Most VPN Services are Terrible

Short version: I strongly do not recommend using any of these providers. You are, of course, free to use whatever you like. My TL;DR advice: Roll your own and use Algo or Streisand. For messaging & voice, use Signal. For increased anonymity, use Tor for desktop (though recognize that doing so may actually put you at greater risk), and Onion Browser for mobile.

This mini-rant came on the heels of an interesting twitter discussion: https://twitter.com/kennwhite/status/591074055018582016

Again I strongly do not recommend using any of these providers.

Provider / known "Secret" Key

Astrill / way2stars
EarthVPN / earthvpn
GFwVPN / gfwvpn
GoldenFrog / thisisourkey
IBVPN / ibVPNsharedPSK!
IPVanish / ipvanish
NordVPN / nordvpn
PrivateInternetAccess (PIA) / mysafety
PureVPN / 12345678
SlickVPN / gogoVPN
TorGuard / torguard
TigerVPN / tigerVPN
UnblockVPN / xunblock4me
VPNReactor / VPNReactor

Yes, I know. Many/most of these offer OpenVPN, or special clients for IPSec. But for all of the above, they are actively placing a significant portion of their user base (particularly those with older Androids and desktops) at risk by not using per-user PSKs. If your threat model is streaming BBC or helping your cousin geo-shift Hulu, go wild and plug into the Mad Max-esque Thunderdome commons and take your chances. If you're a dissident in Tehran or Riyadh, be extremely cautious of any of these providers.

Lastly, a VPN Hall of Shame honorary mention goes to DoubleHop.me* on general principle for blatant sexism and utter insincerity. Their privacy/legal policy section includes LGBT slurs and literally has your-mom jokes. But even ignoring that, as of this writing, there is virtually zero technical information provided, only YouTube videos apparently intended for 10 year-old boys.

Moral of the story: Don't believe everything you read on, say, TorrentFreak and PCMagazine. And (crucially) think about your threat model—are you guarding against amateur WiFi snoops at Starbucks or Marriott? Reducing identity monetization profiling by ISPs (i.e., ad tracking)? Minimizing exposure to government surveillance? Trying to be anonymous online? If the latter, a VPN won't help much.

Citations:

https://www.google.com/#q=goldenfrog+thisisourkey Archive: http://archive.is/qlrLK

http://www.gfwvpn.com/?q=node/224 Archive: http://archive.is/EdpFV

https://www.vpnreactor.com/android_l2tp_ipsec.html Archive: http://archive.is/uwJvk

http://unblockvpn.com/support/how-to-set-up-l2tp-on-the-android.html Archive: http://archive.is/4To5Y

http://www.ibvpn.com/billing/knowledgebase/34/Set-up-the-VPN-connection-on-Android-handsets.html Archive: http://archive.is/srptW

https://www.astrill.com/knowledge-base/50/L2TP-IPSec-PSK---How-to-configure-L2TP-IPSec-on-Android.html Archive: http://archive.is/PZpRU

http://billing.purevpn.com/knowledgebase.php?action=displayarticle&id=33 Archive: http://archive.is/R4JTi

https://www.privateinternetaccess.com/pages/client-support/ Archive: http://archive.is/U1bkL

http://torguard.net/knowledgebase.php?action=displayarticle&id=58 Archive: http://archive.is/iKJjl

https://www.ipvanish.com/visualguides/L2TP/Android/ Archive: http://imgur.com/IQU1mdg

http://www.earthvpn.com/android-l2tp-setup-guide/ Archive: http://archive.is/roKtf

https://nordvpn.com/tutorials/android/l2tpipsec/ (scroll down) Archive: http://archive.is/BQumt

https://help.tigervpn.com/support/search/solutions?term=shared+secret+tigerVPN Archive: http://archive.is/xZ136

https://www.slickvpn.com/tutorials/ipsec-for-iphone/ and http://archive.is/h4rI9

*DoubleHop.me: Archive: http://archive.is/G11WQ and http://archive.is/MZgWE and http://imgur.com/Zn5HSIj

I had a long conversation with PIA support once, asking them about this issue. Basically they say that their native iOS app (which uses IPsec), the other OS clients, and the OpenVPN protocol do not use shared keys.

Only if you choose to use L2TP will the shared key be used. Unfortunately this is not my domain of experience and I don't know exactly how to verify what they said.

OnBrink commented Aug 19, 2016

Kenn White, this is nothing new to anyone; providers such as TorGuard/PIA/IPVanish etc. offer many different types of protocols, OpenVPN being the one mostly recommended by these companies and offered by default in their software. L2TP/IPSec can be quite fast for users whose most important goal is streaming their favourite programs, where security is not a big deal to them. All you're doing is scaremongering to grab a little attention. If a user uses OpenVPN/SSTP or other more secure protocols, they are fine!

People shouldn't listen to this guy; he should get up to date with the times, you're way behind going by your feed.

Owner

kennwhite commented Aug 19, 2016

Andrea, as we discussed, what PIA and most other large providers are doing is actively harming a subset of their users. It would be trivial to generate a per-user PSK and offer that for, eg, older Android clients, etc., but they don't. You make a great point -- it's not possible to verify any claims made by most VPN providers. I'm aware of only one service that has undergone independent 3rd party security review (still in progress). But in the end, do your research and make your choices. If security is a serious concern, it's important to take in all the factors of a provider (ecosystem, business practices, mix of co-tenant customers, etc.). Feel free to ignore a gist on the Internet. :-)
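As an added illustration of two points made above (the gist's objection to one provider-wide PSK handed to every L2TP/IPsec user, and the reply's remark that issuing a per-user PSK is trivial), here is an audit script that is not part of the gist and not any provider's code. It parses a constructed secrets file in strongSwan's ipsec.secrets syntax (`<id selectors> : PSK "secret"`, where an empty selector list or `%any` offers the key to every peer), flags keys that match the published list in the gist, keys bound to the `%any` wildcard or reused across several identities, and short keys, and then mints an independent random key per identity. The sample file, the identities and the 20-character minimum are assumptions for the demo.

```python
"""Audit an IPsec pre-shared-key file for provider-wide or published PSKs.

Added example, not code from the gist or any VPN provider. Input format is
strongSwan's ipsec.secrets syntax:  <id selectors> : PSK "<secret>"
(an empty selector list, or %any, means the key is offered to every peer).
"""
import re
import secrets

# Shared secrets listed in the gist above (taken from the page, not invented).
PUBLISHED_PSKS = {
    "way2stars", "earthvpn", "gfwvpn", "thisisourkey", "ibVPNsharedPSK!",
    "ipvanish", "nordvpn", "mysafety", "12345678", "gogoVPN", "torguard",
    "tigerVPN", "xunblock4me", "VPNReactor",
}

# Constructed sample file: one provider-wide key handed to every user, plus
# one user who was correctly given a key of their own.
SAMPLE_SECRETS = '''
# provider-wide key printed in the Android setup guide
%any %any : PSK "mysafety"
alice@example.net : PSK "mysafety"
bob@example.net : PSK "mysafety"
carol@example.net : PSK "q9JvX2Lm8tRf0Yb1Wc7Ue4Hs3Zo6Pa5Nd"
'''

PSK_LINE = re.compile(r'^\s*(?P<ids>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"')
MIN_PSK_LEN = 20  # assumed policy threshold for this demo


def parse_secrets(text):
    """Return a list of (identities, psk); no selector is treated as %any."""
    entries = []
    for line in text.splitlines():
        match = PSK_LINE.match(line)
        if match:
            ids = match.group("ids").split() or ["%any"]
            entries.append((ids, match.group("psk")))
    return entries


def audit_psks(text):
    """Group identities by PSK and report four kinds of weakness."""
    users_by_psk = {}
    for ids, psk in parse_secrets(text):
        users_by_psk.setdefault(psk, set()).update(ids)
    findings = {"published": [], "wildcard": [], "shared": [], "short": []}
    for psk, ids in users_by_psk.items():
        if psk in PUBLISHED_PSKS:
            findings["published"].append(psk)        # key is public knowledge
        if "%any" in ids:
            findings["wildcard"].append(psk)         # offered to every peer
        named = sorted(ids - {"%any"})
        if len(named) > 1:
            findings["shared"].append((psk, named))  # same key, many users
        if len(psk) < MIN_PSK_LEN:
            findings["short"].append(psk)
    return findings


def issue_per_user_psks(identities):
    """Mint an independent random key for every identity (the per-user fix)."""
    return {ident: secrets.token_urlsafe(24) for ident in identities}


def render_secrets(psks_by_identity):
    """Write a per-user ipsec.secrets body with no wildcard entries."""
    lines = [f'{ident} : PSK "{psk}"' for ident, psk in psks_by_identity.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("findings before:", audit_psks(SAMPLE_SECRETS))
    users = ["alice@example.net", "bob@example.net", "carol@example.net"]
    print("findings after:", audit_psks(render_secrets(issue_per_user_psks(users))))
```

Run against the sample, the audit reports "mysafety" under all four headings (published, wildcard, shared by alice and bob, and short), while carol's key is clean; after re-issuing one key per identity, every heading is empty. The same grouping works on any secrets file in this syntax, so it can be used to confirm that a provider's per-user claim actually holds on the server side.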

Owner

kennwhite commented Aug 19, 2016

OnBrink, if security "is not a big deal" then any VPN provider will do. Seriously, feel free to write up a guide to IPSec and OpenVPN VPNs and share it. But no need to make this personal -- life's too short, my friend.

Here are some things to check with any VPN provider:

  1. Do you have to provide an email to have an account? You're being logged.
  2. Do you have to provide a credit card? You're being logged.
  3. Does the service require you to use a binary installer to gain access? You're being logged AND rooted.

The only Zero Customer Knowledge VPN provider in operation is Cryptostorm. You can pay via a variety of methods, receive your tokens via a variety of secure communication paths, and you never have to provide an email, a credit card number, or any other identifying information.

If configuring your connection isn't done with a text file from the provider and an open source client, you're providing unfettered access to your system and your traffic. If you shopped around and picked a cheap provider, there are a lot of bad things that players like that do to their customers.

Cryptostorm tokens are hashed using SHA512, the resulting hash is used as the userID for the network, and your password can be anything, as the system only looks for usernames that are valid hashes. The hashed token is a proof of purchase, Cryptostorm doesn't care who is using the network, so long as they can prove they paid.

All of the other VPN providers offer a solemn oath that they are not logging you. Cryptostorm is the only provider that uses a business process which means that they cannot.

I'd be happy to answer any questions anyone might have regarding the Cryptostorm service.
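To make the token scheme described in the comment above concrete, here is an added model of it in Python. It is not Cryptostorm's code and assumes nothing about their implementation beyond what the comment states: the client sends the SHA-512 of its purchased token as the username, the server keeps a ledger holding only the hashes of tokens it sold, and the password field is ignored. Token values are minted randomly for the demo.

```python
"""Proof-of-purchase login with hashed tokens.

Added model of the scheme the comment above describes; not Cryptostorm's code.
Client: username = hex SHA-512 of the purchased token.  Server: a ledger that
holds only the hashes of tokens it sold, and ignores the password field.
"""
import hashlib
import hmac
import secrets

HEX_SHA512_LEN = 128


def token_to_username(token: str) -> str:
    """Client side: derive the network username from the purchased token."""
    return hashlib.sha512(token.encode("utf-8")).hexdigest()


class TokenLedger:
    """Server side. Stores sold-token hashes only; no tokens, no buyer identities."""

    def __init__(self):
        self._sold_hashes = set()

    def sell_token(self) -> str:
        """Mint a random token, remember only its hash, hand the token to the buyer."""
        token = secrets.token_urlsafe(32)  # constructed for the demo
        self._sold_hashes.add(token_to_username(token))
        return token

    def knows_token(self, token: str) -> bool:
        """True if the raw token is stored anywhere in the ledger (it never is)."""
        return token in self._sold_hashes

    def authenticate(self, username: str, password: str) -> bool:
        """Accept if username is the hash of a sold token; the password is ignored,
        as the comment describes. Malformed usernames are rejected before any
        comparison so only well-formed hex digests reach the ledger check."""
        del password  # deliberately unused
        if len(username) != HEX_SHA512_LEN:
            return False
        if any(c not in "0123456789abcdef" for c in username):
            return False
        # Constant-time comparison per entry: each stored hash is itself a
        # bearer credential, so timing must not leak how much of it matched.
        return any(hmac.compare_digest(username, sold) for sold in self._sold_hashes)


if __name__ == "__main__":
    ledger = TokenLedger()
    token = ledger.sell_token()
    print("login ok:", ledger.authenticate(token_to_username(token), "any-password"))
    print("unsold token rejected:", ledger.authenticate(token_to_username("never-sold"), "x"))
```

What the model shows is exactly the decoupling the comment claims: the ledger can be dumped and still contains no token and no name. What it also shows is the cost of that design: the hashed token is the bearer credential itself, so a copy of the ledger is a list of valid logins and has to be guarded like a password database, and nothing in the scheme changes the fact that the server sees the connecting client's source address.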

Note that Astrill's desktop client does OpenVPN by default (not PSK).

For mobile, they tend to point folks towards a method of loading VPN profiles that uses L2TP-PSK, which would run into the problems @kennwhite points out above (not useful for sophisticated adversaries).

You can, however, install the OpenVPN mobile app, generate certificates on Astrill's servers, and install mobile VPN profiles using OpenVPN; here are instructions for iOS and Android.

(a neat side-effect is that OpenVPN is one of the few ways to use a TCP VPN on mobile!)

merlinnusr commented Aug 21, 2016

for blatant sexism

return to your safe space .

Owner

kennwhite commented Aug 22, 2016

merlinnusr: you left out the other half of that sentence -- insincerity; there is nothing but handwaving around their technical infrastructure and they thought it was hysterical to add adolescent slurs & jokes in their page on privacy and legal policies. I've updated the context above to make that more explicit. Considering that some who seek out VPN services include people at risk trying to circumvent dangerous regimes (including nations who persecute and kill LGBT people), I find that grossly irresponsible on DM's part, and yes, it's more than worthy of calling them out on it.

sitepodmatt commented Aug 30, 2016

This doesn't surprise me, especially PureVPN being listed.

PureVPN for a long period made their Windows client "no encryption / fastest" by default, despite advertising security everywhere and the website giving a false sense of security; this default was hidden away in advanced settings. I shudder at the potential ramifications this had and the people who were affected; given they are a Hong Kong company this should have been obvious to them. It's a shame they turned a blind eye to security, as some of the endpoint locations were very stable and performant, unlike some of the smaller VPN companies using slow OpenVZ low-cost VPSes.

I let the 1yr subscription lapse as it's not even suitable for the media center with such lax security. Just before it expired, though, they emailed me this, which made me smile:

"Please email us an image of your credit card's front at enquiry@purevpn.com (Please leave last 4 digits and your name visible, black out the rest). This is an absolutely safe procedure and only takes a minute or so. Plus, we promise to delete this image within 24 hours."

TraderStf commented Sep 6, 2016

I agree with @sitepodmatt. They also pretend to have hundreds of servers, IPs, etc., but if you check them, it's always the same ones used. Google the news/press releases/ads and you'll see how they cheat on the number of customers; it depends on the page, from a few thousand to several in a few months... You will also find tests in which they were almost every time the slowest VPN! Not to mention their money-back guarantee: 7 days but max 500 MB, clearly a well-hidden trap. They pretend to offer 24/24 support; I had to wait 1.5 days in the middle of the week, no holidays anywhere! Hosted on Incapsula, USA, ok well, but when you can contact them, it's always during USA daytime... being in HK or in fact SG, another lie, if you dig a bit...
In summary, run Forest, run...

Please merge the following fork. Added multiple VPNs and fixed spelling for Astrill.

onevpn : Enter OneVPN "password" and "Shared Secret" which is "123456789" then press "OK"

anonsubmitter commented Nov 25, 2016

Perfect-Privacy's pre-shared key is available on the server page in the member area of the website.
Source: https://www.perfect-privacy.com/howto/l2tpipsec-with-ios/

Proxy.sh's pre-shared key is "security"
Source: https://proxy.sh/panel/knowledgebase/117/L2TP-VPN-for-Linux-Ubuntu.html

VPNArea's pre-shared key is "vpnareaworks4u"
Source: https://vpnarea.com/forum/thread/l2tp-shared-key/

koenrh commented Nov 26, 2016

hide.me's pre-shared key is "hide.io".
Source: https://hide.me/en/vpnsetup/android/l2tp/

ExpressVPN's pre-shared key is "12345678".
Source: https://www.expressvpn.com/support/vpn-setup/manual-config-for-android-with-l2tp/

VyprVPN's pre-shared key is "thisisourkey".
Source: https://support.goldenfrog.com/hc/en-us/articles/203815556-VyprVPN-L2TP-IPsec-VPN-Setup-for-Android-4-X

Sacro commented Nov 26, 2016

PureVPN will accept password change requests over e-mail

[image]

sean9999 commented Nov 27, 2016

☝️ LMAO. Please spraypaint your desired password on your house, take a picture, and then take out an ad in the New York Times with that picture.

BunnyLL commented Nov 30, 2016

Yes, you probably are right. Some popular VPNs may be monitored and are no longer secure.
Check SkyVPN, it's brand new. https://play.google.com/store/apps/details?id=me.skyvpn.app

I'm curious what y'all think of TunnelBear. It's been around in the Mac community for a while but I'm unsure of its true secure nature.

Kenn,

Great information. Especially telling people to consider their threat model.

X8716e commented Mar 24, 2017

I'm late to the party, but I applaud your exposure of such utterly horrid practices by the great majority of VPNs. Please do continue such exposure of any and all services sold or freely distributed as 'secure' & 'private' under false pretenses.

pwnsdx commented Mar 25, 2017

@PacketSmuggler: Well, although I have nothing against Cryptostorm, they can still "log" you: you are still connecting to their servers with your IP address and your traffic is still routed through their servers.

@schutzsmith TunnelBear provides OVPN config files. While they don't appear to be distributing a light PSK, they are distributing a non-user-unique private key. You can take a look at that here: https://s3.amazonaws.com/tunnelbear/linux/openvpn.zip

freediverx commented Mar 30, 2017

This piece makes some very harsh yet vague accusations about the lack of security in VPN services in general. Reading between the lines, as well as through the comment section, I get the sense that the level of security depends largely on what software and protocols are used and to what degree you trust the service provider. But this still leaves the possibility that some VPN services, properly configured, can provide a reasonable level of privacy for online activity, assuming you're not being individually targeted by a sophisticated adversary.

The author's comments and background also suggest he is more on the side of content owners than end users in the ongoing battle between Draconian copyright laws and fair use. This is especially striking in his endorsement of US-based VPN providers over foreign-based ones, considering this goes against prevailing wisdom in security and privacy circles. Given this bias, I would take his recommendations with a large grain of salt.

@PacketSmuggler
I don't think your list gives a very good picture of how trustworthy a VPN is. There are VPNs where you can subscribe without any data, and even pay with bitcoins. If you use your VPN for all your data traffic, an ill-willed VPN could snoop it all, just like your ISP could and does. You pay and trust a VPN to provide you security on the web. Therefore their methods and reputation are your main concerns, like, for example, whether there are any examples of them getting hacked, or lawsuits where they refused to give bad-guy data to the FBI, which indicates that they protect their customers' data.
The only type of threat model I can imagine in which you are really concerned about the points you mentioned would be when you use a VPN for one very specific task and make sure you don't send any data over the VPN connection that could tell anything about you, like logging in to your email. And if that were the case, you are so paranoid or your threat model is so significant that you would use more secure channels like Tor and/or build your own VPN server.
So my conclusion is that your points are mainly related to ways to make their VPN service look badass, but that's it.

@kenkeiter Interesting find on TunnelBear; is there any documentation online illustrating how a non-user-unique private key could be used by an attacker?

Perhaps it would be nice to mention those providing a per-user PSK. No affiliation with them; I just tried a lot of them, wasting my time :o)

VPN Unlimited - 20 alpha-numeric characters.

gwt10 commented Jul 30, 2017

Lastly, a VPN Hall of Shame honorary mention goes to DoubleHop.me* on general principle for blatant sexism and utter insincerity. Their privacy/legal policy section includes LGBT slurs and literally has your-mom jokes.

lol, is that a priority for you? Or is this some PC rant you had to throw in there? Grow up.

As far as those commercial VPNs are concerned, I'm not trying to hide from the NSA or am that paranoid. Hiding from Comcast or any ISP will do just fine, thank-you-very-much.

Besides, using something like Tor will only attract attention from the NSA since they figure that just by you using it, you have something illegal to hide from anyway. They now have you in their sights.

X8716e commented Aug 12, 2017

Besides, using something like Tor will only attract attention from the NSA since they figure that just by you using it, you have something illegal to hide from anyway. They now have you in their sights.

The NSA, by that logic, is also scrutinizing the U.S. military since it's a major user of TOR. And yes, the NSA does do that, admittedly or not. It's the CIA's hacking team that now really needs to be considered, however, since its budget is larger than that of the NSA's in its entirety. It's also completely unbound by even what little law still applies to the NSA's activities. Or what little law supposedly still restricts it in any way, which is likely none. Still, likely none is possibly more than definitively none.

@gwt10 "Grow up" LOL how ironic

tasket commented Oct 17, 2017

I have to agree with the critics of this piece, which is indeed too vague to use as a basis for any decision. That leaves it in the category of scare mongering.

PIA, for example, recommends OpenVPN for security and offers a 4096-bit certificate to validate the host. There is no PSK for this option and each user authenticates with a unique passcode.

Non-OpenVPN connections are described on a "we also offer" basis along with security warnings:

The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one's IP address, censorship circumvention, and geolocation.
If you need encryption, please use the Private Internet Application or OpenVPN protocol with our service.
https://www.privateinternetaccess.com/pages/client-support/ios-openvpn-connect

On that basis, I have to doubt the overall quality of your "mini-rant".
