Mullvad, iVPN, Air: none "reliable" yet IMO

Discussion in 'privacy technology' started by Jules Verne, Mar 16, 2014.

Thread Status:
Not open for further replies.
  1. Jules Verne

    Jules Verne Registered Member

    Joined:
    Aug 12, 2012
    Posts:
    7
    Location:
    UK
    iVPN: new Beta client keeps allowing IP leaks in while some connections are dead. Much of the time the client is "authenticating" and not actually doing anything. Plus I don't like their use of UK2 and other ISPs with a terrible reputation for privacy.

    Air VPN: their client does not (yet) protect against DNS leaks and disconnection protection (otherwise, they would be the best).

    Mullvad: surely the best as their client offers everything but I didn't like their comment in the Freedom Hacker interview: "To our knowledge none of our data centers log our traffic." What do they mean by that?

    Please enlighten me if I have missed anything here but I would be pleased to hear which VPN is considered "safe" by others.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Don't depend on custom clients.

    Use stock OpenVPN software, and specify the DNS servers that you want.

    Use routing and/or firewall rules to prevent leaks.

    For best security, run OpenVPN clients in pfSense router/firewall VMs.

    I don't know of any provider that hosts their own VPN servers (or all of them, anyway). Reputable VPN providers use dedicated servers, not VPS. But still, they must trust the hosting providers that they use. Sometimes that doesn't work out, as EarthVPN learned last year :(

    For best results, use nested VPN chains. That way, you're not trusting any one VPN 100%. See my "Advanced Privacy and Anonymity Using VMs, VPN’s & Tor" at iVPN <https://www.ivpn.net/privacy-guides>.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Expanding upon Mirimir's post

    Even the best of the VPN providers (I have my favorites but the following comments apply to ALL) caution that you would be wise to activate a "partition of trust" in your scheme. Depending upon my security needs I am often on a 4-5 hop scheme. Sometimes a few less.

    You fill in the blank for what VPN provider is on your first hop (it may well be your only hop at this time). Let's further say that your VPN provider is trustworthy and their encryption software is flawless so that the traffic between the VPN server and your computer is never compromised. Still, there is one thing that will ALWAYS be a possibility. The datacenter hosting the VPN server might be logging connections. These logs are OUTSIDE of VPN control. The traffic within the VPN is encrypted and cannot be read, but what about logging the IP of everyone connected to the datacenter server? That is possible, and further external destination analysis over time is possible. Enter "partition of trust", where multiple hops are used. This way an external logging would only yield a subsequent connection to hop 2, etc... When you use multiple VPN providers (or TOR) all of them in the chain would have to get compromised to trace from the destination website past the exit node back to your specific IP.

    If you "startpage" (my search engine of choice) the phrase partition of trust you will have substantial reading to entertain you. LOL!!
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @Palancar

    Thanks :) That's a good explanation. OK if I steal some bits?
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Fine. I feel like we are on the same team. LOL!!
     
  6. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    175
    Location:
    io
    That was so well said Palancar that one might steal the lot ;)

    Considering the current state of what I call illegal surveillance bodies (government/police/3rd parties) one must rename one's middle name to "partition of trust".
     
  7. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I agree with your top pick. But I believe the others are quality services too, and my experiences differed from yours. Though I would never trust a client to protect me from leaks... as Mirimir said.

    Have you tried/heard of PRQ? Or Boleh? They are generally considered good services as well, and at least worth a look, though individuals' results of course vary, as you demonstrated, so don't come looking to trash me if yours isn't satisfactory.
     
  8. Jules Verne

    Jules Verne Registered Member

    Joined:
    Aug 12, 2012
    Posts:
    7
    Location:
    UK
    Thank you all for your comments. I am not yet in command of how to do stuff manually regarding DNS and I know that to meddle could cause more security leaks. By the way, do we have any respect for Cyberghost? I find it a bit "commercial". Ideally, I would use 2x VPN services but apart from TOR plus VPN am not finding it very easy!
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I don't know anything bad about their service.

    It's easy to chain two VPNs using a VM. Run one VPN (VPN1) in the host machine, and run a second VPN (VPN2) in the guest VM. Now you have a nested chain, with VPN2 tunneled through VPN1. Your traffic from the host machine uses VPN1, and your traffic from the VM uses VPN2 through VPN1.

    You can also run a Whonix instance aka the Tor gateway and workstation VMs. With that, your traffic from the Whonix workstation VM uses Tor through VPN1.
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Mirimir, that is exactly what I do and it works well.

    Where we differ in approach is the router. I suspect you pfsense a router for vpn1 and then run "wired" to your machine for future hops. I don't have that luxury so I still have a retail router and connect wireless with vpn1 encrypted inside my host OS. Future hops are VM's. Both methods run very well and are extremely secure as long as operator errors don't happen.

    I am currently building a new machine where my linux host will have no vpn and it will strictly host. The plan is for the host to never see online activity, not ever. Then I am going to create several different pfsense router VM's so I can quickly choose which VPN service as the "choice of the day" with a simple click. From there additional hops will be in other VM's and connected to its private internal network. This method should make switching vpn1 and even the country within that choice a simple click. Of course the pfsense VM's will all be pre-configured, which is why the "click" is really just picking the pfsense VM to launch on that day. Sound like a plan?
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    :)

    I do use pfSense in my perimeter router/firewall, but I don't run a VPN client in it. I don't use VPNs for everything, and neither does the rest of the household.

    However, I do occasionally route (bridge) a VPN/Tor chain to a second NIC, and connect another machine. For example, if I need a network installer for a server in XYZ, I build it using the VPN/Tor chain that I'll be using to access that server.

    Yes, that's basically what I do. It is important to keep track of which VPN has been, and so should be, routed through which other VPNs, and vice versa.
     
  12. fedupfred

    fedupfred Registered Member

    Joined:
    Nov 23, 2013
    Posts:
    13
    Location:
    USA
    Hello.

    I don't mean to change the subject but I'm very interested in the type of setups described by Palancar and mirimir, however I'm nearly completely ignorant of what I need to learn to set something like this up. I have been watching the "Eli The Computer Guy" series on networking, but there is a great deal of information I'm learning that I'll likely never use and lots of information that I would like to learn that I get the impression he is skipping.

    So I'd just like to ask if someone could tell me what specifically I need to learn to set up VM's to chain VPNs/Tor, and also on converted old PC's with pfSense on them?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I've written a series of guides on that. They're at <https://www.ivpn.net/privacy-guides> under "Advanced Privacy and Anonymity Using VMs, VPN’s & Tor". I also recommend reading up on Tor at <https://www.torproject.org/docs/documentation.html.en> and <https://www.whonix.org/wiki/Main_Page>.

    It might also help to read up on OpenVPN at <http://openvpn.net/index.php/open-source/documentation/security-overview.html>, <http://openvpn.net/index.php/open-source/documentation/howto.html> and <http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html>.
     
    Last edited: Mar 21, 2014
  14. fedupfred

    fedupfred Registered Member

    Joined:
    Nov 23, 2013
    Posts:
    13
    Location:
    USA

    Thanks very much mirimir. I'll be implementing it as soon as I've read it all.
     
  15. Alexandru

    Alexandru Registered Member

    Joined:
    Jan 18, 2014
    Posts:
    15
    Location:
    Netherlands
    I have a setup on my pfSense with some VPN gateways in it, pushing clients through the specific gateway, and have secured it against leaking in case of VPN drop.

    My personal computers are all running Linux and are secured with iptables rules against VPN drop as well.
    http://blog.devicex.biz/wordpress/?p=60

    Double VPN and SSH/SSL connections afterwards are fast enough for browsing. For speed downloads I have a special route on my linux machine to the first VPN hop.

    All clients here are using VPN except one machine for banking for example. And strictly using different DNS/DNScrypt server for VPN and non-VPN connections.

    AirVPN, BolehVPN, Torguard and ovpn.to are my first choice.
     
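An added example (not from any poster or provider in this thread) of the kind of "firewall rules to prevent leaks" mirimir recommends in post 2 and the iptables VPN-drop protection Alexandru describes in post 15: a stock OpenVPN kill switch that only lets the VPN handshake itself leave on the physical interface and forces DNS through the tunnel. The server address 203.0.113.10, port 1194, tunnel interface tun0, in-tunnel resolver 10.8.0.1 and LAN 192.168.1.0/24 are constructed placeholders; set IPT=echo to dry-run the rules instead of applying them.

```shell
#!/bin/sh
# Constructed OpenVPN kill switch with iptables (example, not from the thread).
# Assumed values: VPN server 203.0.113.10 UDP/1194, tunnel interface tun0,
# VPN-provided resolver 10.8.0.1, LAN 192.168.1.0/24. IPT=echo prints the rules.
IPT="${IPT:-iptables}"

vpn_killswitch() {
    server="$1"; port="$2"; resolver="$3"; lan="${4:-192.168.1.0/24}"

    # Start clean, then default-deny in every direction.
    "$IPT" -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # Loopback and replies to flows we started.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only traffic allowed off the physical interface is the VPN handshake.
    "$IPT" -A OUTPUT ! -o tun0 -p udp -d "$server" --dport "$port" -j ACCEPT

    # DNS goes only to the resolver inside the tunnel; every other port-53
    # packet is dropped, so a client that forgets to set DNS cannot leak to the ISP.
    "$IPT" -A OUTPUT -o tun0 -p udp -d "$resolver" --dport 53 -j ACCEPT
    "$IPT" -A OUTPUT -o tun0 -p tcp -d "$resolver" --dport 53 -j ACCEPT
    "$IPT" -A OUTPUT -p udp --dport 53 -j DROP
    "$IPT" -A OUTPUT -p tcp --dport 53 -j DROP

    # LAN access (router admin, printers). Placed after the DNS drop so the
    # home router's forwarder cannot become a DNS leak path.
    "$IPT" -A OUTPUT -d "$lan" -j ACCEPT

    # Everything else must leave via the tunnel. If tun0 goes down, the DROP
    # policy on OUTPUT takes over and nothing escapes to the real ISP.
    "$IPT" -A OUTPUT -o tun0 -j ACCEPT
}

# Usage: sh killswitch.sh <server-ip> <port> <resolver-ip> [lan-cidr]
if [ "$#" -ge 3 ]; then
    vpn_killswitch "$@"
fi
```

Verify afterwards that the default route points at tun0 and that `/etc/resolv.conf` names only the in-tunnel resolver; the rules block leaks but do not choose the route for you.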
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @Alexandru

    That's a cool setup :)

    I'm not familiar with ovpn.to and Torguard. Thanks for the recommendation.
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    So the data center only sees connections and cannot see who you are communicating with or what you are saying etc? They only see an encrypted connection?
     
  19. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Let me make sure I try to be clear because this can be confusing.

    True = the traffic inside your VPN tunnel is sufficiently encrypted that monitoring the datacenter connection will yield ZERO plain text for them to actually read. They clearly would view your connecting IP, which could be significant in a one hop simple privacy setup. Still, one hop is fine for basic privacy and that is what a large majority use.

    I define the VPN tunnel (if set up correctly of course) as from my laptop all the way through to the last exit node of the final VPN. That statement is true for me/you whether you are using one VPN and/or TOR/multiple VPN's. It's covered up to the final exit node. The VPN/TOR protection stops at the exit node.

    Users need to be smart about their post exit node activity. Selecting https destinations such as here at Wilder's is smart.

    Back to the other part of your question: can an adversary see what you are doing while you use a VPN? No, but also Yes over time and with ample resources. They can sit outside of the tunnel setup and monitor where everyone on the server goes if they wanted to. At that point if 100 people are connected they don't know who is going where, but stay tuned. Now they start using other tools over time to isolate where YOU might be going. Some of the tools are simple like logging your IP and keeping records of the exact times you connect to the server. Over time that can yield results by cross referencing to sites they are "watching" past the exit node. I could write for pages but much is on the internet about this stuff. TOR users can be tracked over time with "packet staining" and other stealth means. Let me say that for Mr. average user the likelihood that an adversary would take the time to find YOU is not high.

    Just visualize the chain. If you connect to a VPN server, then to another, and then TOR, wow, the resources needed to track that chain would be significant. The destination sites you visit would never show the IP range of your VPN1, making correlation over time almost impossible.

    There are tradeoffs as always. The higher the security the more "hassle" and speed liabilities to deal with. I can't make a decision for anybody on their needs. Frankly many will sleep well at night with a one hop vpn just for simple privacy. That will eliminate "ads" and regular tracking for anything other than three letter agencies. If speed is not critical a simple one hop vpn and then a VM with linux and TOR is very very easy to configure and handle. That is four hops and the circuit rotates every few minutes. Just an idea.
     
  20. firefox2008

    firefox2008 Registered Member

    Joined:
    May 17, 2007
    Posts:
    125
    Mullvad's Privacy Policy:

    Privacy policy

    Privacy is a universal right.

    We don't tell anyone anything.

    We don't log our users' activities.

    When Swedish law requires us to divulge information about our customers we make sure not to have that information stored, so that we have nothing to give out.

    However, credit card payments and bank transfers leave records. These are kept by the banks and card companies and can't be erased by us. To pay anonymously, use cash or Bitcoin with proper anonymisation.
     