Introduction
8 days ago I made this post asking for the most controversial privacy topics. My first post answering a controversial question got so few upvotes that it was almost my worst post to date. I don’t do these for upvotes, though. I do them for fun :)
So, with that, here is the second post demystifying some controversial privacy topics. @[email protected] asked “VPN: essential or snake oil?”
I try to avoid topics that have been thoroughly answered multiple times, or that have such a direct answer that it would be too short to make a post about. This topic is a bit of both, but it is worth writing anyway, because I do have my own insights.
Some people didn’t like that I break the main question down into multiple sub questions. It is valid criticism, but it’s my style of writing, so I will stick to what I’m good at.
What does a VPN do?
A Virtual Private Network (abbreviated “VPN”) is a way of proxying your internet traffic through a third party. There are many reasons why you would want this:
Hiding your IP address: VPNs will replace your IP address with a random IP address assigned by the VPN provider. IP addresses are unique to your router, meaning you can be uniquely identified. IP addresses are usually static, meaning they never change, but sometimes your ISP may assign you a dynamic IP address, which will change every few months or so. If you open up ports on your router (for various purposes), it can leave your network vulnerable to certain attacks as long as the attackers know your public IP address.
Hiding your location: Your IP address can narrow your location down to the city you live in. In some cases, such as shared Wi-Fi (like on a college campus) or public Wi-Fi, the IP address can be more easily identified to the specific block or building you are in. Any internet connection made can see your IP address, and can automatically use that to attempt to locate you.
Encrypting your traffic: VPNs can allow your traffic to be encrypted, so that your ISP or other people connected to the same network can’t see which sites you visit or (in some cases) what data is sent. The reasons why this is important are too long to list, but you can work it out on your own.
Network based ad blocking: Some VPN providers allow you to block ads before they even reach your device, which can increase your loading times and save you data on metered connections. This can be achieved without a VPN through your own DNS filters, but it is a feature of VPNs too.
Access blocked content: VPNs can be used as a way to bypass censorship if your network regulates your traffic (such as at an office or school). A VPN can bypass these restrictions, allowing you to access content freely.
Accessing region-specific content: Content on streaming services such as Netflix, video sharing sites such as YouTube, or many other services may restrict what content is available to you based on your country. A VPN can allow you to bypass these restrictions in some cases.
Those can all be ways to enhance your privacy, security, anonymity, and freedom while browsing the internet. VPNs do come with some downsides, though.
What are the downsides of using a VPN?
When you browse the internet without a VPN, you are placing your trust in your ISP or cellular provider to uphold your privacy, and placing trust in the network devices such as your router to uphold your security. In practice, that is almost never the case. Using a VPN doesn’t automatically make it more trustworthy, but it does place that trust in the hands of your VPN provider instead. Some VPN providers are more trustworthy than others, but there are good options to choose from. You still have to trust an entity to uphold your privacy and security, but VPNs can be a much better place to keep that trust.
Not everyone may want to use a VPN though. Besides distrust, VPNs have other downsides. VPNs will slow down your internet speeds, may block certain functions such as torrenting, and may incriminate you in some countries. Ultimately, the choice to use a VPN is yours.
If you believe the upsides outweigh the downsides, then a VPN is a good tool to have. If your threat model requires anything a VPN provides, it’s an essential tool. Some functions of a VPN can be achieved through careful setup of DNS filtering and an elite (high-anonymity) proxy, but a VPN will always be the easiest option.
Which VPN providers are the best?
There are currently 3 top VPN providers for privacy. All of them are open source, and all of them have their pros and cons. I haven’t listed every feature for each, but here are the notable differences:
Proton VPN
Proton VPN provides a free tier with some functionality limited, as well as a premium tier if you have a Proton subscription. If you already have a Proton subscription and don’t mind putting all your eggs in one basket, Proton VPN is a good option.
Mullvad VPN
Mullvad VPN is probably the most private VPN available. It is only paid, but it allows you to pay any way you want, including cash and cryptocurrencies. No signup is required, because you are given a randomly generated account number for payment. You can regenerate the number at any time.
IVPN
IVPN is unique and relatively unknown. The main benefit I see is that it is the only VPN of these three that is available on Accrescent for Android, allowing you to have extra confidence in the integrity of the app. Eventually Mullvad VPN and Proton VPN will be available on Accrescent.
These VPNs will uphold your privacy and security, and won’t log your internet traffic. Some VPN providers in the past have aided law enforcement by handing over such logs, so it is good that these don’t keep them.
Conclusion
VPNs can be an essential tool if you need them, and there are options that respect your privacy. Always be aware of the risks, no matter how trustworthy a VPN provider may be. Thank you for reading!
- The 8232 Project
You missed one big downside of using a VPN: many websites and services will block you even if you are using them 100% legitimately just because they don’t want to trust any traffic coming from a VPN.
Is that true though? I use an always-on VPN (one of the 3 mentioned) and never had issues. I have more problems with Firefox/Fennec and adblocking add-ons. I am in Europe, so is this more a US issue? I get blocked sometimes because of GDPR.
If you do anything involving commerce, VPN isn’t gonna work.
Most online stores are gonna flag all transactions because the IP is “suspicious”.
Banks might not let you log in.
Well, if you are doing transactions with credit or debit, it’s already tied to your identity, so you might as well turn off the VPN.
Accessing region-specific content doesn’t work as well as it once did with some services actively blocking access from public VPN services nowadays.
Windscribe has a plan where you can pay for an IP address dedicated to you, but this takes away the advantages a shared IP may have.
Proton VPN is no log…
But they have and will turn over your real IP address from your ProtonMail account if legally ordered to.
As would any company. They are bound by their local laws.
Which is why it’s better they do everything to not have that data, or at least not have it accessible. Proton could be doing a lot more to make the information not available to them.
What are some of the things they should make inaccessible to themselves?
Yeah.
OP suggests the ease of use for just using ProtonMail and ProtonVPN all bundled together.
Maybe don’t do that. Maybe use Proton VPN, but find a separate and/or more secure email provider.
Tuta, Mailfence, StartMail are all comparably secure compared to ProtonMail.
Posteo is possibly more secure/safe from a legal subpoena in that they claim to not log IPs, and they claim they anonymize your account from your payment method… though I have not researched it enough to personally say yes they do this and it actually works to prevent the legal info request situation.
EDIT: Also, just to throw this in, another weird thing about IVPN is that they are actually legally based in Gibraltar, which puts it in a fairly weird legal situation where it does not appear to be totally clear how a legal request for data from them would actually be processed.
The real problem is email is not a private communication medium or at least not easily
We hope some day that something like darkmail will actually be a reality, until it is we recommend folks not use it as much as possible,
Though for when that is necessary a more private and secure email provider is a worthwhile thing to use, as much as anything like it can exist.
solution: use their tor hidden service instead. It’s for exactly that
So Swiss court can compel a company to start logging IP addresses even if they don’t do it normally.
That’s really bad.
Another point is that VPN providers are likely to be a target for authorities. So you’re actually potentially more likely to get monitored by police
There is also the risk that the owners of a VPN provider might change hands at any time, or get taken over by police
Finally, there is a possibility that the VPN provider might get hacked and then all your traffic is getting monitored
They’re basically useful for geo blocking and unprotected public wifi networks, bad ISPs or connecting to your home system.
But they don’t automatically make you safe
If it wasn’t for the fact that in the UK internet connections are logged I probably wouldn’t bother with a VPN.
It really annoys me that a government choice is forcing me to be wasteful.
I really appreciate this post since I think many discussions about VPNs are misleading or treat them as a magic solution to all problems.
I think you’ve given a fair outline of what a VPN is.
But, being the Internet, I have a few thoughts,
Hiding your IP address: VPNs will replace your IP address with a random IP address assigned by the VPN provider.
I don’t think the word “random” is needed. The IP address a VPN assigns is no more random than the IP address your ISP assigns. I think someone could see random and assume more security, which would be incorrect.
IP addresses are usually static, meaning it never changes, but sometimes your ISP may assign you a dynamic IP address, which will change every few months or so.
Last I knew ISPs still charged for static IP address, so most would be dynamic. Although often times a dynamic IP address is de facto static, since an ISP will never change it.
If you open up ports on your router (for various purposes), it can leave your network vulnerable to certain attacks as long as the attackers know your public IP address.
I think this should be a separate bullet point, since this is clearly security and not privacy. I think as a security point it needs further discussion. Really I imagine this only comes up in peer to peer connection scenarios. I don’t know if the denial of service attacks of old are still relevant.
Encrypting your traffic: VPNs can allow your traffic to be encrypted, so that your ISP or other people connected to the same network can’t see which sites you visit or (in some cases) what data is sent. The reasons why this is important are too long to list, but you can work it out on your own.
I think it’s important to clarify who you are encrypting your traffic from. Generally your traffic is already encrypted. DNS is often not encrypted.
These are very valid points, thank you! I have some thoughts of my own, as well:
The IP address a VPN assigns is no more random than the IP address your ISP assigns
I probably should have clarified this. Free versions of VPNs change your IP with nearly every time you disconnect and reconnect, often finding the fastest one. Paid versions may allow you to select one yourself, or choose truly randomly.
Last I knew ISPs still charged for static IP address, so most would be dynamic.
I heard the opposite. If you find out any information about this, please let me know!
I don’t know if the denial of service attacks of old are still relevant.
Technically yes, but not from just spamming the `ping` command. Thanks!
Re random IPs,
Sure, but my point is there is no such thing as a “truly random” IP address. You receive an IP from your ISP or VPN provider, that provider has a pool of IP addresses. Dynamic means you get one from the pool. Static means you get the one reserved for you, from a similar pool. The security/privacy benefits are nearly zero and not worth highlighting as an advantage.
Re static IP,
https://nordvpn.com/blog/static-ip-vs-dynamic-ip-address/ says,
Costly. Static addresses usually cost more for ISPs and consumers than dynamic IP addresses.
If you attract the attention of the authorities and you use a residential connection with multiple users, they will have a difficult time conclusively establishing who did what.
If you use a VPN it’s likely to be a lot easier (single user, paid with personal card, etc) and it looks like you’re trying to hide so the penalty may be higher.
Eh. IPv6 might make individual devices unique. I mean, I’m no expert in how IP addresses work. But it used to be that every device on a network shared an IPv4 address, but with IPv6, every device now has a different IP.
The article does not explain the primary design purpose of a VPN – providing an encrypted tunnel into or between two private subnets.
For example, your home subnet is typically all 192.168.nnn.nnn addresses – a class of addresses which the wider internet does not route, and which your router/modem does not allow the wider internet to access unless explicitly permitted.
Say you have a NAS on your home network, and you want to access it from your laptop while at a cafe; you could set up a VPN between your laptop and your home router, and it can make your home network appear as your local network to your laptop, giving you access to your NAS.
Or between two office locations of a business – their database servers, accounting systems, printers, etc can all be freely accessible between offices without being exposed to the wider internet.
Do services such as Mullvad let you do this somehow?
Most mass-marketed VPN services (the type marketed for accessing the internet) allow you to VPN into their private subnet where the thing you can access is their gateway router (which you use in place of your home gateway router/modem for connecting to the internet). You don’t need a VPN service to use VPN software between two points you control.
A VPN is just a way to say “wrap up my normal internet packets and ship them somewhere specific before they continue the normal way.” The normal way is you want to get a message to some other server, and as a part of setting up the network you’re on, your machine should already have a list of other devices it’s physically connected to (“physically” could be “via radio waves” so not just wired) and they should have already advertised “hey, I’ve got access to these places too” for your information. Your router is likely the only one in your home network advertising anything that is on the larger internet, so all your outgoing messages will have to go that way to get to their destination. For example, I’ve got a phone, a wifi access point, a router, and my ISP’s box; my phone knows the WiFi access point is two hops away from internet because the access point said so, that’s the best one it can see, so it sends it that way and hopes it makes it. Each machine in between does the same thing until hopefully it gets where it is supposed to.
With a VPN, the same messages are wrapped in a second message that is addressed to the other end of the VPN. When it gets to the VPN provider, it’s unwrapped, then the inside message is sent off to wherever it’s supposed to go. If a message comes back to the VPN provider addressed to you (ish, this is simplifying a bit), it’s wrapped up the same way and sent back to you.
Big companies often put resources “behind” the VPN, so you can’t send messages from the outside addresses to the office printer, they’ll get blocked, but you can request a connection to the VPN, and messages that come in through that path do get allowed. The VPN can be one central place where you make sure everything coming in is allowed, then on the other side the security can be a little less tight.
VPNs also encrypt the internal message as a part of wrapping them up, which means that if you’re torrenting via a VPN, all anyone else can see is a message addressed to your VPN provider and then an encrypted message inside. And anyone you were exchanging messages with only ever saw traffic to and from the VPN provider, they never saw where it was going after your VPN provider got it. Only you and the VPN provider know what was happening on both ends, and hopefully they don’t look too closely or keep records.
Hopefully now it’s clear that Mullvad and similar won’t help you access your own things from outside, they’re only good for routing your stuff through them and then out into the rest of the internet. However, this isn’t secret magic tech: you can run your own VPN that goes in the other direction, allowing you into your own home network and then able to connect to things as if you were physically there. Tailscale is probably the easiest thing for things like that nowadays, it’ll set up a whole system where your devices can find each other and set up a mesh of secure, direct connections no matter where they are physically located. By default, just the direct device-to-device connections are re-routed, but you can also make a device an “exit node” that can route all your traffic like a traditional VPN.
Of course, that will be the exact opposite of what you want for privacy while torrenting, as it’s all devices that you clearly own and not hiding their identities whatsoever. But it’s very cool for home networking and self-hosting stuff.
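The wrapping described in the comment above, as an added example that is not part of the original thread. It models a tunnel in a few dozen lines: the inner IP packet (real destination, HTTP request) is encrypted and tagged, then wrapped in an outer packet addressed to the VPN server, so an on-path observer sees only client-to-VPN traffic of some size. Addresses come from documentation ranges, the session key is constructed, and the SHA-256 keystream plus HMAC is a stand-in for the AEAD a real VPN uses, not a cipher to reuse.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample addresses from documentation ranges, not real hosts.
CLIENT_PUBLIC_IP, VPN_SERVER_IP, WEB_SERVER_IP = "203.0.113.7", "198.51.100.1", "192.0.2.10"
PROTO_TCP, PROTO_UDP, IPV4_FMT = 6, 17, "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a minimal IPv4 header; the header checksum is left zero for brevity."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(packet: bytes) -> dict:
    """Return the fields anyone on the path can read from an IPv4 packet."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": packet[20:total_len]}

def xor_stream(data: bytes, key: bytes, nonce: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); real VPNs use an AEAD."""
    ks = b"".join(hashlib.sha256(key + struct.pack("!QQ", nonce, i)).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def encapsulate(inner: bytes, key: bytes, nonce: int) -> bytes:
    """Client side: encrypt the whole inner packet, tag it, address it to the VPN server."""
    body = struct.pack("!Q", nonce) + xor_stream(inner, key, nonce)
    payload = body + hmac.new(key, body, hashlib.sha256).digest()
    return ipv4_header(CLIENT_PUBLIC_IP, VPN_SERVER_IP, PROTO_UDP, len(payload)) + payload

def decapsulate(outer: bytes, key: bytes) -> dict:
    """VPN side: check the tag, decrypt, and recover the inner packet's real destination."""
    payload = parse_ipv4(outer)["payload"]
    body, tag = payload[:-32], payload[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: packet modified in transit or wrong key")
    return parse_ipv4(xor_stream(body[8:], key, struct.unpack("!Q", body[:8])[0]))

def observer_view(outer: bytes) -> dict:
    """What the ISP or cafe Wi-Fi sees: outer addresses and an opaque size, nothing else."""
    hdr = parse_ipv4(outer)
    return {"src": hdr["src"], "dst": hdr["dst"], "proto": hdr["proto"],
            "opaque_bytes": len(hdr["payload"])}

def demo() -> tuple:
    """Tunnel one HTTP request; return (observer's view, what the VPN endpoint recovers)."""
    key = hashlib.sha256(b"constructed session key").digest()
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    inner = ipv4_header("10.8.0.2", WEB_SERVER_IP, PROTO_TCP, len(request)) + request
    outer = encapsulate(inner, key, nonce=1)
    return observer_view(outer), decapsulate(outer, key)

def tamper_is_detected() -> bool:
    """Flip one encrypted byte in transit; the VPN endpoint must refuse the packet."""
    key = hashlib.sha256(b"constructed session key").digest()
    inner = ipv4_header("10.8.0.2", WEB_SERVER_IP, PROTO_TCP, 4) + b"ping"
    outer = bytearray(encapsulate(inner, key, nonce=2))
    outer[40] ^= 0x01  # inside the ciphertext (bytes 28..51 of the outer packet)
    try:
        decapsulate(bytes(outer), key)
        return False
    except ValueError:
        return True
```

Running `demo()` shows the observer's dict holding only the client and VPN addresses and 98 opaque bytes, while the VPN endpoint recovers the destination 192.0.2.10 and the Host header; the same structure is why the provider, and only the provider, sees both ends.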
- making the introduction about the topic itself
- today, all traffic is encrypted. You do not need a vpn for that. Even if you wouldn’t use TLS, using a vpn wouldn’t make it much more secure.
- just address that IPs can be static or dynamic. There are many different cases and you exclude them.
- just because the ip is hidden, you may still reveal your location by other means.
- i am still in charge of my privacy, vpn only hide ip. All other personal identification methods are still valid.
- if you need to be anonymous, VPNs aren’t the best tool for it, which is the controversial part about VPNs. If you just want to torrent, you have to use VPNs in many locations. VPNs are useless if you log in to services.
making the introduction about the topic itself
This is not necessary for what I am trying to achieve.
today, all traffic is encrypted. You do not need a vpn for that. Even if you wouldn’t use TLS, using a vpn wouldn’t make it much more secure.
You’ll find that a lot of it is not encrypted, namely DNS and background calls. Windows especially is bad about this. MITM attacks aren’t hard, either. I worked as a penetration tester in network security.
just address that IPs can be static or dynamic. There are many different cases and you exclude them.
I am trying to be as informative as possible, and it is a relevant and interesting issue.
just because the ip is hidden, you may still reveal your location by other means.
I never claimed otherwise.
i am still in charge of my privacy, vpn only hide ip. All other personal identification methods are still valid.
I never claimed otherwise. A VPN does more than just hide your IP address, though.
if you need to be anonymous, VPNs aren’t the best tool for it, which is the controversial part about VPNs. If you just want to torrent, you have to use VPNs in many locations. VPNs are useless if you log in to services.
VPNs can help with anonymity, but don’t on their own make you completely anonymous. VPNs are also still valid, even when you log into services, if you haven’t tied those services to any real data.
If you would like me to go into more detail about any of these, I am happy to. Otherwise, you are free to write your own post about VPNs.
Cheers!
Thanks. That was a good summary, and I appreciate that you brought up threat models.
People should think about what kinds of threats are worth their time and money. If that list of threats contains something where a VPN can help, you should totally consider getting a VPN. If your threat model doesn’t include things like that, VPN might not be the solution you’re looking for.
Bringing up trust was another good point. People should think about how much they trust their ISP or some VPN company. Obviously, you can’t trust every VPN company out there, but where you draw the line is closely connected to your threat model. For example, if you are a journalist in a dangerous country, picking the right company is a matter of life and death. If you are in a safer environment, your threat model is probably very chill by comparison, so you might be fine with some less secure options.
Opinion: Your low up-vote counts are due to post length. Post these in a blog, bullet key points on Lemmy with a link. Watch up-votes soar.
Removed by mod
Is there research showing that DPI spoofing actually stops DMCA takedown notifications from ISPs, or is this anecdotes and vibes?
This will have no effect on torrenting or other P2P protocols. Your IP address will still be out there.
I’ve never heard of DMCA warnings based on DNS requests. That doesn’t really make sense.
I guess they’re confusing Tor with Bittorrent.
Why would you be worried about your ISP seeing your DNS requests unless you’re using a VPN?
You could have a completely private way of running DNS requests, and then what difference would it make when they just see you connect to that address immediately afterward?