How to set up a VPN in 10 minutes for free(medium.freecodecamp.com)
medium.freecodecamp.com
How to set up a VPN in 10 minutes for free
https://medium.freecodecamp.com/how-to-set-up-a-vpn-in-5-minutes-for-free-and-why-you-urgently-need-one-d5cdba361907#.dmfa744uf
51 comments
I use Streisand:
https://github.com/jlund/streisand
You can choose your provider and location. It includes detailed client side instructions.
It is recommended by HN:
https://hn.algolia.com/?query=jlund%2Fstreisand&sort=byPopul...
https://github.com/jlund/streisand
You can choose your provider and location. It includes detailed client side instructions.
It is recommended by HN:
https://hn.algolia.com/?query=jlund%2Fstreisand&sort=byPopul...
I actually advise against digital ocean if your privacy is your main concern, as they mention in their terms[0] they will pretty much hand over anything requested.
[0]https://www.digitalocean.com/legal/terms/
plus, remember when they took out 38,000 websites because the Yes Man made a parody site?[1]
[1]https://www.techdirt.com/articles/20160629/23462634866/nra-t...
regardless, DO is known for shooting first and asking questions later, does this seem like the type of provider you want to use for a VPN?
[0]https://www.digitalocean.com/legal/terms/
plus, remember when they took out 38,000 websites because the Yes Man made a parody site?[1]
[1]https://www.techdirt.com/articles/20160629/23462634866/nra-t...
regardless, DO is known for shooting first and asking questions later, does this seem like the type of provider you want to use for a VPN?
>they will pretty much hand over anything requested //
It sounds from https://www.digitalocean.com/legal/enforcement/ like they don't really have much to hand over though. If you bring up an instance use it for a VPN, delete the instance. They claim to not have connecting IP addresses, nor the contents of deleted instances (which can be encrypted), nor indeed much beyond your payment & contact details.
But then they could just be claiming that.
Aside, their terms include this gem - after the para noting that "content" covers all "data" and "information":
>You represent that all User Content provided by you is accurate, complete, up-to-date, and in compliance with all applicable laws, rules and regulations.
So, if you give them any data or information you have to give them all the information, and it has to be accurate and up to date! Cue data dump of all facts in the known universe!! Hang on, that fact was only up to date when you sent it, now it's out of date ... can ... not ... comply ... must ... send ... more ... data ...
It sounds from https://www.digitalocean.com/legal/enforcement/ like they don't really have much to hand over though. If you bring up an instance use it for a VPN, delete the instance. They claim to not have connecting IP addresses, nor the contents of deleted instances (which can be encrypted), nor indeed much beyond your payment & contact details.
But then they could just be claiming that.
Aside, their terms include this gem - after the para noting that "content" covers all "data" and "information":
>You represent that all User Content provided by you is accurate, complete, up-to-date, and in compliance with all applicable laws, rules and regulations.
So, if you give them any data or information you have to give them all the information, and it has to be accurate and up to date! Cue data dump of all facts in the known universe!! Hang on, that fact was only up to date when you sent it, now it's out of date ... can ... not ... comply ... must ... send ... more ... data ...
Ive actually heard a horror story with DO where someones deleted instance was recovered[0]
the link is dead though :/
[0]https://news.ycombinator.com/item?id=7498861
EDIT: Webarchive has it: https://web.archive.org/web/20140331054458/https://gist.gith...
the link is dead though :/
[0]https://news.ycombinator.com/item?id=7498861
EDIT: Webarchive has it: https://web.archive.org/web/20140331054458/https://gist.gith...
Its just a guide, and DO guides are one of the best floating around. You can use any provider; the pre-reqs is literally 'a' server running Ubuntu.
[deleted]
This is incredibly bad advice. Opera has the worst security track record of every other major browser, and clicking that ad blocker button routes all your traffic through a single endpoint at a Chinese-owned company. Hello surveillance! Even the routers... haven't there been enough remotely exploitable flaws in those archaic router vendors to recommend against using them at this point? You might get a VPN in name but you'll get none of the security that comes with them that way.
You should setup your own personal VPN server if you can. We wrote Algo VPN, a set of ansible scripts that automates the process as much as possible. It contains the most secure defaults available, works with common cloud providers, and does not require client software on most devices.
https://github.com/trailofbits/algo
You should setup your own personal VPN server if you can. We wrote Algo VPN, a set of ansible scripts that automates the process as much as possible. It contains the most secure defaults available, works with common cloud providers, and does not require client software on most devices.
https://github.com/trailofbits/algo
>Does not install Tor, OpenVPN, or other risky servers
Can you explain how ipsec differs from openvpn ? All the major vpn providers seem to use openvpn right now.
Can you explain how ipsec differs from openvpn ? All the major vpn providers seem to use openvpn right now.
Yes! We cover that in the FAQ in detail:
https://github.com/trailofbits/algo/blob/master/docs/FAQ.md#...
https://github.com/trailofbits/algo/blob/master/docs/FAQ.md#...
thank you guys! I installed Algo on AWS EC2 last week. easiest set up ever using your ansible scripts.
any ideas on how to get around Netflix's block? use a different VPS provider?
any ideas on how to get around Netflix's block? use a different VPS provider?
Yes, choice of VPS provider matters if that's what you're going for. I would bet that Netflix has a fairly complete inventory of all the IP addresses that Amazon owns at this point...
> This is where the EFF’s HTTPS Everywhere extension comes in handy. It will make sure traffic to non-HTTPS websites is also encrypted.
Is it just me, or this paragraph is completely wrong? HTTPS Everywhere's job is to HTTPS when available but not explicitely used.
Is it just me, or this paragraph is completely wrong? HTTPS Everywhere's job is to HTTPS when available but not explicitely used.
It's wrong, and wrong beyond a simple mistake in phrasing. The author has no idea how HTTPS operates or what this extension does, despite plugging Let's Encrypt in the preceding paragraph.
the author must be watching; already changed the content to more closely match what HTTPS Everywhere actually does
"How to cut-and-paste your way into a VPN setup for free without having any idea WTF you're doing, let alone how to adapt these instructions when the underlying technologies inevitably roll over in the next 24-48 months" would have been a more descriptive title.
> Hijack your searches and share them with third parties
What does it mean to "hijack" a search? If the ISP is modifying your data in flight then that'd qualify though I don't think this bill gives them that power.
Also, most (all?) searches go over SSL which would not be susceptible to MITM fiddling.
At most it gives them access to log the number of bytes sent per customer to each destination and the DNS lookups you've performed. I'd be concerned if they are selling that information but there's no need to make up fake lingo to sell this. It's crap enough as it stands.
What does it mean to "hijack" a search? If the ISP is modifying your data in flight then that'd qualify though I don't think this bill gives them that power.
Also, most (all?) searches go over SSL which would not be susceptible to MITM fiddling.
At most it gives them access to log the number of bytes sent per customer to each destination and the DNS lookups you've performed. I'd be concerned if they are selling that information but there's no need to make up fake lingo to sell this. It's crap enough as it stands.
The EFF explains how this was done here:
Back in 2011, several ISPs were caught red-handed working with a company called Paxfire to hijack their customers’ search queries to Bing, Yahoo!, and Google. Here’s how it worked.
When you entered a search term in your browser’s search box or URL bar, your ISP directed that query to Paxfire instead of to an actual search engine. Paxfire then checked what you were searching for to see if it matched a list of companies that had paid them for more traffic. If your query matched one of these brands (e.g. you had typed in “apple”, “dell”, or “wsj”, to name a few) then Paxfire would send you directly to that company’s website instead of sending you to a search engine and showing you all the search results (which is what you’d normally expect). The company would then presumably give Paxfire some money, and Paxfire would presumably give your ISP some money.
In other words, ISPs were hijacking their customers’ search queries and redirecting them to a place customers hadn’t asked for, all while pocketing a little cash on the side. Oh, and the ISPs in question hadn’t bothered to tell their customers they’d be sending their search traffic to a third party that might record some of it.
Source: https://www.eff.org/deeplinks/2017/03/five-creepy-things-you...
Back in 2011, several ISPs were caught red-handed working with a company called Paxfire to hijack their customers’ search queries to Bing, Yahoo!, and Google. Here’s how it worked.
When you entered a search term in your browser’s search box or URL bar, your ISP directed that query to Paxfire instead of to an actual search engine. Paxfire then checked what you were searching for to see if it matched a list of companies that had paid them for more traffic. If your query matched one of these brands (e.g. you had typed in “apple”, “dell”, or “wsj”, to name a few) then Paxfire would send you directly to that company’s website instead of sending you to a search engine and showing you all the search results (which is what you’d normally expect). The company would then presumably give Paxfire some money, and Paxfire would presumably give your ISP some money.
In other words, ISPs were hijacking their customers’ search queries and redirecting them to a place customers hadn’t asked for, all while pocketing a little cash on the side. Oh, and the ISPs in question hadn’t bothered to tell their customers they’d be sending their search traffic to a third party that might record some of it.
Source: https://www.eff.org/deeplinks/2017/03/five-creepy-things-you...
Okay that sounds completely illegal and the exact definition of digital hijacking. Any type of modification of the packets themselves outside of dropping them for network control is a clear violation in my book.
I don't see that working for connections over SSL. I wonder how the companies that operate these questionable "services" deal with the rapid rise of SSL the past few years.
I don't see that working for connections over SSL. I wonder how the companies that operate these questionable "services" deal with the rapid rise of SSL the past few years.
I think this type of attack being described was (is) actually done by hijacking requests that should have returned DNS NXDOMAIN. You tried to visit a URL that did not exist, but your DNS server failed to make that clear in the standard way to your browser, and now your traffic is sent somewhere else, instead of sending you to the familiar (or ugly, they might argue) NXDOMAIN browser error page.
So there aren't really any packets being modified, since you already get your DNS from your ISP. They're just returning bad information to requests that your browser naturally had directed at them.
So there aren't really any packets being modified, since you already get your DNS from your ISP. They're just returning bad information to requests that your browser naturally had directed at them.
The NXDOMAIN hijack isn't as bad as this. It involves replacing the response from the resource you requested with the ISPs preferred response.
It can happen either through DNS hijacking (nslookup for google.com goes to isp-fake-google.com) or they can just sniff all the traffic and MITM HTTP traffic for "GET /q=?" with a "Host: google.com". In either case they send you to whatever they'd like rather than the original request (and of course sell the data that User X searched for Y).
It can happen either through DNS hijacking (nslookup for google.com goes to isp-fake-google.com) or they can just sniff all the traffic and MITM HTTP traffic for "GET /q=?" with a "Host: google.com". In either case they send you to whatever they'd like rather than the original request (and of course sell the data that User X searched for Y).
NXDOMAIN hijacking is closely related, but Paxfire had another service (at least in 2011, when fewer searches were done over SSL) that was sending all traffic directed to the major search engines through its proxy servers.
https://www.eff.org/deeplinks/2011/07/widespread-search-hija...
https://www.eff.org/deeplinks/2011/07/widespread-search-hija...
Don't mean to hijack the thread; but speaking of Tor...If some entity ran enough nodes wouldn't they be able to get a pretty good idea of the traffic sources and destinations?
You should never trust an exit node.
https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-to...
https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-to...
The "O" in TOR stands for "Onion". The name comes from having many layers with traffic routing between them. Each node only knows enough to go to the next node. You'd have to control the entire chain to track a packet from source (TOR client on end user's machine) to target (i.e. TOR-exit).
It's definitely possible but with an increased number of hops it becomes harder and harder.
It's definitely possible but with an increased number of hops it becomes harder and harder.
You can correlate traffic without the middle node thanks to timing and packet sizes. You just need the entry and the exit nodes.
Hence why they introduced entry guards. To make things a little more difficult for an adversary that manages to bring up a lot of nodes.
Hence why they introduced entry guards. To make things a little more difficult for an adversary that manages to bring up a lot of nodes.
It's Tor* not TOR.
https://www.torproject.org/docs/faq.html.en#WhyCalledTor
https://www.torproject.org/docs/faq.html.en#WhyCalledTor
[deleted]
I've used https://www.tinfoilsecurity.com/vpn/new several times to quickly set up a new VPN on a DigitalOcean droplet. Takes ~5 minutes.
Lately I had it set one up for me and have just let it run constantly since then. I effectively have my own personal VPN for $5 month.
Lately I had it set one up for me and have just let it run constantly since then. I effectively have my own personal VPN for $5 month.
So 50 Republican senators, and not a single Democratic senator, voted for CRA, but also won't permit the FTC to regulate ISPs when it comes to preserving user privacy. Is this coincidence or is it a "market opportunity" for ISP's to bring back privacy as a product? Disallow VPN at the standard pricing level; and only permit it if you upgrade?
I don't know much about VPNs, so please forgive my ignorance. But doesn't using a VPN basically throttle you to whatever internet speed the VPN server has? I pay for 100mb at home, I don't really want to artificially throttle that down to 10mb or pay some exorbitant price for giving the endpoint 100mb.
> If you want to take things next level, you can try Tor, which is extremely private, and extremely hard to de-anonymize
I don't think Tor would eliminate the need for a VPN; wouldn't your ISP still be able to see the requested URL?
Edit: I was thinking of DNS leaks, but that's really not an issue if you use Tor Browser.
I don't think Tor would eliminate the need for a VPN; wouldn't your ISP still be able to see the requested URL?
Edit: I was thinking of DNS leaks, but that's really not an issue if you use Tor Browser.
The entire HTTP request, including the destination, is bundled into the TOR packet, AFAIK. Only the exit node on the tor network can know where the destination is. But even then, when using HTTPS, the exit node only knows the host of the HTTP request, not the entire URL.
No, the isp could see that you're connected to TOR, but that's just an SSL connection and they cant see anything inside it.
A friend recently setup openvpn to run in his router (I'm going to guess it was MIPS based), and his download bandwidth went from ~100Mbps to about 10Mbps; so a 10x drop. Why? Is a MIPS CPU in a consumer off the shelf router ($200) itself just too underpowered for this task?
Opera doesn't provide a true VPN in its browser, it's just a proxy.
Learn more about VPNs and all privacy related things here: https://www.reddit.com/r/privacytoolsIO/
Learn more about VPNs and all privacy related things here: https://www.reddit.com/r/privacytoolsIO/
Here is a link to setup VPN Server on AWS.
https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...
https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...
There is no privacy without open source software.
This article with the recommandations to buy Netgear stuff or commercials VPN services is just a farce.
The author don't know shit, writing this type of false articles will lead to another privacy disaster.
The author don't know shit, writing this type of false articles will lead to another privacy disaster.
Whether the server is free / open source software is irrelevant to the matter of privacy with a VPN. It's running on someone else's computer, so you have no way of proving what is running, or more importantly, what isn't running - the service provider can run OpenVPN and also tcpdump, both of which are free software. You need to trust the provider not to monitor your traffic, and perhaps not to be easily compelled to monitor your traffic on someone else's behalf.
(The same is true of Tor exit nodes, incidentally, and it's very easy for an intelligence agency to run Tor and tcpdump.)
If you actually want a VPN, one of your best options is to use a commercial service that has a reputation to uphold. Some fly-by-night "non-profit" is probably a front for a miscreant running tcpdump. (And there is no conflict with a commercial service running open source code, as I'm sure you know!)
(The same is true of Tor exit nodes, incidentally, and it's very easy for an intelligence agency to run Tor and tcpdump.)
If you actually want a VPN, one of your best options is to use a commercial service that has a reputation to uphold. Some fly-by-night "non-profit" is probably a front for a miscreant running tcpdump. (And there is no conflict with a commercial service running open source code, as I'm sure you know!)
Having source isn't necessary, nor is it sufficient to determine what the software on a device is doing.
It's often convenient, but just having some source doesn't actually ensure that is the code running on the device.
It's often convenient, but just having some source doesn't actually ensure that is the code running on the device.
I could have sworn the link changed from its original submission.
I don't know about the link, but the content has clearly changed to address concerns brought up in this HN thread.
Any commercial vpn recommendations from this crowd?
Setup your own in 10 mins. Here is a link to setup VPN Server on AWS. Free tiers also apply for new accounts in 1st year.
https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...
https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...
Look at setting one up yourself, either on a cheap VPS or the free offering from AWS or Google. Various people have posted OpenVPN setups used on these.
As far as commercial VPN providers, I like ones that tell users to use the mainline OpenVPN client rather than assuming you're cool with trusting their homegrown frontend.
As far as commercial VPN providers, I like ones that tell users to use the mainline OpenVPN client rather than assuming you're cool with trusting their homegrown frontend.
ExpressVPN worked well for me, particularly in China where most commercial and self-hosted VPNs fail. They accepted bitcoin payments and had a Linux app.
Mullvad
how is this "free" when you have to pay for the cloud instance?
If you actually are looking to set up your own VPN, I recommend this guide on Digital Ocean[1] If privacy is your main concern for using a VPN, and you are technically inclined, then it would make sense to be in control of the server acting as your VPN.
[1] https://www.digitalocean.com/community/tutorials/how-to-set-...