So, what would be a really reliable VPN-provider?



  • Good morning all  ;D

    My apologies if I post this in the wrong forum; I figured this would be the safest place to post it. Given all the latest news on privacy and matters, I do realize it is about time to use a VPN. For all I know, the whole world will be watching what I am doing, and I don't feel they need to  :P

    Finding a good VPN-provider appears a rather horrible exercise; yes, there are a 1001 VPN-providers, some with very beautiful websites, some with rather low prices, but when reading customer reviews often the speed is horrible, or customer service is absent/rude/blames the customer for errors (I do realize these reviews may be written by the 'web care team' of the competition  ;D). When reading 'independent' reviews sometimes you are offered a referral link to that 'greatest provider in the test', but even without that: these 'independent' sites also need to make a living. Yes, part of it may come from ads on every page, but another part may perhaps also come from direct payment for that 'independent' review. It is difficult to find solid information.

    Furthermore, some of these 'cheap' providers require you to buy a subscription for every connection you want to make, so, for example wife + me + her tablet = 3 subscriptions. Or they give you very limited bandwidth, after which you have to buy expensive marginal bandwidth. When cheap suddenly becomes expensive  :-X

    And then I've also read, and I don't know if this is true as I am not a specialist in this field, that some of the 'VPN'-technologies aren't 'really VPN', as Deep Packet Inspection (DPI) can still see what is going on.

    So, it is all very confusing for me-noob ( ;D). A provider of financial services that I am considering using recommended c-r/y-p\t-o/h-i/p-p\i-e.com (I am not trolling: I added these symbols in between because I don't want their 'web care team' to get a google alert and then register here to comment that they are the greatest; I think adding these symbols sort of prevents this  :P).

    For noobs, they aren't very informative on how they work, and what they are telling me-noob has a hard time understanding ( :-). I do understand they use at least two chained VPN-servers, and this is supposed to be more secure than just one. Which I don't understand, since encryption = encryption, I thought. Why do you need double encryption in the first place? Furthermore, they also don't really show their amount of servers, where they are located, so I am still a little in the dark as to that.

    And then I thought: I shall ask it in the PFS-forum; I trust all you extremely knowledgeable people way, way, way more than a vendor that is trying to sell his product to me.

    So, if I could ask: what is a really reliable VPN-provider, with whom you will know that what is encrypted is really encrypted and not 'seeable' by DPI, who doesn't bullshit around with 'you've got to pay extra for every machine/gig/whatever', who has excellent customer support and who is located in a rather safe/privacy minded country?

    Thank you very much for any help  ;D,

    Bye,


  • Rebel Alliance Developer Netgate

    I haven't used any such providers myself, but some of the people I talk to have, and the usual suspects are: StrongVPN, VyprVPN, or similar services.

    In addition to the criteria you mentioned, you should also take note of the provider's logging policies. Some VPN providers will keep connection logs, others will not. Depending on how you intend to use the VPN, that may be a potential concern.

    Here is a somewhat recent article about some providers and how they treat the subject:
    http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/



  • Thank you very much for your reply, Jim, and sorry for the delay in answering.

    It appears there are so many VPN-providers out there that basically appear to be marketing companies only, some of them even saying 'we are in a 'privacy minded' country, and then it turns out their Ltd (company) is there, but the servers are…in the USA or Europe. So this remains a horror to find the right one.

    Intermediate, for my wife, I have now set up OpenVPN on my PFS. It is of course rather slow speed (limited upload), I'll have to see if it works to her majesty's satisfaction, otherwise I still have to continue my search (a monstrous search, it appears  :-).

    Thanks again  ;D



  • One thing to keep in mind about VPNs in general is that it's not a download.  The upload and download requirements usually turn out to be symmetric and thus symmetric connections on the server and the client work far better than the typical asymmetric upload/download speeds usually offered.

    What's all this mean?  The simple version is that the speed of the vpn will be limited to the LOWEST of either the client upload/download or the server upload/download speeds.

    So, if you have 100 down 5 up connection on the server and 25 down and 2 up connection at the client, your vpn bandwidth will be limited to 2 both up and down.

    fun right?



  • As far as "who to trust?".  No one.
    If you have a friend in a country that doesn't share with whatever country you are in, send him a pfsense with openvpn box and pay him for bandwidth.

    I think playing mommy against daddy, politically speaking, is the only way to achieve privacy.
    I think all the big vpn services are magnets for people who interest the feds greatly and thus are fed magnets.


  • Banned

    @kejianshi:

    If you have a friend in a country that doesn't share with whatever country you are in, send him a pfsense with openvpn box and pay him for bandwidth.

    +1. None of the commercial services can be trusted.



  • @kejianshi:

    As far as "who to trust?".  No one.
    If you have a friend in a country that doesn't share with whatever country you are in, send him a pfsense with openvpn box and pay him for bandwidth.

    I think playing mommy against daddy, politically speaking, is the only way to achieve privacy.
    I think all the big vpn services are magnets for people who interest the feds greatly and thus are fed magnets.

    Thank you for your replies  ;D

    The above actually is a very nice idea. Unfortunately, I don't have such friends  :-[

    Yet, your idea made me think: suppose I rent a 'vps' or something like that in another country, and put OpenVPN on that, wouldn't that be an idea? (Is it possible?). Of course, then you are only replacing the problem, because 'they' can still see what you do. But suppose that you then rent yet another 'vps' in yet another country, put OpenVPN on that one too, and chain the 2?

    As in:
    Me -> OpenVPN-server (oVPNs) in Zimbabwe -> OpenVPN-server in Antarctica -> PFsense forum?

    That way, the first oVPNs can not see where I am going to, and the second one can not see where I am coming from. Unless, of course, they manage to get together and collaborate (if that is technically possible?).

    Would this be an idea?


  • Banned

    Sure, why not… till the Antarctica packets freeze on the way. :D



  • Yes - I like your idea.  Get yourself a VPS in whichever country Edward Snowden ends up and install your vpn there.
    (I'm not joking nearly as much as you might imagine)



  • @kejianshi:

    Yes - I like your idea.  Get yourself a VPS in whichever country Edward Snowden ends up and install your vpn there.
    (I'm not joking nearly as much as you might imagine)

    It's not about if you're doing anything illegal, it just costs governments more money to decrypt your VPN traffic.

    http://torrentfreak.com/mastercard-and-visa-start-banning-vpn-providers-130703/

    We need some of the talented people within the pfSense community to come up with an easy productive package to give users more control over what's passing through our network, most important what are they slurping on, etc.




  • @kejianshi:

    Yes - I like your idea.  Get yourself a VPS in whichever country Edward Snowden ends up and install your vpn there.
    (I'm not joking nearly as much as you might imagine)

    ;D



  • Costing governments money these days doesn't matter much.  They will just print as much as they need anyway.
    What I like to "cost" them is cpu cycles and MEGAWATTS.  You can't print nuclear reactors.



  • @Clear-Pixel:

    @kejianshi:

    Yes - I like your idea.  Get yourself a VPS in whichever country Edward Snowden ends up and install your vpn there.
    (I'm not joking nearly as much as you might imagine)

    It's not about if you're doing anything illegal, it just costs governments more money to decrypt your VPN traffic.

    http://torrentfreak.com/mastercard-and-visa-start-banning-vpn-providers-130703/

    We need some of the talented people within the pfSense community to come up with an easy productive package to give users more control over what's passing through our network, most important what are they slurping on, etc.

    I agree. I am not doing anything illegal, but I do not like data being intercepted and stored 'for later use', given that those later 'uses' are bound not to be the most scientifically sound ones.



  • @kejianshi:

    Costing governments money these days doesn't matter much.  They will just print as much as they need anyway.
    What I like to "cost" them is cpu cycles and MEGAWATTS.  You can't print nuclear reactors.

    ;D



  • @kejianshi:

    Costing governments money these days doesn't matter much.  They will just print as much as they need anyway.
    What I like to "cost" them is cpu cycles and MEGAWATTS.  You can't print nuclear reactors.

    To decrypt encrypted data costs time and a tremendous amount of processing ….. It is relevant. This is why they are attempting to discourage VPN use at the moment. If it becomes an increasing problem they will simply make it illegal to use or operate a VPN without a permit/license from your local government. Basically you will be paying an annual fee to your own government to decrypt your own data you encrypted and told they will never attempt to decrypt your private data connections. LMAO



  • It only costs processing IF the government doesn't have full access to the unencrypted packets traversing the network of the VPN service supplier and I'd bet 99 times in 100, they get it as quick as they want it.  In the USA the crime and law enforcement act makes it mandatory for anyone running a service with more than a certain number of users to build in law enforcement access (back door) on the provider's dime.  (Ain't that a kick to the groin if your service is VPN)?

    I'm honestly not sure how compliant providers are, but I don't trust VPNs unless I own it, installed it and am pretty much one of just a few using it.

    http://paranoia.dubfire.net/2011/02/deconstructing-calea-hearing.html

    That said, I think everyone should have 1 PRIVATE VPN somewhere at least and pfsense makes that easy (-:



  • @kejianshi:

    I'm honestly not sure how compliant providers are, but I don't trust VPNs unless I own it, installed it and am pretty much one of just a few using it.

    http://paranoia.dubfire.net/2011/02/deconstructing-calea-hearing.html

    That said, I think everyone should have 1 PRIVATE VPN somewhere at least and pfsense makes that easy (-:

    Nice read ….. article over 2 years old, I wonder how far the government has pushed it so far?

    When quantum computing arrives if it hasn't already, encryption will be no problem at all for world governments. The sad thing about it is quantum computing will never be available to the general public.



  • You can't print nukes but you can put a remote data center where power is plentiful and cheap. http://en.wikipedia.org/wiki/Utah_Data_Center

    The Utah Data Center, also known as the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center,[1] is a data storage facility for the United States Intelligence Community that is designed to store extremely large amounts of data, on the scale of yottabytes..[2][3][4] Its purpose is to support the Comprehensive National Cybersecurity Initiative (CNCI), though its precise mission is classified.[5] The National Security Agency (NSA), which will lead operations at the facility, is the executive agent for the Director of National Intelligence.[6] It is located at Camp Williams, near Bluffdale, Utah, between Utah Lake and Great Salt Lake.



  • Remember the old days?  Specific individuals with a warrant and just a couple of names on the warrant and an actual judge who actually read the warrant for people who are actually suspected of something that is actually bad and not just shrimp net dragging style trolling…

    Yes - I'm well aware of Utah...



  • @kejianshi:

    Remember the old days?  Specific individuals with a warrant and just a couple of names on the warrant and an actual judge who actually read the warrant for people who are actually suspected of something that is actually bad and not just shrimp net dragging style trolling…

    Yes - I'm well aware of Utah...

    Just a couple of examples: NSA using intelligence data gathering to blackmail political figures to serve the Elite ….. or how about insider trading of the Financial Markets for profit.

    Very dangerous times we are living in.



  • Well,  a small update; all the VPN-providers I tried to test are insane, rude, stupid and/or complete rip offs. This ranges from all the 'big names' to smaller ones.

    They either won't allow a trial upfront 'but have a 7 day money back guarantee' (yes, I am the stupid one here; wait in line for 700 days and 17 Paypal disputes to get my 20 dollars back  ;D I often recognize a scam once I smell it).

    Or they give a trial account for 72 hours, give no clear setup instructions and their customer 'service' department gives conflicting new instructions every time, to finish it off by calling this prospective customer a retard if he tells them they give conflicting instructions.

    Or they are so retarded themselves that they say my pfSense didn't connect to their service even though I mailed them a screenshot of the dashboard, clearly showing their external IP-address as the one the VPN-interface uses, and my pfSense OpenVPN log clearly showing it had connected.

    Or, and that is one for real laughs, they are so braindead that they tell me: "pfSense is known to be garbage, please buy a normal retail router" (not kidding, the morons really mailed me that).

    An old Chinese verb goes like: 99% of the world is either corrupt, or incompetent, or both  ;D ;D ;D

    So I like the idea of renting a VPS somewhere as suggested previously, but:
    1. Can't the sysadmin of that hoster then still 'sneak in' my traffic?
    2. Won't that be very expensive, on a monthly basis?
    3. Is it difficult to set something up completely yourself, then? (As you all know, I will remain a noob for many, many, years  ;D).

    Thank you,

    Bye,



  • https://aws.amazon.com/free/

    If you'd like to try out setting up a VPS, Amazon does have a year free setup (w/ some limitations, but all manageable). But then again, it is Amazon…......



  • @l3lu3:

    https://aws.amazon.com/free/

    If you'd like to try out setting up a VPS, Amazon does have a year free setup (w/ some limitations, but all manageable). But then again, it is Amazon…......

    Thanks  :D

    I heard about that, but I have no clue how to set that up. I once found a blog from somebody who also uses pfSense (perhaps a member here, I don't know) who offered to set it up for 20 USD or something like that. I contacted him three times, but he never responded.

    And yes, you are right, it is Amazon. But can Amazon see inside the encrypted traffic, or only the source/destination?


  • Netgate Administrator

    They can't see inside the encrypted traffic, at least not without accessing the keys from inside your VPS instance. They could probably do that though I imagine it's against any privacy policy they have. However the VPS would be the end point of your VPN so traffic leaves that box to its final destination unencrypted. That's true of any vpn service though.

    Steve



  • I've considered a pfSense-hosted VPN offering for pfSense Gold (or maybe pfSense Platinum) members.


  • Netgate Administrator

    Interesting idea, care to elaborate?

    I've certainly been considering a VPN setup for some time and running pfSense at both ends makes a lot of sense. Running a pfSense instance at a VPS provider rather than using a dedicated VPN service allows you to use whatever protocol and encryption type you want and it seems to be comparatively priced, cheaper even.

    Steve



  • I currently have a VPS from chicagovps for $40 a year which I run openvpn on. I was with strongvpn before and they are great but I can literally rent a whole VPS for much cheaper and still run other stuff on it if I so desire.


  • Netgate Administrator

    $40 a year? What do you get for that? Bandwidth? GB per month?
    Are you running pfSense on the VPS?

    Steve


  • Banned

    They can't even pay the power bill for that amount :D

    @bryan.paradis:

    I currently have a VPS from chicagovps for $40 a year which I run openvpn on. I was with strongvpn before and they are great but I can literally rent a whole VPS for much cheaper and still run other stuff on it if I so desire.


  • Netgate Administrator

    Indeed. They have a $12 a year service too.  ::)
    Linux only though.

    Steve



  • Just to update that I finally had some time to try a VPN-service. Of course, by now you know me, I am the eternal noob (but I could do your taxes, economics & accounting is the one thing I know how to do  ;D): it doesn't work.

    If you would like to see my struggle, I've posted my problems here in a new thread:

    https://forum.pfsense.org/index.php?topic=75251.msg410774#msg410774

    :P ( :-[)



  • @gonzopancho:

    I've considered a pfSense-hosted VPN offering for pfSense Gold (or maybe pfSense Platinum) members.

    If it is within my financial means, I would buy it right away  :P



  • Best VPN provider is a friend or family member with a pfsense box.



  • I'm outside of my league when it comes to VPN providers, but I'll just chime in my thoughts about it.

    It's very nice to see a VPN provider guaranteeing absolute and complete anonymity, when in fact they are required by law to keep metadata on services they provide. In most countries the law "enforcement" will abuse their rights based on a "national security" threat, and will force the provider to provide (no pun intended) all information they can about the connection that's coming out of their server (VPN's exit server). Most providers will be found guilty of aiding "the crime" if they cannot provide this evidence, and will most likely be forced to pay a big(ish) amount of money, so they are likely to put in place the metadata retention procedures to get ready for the next time a moron with a warrant, pardon my Greek, comes along and requests information.

    The only way to get around those "procedures" is to prevent the provider from getting their hands on any metadata in the first place. Barring the rare occasions when providers install hardware backdoors in systems they host (don't want to point any fingers, but yes, they did), the only way to have a reliable VPN service is to rent hardware at a datacenter. Not a VPS, an entire server. Set up hardware encryption on it, lock it down, then only have it accept VPN connections from your pfsense, and send those connections through a different hosted server. Do this a couple of times in different legal regions, and it's as good as it gets when it comes to VPN.

    Most datacenters will not bother with keeping logs for a long time about who is connecting to what, or any logs for that matter, but all VPN providers are required by law to keep them. And those that deny it, will soon change their stance when they are forced to go to a court and listen to the judge give them crap about how they are helping the criminals. And please do not mention any of the "privacy minded countries". There is no such thing. In every country providers will be shafted, if the judge believes it's required.

    It's like renting a room. The room is still in your name, but the hotel owner isn't required to know what's going on inside the room, unless other neighbors make a complaint.  That's the datacenter example. The VPN provider example is not knowing what goes on in the room, but making a note of which hooker arrived at what time. You get my drift.

    One is renting you the room, one is renting you a place to conduct social meetings. Can you guess who is who, and who is required to keep the logs?

    Give your provider a chance for plausible deniability, and daisy chain a few servers in datacenters around the world. Shoot for countries that IT (so called) "professionals" have no idea what they are doing, and you are safe. If your providers can only provide metadata showing your computer connecting to that server over there, but cannot give any data about what was sent over the connection, then both they and you are relatively safe.

    Just my honest opinion as a provider.


  • Netgate Administrator

    @jflsakfja:

    Not a VPN, an entire server.

    You mean VPS here?

    Steve



  • Ah, one of my usual brainfarting moments. Thanks for pointing it out  ;D


  • Netgate Administrator

    No problem.  :)
    How would you compare a commercial VPN service against terminating a VPN in a VPS?

    Steve



  • A VPS means that ultimately you are putting your trust into the hands of the VPS provider. VPSs aren't exactly up to par with a dedicated server (not only speed wise, security wise), since there have been numerous occasions where an exploit running in one VPS got root in another VPS on the same server. Not saying that every VPS out there is bound to be rooted, I'm saying that the security provided on a VPS isn't always the best.

    As I said above, the only things I trust, are systems I have personally set up. If you don't have access to the system, choose the person that will bring it up to a point where you have access to it wisely. If things get freaky up to the point where you are flying a person along with the server, to do the server installation in a remote datacenter, then welcome to the paranoid club  :o

    Dedicated server prices have gone way down. I'm sure you can find a reasonable offer somewhere. It's what I would do if I had the need for a VPN. Daisy chain a couple of them and you are good to go.

    The little known fact about VPNs is that they actively resist tampering attempts by tearing down the tunnel and reconfiguring a new one, in realtime(ish). The upside of that is if communication between your two dedicated servers is tampered with, traces will show up on your side. The same does not apply to the VPN providers, since the tunnel terminates on their systems. Why attack the encrypted side of it, when you are perfectly fine attacking the decrypted side of it?



  • I prefer to have a private server (either hardware or vps) because the associated IPs are not on the well known list of heavily used public vpn IPs.

    Keeps you from being blocked by default in some countries.



  • I rent a VPS to run as a high-speed Tor exit node (my contrib to web anonymity), and I never thought about configuring OpenVPN or IPSec on it and using it that way.  Something to think about.

