Netgate Discussion Forum

    VPN Recommendations for pfSense?

      guardian Rebel Alliance

      @KOM:

      Renting your own box is a pretty bad idea since anything in or out of it will be traced back to you very easily.

      How so?  They would either have to have direct control over my box, or be in a position to monitor the traffic coming and going from my host.  If they're already at that point, you're screwed anyway.  I didn't mention that I'm also a Tor exit node, so I have a shit-ton of random traffic flying around at a sustained 10 Mb/s.

      Being a Tor Exit point may give you "plausible deniability" and help you "hide in a crowd", but if your remote host IP becomes the subject of interest - all they have to do is "ask" the entity renting the host, and that exit IP is directly traceable to you.  If it comes from VPNx, then they have to "ask" VPNx, and if they don't have logs, then VPNx can say "no idea, we don't log".

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

        KOM

        They can say I rent the box, but they have no insight into what's going on there.  There is so much traffic that, like you said, there is plausible deniability.  I still have zero trust in any VPN service that claims to not log.  Given time, there will be laws in all countries that force VPN companies to log all traffic in the name of "national security".

          guardian Rebel Alliance

          If it goes through the US, then it's likely all being vacuumed up and stored on a hard drive farm for analysis anyway.  ;-)

            Elizabetho
            last edited by stephenw10

            Specifically for pfSense you should use ExpressVPN; it has a huge number of locations and the fastest connections. You can easily set it up and install it on your other devices as well. It will provide you military-grade encryption up to 128-bit, which is the strongest compared with other VPN service providers.

              kylepmorris5

              Check this Fastest VPN Services List and choose the best VPN for you. I didn't want to recommend any VPN because everyone knows what to buy and what not to buy. Read all the reviews and buy the Best VPN.

                mhertzfeld

                This list used to be on Reddit but I see that the guy started hosting his own website now.  I find the list to be very comprehensive.  "Seems" to be impartial as well.

                https://thatoneprivacysite.net/vpn-comparison-chart/

                IMO I like PIA or AirVPN.

                  kevrichards

                  @mhertzfeld:

                  This list used to be on Reddit but I see that the guy started hosting his own website now.  I find the list to be very comprehensive.  "Seems" to be impartial as well.

                  IMO I like PIA or AirVPN.

                  I found NordVPN to be a reliable one even on this site. There are other guides on most secure VPNs working with pfSense.

                    teresajensen

                    Well, there are many VPN services available on the net, but you should research first which suits you. I personally recommend which I'm using myself it's the best one.

                    Edit: Link removed, looked like a spam post.

                      pfBasic Banned

                      Old thread got necro'd, it was interesting reading through the opinions from a few years ago.

                      The most interesting thing I saw was a lot of people talking about hiding from the NSA, US Gov't, and what the best way to do this might be.

                      This is silly.

                      If you are trying to hide from the NSA or US Gov't, you cannot. I don't care what you do, you can't succeed. Nothing you do can begin to hide you from them. Best case scenario, you've got a PhD in cryptography or three, you're rich and you've dedicated tremendous resources to your privacy. Great, they have a few thousand people smarter than you on their payroll, virtually limitless resources, and they are the world's most powerful government…. What are you thinking? These people penetrate nation states, "air-gapped" nuclear facilities, and log the activities of the public of the United States of America, and you are discussing whether a VPS or VPN is the best choice to avoid them  :o?

                      Then I saw someone post an alternative as routing all of your traffic through an Iranian VPN  ;D. Wow. You've solved it!

                      You do have one really powerful tool in your arsenal though, they don't care about you  :). Why would they?

                      The only organizations you are able to hide from are the general public, script kiddies, your ISP if you care, maybe some DMCA notices?
                      For those - pick any provider that gives you AES-128, SHA-2xx, RSA-2048. You are more than safe from any hacker that is going to take their time to work on you at least as far as a VPN is concerned - they'll just take an easier avenue anyways.

                      It is highly unlikely that you will ever come under a concentrated attack or scrutiny for what you do on the internet.

                      As far as your ISP or the MPAA is concerned, use an enigma. Neither one of those entities is going to decrypt your traffic. Aside from the legal shitstorm of hacking a person's encrypted data it would be a media nightmare for them and what do they have to gain? They simply are not going to even attempt to decrypt your data, ever.

                      I'm all for VPNs and whatnot, I use them too. In fact I push most of the machines on my network out through an AES-256 VPN all the time just because my old cheap hardware can do it so why not? But I have no delusions about who I am and am not hiding from.

                      Just use a VPN, the rest of the details really are not that important at all.

                        Velcro

                        Well said pfBasic….

                        I have used Vyper and PIA...

                        The bad:
                        PIA does not have great support (not that you need a lot)
                        PIA sends me to a company called Logicweb???
                        I couldn't find good instructions for Vyper
                        Vyper was more expensive than PIA

                        The good:
                        Easy instructions for PIA https://www.privateinternetaccess.com/pages/client-support/pfsense although not the highest encryption.
                        Vyper had better support

                        I would start with PIA month-to-month and then change if you want

                          pfBasic Banned

                          @Velcro:

                          Easy instructions for PIA https://www.privateinternetaccess.com/pages/client-support/pfsense although not the highest encryption.

                          You can use up to AES-256 on PIA VPN.

                          Really though anything above AES-128 is total overkill, if your hardware slows down your connection even a little bit using AES-256 then use AES-128. But if your hardware is powerful enough (my $80 pfSense box easily is for my 150/20 connection) then by all means use AES-256 for the shits and giggles.

                          As stated previously though, you can really use the weakest/fastest encryption algorithm available and the net outcome for your security is going to be the same.

                            Derelict LAYER 8 Netgate

                            http://boingboing.net/2006/07/10/analogy-explains-str.html

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                              kejianshi

                              It's not the brute force attacks against crypt I worry about.

                              It's the purposely weakened random number generation, limited primes and things like that.

                              With AES you would think that you are safe forever.

                              You will need the power of 3 suns or a billion nuclear reactors and a million years….  Whatever.

                              However, I can pretty much promise you there will be a huge scandal later where we all learn it's broken and always has been.  Like all the rest before it.

                              We need something new written by people without the help of people whose job it is to break our crypt.  Not just bigger numbers.

                              I like blowfish 128 by the way.  It has a few faults but I just feel like no one got the chance to make it easily breakable by certain people.

                              People talk every now and again about how blowfish could be broken in theory but I've never seen it actually broken and really only barely bent.

                              I prefer something that could in theory be broken to something the people whose job it is to break our crypt had a hand in making.  Crazy right?

                                onshi

                                From the news recently:

                                https://www.bleepingcomputer.com/news/security/cyberstalking-suspect-arrested-after-vpn-providers-shared-logs-with-the-fbi/

                                Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI

                                VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity, but a recent criminal case shows that at least some, do store user activity logs…

                                As others have mentioned upthread, the unsubstantiated claim by various VPN providers that they "do not keep logs" simply does not stand up to scrutiny or even common sense.

                                If they are based in a jurisdiction with typical rule of law, they can be compelled to cooperate with law enforcement in a variety of ways including sharing data and in some cases collecting additional data. Whatever transient logs they happen to keep briefly would not be shielded simply because of an unenforceable marketing promise. Providers may have the option of closing up shop rather than cooperate (as some privacy-oriented tech operations have done on principle in the past), but the VPN business is shady and apparently quite lucrative… have you heard of VPN providers shutting down rather than cough up logs?

                                If they are not based in a jurisdiction with rule of law then perhaps the provider might not submit to such a request from authorities, but on the other hand, authorities are just as likely to have even more power and also you have no recourse in the event of privacy-violating malfeasance on the part of the provider.

                                If you're doing evil stuff online, these VPNs will not protect you.

                                Given that we are not doing evil stuff, for the price, most of these VPNs continue to offer an attractive service for the price.

                                The most telling thing here is that so many people are willing to trust a random shady-as-all-get-out VPN operation with their traffic, but not their telco. I mean, duh, right? But if I were a telco that would give me pause.

                                  bcruze

                                  I have been using 256-bit encryption with PIA for a little under a year now, with NO issues whatsoever…

                                  With the new features I learn about pfSense daily it just keeps getting better.

                                  I did try to use NordVPN for a trial, but dropped them after the price jump and their documentation at the time did not work.

                                    kejianshi

                                    I look at encryption the same way I look at doors, windows and curtains.

                                    No one thinks you are evil or crazy for shutting a door or closing the curtains in your home.

                                    It's a simple matter of privacy and security.

                                    Actually, they are not good for making you anonymous at all.  If anything they make you less anonymous.

                                    For me, VPNs are pure utility.  For personal use, they mostly get me around geofiltering and provide security between point A and point B.

                                    I'm always amused when someone suggests that crypto and VPNs are tools of the wicked and evil.

                                      cpghost

                                      Hello,

                                      like many ISP subscribers, I'm behind a DS-Lite type connection with globally routable IPv6, and no public IPv4 address (IPv4 connectivity through IPv6 softwires to CGN). All VPN providers I tried up to now sucked, because they either lack IPv6 support entirely, or implement it only partially or incorrectly. All this resulting in copious IPv6 leaks all over the place. Since I need to connect to IPv6 servers too, following the advice of the VPN providers to simply disable IPv6 isn't an option.

                                      I'm still waiting for a decent VPN provider with up-to-date (full) IPv6 support. Even something like perfect-privacy.com isn't there yet, since they claim to be able to multiplex IPv6 and IPv4 traffic over the same IPv4 tunnel, but according to their tech support, they don't yet implement IPv6 envelopes, i.e. tunnels to IPv6 servers running openvpn bypassing those pesky CGNs.

                                      Or maybe things have improved since I last checked? Any suggestions for decent IPv6 VPNs highly appreciated.
