How to build your own VPN if you're (rightfully) wary of commercial options


2017 May 26, 11:17am   2,582 views  21 comments

by null

With a Congress that has demonstrated its lack of interest in protecting you from your ISP, and ISPs that have repeatedly demonstrated a "whatever-we-can-get-away-with" attitude toward customers' data privacy and integrity, it may be time to look into how to get your data out from under your ISP's prying eyes and grubby fingers intact. To do that, you'll need a VPN.

The scope of the problem (and of the solution)

Before you can fix this problem, you need to understand it. That means knowing what your ISP can (and cannot) detect (and modify) in your traffic. HTTPS traffic is already relatively secure—or, at least, its content is. Your ISP can't actually read the encrypted traffic that goes between you and an HTTPS website (at least, they can't unless they convince you to install a MITM certificate, like Lenovo did to unsuspecting users of its consumer laptops in 2015). However, ISPs do know that you visited that website, when you visited it, how long you stayed there, and how much data went back and forth.

They know this a couple of ways. First, if your website uses Server Name Indication (SNI) to allow multiple HTTPS sites to be served from a single IP address, the hostname is sent in the clear so that the server knows which certificate to use for the connection. Second, and more importantly, your DNS traffic gives you away. Whether you're going to Amazon.com or BobsEmporiumOfDiscountFurryMemorabilia.com, your computer needs to resolve that domain name to an IP address. That's done in the clear, meaning it's easily intercepted (and even changeable in flight!) by your ISP (or any other MITM) whether you're actually using your ISP's DNS servers or not.

This is already enough to build a valuable profile on you for advertising purposes. Depending on your level of paranoia, it's also enough to build a profile on you for blackmail purposes or to completely compromise your Web traffic if you aren't incredibly careful and observant. Imagine an attacker has the use of a Certificate Authority to generate their own (valid!) certificates; with both that and DNS, they can easily redirect you to a server of their own choosing, which uses a certificate your browser trusts to set up an invisible proxy between you and the site you're trying to securely access. Even without the use of a rogue CA, control of your DNS makes it easier for an attacker to use punycode domain names and similar tricks to slide under your radar.

Beyond that, any unencrypted traffic—including but not limited to HTTP (plain old port 80 Web traffic), much peer-to-peer traffic, and more—can be simply edited on-the-fly directly. Which, may I remind you, ISPs have repeatedly demonstrated themselves as perfectly willing to do.

You can't protect yourself from all potential attackers. Unfortunately, an awful lot of the critical infrastructure of your access to the Web is unencrypted and really cannot be secured. As a person with limited resources who can't afford to consider personal security more than a part-time job, you (and I) are unfortunately closer to Secret Squirrel than to James Bond. You can, however, move your vulnerable, unencrypted transmissions out of your ISP's reach. So that's what we'll aim to do here.

Full Article: https://arstechnica.com/gadgets/2017/05/how-to-build-your-own-vpn-if-youre-rightfully-wary-of-commercial-options/?comments=1

NOTE: Somewhat long read, technical and if you are not into this type of thing - nerdy and boring.

#VPN #Networks #Internet
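An added example (written for this page, not taken from the Ars Technica article or from anyone in this thread) that makes the post's point concrete: it parses the two cleartext fields the excerpt names, the DNS question name and the TLS ClientHello SNI, out of constructed packets, which is exactly the metadata an on-path ISP can read even when page content is HTTPS. The two build functions fabricate minimal sample packets and are assumptions for the demo, not captured traffic.

```python
import struct
from typing import Optional

def dns_query_name(pkt: bytes) -> str:
    """Return the name asked for in a DNS query (the part an on-path ISP reads)."""
    pos, labels = 12, []                      # 12-byte header, then the question name
    while pkt[pos] != 0:                      # labels are length-prefixed, 0 ends the name
        ln = pkt[pos]
        if ln & 0xC0:                         # compression pointer: not valid in a query name
            raise ValueError("compressed label in question name")
        labels.append(pkt[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    return ".".join(labels)

def tls_client_hello_sni(rec: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS record carrying a ClientHello, else None."""
    if rec[0] != 0x16 or rec[5] != 0x01:      # record type handshake, handshake type ClientHello
        return None
    p = 9 + 2 + 32                            # past record/handshake headers, version, random
    p += 1 + rec[p]                           # session_id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]   # cipher_suites
    p += 1 + rec[p]                           # compression_methods
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    while p + 4 <= end:                       # walk the extensions list
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        p += 4
        if etype == 0:                        # server_name: list len(2), type(1), name len(2), name
            nlen = struct.unpack("!H", rec[p + 3:p + 5])[0]
            return rec[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None

# Constructed sample packets (not captures): enough to exercise the two parsers above.
def build_dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_client_hello(host: str) -> bytes:
    h = host.encode("ascii")
    sni = struct.pack("!HBH", len(h) + 3, 0, len(h)) + h
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                # one (null) compression method
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Run the parsers against the built packets to see both hostnames come back in the clear; a VPN moves these packets inside an encrypted tunnel so the ISP only sees the VPN endpoint.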

Comments 1 - 21 of 21

1   NuttBoxer   2017 May 26, 1:12pm  

VPN is a start, private ISP's is the endgame. Leave their decrepit asses where they belong. Install a short range antenna in your backyard, and start your own internet. Or repeal government regulation that shuts down anyone else's attempt to start an ISP.

2   curious2   2017 May 26, 1:17pm  

Wouldn't it be simpler to use Tor?

3   NuttBoxer   2017 May 26, 1:23pm  

curious2 says

Wouldn't it be simpler to use Tor?

TOR is not completely untraceable. If you know the start and end times someone is using the network, you can figure out what they were doing. I don't think the internet's inventor pictured a world where Comcast throttles our downloads, and Cox redirects our tor traffic to generate bad responses using their DNS. And yes, I verified the last actually does happen when I had to switch DNS to google to get my relay working.

4   jackieplatt   2019 Jul 6, 11:26am  

curious2 says

Wouldn't it be simpler to use Tor?

Actually it would make sense to simply use a reliable paid service like expressvpn or what not, why all the hassle of setting up your own VPN?... I don't get it.

5   epitaph   2019 Jul 7, 1:14pm  

curious2 says

Wouldn't it be simpler to use Tor?

You can get flagged pretty easily for using a Tor exit node.

6   Patrick   2019 Jul 8, 10:25am  

jackieplatt says
why all the hassle of setting up your own VPN?... I dont get it.


The reason is so that commercial VPNs cannot spy on you if you set up your own VPN.

I think it would be very naive to think that commercial VPNs would not sell data about you.

So if you want real security, you have to go to the hassle of setting up your own.
7   Blue   2020 Jan 15, 8:38am  

Free VPN (basic).
https://addons.mozilla.org/en-US/firefox/addon/setupvpn/
It only works in firefox browser.
8   RWSGFY   2020 Jan 15, 11:55am  

Blue says
Free VPN (basic).
https://addons.mozilla.org/en-US/firefox/addon/setupvpn/
It only works in firefox browser.


How do we know this thing is legit? It's not even verified by Mozilla.
9   Hircus   2020 Jan 15, 6:58pm  

People have been writing scripts to make setup of a vpn server ez for years.

I've used this one a couple times: https://github.com/Nyr/openvpn-install but there are others if you search for "openvpn install script"

It's basically a one-liner to install and set up your own vpn server:

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

It will prompt you for a few things, but it's very very easy. It will then generate a .ovpn file which you then download and import into your vpn client, and away you go.

I've been considering purchasing a commercial vpn service though. When I travel, I like to use public wifi when possible, but VPN is a total must when using other people's wifi unless you love being hacked. While my own VPN server has worked well for me, it's only a single node, and a commercial offering usually has tons of servers for you to choose from, which allows you to get better performance by using a geographically nearby server.

Soon, I will try WireGuard - the new VPN protocol that has a very low encryption overhead, so a weak CPU (like the CPU in your phone) can support fast download speeds, which is a must for people like me who sometimes work on the road.
10   HeadSet   2020 Jan 16, 11:32am  

Is this worth anything? Or just another DuckDuckGo?

Verizon introduces privacy-focused search engine
Verizon has launched privacy-focused search engine OneSearch, which does not track or store personal or search data -- or share it with advertisers. OneSearch displays contextual ads based on factors such as search keywords and IP address location, rather than cookies and browsing history.
11   noobster   2020 Jan 16, 4:04pm  

HeadSet says
Is this worth anything? Or just another DuckDuckGo?

Verizon introduces privacy-focused search engine
Verizon has launched privacy-focused search engine OneSearch, which does not track or store personal or search data -- or share it with advertisers. OneSearch displays contextual ads based on factors such as search keywords and IP address location, rather than cookies and browsing history.


Verizon has no credibility in my book

https://www.forbes.com/sites/robertlenzner/2013/09/23/attverizonsprint-are-paid-cash-by-nsa-for-your-private-communications/#26ced24d43cb
12   NuttBoxer   2020 Jan 16, 4:29pm  

epitaph says
You can get flagged pretty easily for using a Tor exit node.


Running Tor browser, and running a Tor relay are very different. If you're just running the browser, you shouldn't get flagged at all, as the point of Tor is to hide your IP.
13   NuttBoxer   2020 Jan 16, 4:30pm  

Patrick says
I think it would be very naive to think that commercial VPNs would not sell data about you.


PIA has court cases proving they don't log, and removed all their servers from Russia a few years ago.
14   PeopleUnited   2020 Nov 19, 10:00am  

Ok, so we are looking to either set up, purchase or use a free VPN. Do any of the resident experts have a recommendation?

Might have to speak in simple terms, I’m not up to speed on tech jargon.
15   Tenpoundbass   2020 Nov 19, 11:21am  

Drag out my old MSDN subscription and install Windows Server 2000 or 2003, set up NAT and configure VPN.
16   NuttBoxer   2020 Nov 19, 1:22pm  

NOTHING FREE. Free VPN is worthless, they almost certainly will log everything. I've said PIA in the past, still using them, but they fucked up their DNS servers during their recent transition to WireGuard, and pretended like nothing happened. Had to switch to cloudflare, which is still not a bad option, but left a pretty bad taste in my mouth. When my subscription is up, will certainly check into alternatives, as a number of services now tout no logging, and even have 3rd party verification.
17   Eric Holder   2020 Nov 19, 1:59pm  

I don't pretend to be a big networking expert (although I did stay at Motel 6 once) but the whole idea of VPN somehow giving you control over your Internet privacy strikes me as bogus. VPN is basically a private channel between two ends - your browser and some server out there (a proxy in the case of a simple internet browsing situation). Unless you control the other end you're not as secure as you think you'll be. You are at the mercy of whoever controls the other end of that private channel. Yes, it won't be your ISP, but it will be somebody else. There is no way around it.
18   NuttBoxer   2020 Nov 19, 2:30pm  

Eric Holder says
You are at the mercy of whoever controls the other end of that private channel.


Not true, that's precisely why Tor exists.

A VPN doesn't really provide a private channel from anyone but your ISP now that https is used universally. The biggest benefit besides hiding traffic from your ISP is hiding your public IP from sites.
19   Eric Holder   2020 Nov 19, 2:36pm  

NuttBoxer says
Eric Holder says
You are at the mercy of whoever controls the other end of that private channel.


Not true, that's precisely why Tor exists.

A VPN doesn't really provide a private channel from anyone but your ISP now that https is used universally. The biggest benefit besides hiding traffic from your ISP is hiding your public IP from sites.


So sites don't see your IP, but Tor does. And whoever controls Tor does by definition. Exactly my point, no?
20   NuttBoxer   2020 Nov 25, 10:03am  

Eric Holder says
So sites don't see your IP, but Tor does. And whoever controls Tor does by definition. Exactly my point, no?


Tor uses a three hop system, each hop is an independent node in the network, each node only gets pieces of the request. The exception to this is the exit node. They get everything, but they only know where the traffic ends, not where it started. So no, not the same at all.

https://en.wikipedia.org/wiki/Onion_routing
21   richwicks   2020 Nov 25, 11:01am  

If you want your own VPN there are a few Raspberry Pi distributions just for this. All it's doing is allowing you to VPN to your internet service.
