Benefits of VPN

I just got a VPN connection working on all of my devices. When it comes to my Android phone, I had to ask myself what value there is to using a VPN tunnel installed there.

As soon as I saw the VPN on my phone working, I realized that all of the Google Spyware on my phone was using my secure anonymous connection to phone home to Google, give my advertising ID to them, and then upload all of the latest information about me to them. Does anyone here know what good having a VPN on your Android or Apple device can do?

You still get the benefit of

  • bypassing the spying done by your ISP
  • bypassing the interference done by your ISP
  • security if accessing a public WiFi service or other untrusted internet source
  • bypassing some geoblocking
  • obscuring some data collection done by web sites you use

It is true that the one thing that the VPN can’t help with is spying by the phone itself. More generally, no secure connection can deal with insecurity on either endpoint.

You can still justify using a VPN on a spyphone but you just have to be realistic about what it does and what it does not protect against.

1 Like

Unless it’s a De-Googled Android phone, you’re really just kidding yourself as far as privacy is concerned. See the following for details:

Why You should Dump Your Apple and Google Phone - Top 5 Reasons!

Android without Google? How is that Possible?

What it’s like to use a De-Googled phone in real life? (Q&A of concerns)

There are tracker blockers available in F-Droid, but unfortunately they need the one VPN slot to function. Still a good idea to have one installed, in case you decide to run without your VPN occasionally. Check out Netguard, Blokada, or TrackerControl.

Edit/Correction: Have a look at NextDNS: https://nextdns.io/

I think you can use it together with a VPN service, if the VPN accepts custom DNS options.

1 Like

I did some research about VPN since my last post here. There are two types of VPN. There is VPN service used to prevent anyone from spying on your packets as they travel through the internet. Then there are VPN routers which allow port forwarding via the VPN service. Unless you own your own global IP address on your home server, you can’t log in to a home network from the public side of your router without both VPN service and a home VPN router. If you use a VPN router, all of your devices can share a single VPN tunnel. So each device on your network won’t need its own VPN connection to use the VPN encrypted service if you have a VPN router. Most VPN service providers only give you between 4 and 10 tunnels. Some banks and other types of login services won’t work via VPN. My banks all seem to work via a VPN tunnel.

I see only two differences when using a VPN service as opposed to surfing the web without it turned on: 1.) The little annoying pop-ups on my phone don’t happen anymore. I still get some ads, just not the pop-up ones. 2.) The ads that I do see are targeting me in Los Angeles (where the tunnel emerges) instead of in Arizona where I am.

So my plan now is to: 1.) install DD-WRT on my home router to allow VPN port forwarding on it. 2.) Find a VPN provider that allows port forwarding. Most VPN providers don’t also allow port forwarding. If the VPN provider doesn’t support port forwarding, it might still work. But if your VPN connection disconnects in that case, your router will be unprotected from the outside world, letting everyone into your exposed server.

This is a common misconception. VPNs can’t do that. They may prevent anyone from getting some information about your packets between you and the VPN. They will not prevent the VPN from spying on your packets. Anyone between the VPN and the other end of the connection will also see most properties of the packet, except possibly the end point.

A “VPN router” is just a regular router with a VPN client BTW. Any VPN service can be used to do that, when configured properly.

A VPN provider is nothing but an ISP; they just package their connection differently (VPN client rather than cable or radio waves). Same considerations apply: are they giving you a public IP? Are they doing NAT? If they are in control of the NAT, do they do port forwarding for you? Do they have firewalls that may block your connections? Etc.

If your router is vulnerable when the VPN disconnects, it was also vulnerable when the VPN was in place. Use a correctly configured firewall.

1 Like
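One way to act on the advice above (a firewall that makes the exposure the same whether the tunnel is up or down), as an added example that is not from this thread or any dd-wrt/provider documentation. Interface names, the home server address and the forwarded port are assumptions: wan0 is the ISP uplink, lan0 the home LAN, tun0 the VPN provider tunnel, 192.168.1.10 the home server and 2222 the port the provider forwards to you.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names and addresses are
# assumptions: wan0 = ISP uplink, lan0 = home LAN, tun0 = VPN provider
# tunnel, 192.168.1.10 = home server, 2222 = port the provider forwards.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Only LAN hosts may reach the router's own services.
        iifname "lan0" accept
        # Nothing unsolicited from the ISP side or from the tunnel reaches the
        # router itself. Policy drop already does this; the counter makes a
        # probe visible in `nft list ruleset`.
        iifname { "wan0", "tun0" } counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN traffic leaves only through the tunnel. If tun0 goes down the
        # default route may fall back to wan0, but this rule then no longer
        # matches, so the traffic is dropped rather than leaked (fail closed).
        iifname "lan0" oifname "tun0" accept
        # The forwarded port is admitted only when it arrives via the tunnel
        # (after the dnat below). The same port hitting wan0 matches nothing
        # and is dropped, VPN up or down.
        iifname "tun0" ip daddr 192.168.1.10 tcp dport 22 ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Provider-forwarded port -> home server's SSH.
        iifname "tun0" tcp dport 2222 dnat to 192.168.1.10:22
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Source NAT only toward the tunnel; deliberately none toward wan0,
        # so LAN hosts cannot be NATed straight out to the ISP by accident.
        oifname "tun0" masquerade
    }
}
```

The router's own VPN client still reaches the provider over wan0 because its traffic goes through the output hook, which this ruleset leaves at the default accept, and the replies come back as established state.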

The “Private” part of “Virtual Private Network” has been sooo abused by marketing.

Private, in this context, has no relation to privacy. It’s “private” in the context of “private” vs “public” networks, or networks that are not exposed to the internet vs networks that are internet-accessible. “Virtual” in the sense that this private network is made up using software between 2 computers, rather than using network cables and switches.

This of course is never part of the marketing material…

All true, but at least you can hide your physical location (i.e. obfuscate IP address triangulation) from the Evil Empire (Google, Apple, Amazon, Microsoft, etc.) and encrypt all your data in transit (not just https requests).

That said, if you want to take it to the next step then you could spin up your own VPN server for about the same monthly cost as the average VPN provider (e.g. OpenVPN, WireGuard).

Private in the sense that it 1) encrypts all network traffic in transit (not just https) from your devices, and 2) hides your actual physical location from all except your VPN provider.

Here’s a good summary: Q&A on VPN and TOR - Tips, Misconceptions, Truth

As I said, a VPN does not necessarily encrypt any data. Most of them do, but even then, it’s not all transit. Your data will happily (and necessarily) get revealed to the VPN and travel unencrypted from the VPN to the endpoint.

While VPNs indeed hide your IP (so physical location) from those endpoints who don’t care a lot, many will happily reveal it to law enforcement – and there’s nothing preventing them from selling the data in some parts of the world.

VPNs are far from a slam dunk; they come with tradeoffs like anything else.

Why would a VPN not encrypt data? Why else would you even use a VPN then? Name one VPN that doesn’t encrypt?

Although we live in a ZERO trust world now, if you can’t trust Rob Braxman, then you can’t trust anyone surely. He could be a liar and an agent, but then he’d have to be a helluva actor; fwiw, Rob is adamant that he doesn’t log customer IP addresses so even if law enforcement would ask, he could not provide the information.

As with all service providers, not all VPN service providers are created equal. Until proven otherwise, I highly recommend Rob Braxman’s BraxRouter and BytzVPN service both of which can be acquired from the BraxStore along w/ his De-Googled Android phones and new privacy-focused Braxmail Email service.

Your Home Privacy Appliance: BraxRouter VPN + TOR Router

1 Like

To break out/into a network, or present a different IP to the end points. The unpublished VPN I made when I discovered my dorm ISP did not actually expose the internet, but only a HTTP proxy.

Lol.

True.

You don’t need a VPN to do that: you could have done the same with simply your own router. That said, anyone using a dorm ISP should be using encryption via VPN client AFAIC.

You can’t connect to the internet with your own router if, uh, the router has no connection to the internet. You need a bridge outside the private network, and into the internet, and that’s what the VPN was for.

I don’t really care if law enforcement has the ability to track me. It’s not ideal to be tracked by anyone, including law enforcement. But they have much bigger crimes to go after than anything I might have accidentally done wrong. It’s not even realistic to attempt to have secure communications over the internet to the degree that even law enforcement can’t track you or decrypt your communications. I can’t think of anything that I might do on the internet that would get me in trouble with them. It’s just easier to assume that law enforcement might read or hear everything you type or say while online. If advertising can be blocked and advertisers can’t get any information about me (an ideal but not completely achievable), I’ll be completely satisfied. But the first step is to just keep the criminals out of my networks. If I stay somewhat hidden and my identity somewhat obscured, the bad guys and corporate profiteers will go after easier prey. It’s like getting a dog. When a burglar hears a barking dog, it’s just easier for them to find a different house to break into.

My next step is to flash dd-wrt onto my router. I bought a dd-wrt supported model with that plan in mind. The manufacturer’s firmware has a child-like simple interface that forces you to register with them and that charges a monthly fee for several features that were free of charge on past routers that I have owned. I am anticipating a lot of advanced features with dd-wrt too. I have never done a dd-wrt upgrade previously though. Has anyone else here done that before?

I installed AsusWRT-Merlin on my router. https://www.asuswrt-merlin.net/about

Easy.

Gotcha. Well, unless they prohibited encryption I would have still used the VPN w/ encryption.

Something that may have got lost in this discussion: your typical VPN architecture takes your original traffic (which may or may not be encrypted) and tunnels it from one endpoint (your computer or your router, whichever is the actual endpoint) to the other endpoint (the VPN server provided by the VPN service provider).

Beyond the other endpoint, as the original traffic makes its way to the actual host that you wanted to communicate with, if the original traffic is not encrypted then it can be intercepted by any party who can insert themselves into the route from the VPN server to the final destination.

Even if the original traffic is encrypted, metadata can be gleaned by the malicious party. A sophisticated malicious party may even be able to perform traffic analysis to correlate outgoing traffic from the VPN provider with incoming traffic to the VPN provider e.g. if it is not very busy and does not take countermeasures.

All of this assumes that the VPN provider is completely trustworthy and does not reveal any information.

This all still applies when you spin up your own VPN server.

Many security protocols would allow you to negotiate a null cipher on a tunnel. I don’t know what the exact state of play is with applicable VPN clients but in an ideal world you would configure your VPN client to demand a minimum specification of cipher.

One legitimate reason to have a secure connection but not have encryption is if you only want integrity (not confidentiality) on the connection. So you care to ensure that a malicious party cannot alter the traffic in transit but you don’t care whether the malicious party can intercept the traffic. This could make sense if the content is public anyway, and is not sensitive enough that the fact of accessing the content needs to be kept confidential.

Again, perhaps I’m dense, but if you are going to bother using a VPN I don’t understand why you would use anything less than the strongest end-to-end encryption 100% of the time UNLESS an app or service (e.g. Netflix, Hulu, etc.) doesn’t allow it, which is why the ideal home setup is to use a non-VPN router for all the unimportant traffic like content streaming, and a VPN router w/ the strongest end-to-end encryption configured for ALL OTHER traffic.

Sure, given unlimited resources of a nation state, a world view of metadata traffic analysis could theoretically be done, so it all depends upon your threat model.

I would think someone would have taken the radio frequency-hopping concept and come up w/ a similar multi-VPN provider/server concept whereby you could select a pool of VPN provider servers and have your VPN client send requests randomly across that pool of IP addresses, which would make it more difficult to correlate. Let me know if there’s a solution out there that I missed before it’s my next pet project. :wink:

That said, again, if YOU are your own VPN server provider then hopefully you can trust yourself not to spy on you. :wink: