So, what would be a really reliable VPN-provider?
-
They can't see inside the encrypted traffic, at least not without accesing the keys from inside your VPS instance. They could probably do that though I imagine it's against any privacy policy they have. However the VPS would be the end point of your VPN so traffic leaves that box to it's final destination unencrypted. That's true of any vpn service though.
Steve
-
I've considered a pfSense-hosted VPN offering for pfSense Gold (or maybe pfSense Platinum) members.
-
Interesting idea, care to elaborate?
I've certainly been considering a VPN setup for some time and running pfSens eat both ends makes a lot of sense. Running a pfSense instance at a VPS provider rather than using a dedicated VPN service allows you to use whatever protocol and encryption type you want and it seems to be comparatively priced, cheaper even.
Steve
-
I currently have a VPS from chicagovps for $40 a year which I run openvpn on. I was with strongvpn before and they are great but I can literally rent a whole VPS for much cheaper and still run other stuff on it if I so desire.
-
$40 a year? What do you get for that? Bandwith? GB per month?
Are you running pfSense on the VPS?Steve
-
They cant even pay the powerbill for that amount :D
I currently have a VPS from chicagovps for $40 a year which I run openvpn on. I was with strongvpn before and they are great but I can literally rent a whole VPS for much cheaper and still run other stuff on it if I so desire.
-
Indeed. They have a $12 a year service too. ::)
Linux only though.Steve
-
Just to update that I finally had some time to try a VPN-service. Of course, by now you know me, I am the eternal noob (but I could do your taxes, economics & accounting is the one thing I know how to do ;D): it doesn't work.
If you would like to see my struggle, I've posted my problems here in a new thread:
https://forum.pfsense.org/index.php?topic=75251.msg410774#msg410774
:P ( :-[)
-
@gonzopancho:
I've considered a pfSense-hosted VPN offering for pfSense Gold (or maybe pfSense Platinum) members.
If it is within my financial means, I would buy it right away :P
-
Best VPN provider is a friend or family member with a pfsense box.
-
I'm outside of my league when it comes to VPN providers, but I'll just chime in my thoughts about it.
It's very nice to see a VPN provider guaranteeing absolute and complete anonymity, when in fact they are required by law to keep metadata on services they provide. In most countries the law "enforcement" will abuse their rights based on a "national security" threat, and will force the provider to provide (no pun intended) all information they can about the connection that's coming out of their server (VPN's exit server). Most providers will be found guilty of aiding "the crime" if they cannot provide these evidence, and will most likely be forced to pay a big(ish) amount of money, so they are likely to put in place the metadata retention procedures to get ready for the next time a moron with a warrant, pardon my Greek, comes along and requests information.
The only way to get around those "procedures" is to prevent the provider from getting their hands on any metadata in the first place. Barring the rare occasions when providers install hardware backdoors in systems they host (don't want to point any fingers, but yes, they did), the only way to have a reliable VPN services is to rent hardware at a datacenter. Not a VPS, an entire server. Set up hardware encryption on it, lock it down, then only have it accept VPN connections from your pfsense, and send those connections through a different hosted server. Do this a couple of times in different legal regions, and it's as good as it gets when it comes to VPN.
Most datacenters will not bother with keeping logs for a long time about who is connecting to what, or any logs for that matter, but all VPN providers are required by law to keep them. And those that deny it, will soon change their stance when they are forced to go to a court and listen to the judge give them crap about how they are helping the criminals. And please do not mention any of the "privacy minded countries". There is no such thing. In every country providers will be shafted, if the judge believes it's required.
It's like renting a room. The room is still in your name, but the hotel owner isn't required to know what's going on inside the room, unless other neighbors make a complaint. That's the datacenter example. The VPN provider example is not knowing what goes on in the room, but making a note of which hooker arrived at what time. You get my drift.
One is renting you the room, one is renting you a place to conduct social meetings. Can you guess who is who, and who is required to keep the logs?
Give your provider a chance for plausible deniability, and daisy chain a few servers in datacenters around the world. Shoot for countries that IT (so called) "professionals" have no idea what they are doing, and you are safe. If your providers can only provide metadata showing your computer connecting to that server over there, but cannot give any data about what was sent over the connection, then both they and you are relatively safe.
Just my honest opinion as a provider.
-
@jflsakfja:
Not a VPN, an entire server.
You mean VPS here?
Steve
-
Ah, one of my usual brainfarting moments. Thanks for pointing it out ;D
-
No problem. :)
How would you compare a commercial VPN service against terminating a VPN in a VPS?Steve
-
A VPS means that ultimately you are putting your trust into the hands of the VPS provider. VPSs aren't exactly up to par with a dedicated server (not only speed wise, security wise), since there have been numerous occasions where an exploit running in one VPS got root in another VPS on the same server. Not saying that every VPS out there is bound to be rooted, I'm saying that the security provided on a VPS isn't always the best.
As I said above, the only things I trust, are systems I have personally set up. If you don't have access to the system, choose the person that will bring it up to a point where you have access to it wisely. If things get freaky up to the point where you are flying a person along with the server, to do the server installation in a remote datacenter, then welcome to the paranoid club :o
Dedicated server prices have gone way down. I'm sure you can find a reasonable offer somewhere. It's what I would do if I had the need for a VPN. Daisy chain a couple of them and you are good to go.
The little known fact about VPNs is that they actively resist tampering attempts by tearing down the tunnel and reconfiguring a new one, in realtime(ish). The upside of that is if communication between your two dedicated servers is tampered with, traces will show up on your side. The same does not apply to the VPN providers, since the tunnel terminates on their systems. Why attack the encrypted side of it, when you are perfectly fine attacking the decrypted side of it?
-
I prefer to have a private server (either hardware or vps) because the associated IPs are not on the well known list of heavily used public vpn IPs.
Keeps you from being blocked by default in some countries.
-
I rent a VPS to run as a high-speed Tor exit node (my contrib to web anonymity), and I never thought about configuring OpenVPN or IPSec on it and using it that way. Something to think about.
-
@jflsakfja:
The only way to get around those "procedures" is to prevent the provider from getting their hands on any metadata in the first place. Barring the rare occasions when providers install hardware backdoors in systems they host (don't want to point any fingers, but yes, they did), the only way to have a reliable VPN services is to rent hardware at a datacenter. Not a VPS, an entire server. Set up hardware encryption on it, lock it down, then only have it accept VPN connections from your pfsense, and send those connections through a different hosted server. Do this a couple of times in different legal regions, and it's as good as it gets when it comes to VPN.
This was the original / genesis idea behind the "rack of NUCs". (http://imgur.com/6DNonNp)
@jflsakfja:
Most datacenters will not bother with keeping logs for a long time about who is connecting to what, or any logs for that matter,
It's not that they won't bother, it's that, at that level, they can't. It would be like sampling a firehose with a test tube.
-
@gonzopancho:
This was the original / genesis idea behind the "rack of NUCs". (http://imgur.com/6DNonNp)
Yeap, hardware prices have gone way down, there is (IMHO) no reason to shoot for a VPS instead of a small dedicated server.
@gonzopancho:
It's not that they won't bother, it's that, at that level, they can't. It would be like sampling a firehose with a test tube.
Agreed.
-
@jflsakfja:
@gonzopancho:
This was the original / genesis idea behind the "rack of NUCs". (http://imgur.com/6DNonNp)
Yeap, hardware prices have gone way down, there is (IMHO) no reason to shoot for a VPS instead of a small dedicated server.
in a datacenter, the limiting factor is not space, hardware or bandwidth.
It's power.