Jonni Bidwell casts doubt on the highly profitable VPN business, and explains how you can do better…

© MAGICTORCH

CONSUMER VPNs (virtual private networks) are big business. Indeed, if all the sponsored product placement and affiliate linking is anything to go by, then just a few bucks a month will bring you great security, privacy, and other nebulous benefits, while at the same time making you magically appear as though you’re in a country of your choosing.

What they don’t tell you is that while you’re holidaying, safely, in this faraway IP block, your traffic (albeit partly encrypted) is visible to the VPN provider. It might care more about your monthly subscription payment than what you’re using its service for, and it might well implement a ‘no-log’ policy, but the provider has the same insight into customers’ traffic as those customers’ ISPs did, up until the point it all vanished into a single VPN connection.

We’re not saying all VPNs are bad, just that it’s difficult to prove that they’re all good. So why not run your own? We’ll show you how to use the latest WireGuard technology to route your traffic through your home, or the region of your choosing via a Virtual Private Server. And if you don’t trust your ISP or VPS provider, we’ll look at Tor—the gold standard for privacy.

If your goal is to check out prices in different currencies or to mitigate the risks of public Wi-Fi, then a VPN will help you do that. If your goal is to access geo-blocked content (different Netflix regions or Steam prices, say), then a VPN might help you do that too, but it almost certainly goes against the provider’s Terms of Service. Believing a VPN will anonymize your browsing, protect you from tracking cookies, malware and the plague, however, is wide of the mark.

Your IP address is far from the only means companies have of identifying you. We’ll see that browser fingerprinting, DNS interception and even good oldfashioned spam can undermine any protections a VPN might offer.

The why and wherefore of VPNs

It’s not VPNs that are bad, rather people’s unrealistic expectations of privacy. And, in a pay-per-click age, honesty

SEARCH ONLINE FOR “why I need a VPN” and you’ll find flashy websites framing all sorts of shoddy prose on the perils of “unprotected” browsing. Such diatribes should be taken with a pinch of salt. Yes, there are companies that sell your data. Yes, there are brutal regimes that punish anyone caught browsing websites that go against their ideologies. Yes, Google is mostly blocked in China. And yes, a VPN might help you with this. But it’s perhaps not as essential as people think.

Anyway, we’re getting ahead of ourselves. A VPN is an encrypted tunnel between two, generally distant, machines. There are a variety of protocols by which one can achieve this, but they all enable the client machine to access resources (web pages, VOIP services, internal company resources) using the server as a proxy. Furthermore, established public key cryptography and key exchange protocols are leveraged so that anyone eavesdropping on the VPN connection has an extremely small chance of being able to make sense of the data. And anyone looking at the connection from the VPN server to the outside world (if it’s used that way) won’t be able to see the client’s IP address.

That all sounds quite good—and it is, as long as you trust your VPN provider. Ascertaining that trust, however, is hard. In 2016, a free VPN service called Hola breached user trust. It provided a browser plugin that enabled users to switch regions. However, those users were unwittingly becoming rather more involved in the VPN than they would have liked. Hola’s business model at the time was to tunnel traffic between users so that their machines became proxies. This potentially made users vulnerable to all kinds of lawsuits and investigations, since traffic is no longer encrypted after it has left the VPN tunnel. Most of the web is protected by HTTPS now, but that still reveals domain names and IP addresses.

Network Manager supports all kinds of VPN connections, but there are plenty of questionable operations out there.

We’d hope that such behavior is a thing of the past, and for the most part, it is. But that doesn’t mean we can trust what these fly-by-night VPNs are telling us. Many of them boast of a ‘no logging’ policy, for example, yet in 2020, seven such services based in Hong Kong accidentally leaked some 1.2TB of user logs. These included cleartext passwords, session keys, domains visited, browser user agent strings, and IP addresses. NordVPN, for a long time considered more reputable than other services, experienced a data breach in 2018, although no customer data was taken.