Benefits of VPN

I’ve seen, courtesy of my Pi-hole application, that streaming services are rife with trackers, so I personally don’t consider it “unimportant.” I understand what you’re saying, though. (And of course, Pi-hole takes care of them without having to use a VPN.)

Fair enough. FWIW, Rob Braxman’s BraxRouter incorporates the Pi-hole and his BytzVPN offers -noAds VPN server profiles in each geographic pool which also filters VPN traffic through a Pi-hole.

That said, w/ disciplined opsec, you would segregate your non-VPN accounts from the accounts you use for your private data over VPN. At least that’s Rob’s recommendation.


Part of the reason to use a VPN service also, is to mask your location. So unless you own your own global network with nodes spread around the globe, you’ll need to give away your location as soon as your encrypted traffic hits a real ISP, probably just a few miles from where you live.

Again, depends upon your threat model, but at least 4G triangulation is around 1.5 sq. miles, so if your threat model was at the ISP level, then I’d stick to highly dense population areas; i.e. major cities.

For me, I’m happy just to neutralize the big tech evil empires, since I don’t break the law except for the speed limit (frequently!). :wink:

You’ve almost touched on an example that illustrates two of the points!

  1. You may well need to use a VPN in order to beat geoblocking (restricting access to content by clients in a particular country). All other parts of the VPN for that scenario are a complete waste of resources.

  2. If you live in a country that is still more or less a democracy and are accessing mainstream video content, why exactly do you think you need to encrypt the e.g. Netflix video content as it comes to you? It’s all public content. Anyone can in theory access the exact same content as you are, and see what you are seeing. The greatest privacy risk by far comes from the provider of the content itself e.g. Netflix.

That can be difficult though. It is near certain that all the requests for a given TCP connection need to come from the same IP address. Some web sites may also deem that any prior authentication is only effective for requests from a given IP address. (It could also play havoc if you are using the VPN to bypass geoblocking.)

Another complication arises where the DNS is returning results that are dependent on the location of the client e.g. a CDN scenario. So if the source IP address varies ‘randomly’ then the DNS may return a result such that, when you attempt to make the subsequent TCP connection, the TCP connection will fail.

I have heard of a system where the IP address is spoofed on the other side of the tunnel endpoint (which should address the above issues). However, that may not work in the face of ingress filtering (and it is also a bit of a red flag for your traffic even if not blocked).

It depends on your threat model i.e. whom you are trying to mask your location from.

From a web site? Even if your global network comprises just one VPN node, that node may be half a world away. So to the web site you are connecting to, you could appear to be anywhere in the world but if you only have one node in your global network then it will always be the same country.

From your government / your ISP? Then you are in practice correct. I guess if you are super-desperate, you could put in a dedicated point-to-point WiFi link and then you can throw your location to somewhere a hundred kilometres or so away from where you really are (best case).

Well, thankfully there never has been nor hopefully ever will be a real democracy; i.e. where either the mob rules and/or the easily controlled sheeple can be used against the minority. :wink:

That said, there is still a benefit for the VPN to block ads, bots and social profiling if the streaming service does not block VPNs. I disagree that the marginal additional resources used would be a waste.

Points well taken about the CDN factor though.

Again, per Braxman’s recommendation, I have a non-VPN router set up for streaming services and any other service that blocks VPNs, and another VPN router set up for everything else with range extenders for both zones.

When talking end-to-end it’s useful to identify the ends. A VPN can provide you-to-VPN encryption, not more. Since traffic usually doesn’t stop at the VPN: you-to-VPN-to-service, the VPN-to-service part enjoys no extra encryption due to the VPN.

This is not the same as the informal end-to-end definition where you care about the actual destination of the data, so in this sense a VPN offers no end-to-end encryption, and cannot possibly.

I actually like this definition. Otherwise people would claim that HTTPS offers end-to-end encryption when you chat to your Facebook contacts. It does not. It offers you-to-Facebook encryption, and few people actually care about that. Similarly, you-to-VPN should not be called end-to-end.


Sorry that I didn’t state the obvious, but yes, by end-to-end I meant from your device that’s running the VPN client to the VPN server, which is EVERYTHING when your device is on a public network which you do NOT control; e.g. hotel, airport, college, work, etc.

Ideally, you run your own VPN server on the same server as the other services you control but obviously, if you do not control the service then you need to be using encryption from VPN server to that service.

That said if you’re using Facebook, Instagram, Twitter, etc., then you don’t care much about your privacy anyway unless you are following good opsec and are hiding your true identity there too by other means. :wink:

One other reason to use VPN with a service like Netflix or even YouTube is to stream otherwise prohibited content. If I am in Arizona and my VPN portal is in Los Angeles, a content provider doesn’t really care where in the US I am. But sometimes I hit content that cannot be distributed in the US for copyright or for contractual reasons between providers. So it only takes a few minutes to bring up the VPN interface and switch the tunnel input/output from Los Angeles to somewhere else on a different continent. Then I can stream that otherwise prohibited content. For all the streaming service knows, I am in the UK or in Germany. Sports games that stream and try to black out a specific geographic area are foiled too.

I don’t know if this kind of streaming is illegal or just a civil matter between the person and the content provider. If it is illegal, are you breaking the laws of your own country, or those of the country where the VPN connection on the other end is?

I remember when C-band satellite dishes were new to the public. A family member of mine bought one. For him, Showtime, HBO, and a lot of premium TV channels were completely free back then. Then over time, the content providers started encrypting their broadcast signals. So he purchased countermeasures (black market hardware) to keep everything free. So the content providers made their signals more and more difficult to crack, as time went by. Eventually, this family member told me “one day I realized that it would just be cheaper to subscribe”. Maybe streaming content providers will do the same thing to their streams also. I don’t think that a VPN service can get you around a paywall. There are illegal streaming boxes that will do that. But it can get you around geographically blocked content.


I’m not sure what you are driving at here. If the “service” is, say, cnn.com or puri.sm or amazon.com or … then you can’t possibly control it or run it on your server. So that means that there is still benefit in using a secure protocol (e.g. HTTPS) to access the web site - even though it actually means that the data (the entire HTTP session) is double encrypted (if you are using a VPN).

Truedat.

It may depend on what you agreed to in the Terms of Service. If you warranted that you are in e.g. the UK and thereby gained access to content that the distributor is only distributing in the UK (which you must have achieved by choosing a VPN endpoint in the UK) then maybe there’s some civil comeback. However if it’s not behind a paywall in your own country then they would struggle to demonstrate any actual loss.

A lot of the time there’s a disconnect between the distributor and the actual copyright owner, so the distributor has to make reasonable efforts to implement the licensing restrictions, but so far no one is getting too hysterical.

e.g. Yes. The only scenario where I could even imagine not using encryption past the VPN server would be if you ran your own OpenVPN server collocated with your own NextCloud or something; otherwise, you can’t truly trust the service provider so you should be using encryption if given the choice.