The case for using private VPN

Whether you are an IT professional or just a regular internet user, if you don’t know what I mean by private VPN, then this post is just for you.

I’ve talked about using a Virtual Private Network (VPN) on this blog several times before. I finally decided to make a decision on it, and document my thoughts as well. I’ve primarily been on the fence because I couldn’t decide if I would build my own in Azure or AWS, or purchase a service… and if I purchase a service, there are a zillion, so how do you choose?

What is VPN?
Virtual Private Network is generally the idea of creating a secure network “tunnel” to a secondary location, typically over the internet. Your network traffic is traveling over public networks, but the contents of it is encrypted. This might be similar to building a physical, steel tunnel from your house to your favorite store in the mall: your connection would be visible to the public, but no one can see what is being transported back-and-forth inside of the tunnel. It’s in plain-sight, but it’s still secure.

You might already be familiar with this concept if you “VPN into work”. You create a secure tunnel over the internet, and then have access to the private network at work. But wait, if we are talking about VPN for internet privacy, what is that remote server? To what are we connecting to – we already have an internet connection!

VPN in this context is you paying for a service, so that you can come out onto the Internet in a different place. Instead of making connections directly from your internet router through your ISP (where they can and do observe you and your family), you connect to a remote server securely, and your requests come out onto the internet over there.

This is akin to a celebrity sneaking out of a side entrance to avoid the papparazzi. Except, your network traffic is the celebrity/valuable-thing, and the papparazzi is your ISP, and various organizations and government who want to know everything you do, online.

At home, when your network traffic enters Comcast or Time-Warner (or whomever), they log every DNS request, and glean every bit of information about you and your network traffic. This can include web searches, e-mail content, instant messages, and even the devices that are used in the home, etc. Even if you don’t care about this for you, they are also monitoring your spouse and your childrens network usage too – every single bit of it!

While mobile, when your network traffic enters Verizon, AT&T, etc, they also log every DNS request, and glean every bit of information they can about you too. In addition, if you are connected to public wi-fi, you are also potentially exposed to hackers – which can do even worse with this treasure-trove of information about you. This is because despite newer technologies, a vast majority of wifi hotspots make it so anyone else on that wifi network can monitor the network traffic of everyone else. So, a nefarious person can passively run a program like Wireshark while they drink their coffee and gather 2 hours of network traffic before heading home to decipher it – all while you are none-the-wiser.

With VPN, the primary thing you are paying for, typically just a few US dollars per month, is that they explicitly don’t log/track any of your network traffic. You are literally paying for discretion and privacy, which your ISP and mobile provider will not grant you.

Every ISP and mobile provider make no secret of this – they proudly and openly admit to gleaning every bit of data about you they can. You can read for yourself:

By the way, most of these say they won’t share your information with 3rd parties without your consent – but that is part of your initial contract. You need to explicitly write them a letter to “opt out” of these marketing preferences. So, unless you’ve physically sent them a letter asking to opt-out, they regularly share your data.

Why care (at home)?
I hear this one all the time. “Who cares? They are going to get a kick out of seeing the things I search for on Amazon!”, you say. Well, yes, they will actually. Those Amazon searches and every other piece of readable data will be associated and correlated with your marketing data. And to me, well, that really sucks. But that isn’t my prime concern.

One main concern should be about what happens when your ISP is inevitably hacked? Maybe you don’t care about your searches, but what about what your children have been searching? What about things your spouse has said over IM? What about the time that you teenager researched “herpes” on your computer because they were researching it in school, but you can’t explain that context when it’s made publicly available?

Put another way, there is no a single, positive reason for you to be OK with being monitored. There are only bad outcomes:

  • Marketing companies get a deeper profile of you, and each of your family members – which could lead to damaging or embarassing outcomes.
  • Once made public, your religious, political, sexual preferences, private interests and hobbies being exposed could lead to damaging or embarassing outcomes. Same for your spouse. Same for each of your children.
  • Hackers can use information gleaned from your home internet connection to steal the identity of you, your spouse, and/or your children.

It’s a really messed-up situation, but it truly just a matter of time before ISP data is exposed and searchable so that anyone can browse or search the online habits of you and everyone in your household.

Using a VPN service completely eliminates all of this.

Why care (while mobile)?
In addition to the concern for home – which apply in the same way, except we’re talking about different vendors – there are additional concerns. For example:

  • Whenever you use your phone or device as a mobile hotspot, the traffic for all of the connected-devices is captured and collated.
  • If you ever connect to public wi-fi, it is laughably easy for anyone to capture your network traffic.

So, using a VPN service while you are on the go, completely eliminates all of these risks too.

What are my options?
In short, there are three if you are an IT professional:

  • Build an OpenVPN server in Azure
  • Build an OpenVPN server in AWS (and there is even a template for it)
  • Pay for a service (non IT pros and everyone else)

So why would I even bring up building my own? Well, this is kind of a big deal. As discussed above, whomever can see your network traffic, has access to something valuable. That means they need to be reputable and trustworthy. So, if you created your own endpoint to connect to in Azure or AWS (which will be more expensive), you can be 100% certain that your network traffic is safe.

What if you are not an IT pro and/or if you just want to pay for a service, where do you start? Well, fortunately, I ran across this amazing spreadsheet which has pretty much every VPN I’ve ever heard of with all of the key things you’d want to know:

https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw/htmlview?usp=sharing&sle=true#

Some of the key things to note is whether they log anything, and also things like which country they are in. For example, if you are in the United States and connect to an endpoint in Switzerland, ALL of your network traffic is going to go to Switzerland, and then likely all the way back to the United States (if you use American-based websites). This means that your internet speed will be dramatically reduced. If you are going to use this for everyday use, even if you pay for this service anonymously, you can still be identified – so just connect to something in-country and relatively close for best-performance.

There are other reasons for using a VPN – such as: you live in a country that blocks certain content, or Netflix isn’t allowed, etc. In those scenarios, you’d want to connect to VPN server outside of your country. Similarly, if you are an IT security professional, you might do penetration testing over the internet and want to mask your source. In that case, I would use use a free service from a dedicated machine for that (for example, VPN Book from Kali Linux), and not this, less-anonymous method!

My advice here, if you are feeling up to it and want to take on the effort and expense, build your own endpoint – that would be ideal, if not more expensive.

However, for everyone else or if you don’t want to take on the effort and expense, I’ve decided on www.privateinternetaccess.com – which is arguably the biggest/best/most-reputable mainstream provider I could find. Not only did I purchase a subscription, I also set up an affiliate account with them, so if you want, you can use this link as well, or click the logo below:

image

What are the downsides?
Well, there are several upsides to using VPN:

  • Your ISP will no longer be able to capture any meaningful information about you and your family.
  • Your mobile provider, same thing. And yes, VPN works with all phones and all tablets – with no exceptions that I know of.
  • When those ISP’s and mobile providers are inevitably hacked, your information will still be safe.
  • You can use “public wifi” with no worry at all, because no one on-premise will be able to decrypt your network traffic.
  • This costs, in the case of PIA, $3.33/month to protect up to 5 devices

As for downsides, from my perspective, there are really just two – or one for-sure, and one potential:

  • Internet speed – you will definitely lose internet speed. There is overhead when using VPN, and these services can only handle so much traffic.
  • Your VPN provider could be lying. It could be a honeypot, it could be funded by a government or other nefarious organization and they could be lying about not logging and no monitoring your traffic. To offset this, it is probably better to use a more-reputable service if you can. If this is your main VPN account for your personal internet usage, try to get the most established/proven vendor you can find. For me, PIA seems to be a valid one, at the moment.

Now, when I say you will lose internet speed, the next question is “how much?”. Well, it depends on many factors. However, just to give you an idea – I am in Florida, and normally, here is what I get for download and upload speeds (provided by http://beta.speedtest.net/):

image

then, when I connect to the closest (Florida) endpoint via Private Internet Access VPN, I then get:

image

I realize that this stinks, but this is part of the decision you have to make: is it more important to have extra bandwidth that you don’t really notice, or privacy. Arguably, it doesn’t even need to be that black and white. As you’ll see below, you can connect per-device or you can connect for the whole internet connection via your router.

If you want specific machines or at specific times to have max bandwidth, just turn off VPN for those times. In my case, my computers/phones/tablets use VPN, but the Amazon Fire, which I use for streaming, does not. Now, that means that my streaming habits are visible to my ISP, but I’m OK with some data leakage.

Actual setup
So let’s say you want to go for it. Where do you start? Well, believe it or not – that is the easy part. Let’s say you go with Private Internet Access (a.k.a PIA) – https://www.privateinternetaccess.com/pages/buy-vpn/ which is $39.95/year, or $3.33/month. Where do you start?

For most platforms they have a native application. See this page for how to install on Windows, MacOS X, iOS, Android, and Ubuntu.

Windows 10:
Install the Windows 10 application (from here), put in your credentials and click connect:

image

I also recommend clicking on the “Advanced” button and turn up the encryption to max (AES256 / SHA256 / RSA2096). You can tell you are connected because you’ll have a little green icon in the system tray in the bottom-right, by the clock.

image

You can also navigate to www.ipaddress.com and see what the internet sees as your location. Compare that to what it looks like when you are not connected to VPN.

LinuxMint/Ubuntu/any Debian-based Linux distribution:
Again, couldn’t be simpler – just follow the directions here: https://www.privateinternetaccess.com/pages/client-support/ubuntu-openvpn – you pull down the script, run it, and put in your username.

image

Then, to connect click on the network manager Connections icon and click on a region to which to connect:

image

and put in your PIA password:

image

and now notice the icon:

image

it now has a little lock next to it, and if you click, you can now see you are connected to the network, and you are connected to the VPN too.

iOS:
There is an iPhone/iPad app, but I couldn’t get it working – I kept getting one of two error codes. Apperently this is somewhat common. Luckily, Private Internet Access (and some other providers) also support the OpenVPN standard. So, on iOS, I installed the “OpenVPN Connect” app. Then, navigate to:

http://piavpn.com/ios

to download the profiles for whatever endpoints you’d want to connect to. Then, open the OpenVPN Connect app, choose a region and click connect.

Android:
I don’t have any Android devices at the moment, but it looks like the recommended way is the same as iOS: just download the “OpenVPN Connect” app and navigate to that same site above, to download the PIA VPN profiles.

Windows Mobile 10:
Believe it or not, this is the only platform where I had a problem. To be clear, it does work. If you swipe down from the top, you’ll see the 3rd icon over to the right for VPN:

wp_ss_20160222_0001

if you tap that, and then click connect:

wp_ss_20160222_0002

you’ll see that it connects AND the little WiFi symbol in the top-left now has a little lock:

wp_ss_20160222_0003

So what is the problem? Well, on Windows Mobile 10, when the screen times out or you lock the screen, it disconnects the VPN. So, while it’s locked, while it’s connecting, getting your e-mail, it is unprotected.

You have to unlock your phone and reconnect to VPN every-single-time!! This, for me is a complete showstopper, and for me, the final straw for me and Windows Mobile 10.

More on that in a future blog post, but just know that it does work, but it will not stay connected, you have to keep reconnecting VPN every time you unlock the phone. This is opposed to ALL of the other technologies that stay connected – and if you come back from sleep and reconnect your network, VPN automatically attempts to reconnect until you explicitly disconnect it.

Configuring your router:
My router doesn’t support, but some will allow you to make this VPN connection from your internet gateway/router. That means that ALL network traffic will connect over VPN. There are a few downsides:

  • When you connect on a per-device basis, you have control over when you are connected. For example, perhaps I have a large download. In that case, I can disconnect VPN, download the file, and then reconnect.
  • If your router was the one making the connection, then you wouldn’t know if something went wrong. For example, what happens if the VPN connection drops while they reboot the server? You could be operating for weeks or even months unprotected, without realizing that the VPN did not reconnect!
  • In my case, I have a work computer which connects via VPN to my work. If my router used a VPN, then my actual network traffic would be a VPN tunnel, within a VPN tunnel – and I’m sure performance would suffer greatly.

So for these reasons, and since PIA supports up to 5 connections, I prefer to connect to VPN from individual devices.

Bottom Line:
As technology continues to consume our life, and as our privacy vanishes right before our eyes, this is one of several steps you can take to retain some of the privacy and self-ownership. For me, it’s not a question of “why add VPN?” – it’s a question of “why NOT add VPN?”. It’s simple, cheap, effective, and in my professional opinion, it is truly just a matter of time before your ISP and mobile providers are hacked. There is not a single good outcome from your teenagers internet search history becoming public; or your spouses political or religious affiliations; or… well anything. There is not a single, valid, righteous, proper reason for these companies to track you, and then record everything you do – especially when you know it’s just a matter of time before it all becomes public.

image

So, if for $3/month you can completely eliminate this whole privacy mess by simply taking your ISP and mobile provider out of the equation – why wouldn’t you? If you have any experiences or have recommendations about VPN service providers, please leave a note below!

Posted in AWS, Azure, Best-practices, Computers and Internet, General, Infrastructure, Organization will set you free, Security, Uncategorized
2 comments on “The case for using private VPN
  1. […] The case for using private VPN | Rob Seder on Script for connecting to VPNBook from Kali Linux […]

    Like

  2. […] Using Kubuntu for an easy, secure, privacy-based workstation setup | Rob Seder on The case for using private VPN […]

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Archives
Categories

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 5 other followers

%d bloggers like this: