[mirimir]

Well, never use free VPNs!

Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for highter rank", or stuff by independent affiliates, who get paid for referrals.

Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.

[tomaskafka]

And then you have stuff like AV companies' VPNs for which you pay AND your data gets sold.

(Basically, all AV companies listed on stock market sell your data.)

[mirimir]

well, I've suspected that. But can you point to evidence?

I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.

AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”

Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”

[btown]

What is your opinion on PrivateInternetAccess?

[godelski]

They've been recommended by a lot because they recently backed up their claims of no logging (FBI asked them for data, and they couldn't provide it). You'll see that they are ranked pretty high on this list, where there are some breakdowns. They are pretty cheap and popular too. Popular helps by making associations more difficult. That is seeing a VPN server accessed page X and that you were accessing the VPN server at said time. A college student was connected to a bomb threat by this method, being he was the only one on campus to be using TOR at the time the bomb threat was made (from TOR). You'll be fine with any VPN that is relatively popular and doesn't do any tracking.

[Odin78]

A relevant detail to that story is that he admitted his guilt under questioning. Had he continued to deny any involvement, they would not have been able to prove that he was sending the bomb threat, as it could have been from someone who wasn't on campus.

[godelski]

Very true. But there have been several instances of cases like this. And this thing doesn't matter if your VPN logs or not[+]. But what I was trying to point out is that these types of access collisions are important to understand. And why I don't think people should roll their own VPN.

[+] I'm not trying advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.

[confounded]

> And why I don't think people should roll their own VPN.

People who are interested in not being identified probably shouldn't. But there are good security reasons to potentially do so.

[mirimir]

Criminals are great examples, because their OPSEC failures are often detailed in court records, reported in the media, and discussed online. One of my articles on IVPN's website uses several such OPSEC failures (Silk Road, Sheep Marketplace, etc) as examples.

[AsyncAwait]

It's also worth noting that PIA supports several free software projects.

[kuschku]

Or, to phrase it differently: PIA outright bought a great number of previously community-run projects, and is concentrating power.

Freenode and Snoonet, two major IRC networks, are now owned by them.

[calcifer]

Enough. You do this on every mention of PIA and you have been told to stop or get banned [0]. I don't know why you are on this crusade when there is not even the slightest hint of wrongdoing [1] so please, easy on the conspiracy theories.

Disclaimer: Happy PIA customer.

[0] https://news.ycombinator.com/item?id=14911509

[1] https://news.ycombinator.com/item?id=14911915

[kuschku]

It's not about conspiracy theories, but about concentration of power.

If control of PIA — for whatever reason, and be it that Andrew Lee dies and his heirs sell it, or that he can't finance it anymore, or that a three-letter agency forces him to — ends up in the wrong hands, then also all of Freenode and Snoonet end up under control of that entity.

It's not that I don't trust PIA, but that I fear that PIA itself may end up in the wrong hands.

And I'm not on a crusade against PIA — I won't complain about their donations without requirement to advertise in return to projects such as KDE, with a transparent funding process.

But I am on a crusade against centralizing any services, be it killing XMPP federation (thanks, Google), be it pushing a "secure" Messenger that is bound to a single social graph and server infrastructure controlled by one group in the US (thanks, Moxie), or be it a single compsny gaining significant control over several major IRC networks, clients, libraries, and over Matrix at the same time.

No matter the intentions, how good they may be.

[crankylinuxuser]

Wow, what's going on there? :/ Case of sour grapes for that user?

My only beef is I thought PIA would be a kickass gig to work at. Alas, never heard back from my resume. They post in the monthly thread.

Still interested, if any of you PIA people are watching :D

[godelski]

(not the person you were responding to)

To be honest, my only problem with them is their customer service. And their phone app. My connection is half speed on my phone. :( They also have some strange problems with the linux app (which I wish they would open source). Otherwise I'm really happy with them.

[barbs]

Just discovered - you can get a 63% off a 2-year subscription in (presumably) the next 24 hours https://stacksocial.com/sales/private-internet-access-vpn-2-...

[fapjacks]

Yes, and interestingly, the Freenode staff had previously disabled Tor access to the Freenode network for over a year or so because of "attacks" which they claimed they could not handle. This was a pretty flimsy excuse once I finally found someone that knew the technical details, and though I chased the "right" people down several times to ask why Tor access had not been enabled, I never got a good answer. Cue PIA taking over Freenode, and within a couple of weeks, Tor access to Freenode was once more enabled. I've been a happy PIA customer for some years now, but that left such a huge and positive impression on me. I'm not completely sure the two things are simply correlated, but after talking to all those Freenode staffers over the years about it, I can't imagine it wasn't pushed by PIA.

[AsyncAwait]

I was actually primarily talking about their donation to the Krita Foundation [1], but yeah, it's good to be aware of the above, even if thus far I haven't seen anything nefarious from them.

[1] - https://krita.org/en/item/krita-foundation-update

[rapind]

"A college student was connected to a bomb threat by this method"

This is why we can't have nice things...

[mirimir]

I'd use them. They're among the least expensive. And they don't seem to retain logs or detailed access records, based on testimony to a US court. But that was about an exit in the US, where there's no legal requirement for VPNs to log. Where there are such legal requirements, maybe they (or any other VPN) would retain and produce logs.

When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.

They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.

[ideonexus]

I've been very happy with PIA. It's cheap with minimal impact to my bandwidth. The concern is that, like all VPNs, we are trusting them not to keep logs. PIA claims that they proved in court that they do not keep logs because they provided no useful data to an FBI request. There's a debate over whether this proves they don't keep logs or not here:

https://www.privateinternetaccess.com/forum/discussion/26284...

Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.

[kilroy123]

I think they're good, but there are some downsides. Sometimes traffic can really slow down because they're _too_ big.

Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.

The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.

[programbreeding]

A few weeks back I ran in to the same issue with accidentally making a purchase while connected to PIA. Mine was also flagged and I had to jump through several hoops to prove I made the purchase. It was a pain but I completely understand why that happened and I'm still very happy with PIA.

I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.

[pnutjam]

I've used PrivateInternetAccess, they are trustworthy, but US based so count on them rolling on you if someone has a good reason to be interested in you.

[mirimir]

Well, they apparently didn't roll for a US court, in a case involving harassment, as I recall. Would they roll for the NSA? How would they handle a NSL? I have no clue. Their founder has said that, although he lives in the US, none of their server admins do.

[fnord77]

I don't use PIA, but one advantage of them is you can use a Starbucks or Target gift card to pay. Buy the gift card with cash then there is no trail.

[zo1]

>"Buy the gift card with cash then there is no trail."

Until it's important-enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, extract footage of you buying it. They can then extract your face and match against a DB. Or perhaps see what car you enter into, and extract its license-plate.

Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?

We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.

[mrarjonny]

I have been pleased with their service. It wasn't much hassle to set up, particularly. Was certainly a little trickier on my linux machine.

I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.

I know there is a some question of whether they can truly be trusted? Do they truly not keep logs? And they are US based which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.

[leadingthenet]

Would you recommend IVPN?

[mirimir]

Well, of course I would! They're one of the oldest. Except for the the first generation, anyway, such as Anonymizer (now basically owned by the CIA) and Cryptohippie (still very cool, but very expensive).

And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free.[0] However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.[1]

I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.

0) https://vpntesting.info/

1) https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea...

[kakarot]

The great thing about Mullvad is you can use OpenVPN instead of their client if you want. And those guys really know what they are doing.

[rhblake]

Even better, with Mullvad you can now use WireGuard instead of OpenVPN, for considerably better performance and possibly better security. I've configured my EdgeRouter Lite to route all wifi traffic on my default home network through WireGuard for a couple of weeks and it has worked very well.

https://www.mullvad.net/blog/2017/9/27/wireguard-future/

[mirimir]

You can use open-source OpenVPN with any VPN service that offers OpenVPN connectivity. You can also use AirVPN's client Eddie, which has a pretty decent built-in firewall.

[DeathRabbit]

Just adding another vote for Mullvad. Tried a few others, have had the best luck with Mullvad (bandwidth, # of servers, rock-solid connection, etc.)

[fapjacks]

I use OpenVPN to connect to PIA both on my Linux machines and Android.

[accatyyc]

Same applies to IVPN, FWIW.

[tacon]

My VPN activities run on a old Windows box, and I did not want to trust the VPN clients to not fail and blast my data in the open for a day or two before I noticed. I ended up writing a SafeVPN Windows service that kills processes within 30 seconds of VPN failure.

I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.

[mirimir]

It's better to use Windows Firewall, because blocking is virtually instant. Basically, you set LAN as a private network, and the VPN as a public network. For LAN, you allow connections only to the VPN server(s) that you use, plus a DNS server that's not associated with your ISP. You can also allow connections to other LAN devices, if you like. For the VPN, you allow all output, but only input for established connections.

[j_s]

Can you point to a writeup of how to do this?

The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.

[mirimir]

No, sorry. I used to know a URL, but ... And most of your search hits will feature application-level blocking, which seems silly to me. Also, I don't use Windows much anymore. And I've forgotten the specifics.

But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).

[tacon]

Interesting feature of Windows firewall, thanks. As the AirVPN client connects, it checks several hundred servers for the lightest load, so for that default behavior, I don't know which IPs to configure locally.

[mirimir]

Well, the AirVPN client in Windows has its own firewall, which I didn't manage to make leak.

[sushid]

Various sites on the internet (e.g. Reddit, piracy sites, etc) will recommend either PIA and/or Torguard over anything else.

[mirimir]

That's because PIA and Torguard are willing to outbid others to get that ranking :) Or so I've heard.

That's why you generally ignore online reviews.

[sushid]

Well my Torguard license is expiring soon. Who would you personally recommend instead?

[mirimir]

AirVPN, IVPN, Mullvad or PIA. They've all been around for several years, and focus on privacy. And I've never heard anything bad about any of them. PIA is the least expensive, and IVPN costs the most. AirVPN and IVPN are probably the fastest. IVPN and Mullvad probably have the best technical expertise.

[jen_h]

Or just DIY if you're just a regular Joe or Jane, it's quick, cheap, and easier than most assume.

[needcaffeine]

I’m curious about your DIY solution and what that involves.

[msh]

Algo is quite easy to install and run

[EGreg]

Why do you think that just because a VPN isn't free, it won't ALSO sell you out on the other side?

[JamesBarney]

Basically how much they have to lose.

Say for instance there are two vpn services. Both have a 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their user's information. But every year there is a 25% chance people find out and your service is shut down.

Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, but someone might risks a much smaller revenue stream for a comparatively bigger payoff.

[thomnottom]

That's not what was said. "Free VPNs are not to be trusted" does not imply "All paid VPNs can be trusted".

[FooHentai]

But to flip that around, what about adding payment into the mix has any bearing at all on the trustworthiness of a VPN provider?

[macintux]

Payment means there may be a viable business model other than sharing private information. Realistically I don't know how you can ever be sure, but I'd absolutely never trust a free VPN service.

[blacksmith_tb]

It's not so much that they couldn't sell you out, but that if word got around that they had, it would be bad for business.

[midwife_cry_sys]

Everytime you turn around we heart of another free VPN selling data. How else do they stay in business.