by earenndil 3152 days ago
Why not just use a trusted solution like openvpn and only use providers who provide openvpn servers? That immediately gets rid of one half of your problem; and as for the other half, vpn services that allow for connections via openvpn are likely to be more trustworthy. In addition, the vpn company can't MitM connections which are already on an encrypted channel outside of the vpn connection.
2 comments

> use providers who provide openvpn servers

how can you prove what the provider is using? people can lie

This suggestion is intended to solve the "free VPN app installs malware" problem and not solve the "VPN provider who actually logs/is in league with govt/MPAA/etc" problem.
Indeed. Threat models are crucial here.
OpenVPN is a protocol. If the VPN provider supports it, you set it up in your own client that supports OpenVPN. Using a VPN provider that requires you use some proprietary app is madness.

I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connection is sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.

It is irrelevant what software the provider is using as long as they use the openvpn protocol. This will be obvious to anyone who tries to connect using openvpn.
Can you explain further, how can you be sure things weren't added to the software?
When you use a VPN service that supports openvpn, you:

a) Install OpenVPN yourself (open source)

b) Download an OpenVPN profile from the VPN company

c) Configure OpenVPN with the profile

Specifically, you don't have to install any binary software from the company itself.
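Steps a) to c) above leave the user with a plain-text profile written by the provider, and an OpenVPN profile can do more than name a server: it can also tell the client to run local programs or pick weak settings. As an added example that is not from this thread or from the OpenVPN project, here is a small Python lint that reads such a profile before it is imported and flags the things a cautious user would want to know about: directives that execute local programs (`up`, `down`, `route-up`, `tls-verify` and friends, together with `script-security`), missing server-identity checks (`remote-cert-tls server`, `verify-x509-name`, a CA), weak data-channel ciphers, and absent control-channel protection (`tls-auth`/`tls-crypt`). The two profiles, the hostname, the script path and the certificate bodies are constructed placeholders; the directive names are standard OpenVPN options.

```python
import re
from typing import Dict, List

# Constructed sample of a reasonable provider profile (placeholder host and key material).
GOOD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example-provider.invalid 1194
remote-cert-tls server
verify-x509-name vpn.example-provider.invalid name
cipher AES-256-GCM
auth SHA256
auth-user-pass
<ca>
PLACEHOLDER-CA-CERTIFICATE
</ca>
<tls-crypt>
PLACEHOLDER-TLS-CRYPT-KEY
</tls-crypt>
"""

# Constructed sample of a profile that should not be imported without reading it.
RISKY_PROFILE = """\
client
dev tun
proto udp
remote vpn.example-provider.invalid 1194
script-security 2
up /tmp/provider-helper.sh
cipher BF-CBC
auth-user-pass
<ca>
PLACEHOLDER-CA-CERTIFICATE
</ca>
"""

# Client-side directives that make OpenVPN execute an external program.
SCRIPT_DIRECTIVES = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify"}
WEAK_CIPHERS = {"none", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}


def parse_profile(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it was given.
    Inline blocks such as <ca>...</ca> are stored under the key '<ca>' with
    their body as a single argument; blank lines and comments are skipped."""
    directives: Dict[str, List[List[str]]] = {}
    inline_tag = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag is not None:            # inside an inline block
            if line == f"</{inline_tag}>":
                directives.setdefault(f"<{inline_tag}>", []).append(["\n".join(body)])
                inline_tag, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline_tag = m.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint_profile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    d = parse_profile(text)
    findings: List[str] = []
    scripts = sorted(SCRIPT_DIRECTIVES.intersection(d))
    if scripts:
        findings.append("runs local programs via: " + ", ".join(scripts))
    level = d.get("script-security", [["0"]])[0]
    if level and level[0] not in ("0", "1"):
        findings.append(f"script-security {level[0]} allows external scripts to run")
    # Without 'remote-cert-tls server', any certificate signed by the same CA
    # (for example another customer's client cert) is accepted as the server.
    if d.get("remote-cert-tls", [[]])[0][:1] != ["server"]:
        findings.append("missing 'remote-cert-tls server': server identity not restricted")
    if "verify-x509-name" not in d:
        findings.append("no verify-x509-name: server certificate name is not pinned")
    if "<ca>" not in d and "ca" not in d:
        findings.append("no CA given: server certificate cannot be validated")
    for args in d.get("cipher", []):
        if args and args[0] in WEAK_CIPHERS:
            findings.append(f"weak data-channel cipher: {args[0]}")
    if not any(k in d for k in ("tls-auth", "tls-crypt", "<tls-auth>", "<tls-crypt>")):
        findings.append("no tls-auth/tls-crypt: control channel lacks extra HMAC protection")
    return findings


if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("risky", RISKY_PROFILE)):
        print(name, "->", lint_profile(profile) or "no findings")
```

Run `lint_profile` on the downloaded file before handing it to `openvpn --config`; the check is purely textual, so it says nothing about what the provider's server does, only about what the profile asks your own client to do.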

To the client side or the server side? On the client side, you should download the code from a location you trust. On the server side, it is irrelevant if something is added to the software for the attack we are discussing.
You can use your own OpenVPN client.
Isn't openvpn kind of a hack and an IKEv2/IPSEC based strongswan solution to prefer?
It's arguably no more a "hack" than TLS is one. Right?

Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate.[0] But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.

On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.

0) https://www.ivpn.net/knowledgebase/160/Is-using-L2TPorIPSec-...

Don't see why you're getting downvoted. From a user standpoint, IKEv2 doesn't require a secondary client and integrates better with most major OSes.

For example: It's way easier for a client to install a mobileconfig to iOS that supports on demand VPN than it is to have them download and configure openvpn. Fairly set and forget.

IKE is a nightmare to admin, only for Cisco level bureaucracies.
OpenVPN protocol is sorta weird (I wrote a clean room client and server impl). But IPSec stuff is such a pain to deal with that it is not worth it despite it having better OS integration.