by lisk1 2210 days ago
The solution for this is to tunnel the traffic through an encrypted connection to servers in countries that respect persons' privacy (if that is true nowadays). The easiest way is to use WireGuard: easy to set up, uses only one port and has clients for many devices.

> ... countries that respect persons privacy

May be a long time ago, in a galaxy far away, such a thing once existed. It's a sweet thought though.

You don't even need that to be useful though.

In my tinpot banana republic (Australia) ISP metadata retention is required by law, and warrantless access to that is granted to organisations involved in fighting terrorism, child abuse, and other serious crimes - and those agencies include local councils, animal control, the taxi commission, and various horse racing oversight organisations... :sigh:

Even moving your metadata to a different legal jurisdiction makes it less likely to be abused. My local nosy dog catcher is unlikely to attempt to get hold of any useful internet metadata when my ISP hands over their records and says "Ahhh, yes - bigiain's metadata here shows about 2TB of bandwidth for May, all to the IP address of a VPN endpoint in <checks ip geolocation> Belize... I can look up the Belize police phone number for you, do you speak creole?"

Isn't the official language in Belize English? Aren't South America's routers accessible by the agencies collaborating with the US Govt.?

Maybe, and quite likely. I considered using Moldovia as my example jurisdiction instead, but Belize has some nice cachet and backstory to add appropriate colour and context to a rant.

Still gonna put off the local dog catcher who's trying to work out if I'm video chatting with his ex girlfriend...

(If _actual_ FVEY or equivalent national security agencies are curious about me, I'm pragmatic enough to know none of my tradecraft live action role playing is gonna make any difference at all. I could buy some magical amulets, fake my own death, and live in a submarine. I am still gonna be Mossad'ed upon... I'll avoid running shipping containers full of drugs/weapons/children across international borders, and try to keep my harshest criticism of the Saudi/Trump Royal families to myself...)

Oh. It's quite enough to express your opinions.

If you trust your VPS's DNS, the easiest way would be autossh -D<port> <user@host>, then set your browser's SOCKS5 proxy to localhost:<port> and tell it to use remote DNS when resolving domains. This requires no WireGuard setup, no certificate generation or anything.
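The autossh SOCKS setup described in this comment, written out as an added example (not the commenter's own script): it assumes a VPS reachable as user@vps.example, local SOCKS port 1080, and a hypothetical IP-echo service at https://ip.example/plain for the tunnel check. It also shows the one detail the comment flags, making sure DNS is resolved on the remote side rather than leaking to the local resolver.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: user@vps.example, port 1080,
# and a hypothetical IP-echo service https://ip.example/plain.

# Build the autossh command line. -M 0 disables autossh's own monitor port
# and relies on the ServerAlive options to detect a dead session; -N opens
# no remote shell; -D binds the SOCKS listener to loopback only, so other
# hosts on the LAN cannot ride the tunnel; ExitOnForwardFailure makes a
# failed -D bind fatal instead of silently leaving you without a proxy.
tunnel_cmd() {
    printf 'autossh -M 0 -N -D 127.0.0.1:%s -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes %s' "$1" "$2"
}

# curl's --socks5 resolves hostnames locally (DNS queries still go to the ISP
# resolver); --socks5-hostname hands the name to the SSH server to resolve,
# which is what Firefox's network.proxy.socks_remote_dns=true does for the
# browser. "remote" is the setting the comment recommends.
proxy_flag() {
    case "$1" in
        remote) echo "--socks5-hostname" ;;
        local)  echo "--socks5" ;;
        *) echo "usage: proxy_flag remote|local" >&2; return 1 ;;
    esac
}

# Fetch a URL through the tunnel with remote DNS; exit status is curl's.
fetch_via_tunnel() {
    curl --silent --show-error --fail "$(proxy_flag remote)" "127.0.0.1:$1" "$2"
}

# Compare the public IP seen directly with the one seen through the tunnel.
# Returns 0 when they differ (traffic really exits via the VPS), 1 when they
# are the same (tunnel not in use), 2 when either request failed.
tunnel_in_use() {
    port="$1"; echo_url="${2:-https://ip.example/plain}"   # assumed service
    direct=$(curl --silent --fail "$echo_url") || return 2
    tunneled=$(fetch_via_tunnel "$port" "$echo_url") || return 2
    [ "$direct" != "$tunneled" ]
}

case "${1:-}" in
    # word-splitting of tunnel_cmd output is intended; no argument has spaces
    start) exec $(tunnel_cmd "${2:-1080}" "${3:-user@vps.example}") ;;
    check) if tunnel_in_use "${2:-1080}"; then echo "tunnel active"
           else echo "tunnel NOT active (or check failed)"; fi ;;
esac
```

Run with `start` to bring the tunnel up and `check` (in another shell) to confirm the browser-visible exit address is the VPS's, not the ISP-assigned one.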
I've been doing both and have to say WireGuard is much more performant and stable than an SSH tunnel. Besides, it shouldn't be too hard to set it up on a VPS.

As a counterpoint about reliability, I've been tunnelling my HTTP traffic (and DNS) through SSH (to get around corporate restrictions and monitoring) for 10 years or so - I don't think I've ever had any reliability issues.

I've had a lot of problems: latency, SSH TCP connections dropping packets and the whole connection becoming unstable, manually configuring the proxy / browser each time & also sometimes you may forget to start the tunnel. You also need to start a new SSH connection for each port you want to forward, so you end up managing a bunch of SSH connections if you want to expose some services, for example. WireGuard is deeper down the layers and just works without jumping through hoops - none of the apps are aware of it and when it's on, it just stays on. Of course, when all you have is SSH to get around pesky restrictions, then I guess that will do fine too! ;-)

A good point about switching proxies and apps that don't support SOCKS natively.

I guess I've been dealing with those issues for so long they don't bother me anymore!

Also, I use a great extension for Firefox, so I can switch to/from the proxy in 2 clicks, "Proxy Switcher and Manager".

WireGuard doesn't use certificates; it works in a similar way to SSH, with keys. Also, they have open source clients for Android and iOS with a few clicks of configuration.

You don't generate a key pair to share with the client? How does that even work when you want to disable a key or set a password?

What I meant is that generating keys is not equal to generating a certificate in the common sense of this word. It only works with randomly generated keys; passwords are not a safe way to encrypt data unless you can remember a random sequence of characters for every client you have. If you look at the WireGuard protocol you will get all the answers.

I got my answers, it is pretty much OpenVPN with a different wire protocol and there are key pairs.

Thailand has some new and strong privacy laws:

https://www.insideprivacy.com/data-privacy/thailand-passes-p...

Which have been delayed for a year due to C19.

All Thai constitutions have had strong privacy requirements, but that has never been important for what actually happens.

It's really not clear what compliance will be like. If it's anything like most things here then it'll only be if the government gets annoyed that a company will be in any danger of prosecution.