Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Most VPN Services are Terrible

Most VPN Services are Terrible

Short version: I strongly do not recommend using any of these providers. You are, of course, free to use whatever you like. My TL;DR advice: Roll your own and use Algo or Streisand. For messaging & voice, use Signal. For increased anonymity, use Tor for desktop (though recognize that doing so may actually put you at greater risk), and Onion Browser for mobile.

This mini-rant came on the heels of an interesting twitter discussion: https://twitter.com/kennwhite/status/591074055018582016

Again I strongly do not recommend using any of these providers.

Provider / known "Secret" Key

Astril / way2stars  
EarthVPN / earthvpn
GFwVPN / gfwvpn  
GoldenFrog / thisisourkey  
IBVPN / ibVPNsharedPSK!  
IPVanish / ipvanish  
NordVPN  / nordvpn
PrivateInternetAccess (PIA) / mysafety  
PureVPN / 12345678  
SlickVPN / gogoVPN
TorGuard / torguard 
TigerVPN / tigerVPN
UnblockVPN / xunblock4me  
VPNReactor / VPNReactor  

Yes, I know. Many/most of these offer OpenVPN, or special clients for IPSec. But for all of the above, they are actively placing a significant portion of their user base (particularly those with older Androids and desktops) at risk by not using per-user PSKs. If your threat model is streaming BBC or helping your cousin geo-shift Hulu, go wild and plug into the Mad Max-esque Thunderdome commons and take your chances. If you're a dissident in Tehran or Riyadh, be extremely cautious of any of these providers.

Lastly, a VPN Hall of Shame honorary mention goes to DoubleHop.me* on general principle for blatant sexism and utter insincerity. Their privacy/legal policy section includes LGBT slurs and literally has your-mom jokes. But even ignoring that, as of this writing, there is virtually zero technical information provided, only YouTube videos apparently intended for 10 year-old boys.

Moral of the story: Don't believe everything you read on, say, TorrentFreak and PCMagazine. And (crucially) think about your threat model—are you guarding against amateur WiFi snoops at Starbucks or Marriott? Reducing identity monetization profiling by ISPs (ie ad tracking)? Minimizing exposure to government surveillance? Trying to be anonymous online? If the latter, a VPN won't help much.

Citations:

https://www.google.com/#q=goldenfrog+thisisourkey Archive: http://archive.is/qlrLK

http://www.gfwvpn.com/?q=node/224 Archive: http://archive.is/EdpFV

https://www.vpnreactor.com/android_l2tp_ipsec.html Archive: http://archive.is/uwJvk

http://unblockvpn.com/support/how-to-set-up-l2tp-on-the-android.html Archive: http://archive.is/4To5Y

http://www.ibvpn.com/billing/knowledgebase/34/Set-up-the-VPN-connection-on-Android-handsets.html Archive: http://archive.is/srptW

https://www.astrill.com/knowledge-base/50/L2TP-IPSec-PSK---How-to-configure-L2TP-IPSec-on-Android.html Archive:http://archive.is/PZpRU

http://billing.purevpn.com/knowledgebase.php?action=displayarticle&id=33 Archive: http://archive.is/R4JTi

https://www.privateinternetaccess.com/pages/client-support/ Archive: http://archive.is/U1bkL

http://torguard.net/knowledgebase.php?action=displayarticle&id=58 Archive: http://archive.is/iKJjl

https://www.ipvanish.com/visualguides/L2TP/Android/ Archive: http://imgur.com/IQU1mdg

http://www.earthvpn.com/android-l2tp-setup-guide/ Archive: http://archive.is/roKtf

https://nordvpn.com/tutorials/android/l2tpipsec/ (scroll down) Archive: http://archive.is/BQumt

https://help.tigervpn.com/support/search/solutions?term=shared+secret+tigerVPN Archive: http://archive.is/xZ136

https://www.slickvpn.com/tutorials/ipsec-for-iphone/ and http://archive.is/h4rI9

*DoubleHop.me: Archive:http://archive.is/G11WQ and http://archive.is/MZgWE and http://imgur.com/Zn5HSIj

@huertanix
Copy link

huertanix commented Apr 10, 2017

@kenkeiter Interesting find on Tunnelbear; Is there any documentation online illustrating how a non-user-unique private key could be used by an attacker?

@TraderStf
Copy link

TraderStf commented May 29, 2017

Perhaps would be nice to mention those providing a per-user PSK. No link with them, just try a lot of them to waste my time :o)

VPN Unlimited - 20 alpha-numeric characters.

@gwt10
Copy link

gwt10 commented Jul 30, 2017

Lastly, a VPN Hall of Shame honorary mention goes to DoubleHop.me* on general principle for blatant sexism and utter insincerity. Their privacy/legal policy section includes LGBT slurs and literally has your-mom jokes.

lol, is that a priority for you? Or is this some PC rant you had to thrown in there? Grow up.

As far as those commercial VPNs are concerned, I'm not trying to hide from the NSA or am that paranoid. Hiding from Comcast or any ISP will do just fine, thank-you-very-much.

Besides, using something like Tor will only attract attention from the NSA since they figure that just by you using it, you have something illegal to hide from anyway. They now have you in their sights.

Copy link

ghost commented Aug 12, 2017

Besides, using something like Tor will only attract attention from the NSA since they figure that just by you using it, you have something illegal to hide from anyway. They now have you in their sights.

The NSA, by that logic, is also scrutinizing the U.S. military since it's a major user of TOR. And yes, the NSA does do that, admittedly or not. It's the CIA's hacking team that now really needs to be considered, however, since it's budget is larger than that of the NSA's in its entirety. It's also completely unbound by even what little law still applies to to the NSA's activities. Or what little law supposedly still restricts it in any way, which is likely none. Still, likely none is possibly more than definitively none.

@hjeanmccurry
Copy link

hjeanmccurry commented Sep 24, 2017

@gwt10 "Grow up" LOL how ironic

@tasket
Copy link

tasket commented Oct 17, 2017

I have to agree with the critics of this piece, which is indeed too vague to use as a basis for any decision. That leaves it in the category of scare mongering.

PIA, for example, recommends OpenVPN for security and offers a 4096-bit certificate to validate the host. There is no PSK for this option and each user authenticates with a unique passcode.

Non-OpenVPN connections are described on a "we also offer" basis along with security warnings:

The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one's IP address, censorship circumvention, and geolocation.
If you need encryption, please use the Private Internet Application or OpenVPN protocol with our service.
https://www.privateinternetaccess.com/pages/client-support/ios-openvpn-connect

On that basis, I have to doubt the overall quality of your "mini-rant".

@Bomper
Copy link

Bomper commented Dec 21, 2017

@PacketSmuggler:

The only Zero Customer Knowledge VPN provider in operation is Cryptostorm.

Mullvad also doesn't require any identifiable information or email, and accepts Bitcoin.

@alimakki
Copy link

alimakki commented Jan 2, 2018

Hi Kenn,

The URL for Streisand has changed, is now https://github.com/StreisandEffect/streisand.

Cheers.

@yrwyjz
Copy link

yrwyjz commented Jun 29, 2018

nothing is absolutely anonymous on the web, in china, using a good vpn probably is the most efficient way to access websites blocked by cn gov, these are the good VPNs which work effectively in china.

@TraptureNine
Copy link

TraptureNine commented Sep 24, 2018

Just say: “Hi Kenn, are you aware of Sentinel VPN yet? -
https://Sentinel.co | Medium.com/Sentinel | @Sentinel_Co”

@Atavic
Copy link

Atavic commented Jan 22, 2019

Mike Kuketz found that NordVPN app for Android sends your email address plus the Google Advertising ID to the third party Iterable Inc. during the registration process.
Exodus Privacy confirms that the app contains several wide-spread trackers.

https://www.kuketz-blog.de/android-nordvpn-uebermittelt-e-mail-adresse-an-tracking-anbieter/
https://reports.exodus-privacy.eu.org/en/reports/55961/

@GETandSELECT
Copy link

GETandSELECT commented Jun 23, 2019

Lastly, a VPN Hall of Shame honorary mention goes to DoubleHop.me* on general principle for blatant sexism and utter insincerity. Their privacy/legal policy section includes LGBT slurs and literally has your-mom jokes.

Do you have a source for that? I don't find it on their website.

@kennwhite
Copy link
Author

kennwhite commented Jun 23, 2019

Yes. It's literally in the sources listed.

@mehditlili
Copy link

mehditlili commented Jun 27, 2019

they are actively placing a significant portion of their user base (particularly those with older Androids and desktops) at risk by not using per-user PSKs.

Do you mind explaining how that puts users at risk, or link to a page that explains that?

@lupalby
Copy link

lupalby commented Oct 22, 2019

@kennwhite Can you comment on Cyberghost VPN? I've been using it for few years now and it worked well for me and so far I haven't found anybody putting them in the spotlight for something. It was the case for the very famous NordVPN too.. up to now. So now I'm curious about your opinion on Cyberghost.
Thanks!

@briangordon
Copy link

briangordon commented Oct 25, 2019

This strikes me as rather exaggerated. It's not great that some of these VPN services are providing instructions for using a known IPSec PSK in some cases but I'm going to hazard a guess that the majority of VPN customers are using the native app from their service provider, not following those instructions. In NordVPN's case at least, the Windows app is a wrapper around OpenVPN and the Linux client has Wireguard support, so the IPSec PSK isn't relevant. And even in the worst case where someone's using L2TP/IPSec with a known PSK, it's still better than nothing because IPSec provides forward secrecy if you're not being actively MITM'd. As for no-logs policies, I wouldn't necessarily trust them but "possibly logs" is still better than your ISP which "definitely logs."

@10beasts-net
Copy link

10beasts-net commented May 23, 2020

The current usage of PureVPN in China is not good. And many people have reported that its servers in China have become unavailable.

@mdb-vzeddie
Copy link

mdb-vzeddie commented Jul 17, 2020

It seems that PIA does specifically note that if you're in a particularly sensitive position you shouldn't use L2TP or older protocols. They say that you should default to OpenVPN if possible, On my desktop (PIA v2.2 on the latest Win10), the only available protocol options are OpenVPN and a beta version of Wireguard.

Copy link

ghost commented Oct 27, 2020

Hello,

Can you provide insight into perfect-privacy? I remember using them long, long before VPNs were thought of something for consumer use.

I also knew back then it was the preferred VPN by fraudsters. There are news articles about one there server locations being raided and them unable to find logs.

Thanks!

@dattapw
Copy link

dattapw commented Nov 25, 2020

Doublehop SCAM stole my money and blocked me.

22 Nov: I bought a yearly subscription for $33. I made a payment of 0.00176325 BTC to 18ZcmBksf9GEVxfABYUXUp39oryF7CJkHG for Order ID: 17uGMc. The order did not process.

I sent an e-mail to them. I sent them a WhatsApp message. They said they'd process my order by the weekend.

25 Nov: I pinged them back. They blocked me on WhatsApp.

Scammers took my money and ran away. DO NOT BUY FROM THESE PEOPLE.

@runboy93
Copy link

runboy93 commented Jan 5, 2021

I know this list might be old stuff already (?), but what about these ones, anything?

AzireVPN
IVPN
Surfshark

@huadelaotou
Copy link

huadelaotou commented Apr 8, 2021

It is really true that many VPNs are very bad. After using them, I found that many websites still can not be logged in, it saying that I can apply for a refund, but several months passed and still didn't receive the money. So how important it is to choose a good VPN.

@gtroshin
Copy link

gtroshin commented Apr 24, 2021

👍

@upsangel
Copy link

upsangel commented Jan 13, 2022

I have been focusing on reviewing the VPN connection speed, it's surprising to read about the pre-shared key issues. I am wondering how to verify is it still a issue in 2022 as this gist was reported in 2016. Now most VPN provider advertise their Wireguard VPN mode. Will this implicitly resolve the disclosed pre-share key issue?

@sunshying
Copy link

sunshying commented Jan 20, 2022

I've used PandaVPN for about half a year and it's quite stable in Singapore and China .. Its blog also says Wireguard protocol will be supported soon.

@indiflamingo
Copy link

indiflamingo commented Feb 14, 2022

Most VPNs are not secure, we did a detailed test of the most popular VPNs, learn more

@ericntunctu
Copy link

ericntunctu commented Mar 1, 2022

I think strongvpn is good enough

@suli903
Copy link

suli903 commented May 26, 2022

Yes, I agree with you, many VPNs are really bad and security is not guaranteed. Therefore, it is very important to choose a VPN. According to my experience, I think that although ExpressVPN is a little more expensive, its security is still very high, and Purevpn and surfshark vpn are generally OK. Personal opinion, hope it helps.

@GearGladys
Copy link

GearGladys commented Jun 6, 2022

A bad VPN will make people experience a bad, unhappy, and insecure experience. Many free VPNs may have such an experience. In the current VPN field, ExpressVPN is considered to be the best software. Of course, Surfshark vpn, pandavpn, etc. are also recommended.

@Toolreview
Copy link

Toolreview commented Jun 28, 2022

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment