire manual VPN setup in your head for some reason?

this logic is like saying the only possible way to keep my family safe is to design my own front, back, and garage door locks, because all consumer models have been picked at least once at somepoint, prolly by LPL with a rake, or that other guy by giving it a good whack with a lock of the same model

the true evaluation of your safety using the internet is how much of a target you are, just like safety at home. if im in compton imma need more than a lock, lock + glock combo. but im over here in media torrento canada, i dont need all dat.

if youre in a hostile neighborhood, MORE locks might help. tor, etc. but if youre some gov't entities target, theyre busting down the door. your solution is to buy a warehouse they can also bust down the warehouse bay doors of.

for most peoples needs: streamin' that phat 4k dolby vision 7.1 surroundsound wolverine & deadpool rip, a vpn that might log you is fine.

the perceived need for more than that makes me question your internet habits....

@Finoderi

Most people don't need a VPN.
And monitoring encrypted traffic by a VPS provider doesn't make any sense.
