1. 44
    1. 5

      The author clearly states “glorified proxy” and not just proxy. This clearly indicates that he or she is talking about the way it is being used, not about what it technically is down to the nitty-gritty details. And frankly, I agree that if a VPN is used in the way it was described, a VPN is in fact a glorified proxy.

      Furthermore: You can still log traffic while “merely being a conduit” and the amount of traffic which flows through a VPN is usually not that much at all. I think they can certainly log and store all that traffic, given that a 3TB hard disk (Toshiba P300) costs about $70. As the upper speed limit is 500 Mbit/sec and the write speed of said HDD is 118 MByte/sec (so 944 Mbit/sec), and the fact that the data volume of my fiber connection at home for the previous month is 539 gigabytes (yes, I am a heavy user), it would not be feasible to store all of my home traffic, but I am pretty certain that if I were to use a VPN service on a single endpoint, it would be feasible to log and store that.

      So I am not that impressed with the reply.

      In fact, the only redeeming point for me was that they mention that you can connect to their servers through a proxy-service.

      1. 1

        Furthermore: You can still log traffic while “merely being a conduit”

        Not a lawyer, but reading the links to EU directives and judgements provided by AirVPN, it really appears they are not allowed to.

        1. 6

          No, if that is what they conclude, then they are selectively shopping in all the legal documents and court cases that have been fought over the last 25 years by European ISPs.

          Courts have ruled multiple times that the “we are just a conduit” argument does not hold in many cases. One such case is anti-piracy legislation, where you can be a conduit, but have to enforce the three-strikes rule (France) or have to block and redirect traffic to and from certain domains and IP addresses (The Netherlands). There is also a legal requirement for all providers to log all traffic for at least a year, into a system for law enforcement. This has to be done, despite being “just a conduit”, due to the same European legislation.

          The only real “conduits” as far as European laws are concerned, are the Tier 2 and Tier 1 providers that connect other providers, but you simply have to assume that every provider that can sell to consumers or businesses will have a legal requirement to log all the traffic that moves to and from the public networks.

          But I’d love to see the outcome of the legal battle of a case which actually involves a VPN provider, though I would not be surprised if the outcome is the same as for ISPs.

      2. 3

        [Statement] You’re still connecting to their service from your own IP, and they can log that.

        [Response from AirVPN co-founder] We provide our users with any tool to never make their “real” IP address appear to our servers.

        I am curious what the tool is, how it works and if it provides good throughput and latency when used. (Also, why is ‘real’ put in quotes?)

        To be frank, I don’t find the response interesting: There are a lot of claims which try to rebut the original post’s statements, but without providing many details.

        1. 2

          I’m not sure it is possible to never make their “real” IP address appear to their servers. But it is possible to send fake traffic to these servers, but even in that way, outgoing packet size won’t be anywhere near incoming packet size. Even if you generate fake traffic with the OpenVPN client to the server, there would be a way to deanonymize the user with AS numbers (providers).

          Just an idea:

          To be sure a VPN provider really respects privacy, provider needs to only allow traffic from Tor.

      3. 11

        Is “Set up your own” really great advice? Administer a server and trust yourself to correctly configure a VPN service? Yeah, no thanks. It doesn’t even give you the advantage of fighting IP geolocation since your VPS provider will probably assign you a static IP.

        My advice on VPNs would be “Don’t use VPN services that require you to make an account”. You don’t need an account for a VPN, just look at Mullvad. I trust Mullvad to keep me safe from copyright letters more than my ISP.

        1. 11

          It’s almost impossible to misconfigure WireGuard, bar some absurd mistakes like publishing your server’s private key. Generate a WireGuard key pair on the client and the server, copy the corresponding public keys to the other machine, and you’re done. No ciphersuites to choose from, no key size to configure, nothing. And you now have a private tunnel (truly private!) with virtually zero performance overhead. WireGuard is less chatty than most, so it works well with intermittent disconnections too.
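The key exchange described in this comment, as an added shell example that is not part of the thread or of WireGuard itself: one key pair per peer, only public keys cross machines, and a check that neither rendered config contains the other side’s private key (the “absurd mistake” mentioned above). The endpoint name, tunnel addresses and port are assumptions; when `wg(8)` is not installed the script falls back to clearly labelled placeholder strings instead of real keys so it can be read offline.

```shell
#!/bin/sh
# Added example (not the commenter's code): render a two-peer WireGuard tunnel.
# Real keys come from wg(8) when available; otherwise CONSTRUCTED placeholders
# are used so the config rendering can be inspected without WireGuard present.
set -eu

SERVER_ENDPOINT="vpn.example.net:51820"   # assumed public endpoint of the server
SERVER_TUN="10.7.0.1/24"                  # assumed tunnel address of the server
CLIENT_TUN="10.7.0.2/24"                  # assumed tunnel address of the client

# gen_keypair NAME: print "<private> <public>" for one peer.
# The private key never needs to leave the machine that generated it.
gen_keypair() {
  if command -v wg >/dev/null 2>&1; then
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
  else
    # Constructed placeholders, NOT real keys; shape only.
    priv="PLACEHOLDER_PRIVATE_KEY_FOR_$1_NOT_A_REAL_KEY="
    pub="PLACEHOLDER_PUBLIC_KEY_FOR_$1_NOT_A_REAL_KEY="
  fi
  printf '%s %s\n' "$priv" "$pub"
}

# server_conf SERVER_PRIV CLIENT_PUB: the server only ever learns the client's public key.
server_conf() {
  cat <<EOF
[Interface]
PrivateKey = $1
Address = $SERVER_TUN
ListenPort = 51820

[Peer]
PublicKey = $2
AllowedIPs = ${CLIENT_TUN%/*}/32
EOF
}

# client_conf CLIENT_PRIV SERVER_PUB: the client routes everything through the tunnel.
client_conf() {
  cat <<EOF
[Interface]
PrivateKey = $1
Address = $CLIENT_TUN

[Peer]
PublicKey = $2
Endpoint = $SERVER_ENDPOINT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# check_no_private_leak CONF OTHER_PRIV: succeeds only if the other peer's
# private key does not appear anywhere in this config.
check_no_private_leak() {
  ! printf '%s\n' "$1" | grep -qF "$2"
}

# Stand-alone demo: generate both key pairs and print both configs.
demo() {
  sp=$(gen_keypair server)
  cp=$(gen_keypair client)
  echo "# --- server.conf ---"
  server_conf "${sp% *}" "${cp#* }"
  echo "# --- client.conf ---"
  client_conf "${cp% *}" "${sp#* }"
}
demo
```

The two `AllowedIPs` values are where the trust boundary sits: the server accepts only the client’s tunnel address from that key, and the client sends everything to the server. Anything beyond the keys (DNS, MTU, firewalling) is deliberately left out because the comment’s point is that none of it is needed for the tunnel itself.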

          1. 5

            I agree with your take for the general public, but I think managing a self-administered VPN is within the capabilities of anyone reading this comment.

            With base OpenBSD and maybe 20-30 lines between configuring iked and deploying an X.509 CA with ikectl, there’s little to screw up. This doesn’t solve the trust problem vis-a-vis one’s cloud provider, but if you’re avoiding known bad actors, this mitigation alone serves to decentralize your footprint to those engaged in surveillance capitalism.

            1. 5

              WireGuard is pretty straightforward to set up as well.

              1. 1

                I never got iked working. It’s a pain point to this day.

              2. 2

                I think “Set up your own” is great advice when you have enough budget.

                Because if your current VPN provider doesn’t host their servers themselves, you are decreasing the number of providers that you need to trust. But also, it is really important to choose the right VPS provider.

                1. 1

                  Every commercial VPN charges similar amounts to a bottom-of-the-line VPS on DigitalOcean, which I thought was sufficient to run a VPN.

                2. 2

                  What about ProtonVPN? A lot of people here seem to be using ProtonMail, so I’m curious if this other service is trustworthy too?

                3. 9

                  The author’s points, while valid, assume that VPNs are only used by people who want to remain anonymous.

                  VPNs are heavily used for censorship circumvention in situations where people don’t care much about anonymity, but want to get around restrictions put on them by their ISP.

                  1. 9

                    I think the author misses a critical point about VPN providers and why some of us use them: You choose and control who could potentially snoop on you.

                    Would you rather trust coffee shop wifi or a provider whom you’ve researched, feel is “good enough” for your needs, and are in a customer/service provider relationship with? Do you trust your ISP to shield you from p2p nastygrams or do you trust a foreign vpn provider who has a track record of not caring?

                    It’s about choice and trust. Trust isn’t all or nothing; you should know how much you trust your provider and with what.

                    1. 3

                      Would you rather trust coffee shop wifi or a provider whom you’ve researched

                      I trust my local coffee shop more than any tech company!

                      1. 1

                        But, do you trust the people who accessed your local coffee shop network?

                        1. 1

                          It was a joke, but yeah, that’s what SSHing into my home computer is for.

                          1. 2

                            I was thinking “is he making jokes?” and just looked into your comments, and you seem serious to me. So, sorry about my lack of sense of humour.

                            That’s what SSHing into my home computer is for.

                            Seems like not a huge problem because SSH warns you when fingerprints change.

                            1. 2

                              Hehe, no worries. I enjoyed the article; thanks for posting it.

                              A while back I quipped that “VPN is just SSH for suits”; I have honestly never used a VPN because I still can’t figure out what the point is if you already know how to use SSH.

                              1. 2

                                Reason to use a VPN like IPsec rather than OpenSSH’s SOCKS proxy: better compatibility, lower overhead.

                                Compatibility: IPsec or similar VPNs are mostly transparent to applications. Not every program is happy out of the box to talk over a SOCKS proxy. Offhand I’m not sure if ssh’s SOCKS proxy can be used for UDP protocols. (You can use socksify or something to shove all TCP sockets over a particular SOCKS proxy, but IME it isn’t reliable.)

                                Overhead: not all that bad, but just mentioning it for completeness: you can get some head-of-line blocking delays if there’s any packet loss between you and the sshd. Something like IPsec won’t unduly delay packets if some arrive out of order. (Also, not sure if this is accurate, but I’ve read somewhere that OpenSSH has some throughput limitation on long fast networks. You probably don’t run into that though.)

                                Btw, not picking on OpenSSH here, just mentioning it by name because it’s the ssh impl you’re most likely to use these days and the only ssh impl I’m happy to trust.

                                This isn’t to say don’t use ssh SOCKS as if it were a tiny VPN, I have done that plenty of times myself, just outlining valid reasons one might want the more complicated solution instead.

                                1. 2

                                  Thanks for the technically correct answer. =)

                                  I guess what I really meant was more like “I’ve never wanted to tunnel a network connection made from a program that isn’t a browser or running over an SSH connection” which is slightly different.

                                  Now I’m having trouble thinking of any such networked program I use at all other than games. I guess VLC, but apparently that supports SOCKS too. I’m sure they exist; I just don’t have any use for them. =)

                      2. 2

                        You choose and control who could potentially snoop on you

                        I think this is a very good point. Your ISP generally has to be in your country, and as such may be bound by laws requiring them to censor certain sites or to log data or metadata. You can’t choose a foreign ISP, but you can choose to use a VPN provider in a different jurisdiction.

                        1. 1

                          Yep, and those are exactly the two use cases where the author says a VPN is reasonable. It’s too bad the author chose to be dogmatic and pooh-pooh those two cases instead of just admitting that their advice isn’t universal.

                        2. 5

                          I dislike how GitHub is being used as a blog by so many; I dislike GitHub entirely, however, so that’s just one of many points I could make.

                          Use Tor. It’s telling the author never mentions Tor; I’m inclined to believe the author isn’t qualified to write about this topic.

                          1. 3

                            Use Tor. It’s telling the author never mentions Tor; I’m inclined to believe the author isn’t qualified to write about this topic.

                            Tor requires more discipline to get what you want out of it, and many exit nodes are on block lists, making day to day browsing kind of troublesome.

                            VPN companies, on the other hand, often sponsor popular YouTube channels, and make other large ad buys, giving them reach far beyond tech audiences who might understand better how to work around some of the Tor problems. In other words, targeting VPN providers provides far greater bang for your, proverbial and literal, buck.

                            1. 7

                              The amount of discipline required to “get what you want” out of Tor is all the same as the discipline required to get the same thing from any other VPN provider: anonymity in the face of a determined adversary. It’s just that Tor’s documentation and default configuration are designed for such an adversary, while most VPNs are designed for an apathetic adversary that’s willing to store your IP, but not willing to deal with the hassle and potential false positives of fingerprinting.

                              1. 3

                                Tor requires more discipline to get what you want out of it

                                If “what you want” == “just hide the dang home IP address”, it doesn’t require much. Just start it and set it as the proxy in Firefox. And, yes, it requires a bit more patience for the captchas and crap, but it’s really not that bad.

                                1. 2

                                  I don’t believe “hide my IP address” is what most people are told they want out of a VPN.

                                  1. 3

                                    Well, people are told very vague “privacy” and “encrypt your internet” stuff, but realistically, as a normal person (i.e. “Not Snowden”) you want two things:

                                    • prevent your ISP from logging which websites you visit
                                    • prevent the websites from getting your IP address (and looking it up on GeoIP, etc.)

                            2. 2

                              Which raises the interesting question: how could a VPN provider prove they aren’t logging anything?

                              1. 1

                                They can’t, even if they have provided SSH access to their servers, because it is possible to implement rootkits.

                                1. 1

                                  This is not a proposal, just the first things that come to mind:

                                  Suppose they show you a widely used VM base image + a script to build ‘their’ VM image from it, plus proof that a generic service / provider is used to serve those images. They pay for a trustworthy 3rd party (the EFF?) to vet their systems and e.g. publicize fingerprints of machines they have verified as consisting only of those images.

                                  How much trust would you then be able to place in them?

                                  More generally, what can service providers prove ‘beyond reasonable doubt’ in relatively simple ways?
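One way to make the “published fingerprints” idea in this comment concrete, as an added Python example that is neither the commenter’s nor any provider’s code: an auditor measures a known base image together with the provider’s build script, publishes the resulting fingerprint, and a user compares what a machine reports against that list. Every image, script and name below is a constructed placeholder, and the measurement layout (a label-prefixed SHA-256 per input, chained in order) is this example’s own choice, not a standard.

```python
# Added example (not from the thread): reproducible-image fingerprints as a
# trust anchor. All inputs are CONSTRUCTED placeholders.
import hashlib

def measure(data: bytes, label: str) -> str:
    """SHA-256 over a domain label plus the content, so a base image and a
    build script that happen to share bytes still measure differently."""
    h = hashlib.sha256()
    h.update(label.encode() + b"\0")
    h.update(data)
    return h.hexdigest()

def machine_fingerprint(base_image: bytes, build_script: bytes) -> str:
    """Fingerprint of a VM built from base_image by build_script: the two
    measurements chained in a fixed order (the same shape a TPM PCR uses)."""
    base = measure(base_image, "base-image")
    script = measure(build_script, "build-script")
    return hashlib.sha256((base + script).encode()).hexdigest()

def publish_fingerprints(auditor_inputs):
    """What the third party would publish after vetting: a mapping from
    fingerprint to the (image name, script name) pair it verified.
    auditor_inputs is an iterable of (image_name, image, script_name, script)."""
    return {
        machine_fingerprint(image, script): (image_name, script_name)
        for image_name, image, script_name, script in auditor_inputs
    }

def verify_machine(reported_fingerprint: str, published: dict):
    """User-side check: the pair the auditor vouched for, or None if the
    machine reports a fingerprint the auditor never saw."""
    return published.get(reported_fingerprint)

# --- constructed sample data --------------------------------------------------
BASE_IMAGE = b"placeholder-generic-vm-image-v1"          # stands in for a public base image
BUILD_SCRIPT = b"install wireguard\nenable wireguard\n"   # provider's published build script
# A build that quietly adds an extra component: same base image, changed script.
TAMPERED_SCRIPT = BUILD_SCRIPT + b"install extra-logging-daemon\n"

PUBLISHED = publish_fingerprints([
    ("generic-image-v1", BASE_IMAGE, "provider-build.sh", BUILD_SCRIPT),
])

if __name__ == "__main__":
    honest = machine_fingerprint(BASE_IMAGE, BUILD_SCRIPT)
    tampered = machine_fingerprint(BASE_IMAGE, TAMPERED_SCRIPT)
    print("honest build  ->", verify_machine(honest, PUBLISHED))
    print("changed build ->", verify_machine(tampered, PUBLISHED))
```

What this does and does not buy: a matching fingerprint tells you which image and script an auditor vetted, not what is running now, and it is only as good as the honesty of the value the machine reports. That reporting step is exactly where the rootkit objection earlier in the thread applies, and it is the gap that hardware-backed attestation (a TPM or similar signing the measurements) exists to close.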

                              2. 1

                                Security is always a trade-off. There are no guarantees. It’s about managing risk and convenience.