Virtual private networks

More options for internet privacy

April 15, 2017 — August 12, 2021

computers are awful together

confidentiality

cryptography

diy

VPN stands for Virtual Private Network. There are two main things you might want to do with such a thing:

Connect a bunch of your devices together in a distributed network which is also a private intranet (secure access)
Connect your devices together with some total strangers’ devices so that when some stranger monitors your internet traffic it is har to work out what traffic is you and what is the total strangers. (anonymous access)

The priorities for both are a different. I mostly assume option (2) on this, although I am interested in (1) for DIY socials, backup and private clouds, so I made a notebook for that called virtual meshnets.

Back to the anonymity VPNs. In this case the set up is that you don’t want ISPs and governments to annotate the data they already have on you with a list of which sites you visit and when. In this case the private-browsing VPN configuration from a private-browsing VPN supplier is a tool like Tor which keeps your activity hidden from the outside world.

For this purpose the EFF recommends Americans get a VPN. This applies also in my jurisdiction, Australia. Probably it is time everywhere, except places like China where may be too late.

VPNs do of course degrade the bandwidth of your internet, but Australians are used to awful internet anyway, so this is not a major issue.

OK, so I need a VPN to maintain privacy. Which one? How? Serverwise, do I want to DIY, or pay someone else to provide it? Which VPN software should I use?

(Or should we bypass the internet with a sneakernet or DIY internet? That’s another story.)

There are related technologies here that do similar things. OpenVPN, IPSec, Wireguard… The fashionable new one is Wireguard ~~but AFAICT it is not widely supported yet, and~~ there are questions about how anonymous it is in commercial VPN provider environments. ~~In the interim, pretty much all the consumer VPNs seem to use OpenVPN.~~

1 Client-side configuration

Your devices, using the internet.

Now I want to install the right client software; this is should be straight forward but of course it is not. Just get an account with some VPN provider, and follow their instructions.

This works great for my phone or laptop in some arbitrary cafe hotspot, but it is not ideal for my home devices on the home intranet. See below for VPN access points.

Having set up the VPN there may still be data leakages per default. Vpn.ac has a nice basic list of basic privacy steps disabling unsafe behaviour from the web browser end etc, and one should still enable the usual browser safety steps. Notes for particular platforms follow:

1.1 Linux

So you followed the recommended setup for your VPN provider. Good.

Gotcha: OpenVPN is broken for DNS on Linux by default, in the sense that switching to a VPN connection keeps the same old DNS servers that you were using before. In the absence of further effort, OpenVPN on Linux will use your ISP’s DNS, informing them which site you want and will believe their potentially lying responses. This seems to defeat the purpose.

I think this is not a pure Linux problem per se but because VPN providers tend to provide wrapper scripts for macOS and Windows, one only notices this monstrous oversight on Linux where you one is going bareback. Not 100% sure on that, don’t care quite enough to find out.

Lazy detection of this problem is possible via DNSLeaktest who report

As of OpenVPN version 2.3.9 you can now prevent DNS leaks by specifying a new OpenVPN option. Simply open the.conf (or .ovpn) file for the server that you are connecting to and add the following on a new line.

block-outside-dns

For OpenVPN before 2.3.9 there is a laborious workaround that no normal person will realistically ever use to automatically change DNS.

One can always use the DNS config to override the DNS to never use your ISP’s DNS, which you probably should do. On GNOME/Ubuntu using a large VPN provider with hundreds of servers the default way of doing this will be messy and require hundreds of custom DNS configurations which is no fun at all. 🏗 workaround.

Another problem is that VPN occasionally disconnects and then you are not protected and you don’t notice.

Auto-reconnect is not available in e.g. modern GNOME desktops, but you can access this setting using the command:

nm-connection-editor

To make sure your computer does not leak information during a vpn disconnect, perhaps vpnfailsafe would be a good idea, or other iptables-based hardening.

2 VPN access points

Per default, our household devices should not have to route communications between one another via Amsterdam. This is terrible for sharing files from the network files server or copying photos, or streaming from the household media server etc. Instead, our network should be a normal wifi network, but the wire that connects us to the outside world, everything that goes over that wire should be encrypted. This is possible. See VPN Access Points.

Alternatively one can configure your devices to bypass the vpn for local network connections; this is surprisingly fiddly.

3 Server end

That which provides your devices this service of confidentiality.

Note, that server virtual machines on someone else’s cloud can never be especially secure from determined nasty persons or state actors. But they do at least prevent concerted profiling by commercial interests, and casual ambient profiling by the state, which is good enough for me.

A commercial VPN provider can do better, if their intentions are pure, since they can hide your traffic amongst the traffic of many others. On the other hand, a commercial VPN might be selling your data to evil bastards for their own profit, so… make your own risk assessment.

Two I see mentioned often are Blackvpn and NordVPN (Disclaimer: I get a cut if you sign up using that latter link.) I suspect BlackVPN is less popular now that Beijing has imposed Chinese state spying upon Hong Kong, where BlackVPN is domiciled.

3.1 Commercial VPN services

That one privacy guy’s big overview lists VPN providers by e.g. bandwidth, jurisdiction, and privacy advocacy.

3.1.1 Nordvpn

Classic anonymity VPN. Seem fast and cheap. Their record with disclosing security breaches could be better. They operate a meshnet service too.

Server configs may be downloaded en masse, as a zip or individually. They have client software. I think it is supposed to sidestep the DNS leak problem amongst other things. It does not for me.

wget -N https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn-release_1.0.0_all.deb
sudo dpkg -i nordvpn-release_1.0.0_all.deb
sudo apt install nordvpn
mkdir -p ~/.config/nordvpn

You may also need to enable some services:

sudo systemctl enable --now nordvpnsd
systemctl --user enable --now nordvpnud

There are quirks in this software.

~~Firstly it is overzealous in enforcing VPN and redirects localhost.~~ ~~You have to whitelist localhost ports individually, using~~

nordvpn whitelist 12345

(UPDATE: seems to be fixed now.)

The second quirk is that it is closed-source software, and therefore inscrutable.

3.2 DIY OpenVPN server

Running your own VPN/proxy/anonymizing/p2p etc servers can be less convenient for the panopticon in its ceaseless attempts to get up in your business, if you do not trust the VPN providers (but, if it is hosted in a cloud, you do trust the cloud providers.) The tradeoff here is that you want to share a VPN server with other people so that you are collectively anonymized. If it is just me always using the same VPN server then it is not hard to de-anonymise me; I’m the guy who is always using that server. Once again, make your own risk assessment here.

Easy with simple gui, outline
somewhat-secure, cheap, light VPN in the cloud: popup-openvpn.
streisand
openvpn on docker+digitalocean: See kylemanna/openvpn, and the digitalocean pitch, or the alternative walkthrough with a couple more terms clarified.

Even easier than real VPN, try turning your SSH login into a quasi-VPN via sshuttle.

sshuttle --dns -r username@sshserver 0/0

4 Stealth mode

Hiding that you are hiding. obfsproxy and other tor pluggable transports attempt this. It is not so simple and if we really want normal people to go through these tedious steps people will die of boredom before they ever get around to overthrowing their repressive regimes.

You can get pre-rolled scripts from help sites such as scramblevpn which tells you how to make a cheap Raspberry Pi router.

5 Tor

Is already its own proxy/privacy thingy. If you are using a computer on Tor you should not use a VPN through Tor. If you want to hide that you are using Tor you could use Tor through a VPN.

6 Other

How does tcpcrypt fit in?

tcpcrypt is a protocol that attempts to encrypt (almost) all of your network traffic. Unlike other security mechanisms, Tcpcrypt works out of the box: it requires no configuration, no changes to applications, and your network connections will continue to work even if the remote end does not support Tcpcrypt, in which case connections will gracefully fall back to standard clear-text TCP. Install Tcpcrypt and you’ll feel no difference in your every day user experience, but yet your traffic will be more secure and you’ll have made life much harder for hackers.

BeyondCorp Zero Trust Enterprise Security does without VPN entirely, getting devices to… what? Authenticate piecemeal?