1. 2

      We use OpenStack for all our internal virtual machines (which are quite a lot). I think it’s quite (too?) complex to set up, but the ease of use after the initial setup is really good. There are a lot of OpenStack-compatible images available and it also isn’t difficult to make them yourself for some BSDs or lesser-used Linux distros. I really like the automatic SSH-key deployment, IP address configuration (we use public IPv4 and IPv6) and ACL/firewall in the GUI. I know some more organizations that use OpenStack, but most (like us) aren’t very public about it. We actually added more/new nodes to it recently :). Hope this helps!

      1. 12

        No VPN provider is going to go to jail over the illicit use of its services by its users. It’s quite possible that prior to the FBI knocking on their door, they didn’t keep logs. I’d imagine the following scenario:

        1. FBI investigates, sees the suspicious traffic coming from PureVPN
        2. FBI gets a warrant/subpoena for PureVPN
        3. FBI knocks on PureVPN’s door with a warrant/subpoena
        4. PureVPN says “can’t fulfill that right now. We don’t keep logs.”
        5. FBI responds “You’ll keep logs starting today.”
        6. PureVPN complies, eventually providing the logs FBI needs of future accesses of the suspect

        This is exactly why people should use Tor before connecting to a VPN and not the other way around. Tor hides you before you connect to an entity that can be coerced to hand over identifying information to law enforcement. But, hey, I could be completely wrong.

        1. 3

          This is a little tangential but I have to ask…

          What do you gain by going home → Tor → VPN → internet instead of going home → Tor → internet? In the latter you have one place (home) which all your connections pass through where a wiretapper could correlate them and glean information about what you are doing from the timing information about how many packets you send when. In the former, you have two (home, VPN). This seems like a net-loss of privacy?

          1. 3

            There are only two reasons I’d use a VPN while behind Tor: to gain UDP support, which Tor lacks; or to ensure that my traffic appears to originate from a certain geographic area.

            1. 1

              The VPN (before TOR) can hide TOR traffic.

              If I remember correctly, in one case of a false bomb threat a suspect was pinned because they were the only ones in the whole school using TOR. That is, the metadata of using TOR can turn you into a suspect, as it’s not a popular service and TOR usage is scarce.

              I’m curious about the other way around. How can you connect to a VPN after connecting to TOR? Routing all your traffic through TOR using a SOCKS proxy?

              So if I’m not mistaken, a full setup (with drawbacks of course) could be:

              home -> vpn (hides tor usage) -> tor -> vpn (allows UDP and hides exit node IP)

            2. 2

              Some sites don’t allow traffic from Tor exit nodes - routing through the VPN works around that. It also avoids the constant Cloudflare CAPTCHAs. And as @lattera said, UDP support. Some Freenet users use an anonymous VPN, via tor, to hide their IP and Freenet is UDP only.

            3. 2

              A VPN with more foresight could instead use a warrant canary to let its users know whether the FBI may be keeping logs.

              1. 6

                We looked into this for our privacy-focused VPN service for the higher education and research sector in the Netherlands. Unfortunately, the legal status of warrant canaries is unclear at best. When an intelligence agency (most have quite far-reaching powers) with jurisdiction and a legal ground compels you to cooperate, not updating the canary probably is a violation of the subpoena and/or gag order because there is no real legal difference between saying “We got a gag order!” and not saying something because you had a gag order.

                Of course you can calculate the risk and potential consequences when deciding whether a warrant canary would be a good idea or not. Maybe the use of a warrant canary is worth much more to you/your organization than the potential risks of not complying with gag orders.