Does VPN really hide your location? How?

Depending upon what you are trying to do (anonymity or privacy), the answers can be different. I am trying to maintain privacy so I have my own VPN server in the cloud, on Amazon, Digital Ocean, etc., where I control the server. Of course, my VPN server IP address is associated with my account so it is not completely anonymous, but at least until it exits the VPN service it is private. The question is: what is the cloud provider doing? They are certainly doing monitoring, but are they tracking? Given that their business model is to provide cloud services and not necessarily selling data of the businesses that use their service, the risk of data theft appears lower to me.

The question is: what is the cloud provider doing? They are certainly doing monitoring, but are they tracking?

Using a personal VPN for privacy or geo-relocation can work well. I’ve used one to have a “virtual presence” on client networks, which was the original point of VPNs.

That is a fair assessment. There are a few likely failure modes. If you scratch around online, you can find examples.

The most common is the VPN service has a server (or multiple servers) get compromised. Users who hit a compromised server then have their data stolen by the third party. Unfortunately, we’ve got examples of the VPN providers finding out about these issues, and not responsibly disclosing them.

Another issue is a rogue employee of the VPN starts collecting data, either on their own initiative or due to outside pressure. Similarly, a “secret warrant” can be used to compromise a server targeting a specific user (or not so specific…).

There’s also the risk of the VPN provider holding onto too much data for internal analytics. They must monitor their network to determine when they need to add capacity, identify DDoS attacks, and similar administrative purposes. If they collect too much data, or don’t properly anonymize the data they collect, then that data can get compromised in a variety of ways.

Finally, many VPNs are owned and operated by parent companies. While the VPN provider itself is not in the business of selling data, they may well have sibling companies that are. It’s likely that whatever (anonymized?) data they collect gets given to these sibling companies for marketing purposes.

1 Like

Those are failures that one has to worry about if one uses a commercial VPN. Any ideas of failure modes if one uses a private vpn such as algo vpn on one of:

  1. azure;
  2. digital ocean;
  3. ec2;
  4. gce;
  5. lightsail;
  6. scaleway;
  7. hetzner;
  8. openstack;
  9. cloudstack;
  10. vultr; or
  11. linode.

I have been known to change cloud providers, just to mix things up.

There’s a tradeoff to spinning your own VPN. You’ll avoid lots of scrutiny since it’s harder to tell that you’re running a VPN (especially if it really is a Virtual Private Network, with no outside gateway). On the other hand, if it can be identified as a VPN, that puts you into the relatively tiny demographic of people running their own VPN. That’s the “metadata” level issue.

Regarding failures of the VPN itself, if you are the only one on the VPN, and the server has a unique IP address, then it doesn’t anonymize you at all. Someone with a complaint need only force the hosting company to disclose your information. Additionally, you are susceptible to the same “host attacks” that other VPNs are. If someone compromises the physical box hosting your VPN, they can spy on the network traffic for your VPS, and depending on the technology involved, on the VPS itself. Sidechannel and timing attacks from other VPSs hosted on the same physical machine are also a threat.

Personally, I would stay well clear of AWS, as it’s pretty well established that they snoop on the contents of their VPSs. At the very least, their virtualization technology doesn’t make such snooping more difficult, so rogue employees could trivially do so. More dedicated hosting companies (Digital Ocean, et al) may be more reliable.

3 Likes

Agreed, but being in a small minority means that for a company involved in Surveillance Capitalism, the return on effort to find out who I am might be so small that I escape their horrible gaze:

1 Like

Yes, VPN hides your location and not only your location it provides you security from data theft, hacking, other ransom attacks. Actually, I’m not a professional in this regard but you can read: https://www.knowtechmag.com/benefits-of-using-a-vpn/ If you wanna go in deep understanding of VPNs.

1 Like

Another benefit of using a VPN at all times is that it might keep you off the 6 o’clock news. Example:

“In the three weeks before she is alleged to have robbed the bank, an FBI spokesperson reported that she did Google searches for ‘scariest guns,’ ‘cutest furry sex costumes,’ ‘how to rob a bank and not get caught,’ and ‘how to launder money.’ Her attorney said in a statement that she was only researching material for a novel she planned to write.”

But you don’t have to be a criminal to want to avoid public condemnation or misunderstanding.

2 Likes

Are the furry costumes relevant to the bank robbery, or did they just throw that in there?

Also using a VPN doesn’t do a damn thing for you if the FBI gets ahold of your computer.

My example is merely hypothetical. :slightly_smiling_face:

Unfortunately, the FBI doesn’t need to get physical custody of the computer (although they will get it), as they can just fax a signed court order to Google (or any other business or provider of services) to get what they need.

This is the biggest downer I’ve had all week.

2 Likes

Don’t know why but I pictured Alison Brie in a chipmunk costume holding a bag of cash and a shotgun :slight_smile:

1 Like

Speaking of using multiple vpn providers/servers, is there any vpn client software that does the functional equivalent of frequency hopping? i.e. a pool of vpn providers/servers can be selected which the vpn client software switches randomly on some scheduled frequency thereby changing your effective ip address?

1 Like

It seems like, if you’re using just one VPN provider, it could potentially reveal your real IP address to connected websites every time the VPN server changes. Assuming that the VPN provider has no protection against accidental disconnection… Mine does. I normally have to restart the browser after a server connection loss.

I don’t know if there’s a provider or pooling client that automatically pauses activity and switches to a different random server. I can imagine that some websites might flag such as suspicious activity and either reject a connection or force you into endless annoying recaptchas.

An article on chaining VPNs: https://proprivacy.com/privacy-news/chaining-vpn-servers-double-vpn/

The IPVanish client on Windows had this feature. (I left mostly because Linux was only supported through Network->VPN. They had no Linux client.) When this change occurred, everything stopped until it was completed.

1 Like

@amarok Please elaborate how hopping VPN providers/servers could potentially reveal your real IP address? How is that possible if I’m using Brave browser which does a pretty good anti-fingerprint defense and each auto-hop to new VPN server provides a new IP address.

@Wayne I guess I’m missing something fundamental, but if I’ve thought of it, then usually many others have already thought of it and developed a solution, but I at least don’t see an option via OpenVPN client or even the ProtoVPN app.

The scenario I was thinking of, and probably not explaining very well, is:

You connect to your VPN service.
You open a browser and visit a website.
While you’re on that website, you (or the client) disconnect from one server, then connect to another server.
If your VPN service has protection against data exposure during a lost connection, no problem. But you may have to restart the browser.
If your VPN service does not have protection against data exposure during a lost connection, then I would think that your real IP is exposed momentarily.
Add in switching between providers while the browser is open, even more so.

I’m not familiar with Brave’s protections.

1 Like
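The "protection against data exposure during a lost connection" described in the post above is usually called a kill switch. As an added example (not part of the thread and not any provider's client code), this script prints an nftables ruleset that drops everything except tunnel traffic and the VPN transport to a fixed pool of servers; the interface name `wg0`, port `51820`, a UDP transport and the documentation-range addresses are assumptions.

```shell
#!/bin/sh
# Added example: print an nftables kill-switch ruleset for a VPN tunnel.
# Interface, port and addresses used with it are constructed placeholders.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# killswitch_ruleset IFACE PORT ENDPOINT...: ruleset on stdout, 1 on bad input.
killswitch_ruleset() {
    [ $# -ge 3 ] || return 1
    iface=$1; port=$2
    shift 2
    # Reject anything that could break out of the quoted interface name.
    case $iface in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    endpoints=
    for ep in "$@"; do
        is_ipv4 "$ep" || return 1
        endpoints="${endpoints:+$endpoints, }$ep"
    done
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        # Default-deny: anything not matched below is dropped, IPv6 included.
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # Traffic routed into the tunnel is allowed.
        oifname "$iface" accept
        # Only the VPN transport to the listed servers may use the physical
        # link, so a dropped tunnel or a server switch cannot fall back to it.
        ip daddr { $endpoints } udp dport $port accept
        # DHCPv4 renewals, so the underlying lease does not expire.
        udp sport 68 udp dport 67 accept
    }
}
EOF
}

# Review the output, then load it as root, for example:
#   killswitch_ruleset wg0 51820 203.0.113.10 198.51.100.7 | nft -f -
```

With this ruleset loaded, DNS is reachable only through the tunnel, so the configured resolver must be one the VPN routes to.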

I am not familiar with ProtoVPN; there is not a way to do this with OpenVPN of which I know. (I used that too in the past.)

Maybe I misunderstood, but I thought you asked if any client did this in general. IPVanish (Windows) does, and I used it when I was their customer, so I chimed in. They implemented that function within their particular client. As I mentioned, at least functionally, everything was suspended when this happened. I did not see an IP address exposure, but I could have missed it. (I was not on the network continuously, so I eventually got annoyed when this happened, and I turned it off.)

My current service does not implement the function. When I was searching for a new service with proper Linux support, the field narrowed and I did not see this feature anywhere else.

1 Like

That’s one way a VPN helps. Assume the FBI knows your IP address (they got it from your ISP). They fax Google for a list of searches conducted from your IP address. Result: empty (because all the searches will show up to Google as coming from the IP address of the VPN service provider endpoint, which could be in another country and which could change from time to time).

That is not the whole story though if you are really a person of interest.

Now about that cute furry sex costume …

1 Like

And because your ISP-provided IP address will only show connections to the VPN provider’s servers. If your VPN provider doesn’t keep logs, then the FBI can’t acquire any relevant data from the VPN provider. (And if the VPN provider is based in another country, it’s an even more difficult process.)

The FBI can go to Google to acquire the IP addresses of any device that performed searches of whatever, at this or that time, but if the subject didn’t use Google’s search engine (and didn’t allow any Google scripts to run in their browser), they won’t get the right subject. The FBI can demand information directly from the website owner, but at most they will get the VPN server’s IP again and perhaps activity conducted on the site from someone connected to that VPN server.

The FBI can serve court orders on Apple or Google for your phone activity and cloud data. Or they can serve the mobile carrier for location data and call/text metadata. (Silly amateur bank robber!)

Of course, law enforcement/government agencies can seize your devices if they have justification that will convince a judge, or if you’ve been arrested. Then they can use forensics to try and recover what you were doing and when on all your devices.

If you were a serious person of interest before, then the FBI or other government agency could put some kind of authorized intercept mechanisms in place, or try to compel providers to send your digital activity to them in near real time.

So if you do want to rob a bank, don’t be the typical clueless internet user. And leave your phone at home when you go to another town to buy that furry sex costume… and pay with cash, of course. :wink: (You still might get caught, though.)

2 Likes