Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Most VPN Services are Terrible

Most VPN Services are Terrible

Short version: I strongly do not recommend using any of these providers. You are, of course, free to use whatever you like. My TL;DR advice: Roll your own and use Algo or Streisand. For messaging & voice, use Signal. For increased anonymity, use Tor for desktop (though recognize that doing so may actually put you at greater risk), and Onion Browser for mobile.

This mini-rant came on the heels of an interesting twitter discussion: https://twitter.com/kennwhite/status/591074055018582016

Again I strongly do not recommend using any of these providers.

Provider / known "Secret" Key

Astril / way2stars  
EarthVPN / earthvpn
GFwVPN / gfwvpn  
GoldenFrog / thisisourkey  
IBVPN / ibVPNsharedPSK!  
IPVanish / ipvanish  
NordVPN  / nordvpn
PrivateInternetAccess (PIA) / mysafety  
PureVPN / 12345678  
SlickVPN / gogoVPN
TorGuard / torguard 
TigerVPN / tigerVPN
UnblockVPN / xunblock4me  
VPNReactor / VPNReactor  

Yes, I know. Many/most of these offer OpenVPN, or special clients for IPSec. But for all of the above, they are actively placing a significant portion of their user base (particularly those with older Androids and desktops) at risk by not using per-user PSKs. If your threat model is streaming BBC or helping your cousin geo-shift Hulu, go wild and plug into the Mad Max-esque Thunderdome commons and take your chances. If you're a dissident in Tehran or Riyadh, be extremely cautious of any of these providers.

Lastly, a VPN Hall of Shame honorary mention goes to DoubleHop.me* on general principle for blatant sexism and utter insincerity. Their privacy/legal policy section includes LGBT slurs and literally has your-mom jokes. But even ignoring that, as of this writing, there is virtually zero technical information provided, only YouTube videos apparently intended for 10 year-old boys.

Moral of the story: Don't believe everything you read on, say, TorrentFreak and PCMagazine. And (crucially) think about your threat model—are you guarding against amateur WiFi snoops at Starbucks or Marriott? Reducing identity monetization profiling by ISPs (ie ad tracking)? Minimizing exposure to government surveillance? Trying to be anonymous online? If the latter, a VPN won't help much.

Citations:

https://www.google.com/#q=goldenfrog+thisisourkey Archive: http://archive.is/qlrLK

http://www.gfwvpn.com/?q=node/224 Archive: http://archive.is/EdpFV

https://www.vpnreactor.com/android_l2tp_ipsec.html Archive: http://archive.is/uwJvk

http://unblockvpn.com/support/how-to-set-up-l2tp-on-the-android.html Archive: http://archive.is/4To5Y

http://www.ibvpn.com/billing/knowledgebase/34/Set-up-the-VPN-connection-on-Android-handsets.html Archive: http://archive.is/srptW

https://www.astrill.com/knowledge-base/50/L2TP-IPSec-PSK---How-to-configure-L2TP-IPSec-on-Android.html Archive:http://archive.is/PZpRU

http://billing.purevpn.com/knowledgebase.php?action=displayarticle&id=33 Archive: http://archive.is/R4JTi

https://www.privateinternetaccess.com/pages/client-support/ Archive: http://archive.is/U1bkL

http://torguard.net/knowledgebase.php?action=displayarticle&id=58 Archive: http://archive.is/iKJjl

https://www.ipvanish.com/visualguides/L2TP/Android/ Archive: http://imgur.com/IQU1mdg

http://www.earthvpn.com/android-l2tp-setup-guide/ Archive: http://archive.is/roKtf

https://nordvpn.com/tutorials/android/l2tpipsec/ (scroll down) Archive: http://archive.is/BQumt

https://help.tigervpn.com/support/search/solutions?term=shared+secret+tigerVPN Archive: http://archive.is/xZ136

https://www.slickvpn.com/tutorials/ipsec-for-iphone/ and http://archive.is/h4rI9

*DoubleHop.me: Archive:http://archive.is/G11WQ and http://archive.is/MZgWE and http://imgur.com/Zn5HSIj

Copy link

ghost commented Oct 27, 2020

Hello,

Can you provide insight into perfect-privacy? I remember using them long, long before VPNs were thought of something for consumer use.

I also knew back then it was the preferred VPN by fraudsters. There are news articles about one there server locations being raided and them unable to find logs.

Thanks!

@dattapw
Copy link

dattapw commented Nov 25, 2020

Doublehop SCAM stole my money and blocked me.

22 Nov: I bought a yearly subscription for $33. I made a payment of 0.00176325 BTC to 18ZcmBksf9GEVxfABYUXUp39oryF7CJkHG for Order ID: 17uGMc. The order did not process.

I sent an e-mail to them. I sent them a WhatsApp message. They said they'd process my order by the weekend.

25 Nov: I pinged them back. They blocked me on WhatsApp.

Scammers took my money and ran away. DO NOT BUY FROM THESE PEOPLE.

@runboy93
Copy link

runboy93 commented Jan 5, 2021

I know this list might be old stuff already (?), but what about these ones, anything?

AzireVPN
IVPN
Surfshark

@upsangel
Copy link

upsangel commented Jan 13, 2022

I have been focusing on reviewing the VPN connection speed, it's surprising to read about the pre-shared key issues. I am wondering how to verify is it still a issue in 2022 as this gist was reported in 2016. Now most VPN provider advertise their Wireguard VPN mode. Will this implicitly resolve the disclosed pre-share key issue?

@suli903
Copy link

suli903 commented Sep 2, 2022

Many countries do not allow the use of VPNs, and it has to be said that the security of VPNs is an issue that many companies should consider.

@vpnfast
Copy link

vpnfast commented Sep 20, 2022

some VPNs sell your data connection to other customers.

@Toolreview
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment