
Virtual private networks and ilk

SSH tunnels, wacky transport layers, replacing internet traffic with obfuscatory misdirection

You don’t want ISPs and governments to record your complete browser history? VPNs, Tor, SSH tunnels can hide what you are doing on the internet.

The EFF tells Americans it might be a good time to get a VPN. This applies also in my jurisdiction, Australia. Probably it is time everywhere.

Note that the VPNs do degrade the efficiency of your internet, but Australians are used to awful internet anyway, so this is not a major issue.

OK, you need a VPN to maintain privacy. Which one? How? Serverwise, do you want to DIY, or pay someone else to provide it? Which VPN software should you use?

(Or bypass the internet with a sneakernet, but that’s another story.)


Your devices, using the internet.

Now you want to install the right client software; this is usually fairly straightforward. The only non-obvious thing is that you can set your ROUTER to use the VPN. Or some other access point.

TODO: explain how.


The usual options.

Make my router do VPN

Tedious. You need a fancy router, and the shitty one you got from your ISP isn’t fancy. For now, here’s a link to a setup guide from a major commercial provider. Also you can buy a pre-configured one. Which is a bit less secure, but you might actually get around to it.

Make another computer into a VPN access point

Here’s a way a standard Linux box can be a wireless access point, which is much cheaper than a fancy router, although with crappier antennae. See also this grumpy but simple and acclaimed answer. There are some wrinkles.

You can probably do this cheaper using a single board computer. Here is a friendly WAP setup for a Raspberry Pi. Here is the remix. And here is a quick semi-scripted VPN setup, and a simpler version.

In practice, this is all stupidly complex, even though it should be a ubiquitous default. Realistically, what I do is usually: try to configure an access point, then discover that there is some weird kernel error/bug specific to the particular device I am using, which has never been seen on the internet, which requires a specialist network nerd, and which I don’t have time to fix.

I am somewhere in the upper single-digit percentiles of the population in terms of fluency in stupid geeky shit like this and I fail to work it out, so realistically, most of your friends are not using VPNs and therefore too much data is being leaked to unaccountable surveillance programs. The world is awful.


Gotcha: OpenVPN is broken for DNS on Linux by default, in the sense that switching to a VPN connection keeps the same old DNS servers, invalidating a lot of the point. In the absence of further effort, OpenVPN on Linux will keep using your ISP’s DNS, informing them which sites you want, and it will believe their potentially lying responses.

I think this is not a pure Linux problem per se, but because VPN providers tend to provide wrapper scripts for macOS and Windows, one only notices this monstrous oversight on Linux, where you are going bareback. Not 100% sure on that; don’t care quite enough to find out.

Lazy detection of this problem is possible via DNSLeaktest, who report:

As of OpenVPN version 2.3.9 you can now prevent DNS leaks by specifying a new OpenVPN option. Simply open the .conf (or .ovpn) file for the server that you are connecting to and add the following on a new line.


For OpenVPN before 2.3.9 there is a laborious workaround that no normal person will realistically ever use.
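A local sanity check for the leak just described, added here as an example (it is not code from the page, from OpenVPN or from DNSLeaktest): it lists the resolvers in resolv.conf and flags any whose route does not go out through the tunnel device. The route lookup is stubbed with constructed `ip route get` lines so it runs offline; the tunnel device name tun0, the addresses and the resolv.conf text are all made up for the demo.

```shell
#!/bin/sh
# Added example, not from the page or from OpenVPN: after connecting,
# check whether the resolvers in resolv.conf are reached through the
# tunnel device or still leak out via the ISP-facing interface.

# Print the nameserver addresses found in resolv.conf-style text.
resolvers_from() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Exit 0 if an `ip route get` result line names the given device.
via_device() {
    printf '%s\n' "$1" | grep -Eq "(^| )dev $2( |\$)"
}

# Print the resolvers that would NOT travel over the tunnel.
#   $1 resolv.conf text, $2 tunnel device, $3 command that returns the
#   `ip route get <addr>` line for an address (e.g. "ip route get").
leaking_resolvers() {
    for ns in $(resolvers_from "$1"); do
        via_device "$($3 "$ns")" "$2" || printf '%s\n' "$ns"
    done
}

# Constructed stand-in for `ip route get`, so the check runs offline:
# the VPN-pushed resolver rides tun0, the old ISP resolver does not.
fake_route_get() {
    case "$1" in
        10.8.0.1)   echo "10.8.0.1 dev tun0 src 10.8.0.6 uid 1000" ;;
        192.0.2.53) echo "192.0.2.53 via 192.168.1.1 dev wlan0 src 192.168.1.10 uid 1000" ;;
        *)          echo "$1 via 192.168.1.1 dev wlan0 src 192.168.1.10 uid 1000" ;;
    esac
}

# Constructed resolv.conf: the VPN pushed 10.8.0.1, but the ISP resolver
# survived, which is exactly the OpenVPN-on-Linux situation above.
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 10.8.0.1
nameserver 192.0.2.53
search lan'

# Real use: leaking_resolvers "$(cat /etc/resolv.conf)" tun0 "ip route get"
leaking_resolvers "$SAMPLE_RESOLV" tun0 fake_route_get
```

Any address it prints is a resolver your queries will reach outside the tunnel; an empty result means every configured resolver is routed via the VPN.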


Server configs may be downloaded en masse, as a zip, or individually. They also distribute client software. I think it is supposed to sidestep the DNS leak problem amongst other things. It does not for me.

sudo apt-get install {/path/to/}nordvpn-release_1.0.0_all.deb
sudo apt-get update
sudo apt-get install nordvpn
mkdir -p ~/.config/nordvpn

You also need to enable some services:

sudo systemctl enable --now nordvpnsd
systemctl --user enable --now nordvpnud

There are a few quirks to this software; in particular it is so insanely aggressive in enforcing VPN that it redirects localhost. You have to whitelist localhost ports individually, using

nordvpn whitelist 12345

The second quirk is that it is closed-source software, and therefore suspect.


Gotcha: per-device VPN breaks household sharing. You need to send some connections over…

Of course it does; you need a VPN router for this shit. Or you could probably do something with custom routing using iptables/ipfw/route etc. Will you? Are you truly going to maintain that setup with every device in your house? Couldn’t you be spending that time on something better? If your solution needs iptables it also needs you to live with people who talk iptables. What kind of society would that be? Get a VPN router.

Server end

(which provides you this service of confidentiality)

Note that server virtual machines on someone else’s cloud can never be especially secure from determined nasty persons or state actors. But they do at least prevent concerted profiling by commercial interests, and casual ambient profiling by the state, which is good enough for me.

A commercial VPN provider can probably do that better, with greater expertise, if their intentions are pure. On the other hand, a commercial VPN might be selling your data to evil bastards for their own profit, so… make your own risk assessment.

Two I see mentioned often are Blackvpn and NordVPN (Disclaimer: I get a cut if you sign up using that latter link.).

Commercial VPN services

That one privacy guy’s big overview is a great list of VPN providers by e.g. bandwidth, jurisdiction, and privacy advocacy.

DIY server

Running your own VPN/proxy/anonymizing/p2p etc servers can be less convenient for the panopticon.

Even easier than a real VPN: try turning your SSH login into a quasi-VPN via sshuttle.

sshuttle --dns -r [email protected] 0/0

Stealth mode

Hiding that you are hiding. obfsproxy and other Tor pluggable transports attempt this. It is not so simple, and if we really want normal people to go through these tedious steps, people will die of boredom before they ever get around to overthrowing their repressive regimes.

You can get pre-rolled scripts from help sites such as scramblevpn which tells you how to make a cheap Raspberry Pi router.


Is already its own proxy/privacy thingy.


How does tcpcrypt fit in?

tcpcrypt is a protocol that attempts to encrypt (almost) all of your network traffic. Unlike other security mechanisms, Tcpcrypt works out of the box: it requires no configuration, no changes to applications, and your network connections will continue to work even if the remote end does not support Tcpcrypt, in which case connections will gracefully fall back to standard clear-text TCP. Install Tcpcrypt and you’ll feel no difference in your everyday user experience, yet your traffic will be more secure and you’ll have made life much harder for hackers.