There are hundreds of different VPNs on the market, all of them promising to secure your internet connection, unblock websites, and make you anonymous online. Understand what a VPN isn't: a VPN doesn't provide privacy, with a few exceptions (detailed in this article), and it doesn't provide security. In essence, a VPN is simply a proxy. With that in mind, you should never rely on a VPN to guarantee your anonymity. There is no one-size-fits-all solution; it's about picking the right tool for each scenario. As with fixing a leaky faucet, you wouldn't use a hammer; you would need a wrench, a washer, and possibly a screwdriver.
In this article we are going to cover the common misconceptions, whether VPNs serve a purpose at all, and whether you really need one.
I want to get something out of the way first, because it's a big issue that is not spoken of very often. You see many blogs and sites "recommending" VPN services. You may ask why that matters. It matters because they make money off those services through "affiliate links," which means they get a certain percentage of each purchase. The sites making these recommendations are, in almost every case, paid by the companies they review and recommend. The technical term for this kind of marketing is "native advertising," and its abuse is a huge problem in the VPN industry.
Let's say a VPN costs $5 per month (recurring), which is the most common pricing standard. The majority of VPN companies have affiliate programs that pay out either around 35% of the first month's profit, or 100% for the first month and then a payout lowered by around 5%, depending on the company. Now let's say you have a blog with 1000 unique visitors monthly, and roughly 20% of those visitors decide to buy a VPN. How much profit was made that month?
Well, 35% of $5 = $1.75, and $1.75 x 200 buyers = $350 made for the month. Profitable, right? Combine that with ads and other affiliate payouts (Amazon, etc.) and that would be a good month's profit. The companies make out well themselves, raking in money from affiliates while bloggers spread misrepresentations of what the "all-protecting VPN" actually does and promote the fiction. It's no wonder there's a new VPN provider popping up every day now: it's easy money. What VPN providers literally do is set up OpenVPN on a few servers and essentially start reselling bandwidth at a markup. They can make every promise in the world because nobody can verify them. They are selling you 100% snake oil. So in a twisted way, VPN services do serve a purpose; it's just one that benefits the provider, not you.
When those services allow their resellers to generate referrals by any means, including lies, there are grounds for mistrust. If you see a service appear over and over again on the kinds of sites and blogs mentioned above, there is a good chance they are making money from, and are perfectly okay with, these deceptive practices as part of their business model. They will often claim that it's just the affiliate doing this and that they can't control what others do. This is false. Affiliates, like anyone entering into a business relationship, agree to certain terms put forth by the service hiring them. If a company doesn't expect and enforce certain standards from its affiliates (not spamming, not breaking copyright, disclosing who they are, etc.), it is approving these methods and is not worthy of your trust. If they are willing to lie to you before you even buy their service, the stage is set for them to be dishonest with you when you interact with them as a regular customer.
If you choose a company with an affiliate program, choose one that expects and enforces good behavior from their reselling partners. You can usually read their affiliate terms on their site. If they are not publicly visible, they should respond with this information when asked. If not, or if they play games with you, look elsewhere.
Do I need a VPN? Will it protect me?
Let's first see how a VPN works. You start the VPN client. This software encrypts your data before your ISP or the public WiFi provider sees it. The data then goes to the VPN server, and from the VPN server to your online destination: anything from your bank's website to a video sharing site to a search engine. The online destination sees your data as coming from the VPN server and its location, not from your computer and your location.
When you use a VPN, your data is encrypted on your device; it passes through your ISP in encrypted form and on to the VPN server. The VPN server is the third party that connects to the web on your behalf:
- The destination site sees the VPN server as the traffic origin, not you. Anything from the VPN provider onwards is just as exposed as it would be without a VPN.
- No one can (easily) identify you or your computer as the source of the data, nor see what you're doing (what websites you're visiting, what data you're transferring, etc.), except for the VPN provider you bought the service from, who can.
As mentioned at the beginning of the article, a VPN is a proxy; it does not provide privacy or security. For example, it won't protect your private data, such as bank passwords, credit cards, photos, and other personal information, when you are online, and if you store that information on your desktop it won't protect it there either.
So when should I use a VPN?
When you are on a hostile network (e.g. a public WiFi access point, or an ISP that is known to perform MITM attacks on its customers' traffic), a VPN can work around that.
What about ISPs and governments? Surely a VPN is useful to protect you against them? And how do ISPs and governments know you're using a VPN?
When you use a VPN connection, with the majority of VPN protocols each encrypted data packet has two parts that are visible as VPN data:
- The first part is the header, which includes the routing information and packet identification. The header is like a fingerprint that can allow a firewall to recognize traffic as VPN traffic.
- The second part is the payload, the data that the VPN server forwards to the web address you want to access.
Most people new to the VPN concept are not aware that ISPs and governments are set up to detect such things; one tool used for this is DPI (Deep Packet Inspection). DPI analyzes the types of internet traffic people use. When you download something from a secure website, like a photo or a video, DPI can see that the packets you're sending and receiving are HTTPS traffic. If you send an email, the people running DPI will see SMTP, POP3 or IMAP traffic. Organizations that want to target VPN traffic first have to identify its unique signature with DPI; then they can slow down, re-route or even block all VPN traffic on their network. DPI is an inexpensive and easy way for organizations to monitor their networks for unwanted traffic, so by default the unsuspecting user is left with a false sense of protection. This is where obfsproxy, SSH tunneling, SSL/TLS (stunnel) and SOCKS5 (Shadowsocks) come in: they are the best options for staying undetected and are collectively known as tunneling. Note, however, that they cost you performance in exchange for disguising your traffic. They make the traffic look random so it doesn't match the fingerprint patterns DPI hardware looks for. It is like cutting a pie into slices, putting each slice into a box, then wrapping and mailing those boxes at random intervals so the endpoint can put them together again; the process slows your connection down because it takes time to individually pack each slice.
Other methods of going undetected include port switching, from port 1194 (OpenVPN's default) to port 443 (SSL) or 80; however, these can still be blocked by most firewalls on public networks (WLANs, etc.), and they do not escape monitoring by an IDS (Intrusion Detection System).
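To make the fingerprint idea concrete, here is an added illustration (not code from the original article): a toy DPI classifier that labels a flow from the first bytes the client sends, run over hand-constructed packets. It shows that moving OpenVPN to port 443 does not change what the header reveals, while an obfuscated tunnel gives the classifier nothing to match. The packet bytes and port numbers are constructed samples, not captured traffic.

```python
# Added example (not from the original article): a toy deep-packet-inspection
# classifier showing why a VPN's header is a fingerprint and why port switching
# alone does not hide it.  All packets below are constructed by hand, not captured.
from collections import Counter

# OpenVPN keeps its control opcode in the top 5 bits of the first byte (the low
# 3 bits are the key id).  A fresh session opens with P_CONTROL_HARD_RESET_CLIENT_V2
# (opcode 7) and is answered with P_CONTROL_HARD_RESET_SERVER_V2 (opcode 8).
OPENVPN_RESET_OPCODES = {7: "client-reset", 8: "server-reset"}
OPENVPN_MIN_RESET_LEN = 14  # opcode byte + 8-byte session id + ack-array len + 4-byte pkt id

def classify(first_bytes: bytes) -> str:
    """Label a flow from the first bytes the client sends, as simple DPI does."""
    if len(first_bytes) < 3:
        return "unknown"
    opcode = first_bytes[0] >> 3
    if opcode in OPENVPN_RESET_OPCODES and len(first_bytes) >= OPENVPN_MIN_RESET_LEN:
        return "openvpn"
    # TLS records open with content type 0x16 (handshake) and version 0x03 0x0X
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        return "tls"
    return "unclassified"

def summarize(flows):
    """flows: iterable of (dst_port, first_bytes).  Returns counts per (port, label),
    the kind of report a monitoring appliance would produce."""
    report = Counter()
    for port, data in flows:
        report[(port, classify(data))] += 1
    return dict(report)

# Constructed samples.  OpenVPN client reset: opcode 7, key id 0 -> 0x38, then a
# session id, an empty packet-id ack array and packet id 0.
OPENVPN_CLIENT_RESET = b"\x38" + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"
TLS_CLIENT_HELLO_START = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"
# Obfuscated tunnel (obfsproxy-style): bytes look random, no recognizable header.
OBFUSCATED = bytes.fromhex("9ad3f07c4b1e62d58a07cc31ee49b6a2f1")

SAMPLE_FLOWS = [
    (1194, OPENVPN_CLIENT_RESET),   # default port, plain OpenVPN
    (443, OPENVPN_CLIENT_RESET),    # port-switched to 443: still fingerprinted
    (443, TLS_CLIENT_HELLO_START),  # ordinary HTTPS
    (443, OBFUSCATED),              # obfuscated VPN: DPI cannot label it
]

if __name__ == "__main__":
    for (port, label), count in sorted(summarize(SAMPLE_FLOWS).items()):
        print(port, label, count)
```

Real DPI engines match many more signatures and look deeper into the flow, but the principle is the same: a fixed header survives a port change, and only obfuscation removes it.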
But what about connecting to sites that don't have SSL, making a purchase, or playing an online game? Surely a VPN protects you by encrypting your traffic!
The truth is the web is transitioning to SSL (thanks to Let's Encrypt, and you can thank Google as well). In general, use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic; it's simply not technically possible. If the endpoint expects plaintext, there is nothing a VPN can do about that. Also consider that when using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and manage all your traffic.
But my provider doesn't log!
The VPN is a "man in the middle" who you are trusting with the traffic and connection data that is being generated in the background as you use the internet. Some VPN companies choose to log this data. There are many reasons for doing so, some more legitimate than others. Some services record this to protect themselves legally in the case they are approached by authorities. Some companies keep minimal connection logs to aid them in maintaining servers. Some will even sell your data to third parties as part of their business model. If your concern is privacy, you most likely do not want your browsing habits and connection data being recorded. Many services claim to not keep logs but are vague, and upon closer inspection actually do keep certain types, so be wary of such promises until you've confirmed it for yourself in their respective terms and privacy policies. There is no way for you to verify that a provider isn't logging, and of course, this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs. And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over. This is especially true with 5 Eyes, 9 Eyes, 14 Eyes countries.
Choosing a VPN that is outside the 5/9/14 Eyes surveillance countries may offer further protection. Nonetheless, this is no silver bullet. As we saw with PureVPN, being operated in Hong Kong does not mean they won’t cooperate with US authorities.
How to protect yourself from a provider that you suspect may be keeping logs or compromising your data:
- One way to protect yourself if a VPN server is compromised is a multi-hop VPN configuration, which helps to mask incoming and/or outgoing traffic.
- Using more than one VPN service at the same time will also provide more anonymity. A simple way to implement this setup would be to use one VPN on a router and then connect to that network through another VPN on your computer/device. Implementing this technique with virtual machines is another option. (The main drawback will be performance.)
- Don't use them
But I want/need a VPN!
If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own. I always recommend hosting your own if you can; there are many tutorials on how to host the software, and most of the time you just set it up and leave it, with no maintenance involved. In the end, you save a little money, as you can get a VPS for as little as $1 per month with sufficient bandwidth, and there is no need to pay a high markup. Understand that a VPN is not the only tool in your tool belt, and certainly not the first line of defense; you have other means of protecting yourself online.
Have a look at the Nyr and Angristan OpenVPN install scripts; there are plenty of these installers around, so look for those that match your prerequisite list of features, such as RSA, AES, ECDH, etc.
Furthermore, have a look at open source decentralized VPN options such as Sentinel and Mysterium, built on blockchain and still in their infancy. Plenty of people use VPNs for fairly mundane things, like circumventing content blocks or hiding their identity or browsing history; for those people, a blockchain VPN may be an option. For users with serious privacy concerns and threat models, this solution is not for you, at least not at the moment. I believe it still needs work to get around a few issues, namely government censorship, MITM attacks (which are still a big problem with centralized VPN services), and some other privacy concerns. When it matures, it could be a far better option than entrusting your data to VPN services.
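Whichever installer you pick, it pays to read the server.conf it produces against your own feature list. The following checker is an added example, not code from the article or from the Nyr or Angristan scripts; it runs over two constructed configs, one with the weak historical defaults and one hardened, and reports which checks fail. The defaults noted in the comments are OpenVPN 2.4's; the directive names are real OpenVPN options, and the file contents are constructed samples.

```python
# Added example (not code from the article or from the install scripts it names):
# a checker for an OpenVPN server.conf against a short feature list, run over two
# constructed configs.  Defaults noted in comments are those of OpenVPN 2.4.
WEAK_CONF = """\
port 1194
proto udp
dh dh.pem
cipher BF-CBC
auth SHA1
"""
HARDENED_CONF = """\
port 1194
proto udp
dh none
ecdh-curve secp384r1
tls-crypt tc.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
"""
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

def parse(conf: str) -> dict:
    """Map each directive to its argument list; a later line overrides an earlier one."""
    directives = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            key, *args = line.split()
            directives[key] = args
    return directives

def check(conf: str) -> list:
    """Return findings for the config; an empty list means every check passed."""
    d = parse(conf)
    findings = []
    cipher = d.get("cipher", ["BF-CBC"])[0].upper()      # BF-CBC is the 2.4 default
    if cipher in WEAK_CIPHERS:
        findings.append(f"data cipher {cipher} is weak; use cipher AES-256-GCM")
    if d.get("auth", ["SHA1"])[0].upper() in WEAK_DIGESTS:   # SHA1 is the default
        findings.append("HMAC digest is weak; use auth SHA256 or stronger")
    if "tls-crypt" not in d and "tls-auth" not in d:
        findings.append("control channel unauthenticated; add tls-crypt")
    if float(d.get("tls-version-min", ["1.0"])[0]) < 1.2:      # 1.0 is the default
        findings.append("old TLS allowed; set tls-version-min 1.2")
    if "ecdh-curve" not in d:
        findings.append("no ECDH curve pinned; set dh none and ecdh-curve")
    return findings
```

Calling `check(WEAK_CONF)` lists five findings, while `check(HARDENED_CONF)` returns an empty list; point `check` at the text of your own server.conf to audit an installer's output.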
What about free VPN services?
Do not go near free VPN services; they take advantage of the desperate and hold no pity for the bold. Whether it's a desktop client, an Android app or anything else that's free, don't touch it. Some of the risks involved with a "free" VPN/proxy are:
- embedded malware (quite common with free VPN apps)
- hidden tracking (many popular VPN providers hide tracking in the apps to collect your data)
- third party access to your data
- stolen bandwidth (yours not theirs)
- browser hijacking
- traffic leaks (IP address leaks, DNS leaks)
- fraud (identity theft and financial fraud)
A VPN may well be worth it if you have a serious threat model or are greatly concerned about your privacy, i.e. you are looking to lock down every aspect of your online presence. Other than that, I believe it's not worth $5/month for a VPN service when you can accomplish much more with a decent VPS for $5/month: host a VPN, an instance of SearX, DNS, a mail server, and even use it for extra storage.