The Flat Earth Society

Other Discussion Boards => Technology & Information => Topic started by: Dr Van Nostrand on December 15, 2020, 06:47:48 PM

Title: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 15, 2020, 06:47:48 PM
Who do you use and do they suck or not?
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 15, 2020, 06:54:20 PM
I run a couple of my own OpenVPN servers, mostly for circumventing weird access restrictions, and to act as a gateway to my own stuff that I don't necessarily want open to all of the Internet. My mobile phone provider won't let me access p̶o̶r̶n̶ cybersecurity research papers, wtf?

I guess the main question is what you want a VPN for. If you just want a bunch of proxy servers to easily access Netflix from another country, then it really doesn't matter who you're using (there are better ways of accomplishing the same goal, but meh, it'll work, so why not?). However, if you're one of the people who bought into the YT advertising talking about how PenisVPN will protect your privacy because they have no logs™ and use military-grade encryption, then you're probably wasting your money, and likely making yourself more at risk of compromise, not less. There might be other use cases, and your mileage may vary.

tl;dr: you probably don't want a VPN, but if you do, it honestly doesn't matter who you choose.
Title: Re: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 15, 2020, 07:11:11 PM
Setting up my own server might not be a bad idea. I have pretty badass broadband with lots of bandwidth and speed.

I'm expecting Santa Claus to buy me a bunch of new computer gear this Christmas.

My Girlfriend plays World of Tanks on the European servers. But I think using a VPN to be present in Europe will add the same amount of ping time as as crossing the ocean with regular internet.
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 15, 2020, 07:25:08 PM
But I think using a VPN to be present in Europe will add the same amount of ping time as as crossing the ocean with regular internet.
Usually more. It would make your route less direct, in most cases.
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 15, 2020, 07:30:05 PM
I've been playing with tinc. My main reason for using it is that it is the only VPN that will run on every OS I use, but it's also a lot easier to set up than OpenVPN. Also, it's a mesh VPN, which means that once you connect to any node in the network, it will automatically route traffic along the most efficient route it can.
Title: Re: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 15, 2020, 09:59:07 PM
However, if you're one of the people who bought into the YT advertising talking about how PenisVPN will protect your privacy because they have no logs™ and use military-grade encryption, then you're probably wasting your money, and likely making yourself more at risk of compromise, not less. There might be other use cases, and your mileage may vary.

tl;dr: you probably don't want a VPN, but if you do, it honestly doesn't matter who you choose.

This is something I've also wondered about. Even a amateur geolocator can tell you're on a VPN. There are all kinds of fingerprints from the originating computer and application layer in a deep packet analysis. Can a civilian VPN really hide all that shit?
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 15, 2020, 10:18:54 PM
This is something I've also wondered about. Even a amateur geolocator can tell you're on a VPN. There are all kinds of fingerprints from the originating computer and application layer in a deep packet analysis. Can a civilian VPN really hide all that shit?

Using a VPN as a proxy to the public Internet can't hide anything except network addresses — and even then, some application protocols may provide ways to elicit this information from the client (https://security.stackexchange.com/a/179699). Whether a VPN will be sufficient for your requirements, or be able to form part of a solution that is, depends on what your requirements actually are.
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 16, 2020, 10:29:32 AM
This is something I've also wondered about. Even a amateur geolocator can tell you're on a VPN. There are all kinds of fingerprints from the originating computer and application layer in a deep packet analysis. Can a civilian VPN really hide all that shit?
The short answer is "basically, no". Most commercial VPN advertising relies on being Technically Correct™, just enough that you couldn't easily sue them, but any practical implications are overstated to the point of being meaningless.

There are scenarios in which using one can lead to improving privacy. For example, if you're accessing an unencrypted website (http:// rather than https://), the information you send and receive is easily visible. So, let's say you're sat in a cafe using their public wifi and you sent a PM to someone on a forum. If I'm sat in the same cafe, I can easily intercept that message as you read it. A VPN would do two things here:


If the website is already using transport layer encryption, then only the second point stands (since your data would already be encrypted without a VPN). If the attacker is not a nerd in your local cafe, but rather a nation-state actor, a police department, etc, then neither point stands (since these actors will be able to monitor traffic from the VPN end if they really want to).

Another thing worth mentioning is that VPNs are vulnerable to timing attacks. I might not know that you accessed our forum via some VPN, but I will know that you accessed a VPN, and that the VPN accessed our forum at the same time. With enough data points, a committed attacker can easily determine your traffic. Plus browser fingerprinting, plus xasop's point on application-level workarounds, etc. etc.

So, is FjordVPN useful from a privacy standpoint? Eh. My personal opinion is "no". Terms like "military-grade encryption" are just an insidious way of saying "the same encryption that literally everyone on the Internet is using" (I think they want you to imagine burly men in tanks protecting your e-mails or whatever, and I guess it's working since pretty much every company is using this term), and the change in IP address alone won't stop someone from tracking you for so, so many reasons.

Privacy aside, it might be useful if you want to access Netflix in other countries (until Netflix bans that specific node, at which point your VPN provider will spin up a new one, which Netflix will then ban, at which point your VPN provider will...), or for me to access Trump's newest CALL TO ARMS (this is a thing that happened - our general enquiries e-mail received a message from the Trump campaign asking to become an OFFICIAL TRUMP TEXT MEMBER SUPPORTER, but they outright reject connections from outside the USA). Same goes for US local newspapers, which decided that banning Europe is preferable to following their data protection standards.

In short: the ads are telling you that you need a VPN, but fail to explain (truthfully, at least) what problem it would solve. My suggestion would be to identify a problem first, and look at what solutions there might be to it. If a commercial VPN happens to be the answer - that's chill. For me, that was my mobile provider being weird, but even then I decided that I'd rather run my own server than trust a corporation.
Title: Re: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 19, 2020, 09:56:05 PM
ok, so yes, I want to hide my IP address as much as I can but not because I'm trying to hide the fact that I'm looking at porn. Everybody knows I look at porn, everybody's grossed out and we've all moved on.

I am thinking about buying or renting some old IP addresses and setting up my own proxy server (a lot of issues with that plan but doable.)

Anyway, I was doing some tinkering with different browsers and what the webhost sees. I launched test attacks ... I mean connections to a website on my webhost and looked at Cpanel reports to see what IPs were recorded.

Firefox on Windows 8 - webhost recorded the IP address and the location of the modem at my desk
Firefox on Windows 8 from within a virtual Linux Kali client - webhost recorded the IP, the location of the modem at my desk and that I was on a Windows 8 machine with a virtual Linux Kali client
Tor browser on Windows 8 - webhost got a random IP everytime and nothing about my system.

So if you just want to hide your IP from pornsters, Tor seems the way to go.

While I was doing this I noticed that one of my other sites was getting a weird traffic pattern. It's a one page information site, no ecommerce. A rotating IP address is sending a GET (HTTP 1.0) to one specific site. Every few minutes, the IP would change by one and present a different operating system.
WTF, for days, they have been using different IP addresses and different operating systems trying to connect!

Of course, the traffic is from Russia.

WHY IS THIS HAPPENING TO ME!  WHY CAN"T THEY JUST LEAVE ME ALONE!?!?
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 19, 2020, 10:47:08 PM
Of course, the traffic is from Russia.

WHY IS THIS HAPPENING TO ME!  WHY CAN"T THEY JUST LEAVE ME ALONE!?!?

Russians sending out dodgy requests to random web servers? Must be a Tuesday.
Title: Re: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 19, 2020, 11:56:11 PM
Of course, the traffic is from Russia.

WHY IS THIS HAPPENING TO ME!  WHY CAN"T THEY JUST LEAVE ME ALONE!?!?

Russians sending out dodgy requests to random web servers? Must be a Tuesday.

Those bastards!

Holidays are coming so I'll have some time off. I may set up a honey pot with a hole that's shaped like a pussy. When they stick their dick in it, steel teeth will bite their dick off and it will fall into a basket of dicks that I will sell on eBay.
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 20, 2020, 11:50:25 AM
ok, so yes, I want to hide my IP address as much as I can but not because I'm trying to hide the fact that I'm looking at porn.
The "why" makes a big difference here. Tor will be great for some applications, and terrible for others.
Title: Re: Who loves or hates their VPN?
Post by: Toddler Thork on December 26, 2020, 04:11:54 PM
If you want to watch pron, you can just change your DNS settings and circumvent your ISP.
If you don't want to be tracked by Facebook, Google and other advertisers ... some kind of adblock.

I'm not really sure why you would want to use a VPN unless you want to commit a crime?
A VPN will put you in a different tax domicile and you can pay less tax on purchases, but that's evasion, not avoidance.
A VPN will put you a few nodes from the source which might stop you being identified for the horse pron you enjoy but that's illegal too.
A VPN will give you access to football games or movies that are cheaper in other regions ... but that's a form of theft.
A VPN will make it harder to identify that you are downloading things without paying for licenses etc but also theft
A VPN will allow you to circumvent bans on particular websites. ¯\_(ツ)_/¯

If someone is using a VPN, they are probably up to no good.
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 26, 2020, 05:55:27 PM
If you want to watch pron, you can just change your DNS settings and circumvent your ISP.
This is absolutely horseshit advice that you shouldn't follow, unless you want to actively compromise your privacy by providing yourself a sense of false security.

If you don't want to be tracked by Facebook, Google and other advertisers ... some kind of adblock.
This is also terrible advice, written by someone who doesn't understand how tracking works. Use an ad blocker to no longer see ads. An ad blocker does not, however, enhance your privacy - it diminishes it ever so slightly.

I'm not really sure why you would want to use a VPN unless you want to commit a crime?

[...]

If someone is using a VPN, they are probably up to no good.
This is almost correct (let's not split hairs, it's at least not as horseshit as your previous two points), although it ignores the crux of the matter. Many if not most everyday users use commercial VPNs because they saw an ad on YouTube about how it will protect them from EVIL HAX0RZ. This is dumb, but being dumb is not a crime yet.

tl;dr: I strongly recommend you do not follow Thork's technical advice.
Title: Re: Who loves or hates their VPN?
Post by: Toddler Thork on December 26, 2020, 06:55:52 PM
VPNs are mainstream. And my advice would always be not to swim with the crowd. If you are going from site to site via Tor nodes or some popular VPN ... you are painting a target on your back. You are suddenly way more interesting than someone using adblock or cloudflare.

VPNs do not deliver any of the promises they make. You aren't anonymous, you can be tracked ... and you did that to yourself at the expense of slower page load times and performance issues.

tl;dr: I strongly recommend you do not follow Pete's technical advice.

VPNs are gay and will increasing attract the interest of HMRC, IRS etc as they start to wonder why all their sales tax / VAT is disappearing online and why QATAR has the 7th biggest economy on the earth.
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 26, 2020, 07:25:44 PM
I don't think any further comment is necessary. Thork provided an excellent exposé on why he's wrong, without even understanding the position he's arguing against.

Back on topic: Unless you tell us what use case you're trying to use a VPS for, there's not much we can do.
Title: Re: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 26, 2020, 11:00:15 PM
If someone is using a VPN, they are probably up to no good.

Ok, So here's the deal. I'm getting a new computer and I'm looking to harden the network defenses. The workstation (not an Apple) will be more about video editing and digital publishing but I do enjoy some light recreational cybercrime (hacktivism, scambaiting, no bitcoin, etc...) I'm looking to anonymize the IP address, plug ports, monitor traffic yada yada. So Thork was kind of right.

Part of the problem is that I share a normal household network with people and peripherals that want a normal internet experience.

VPNs are gay and will increasing attract the interest of HMRC, IRS etc.


Yes, they are gay. And they could just as easily give away the donkey porn they are supposed to protect by getting breached themselves. But even Cloud flare had a leak so we take our chances with anyone. I'm not as worried about attracting attention from the government by using a VPN. In America, it's like a gun permit, no big deal.

They offer the minimal protection of the front door of my house. Someone could break it down with no problem but it does keep out stray dogs and lost elderly women suffering from dementia who wander up.

I'm thinking maybe the whole house needs to be behind some kind of firewall proxy server thing. I saw an ad for some of Michael Jackson's old IP addresses from Neverland Ranch.

BTW Doesn't it bother any of you that the admins can geolocate you, read your OS, possibly access your files and camera, start an online romance with some friend or family from your contact list, marry into your family and seriously own you?
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 27, 2020, 12:15:01 AM
Ok, So here's the deal. I'm getting a new computer and I'm looking to harden the network defenses. The workstation (not an Apple) will be more about video editing and digital publishing but I do enjoy some light recreational cybercrime (hacktivism, scambaiting, no bitcoin, etc...) I'm looking to anonymize the IP address, plug ports, monitor traffic yada yada.
If you're comfortable getting your hands a little dirty with VMs (sorry, no idea what your background and experience is - I'm happy to adjust to any level if you let me know) I'd recommend playing with Whonix. In a nutshell, you run 2 VMs: one acting as a Linux box that routes all network traffic through the other - a gateway that routes all Internet traffic through Tor. This is a pretty strong setup for most de-anonymising attacks, it doesn't cost any money, and the set up is relatively simple once you know how the different parts work with one another. If you use it diligently, it means that your Naughty™ stuff goes through the VMs while keeping the rest of your home/family using the Internet as normal.

This is almost certainly overkill for your requirements, but honestly a bit overkill might be good for peace of mind. If you'd like, you can always shoot me a DM. I used to train people on these tools, so I should be able to answer most basic questions.
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 27, 2020, 12:17:25 AM
In a nutshell, you run 2 VMs: one acting as a Linux box that routes all network traffic through the other - a gateway that routes all Internet traffic through Tor.

Is there a good reason to use two VMs instead of just using network namespaces to isolate the client and gateway on one Linux system?
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 27, 2020, 12:21:58 AM
Is there a good reason to use two VMs instead of just using network namespaces to isolate the client and gateway on one Linux system?
I don't know about "good", but the reasoning is that if you manage to compromise the client/workstation (or otherwise leak any information about the client), you still have very little information about its network setup - all you'll see is a local network with one other machine on it. The gateway is not meant to be used interactively by the user, which arguably mitigates some routes of compromise.
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 27, 2020, 12:59:21 AM
I don't know about "good", but the reasoning is that if you manage to compromise the client/workstation, you still have very little information about its network setup. The gateway is not meant to be used interactively by the user, which mitigates some routes of compromise.

I'm very sceptical of such arguments because any network clients on the workstation VM should be running unprivileged, so escaping a network namespace sandbox would require a root privilege escalation vulnerability in the kernel. It's difficult to imagine a scenario in which consumer virtualisation software is trusted, but the Linux kernel is not. To me, just throwing more VMs at a problem seems like security by people who don't understand security, which is why I'm very wary of such off-the-shelf solutions.

An alternative to consider is OpenBSD, which I've been using as my daily driver for the past 5 years now. Without diving deeply into details (there are plenty on the website (https://www.openbsd.org/events.html)), OpenBSD has two complementary mechanisms to restrict process access — pledge(2) (https://man.openbsd.org/OpenBSD-6.8/pledge.2) for system calls, and unveil(2) (https://man.openbsd.org/OpenBSD-6.8/unveil.2) for filesystem paths. Firefox on OpenBSD makes use of these to severely restrict what things it can do, so even without network isolation, it should not be able to inquire about hardware details or network interface configuration, nor read any of your files other than those necessary for it to function. (It is, of course, possible to add or remove capabilities to/from the default set, if you need it to access some specific files or want to remove the ability to play sound, for example.) It is straightforward to couple this with rdomain(4) (https://man.openbsd.org/OpenBSD-6.8/rdomain.4) and pf(4) (https://man.openbsd.org/OpenBSD-6.8/pf.4) to block any network access from Firefox to the outside world, forcing it to proxy via Tor (or wherever else you may want it to go).

Of course, that approach involves a bit more work, and probably a lot of learning if you are not already familiar with Unix, but the great benefit is that you end up with a system you understand, rather than a product somebody else created with dubious design choices. The other bonus, if you run it on bare metal, is that instead of accessing all hardware via a virtual machine — which tends to make things like hardware-accelerated graphics difficult or impossible — Firefox has direct access to only the hardware it needs. But the extra work involved means it may or may not suit you, so consider carefully whether it's a trade-off you want to make.
Title: Re: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 27, 2020, 01:29:56 AM
If you're comfortable getting your hands a little dirty with VMs (sorry, no idea what your background and experience is - I'm happy to adjust to any level if you let me know) I'd recommend playing with Whonix. In a nutshell, you run 2 VMs: one acting as a Linux box that routes all network traffic through the other - a gateway that routes all Internet traffic through Tor.

I run a small herd of VM on the ranch and I read about running a sandbox within a sandbox within a sandbox etc. But....

I'm very sceptical of such arguments because any network clients on the workstation VM should be running unprivileged, so escaping a network namespace sandbox would require a root privilege escalation vulnerability in the kernel.

There is a lot of opportunity for me to fuck up permissions and own myself even without any inherent architectural issues.

I run a couple of my own OpenVPN servers, mostly for circumventing weird access restrictions, and to act as a gateway to my own stuff that I don't necessarily want open to all of the Internet.
I've been playing with tinc.

But still, don't you need IP addresses if you don't want people to see your face?
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 27, 2020, 01:52:54 AM
There is a lot of opportunity for me to fuck up permissions and own myself even without any inherent architectural issues.

If we aren't taking user caution for granted, there is also a lot of opportunity for you to send personal information over Tor or a VPN, which applies no matter what technical solution is used.

But still, don't you need IP addresses if you don't want people to see your face?

Well, this thread was asking about VPNs in general, and my initial reply was in response to that. It only became clear later that you meant using a VPN as your gateway. Also, I don't understand your question.

Also, to clarify my previous post: No work is needed to use pledge and unveil for privilege restriction, that happens for Firefox on OpenBSD by default. The work involved is to set up routing domains and pf to block non-Tor traffic, if that's a thing you want to do.
Title: Re: Who loves or hates their VPN?
Post by: Toddler Thork on December 27, 2020, 08:47:53 AM
What a mess . The tl;dr

@Dr Nostrand ... spent $30 and do it right.
https://www.comparitech.com/blog/vpn-privacy/raspberry-pi-vpn
^ Will work on your PC, phone, xbox and anything else you like to stream your donkey pron through.
Same solution, different guy
https://www.youtube.com/watch?v=15VjDVCISj0

Right, the tl and nobody should read ....

So Thork was kind of right.
This is a recurring theme on this website.

In America, it's like a gun permit, no big deal.
If you'd like, you can always shoot me
Sorry, my mind wandered.

An alternative to consider is OpenBSD
You should consider this for no more than 2 seconds before realising that this is the most convoluted solution available to you, requiring the most research and the greatest technical barriers to entry suggested so far.
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 27, 2020, 09:45:27 AM
What a mess . The tl;dr

@Dr Nostrand ... spent $30 and do it right.
https://www.comparitech.com/blog/vpn-privacy/raspberry-pi-vpn

This does not address all of the concerns raised in this thread, but thanks for trying. It turns out that "just throw a VPN at it" is not a complete solution to privacy online.
Title: Re: Who loves or hates their VPN?
Post by: Toddler Thork on December 27, 2020, 10:21:01 AM
What a mess . The tl;dr

@Dr Nostrand ... spent $30 and do it right.
https://www.comparitech.com/blog/vpn-privacy/raspberry-pi-vpn

This does not address all of the concerns raised in this thread, but thanks for trying. It turns out that "just throw a VPN at it" is not a complete solution to privacy online.
And memeing OpenBSD as the answer to every problem is hardly much help either.  ::)
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 27, 2020, 10:31:04 AM
And memeing OpenBSD as the answer to every problem is hardly much help either.  ::)

Irrelevant.
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 27, 2020, 12:57:00 PM
It's difficult to imagine a scenario in which consumer virtualisation software is trusted, but the Linux kernel is not.
You're massively overthinking this and consequently missing the point. By the time you need to ask yourself which software you "trust", you already have problems big enough that you should be wiping your entire computer and moving to Argentina. This design decision can be, arguably only slightly, beneficial in case of user error. If you install malware on your computer, it doesn't matter how much you "trust" your kernel.

To me, just throwing more VMs at a problem seems like security by people who don't understand security, which is why I'm very wary of such off-the-shelf solutions.
With due respect, you're not a security expert, unlike many of the people involved in the project - you have a tendency to hyperfocus on small aspects of projects and to dismiss them when you don't like a single detail, missing out on the bigger picture.

This, by the way, is why we generally teach people not to reinvent the wheel when it comes to security. It usually ends very, very badly, because a single person, no matter how smart, is more likely to miss some holes than a team of dedicated people working on a solution for years.

You're also making this assessment based on one short remark I've made about a single design decision, without having read anything else about the project. This is extremely unhelpful to this discussion, and you're potentially scaring people away from a tool which appears to be a near-perfect match to their needs. The approach has flaws (though I disagree that you identified one), but it's the least-worst option available for a relatively competent computer user who doesn't do professional-computer-somebody work for a living.

Also, can we please just agree that, regardless of our disagreements, Thork shouldn't be further engaged in this thread?

But still, don't you need IP addresses if you don't want people to see your face?
Short answer: you DO NOT want a VPN for your use case. If you run it yourself, it will always be tied to you. If a corporation runs it, you're at the behest of a corporation which Definitely Doesn't™️ have multiple ways to break the promises they made to you at the behest of law enforcement. (Those, in turn, can also be exploited by people who aren't law enforcement).
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 28, 2020, 02:05:12 AM
You're massively overthinking this and consequently missing the point. By the time you need to ask yourself which software you "trust", you already have problems big enough that you should be wiping your entire computer and moving to Argentina.

The very existence of such a setup is contingent on not trusting some of your software, otherwise you could just trust the web browser (or whatever other tools you're running) not to leak information about your client.

This design decision can be, arguably only slightly, beneficial in case of user error.

For certain classes of user error, which I'm still not convinced are significantly more likely than the user revealing personal information directly over the "private" transport.

If you install malware on your computer, it doesn't matter how much you "trust" your kernel.

It does if you are running that malware as an unprivileged user, which should always be the case in this scenario.

This, by the way, is why we generally teach people not to reinvent the wheel when it comes to security. It usually ends very, very badly, because a single person, no matter how smart, is more likely to miss some holes than a team of dedicated people working on a solution for years.

Agreed. I can't tell if you're implying that I've suggested reinventing the wheel or not.

You're also making this assessment based on one short remark I've made about a single design decision, without having read anything else about the project. This is extremely unhelpful to this discussion, and you're potentially scaring people away from a tool which appears to be a near-perfect match to their needs.

Indeed — I don't know anything about the project and I had never heard of it until you mentioned in this thread. My reaction was based on the all-too-common approach of "put it in a VM, then it will be perfectly secure" from people with no understanding of what they are talking about, and that does make me initially sceptical of projects which rely heavily on virtualisation for isolation. I accept that it may not be warranted in this specific case — I simply don't have enough information to express anything more than wariness.

The approach has flaws (though I disagree that you identified one), but it's the least-worst option available for a relatively competent computer user who doesn't do professional-computer-somebody work for a living.

I would not go so far as to say I identified a flaw. I have concerns — and I would not personally use this project without more research to answer the questions that come to mind. But it also doesn't seem to run on my OS — actually, it doesn't have instructions to run on any system I use, since its Linux instructions assume that you use either Virtualbox or libvirt (while calling libvirt "KVM") — so there is no sense in me doing that research. This, by the way, is one of my concerns about using VMs for this, as it means they can only feasibly target a fairly narrow range of host system configurations.

Also, whether or not it is the best option depends on exactly what you want to isolate. I still think that restricting a web browser's access to OS resources is a better approach to improving privacy on the web specifically, but Whonix seems to aim for isolation of a complete OS. Depending on user needs, this may be overkill if they just need a privacy-enhanced Firefox, or it may indeed be a perfect fit.

Also, can we please just agree that, regardless of our disagreements, Thork shouldn't be further engaged in this thread?

That much is patently obvious.
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 28, 2020, 02:26:08 AM
For certain classes of user error, which I'm still not convinced are significantly more likely than the user revealing personal information directly over the "private" transport.
The software addresses the aspects of user error which can be addressed through software. It does not serve as a replacement for other means of reducing user error.

It does if you are running that malware as an unprivileged user, which should always be the case in this scenario.
It very often isn't, regardless of what you think should be the case - people make errors, and those errors can be as severe as running dodgy software as root (or falling prey to some yet-unknown escalation vector). Reality doesn't care about what should be, and addressing that reality is beneficial.

Don't get me wrong - I don't actually disagree with you here. It's just that... Yeah, things that shouldn't happen happen all the time. I see no merit in just saying "but it shouldn't happen" - I'd rather mitigate the effect of it happening. It is extremely important to address these flaws in the general use case as they crop up, but the paranoid use case of "I'm doing something I shouldn't be doing" warrants a few more layers of hardening.

Agreed. I can't tell if you're implying that I've suggested reinventing the wheel or not.
You explicitly stated that you don't like pre-made solutions in the field of security. I know you, and thus I have a good idea of what you meant, but I am going to be relatively unique to see your meaning despite your choice of words.

Indeed — I don't know anything about the project and I had never heard of it until you mentioned in this thread. My reaction was based on the all-too-common approach of "put it in a VM, then it will be perfectly secure" from people with no understanding of what they are talking about, and that does make me initially sceptical of projects which rely heavily on virtualisation for isolation. I accept that it may not be warranted in this specific case — I simply don't have enough information to express anything more than wariness.
That's fine - but what you expressed looked like confident dismissal (which could have likely been misread as an educated rebuttal), and not a general doubt. This distinction needed highlighting, and now it has been.

Mind you, Whonix doesn't rely on virtualisation. You could just as well deploy the gateway and workstation in real hardware. It's the separation between the two that (arguably) helps boost privacy, so separate hardware would only make things better. The standard deployment assumes VMs as a good combination of "easy to do", "probably good enough", and "hasn't yet been publicly broken by a nation-state attacker".

But it also doesn't seem to run on my OS — which is one objection I have to using VMs for this, as it severely limits where you can run it — so there is no sense in me doing that research.
I suppose the 5 users of OpenBSD might indeed be restricted there. I know for a fact that OP is not one of them, so I didn't concern myself with it when making my recommendation. Though, given that virtualisation is not actually required for this, I'd probably just recommend that MemeOS users just buy two rPis to run it.

Also, whether or not it is the best option depends on exactly what you want to isolate.
Yeah - I am working with limited information, and I filled the gaps in what OP told us with my own experience with similar activities. I have some confidence in my guessed, but it obviously does not replace a well-defined spec. However, I also suspect that OP doesn't exactly know what he wants yet - hence my suggestion of looking at a tool and seeing if it feels right.
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 28, 2020, 02:44:32 AM
Don't get me wrong - I don't actually disagree with you here. It's just that... Yeah, things that shouldn't happen happen all the time. I see no merit in just saying "but it shouldn't happen" - I'd rather mitigate the effect of it happening. It is extremely important to address these flaws in the general use case as they crop up, but the paranoid use case of "I'm doing something I shouldn't be doing" warrants a few more layers of hardening.

That's fair, I suppose. I guess where I differ is that I don't consider this protection to be worth the added complexity, but then I was also looking at it as a way of running a web browser, where elevating privileges to root is basically never needed.

You explicitly stated that you don't like pre-made solutions in the field of security. I know you, and thus I have a good idea of what you meant, but I am going to be relatively unique to see your meaning despite your choice of words.

Well, to be more specific for the benefit of others: I prefer general-purpose tools that can be easily configured and composed to work the way I want them to, rather than tools that come pre-configured the way someone else thinks they should work. I don't think of configuration to suit your needs as reinventing the wheel, and I would never in any situation advocate reinvention of wheels in security. (Reinvention of wheels in other fields is sometimes, though rarely, justified.)

I suppose the 5 users of OpenBSD might indeed be restricted there. I know for a fact that OP is not one of them, so I didn't concern myself with it when making my recommendation.

OpenBSD is but one example. I actually edited my last post while you were replying, so to expand upon that, the Whonix installation instructions for Linux provide options for Virtualbox and what they call "KVM" (which is actually libvirt managing KVM guests). My Linux systems with VMs do use KVM, but they do not use libvirt, in part because libvirt does not support using the isolation features of QEMU that I use to mitigate the risk of VM escape attacks. It is a tad ironic that a project based on security by isolation would force me to reduce the isolation of my system in order to install it.

Other situations in which this is limiting are that you cannot use it on non-x86 hardware, or on old x86 CPUs without virtualisation extensions, or on a VM without nested virtualisation support (which is its own can of worms). In case you think I am contriving scenarios that will not arise in practice, I have personally encountered users who wanted to run VMs for isolation but could not for all three of these reasons.

Granted, this likely does not apply to the OP, but it is one of my concerns about using multiple VMs for this. (If it were a single VM, it could — at least in principle — be installed onto bare hardware as a workaround.) Even if we accept that the approach improves security, it does so at the cost of portability, which reduces the number of users that can take advantage of the improved security.

Yeah - I am working with limited information, and I filled the gaps in what OP told us with my own experience with similar activities. I have some confidence in my guessed, but it obviously does not replace a well-defined spec. However, I also suspect that OP doesn't exactly know what he wants - hence my suggestion of looking at a tool and seeing if it feels right.

Agreed on that point, which is why I suggested OpenBSD as well, as an option that comes with a privacy- and security-enhanced Firefox installation by default (albeit without Tor). Hopefully one of these options will suit.
Title: Re: Who loves or hates their VPN?
Post by: Toddler Thork on December 28, 2020, 07:42:05 AM
Who do you use and do they suck or not?
Asking which provider ... and
Setting up my own server might not be a bad idea.
So I suggest the cheap, tried and tested Raspberry Pi Solution


Pete
Short answer: you DO NOT want a VPN for your use case.
No alternative provided

la xasop ... change your Operating System.

And then
Also, can we please just agree that, regardless of our disagreements, Thork shouldn't be further engaged in this thread?

You so called technical experts are useless. The OP has wandered off as you continue to squabble over things he's not interested in.  ::)

I've been playing with tinc.
I'll bet your monitor looks like a plaster's radio.
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 28, 2020, 11:38:34 AM
Thork, I'm sure you'll read the thread one day. Until then, please stop trying to derail it.

xasop - nothing you said is here technically incorrect, but it is too far removed from any likely use case OP (or most computer users) might have. The use cases of "I use OpenBSD, but despite that I somehow still care about portability", "I want to run VMs but refuse to run any of the most popular hypervisors, nor do I want to adapt a solution to the narrow set of hypervisors I do accept", or "what if you're not using a relatively modern and common PC?" are exceptionally rare, if I may be so bold (even if you claim to have observed them with someone other than yourself). They dilute a thread which could otherwise be useful and well-targeted.

As mentioned before - I made this suggestion for (my interpretation of) a very specific use case. I wouldn't make it for a general case, because it would be too complicated and wouldn't offer tangible advantages to most users. However, once you reach the stage of "I wanna go scambaiting but don't want the nice Nigerian mafia to knock on my door", hardening the entire environment in which you do that starts to become necessary.
Title: Re: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 28, 2020, 02:57:04 PM
You so called technical experts are useless. The OP has wandered off as you continue to squabble over things he's not interested in.  ::)
I haven't so much wandered off, just consumed by weekend partying. I'm sober now.

The thing is that when you post a technical question like this on a flat earth forum, you take your chances. But you will get a broad swath of opinions along with the possibility of being trolled off the grid. That's cool, I want to hear it all. I read it all. There has been some good info in this thread.

I think it's within my tech abilities to set up some kind of proxy server but there's still the issue of IP addresses....
Short answer: you DO NOT want a VPN for your use case. If you run it yourself, it will always be tied to you. If a corporation runs it, you're at the behest of a corporation which Definitely Doesn't™️ have multiple ways to break the promises they made to you at the behest of law enforcement. (Those, in turn, can also be exploited by people who aren't law enforcement).

If I buy IP addresses outright, it would be like having them tattooed on my ass. I might be able to cover them but they would follow me forever. (Doesn't the Thorkian hardware solution require having some kind of rogue IP address to hide behind?)

A couple of you recognized that I don't have the issue completely mapped out yet but I'm closing in on it.
However, once you reach the stage of "I wanna go scambaiting but don't want the nice Nigerian mafia to knock on my door", hardening the entire environment in which you do that starts to become necessary.

Yeah, the Nigerians are one thing, but I also want to go after the Russians attacking my webhost. Those people have absolutely no sense of humor.

I'm starting to think that maybe I'm looking at a workstation solution rather that a network solution. Maybe some kind of an anonymized, fortified, VM on a flashdrive... If I want to play in the mud, I could just plug it in and make it disappear when I'm done.

 
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 28, 2020, 03:37:10 PM
If I buy IP addresses outright, it would be like having them tattooed on my ass. I might be able to cover them but they would follow me forever. (Doesn't the Thorkian hardware solution require having some kind of rogue IP address to hide behind?)
Thork's "solution" doesn't even attempt to answer the problem. It's instructions on how you could connect your devices to a provider (without naming one), and/or how you could access your LAN from outside. It doesn't attempt to answer the privacy question, because he never read your question, nor the discussion that followed.

It doesn't even attempt to answer your question, because he never read it. A network like Tor is pretty much your best hope for what you're describing.

I'm starting to think that maybe I'm looking at a workstation solution rather that a network solution. Maybe some kind of an anonymized, fortified, VM on a flashdrive... If I want to play in the mud, I could just plug it in and make it disappear when I'm done.
If only I had described something like that earlier in this thread... ::)

If the two-VM approach of Whonix (https://www.whonix.org/) scares you (it really shouldn't), you could also consider Tails (https://tails.boum.org/) - a live-bootable flash drive which avoids persistent storage of data, and also routes your traffic through Tor.

Yeah, the Nigerians are one thing, but I also want to go after the Russians attacking my webhost. Those people have absolutely no sense of humor.
Err, you might want to think about that one a bit. Russian botnets hammer every IP on the Internet - you should probably just automatically ban them (have a look at tools like fail2ban). They have no idea who you are, and there's nobody to "go after". If your whole idea is to investigate some botnets, you probably don't need to hide yourself at all, nor are you likely to find anything of interest.
Title: Re: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 28, 2020, 04:22:33 PM
If only I had described something like that earlier in this thread... ::)

yep, it's coming around.

(have a look at tools like fail2ban).

Very interesting. I've tried the IP Blocker in the Cpanel to block the IPs and their ranges but it does nothing to stop the hits. They're not really hurting anything but these 'GET's are consuming bandwidth and showing up in my metrics as traffic. It's annoying.

Years ago, some Ukranians managed to get a malicious javascript into one of my hosted webpages (dumbbitchwebhosting dot com). Those spam emails that ask people to log onto their bank was sending traffic to Ukraine through one of my webpages. I haven't forgotten. Now that Russia annexed part of Ukraine, it's personal.

If I was a real asshole, I could hack into the neighbor's wifi and launch attacks from their modem. But I like my neighbors and would feel bad if the Nigerians showed up at their house and I wouldn't want them to get sprayed with Russian nerve gas either.
Title: Re: Who loves or hates their VPN?
Post by: xasop on December 28, 2020, 07:58:42 PM
Very interesting. I've tried the IP Blocker in the Cpanel to block the IPs and their ranges but it does nothing to stop the hits. They're not really hurting anything but these 'GET's are consuming bandwidth and showing up in my metrics as traffic. It's annoying.

Speaking as a professional computer somebody for the past decade, this is just the Internet. If you are going to put services on the public Internet, you will need to get used to the fact that this happens.
Title: Re: Who loves or hates their VPN?
Post by: Pete Svarrior on December 28, 2020, 09:14:20 PM
If I was a real asshole, I could hack into the neighbor's wifi and launch attacks from their modem.
I mean no offence, but given the level of expertise you hinted at so far: do you even know what "launching attacks" would entail?
Title: Re: Who loves or hates their VPN?
Post by: Dr Van Nostrand on December 29, 2020, 12:50:54 AM
Very interesting. I've tried the IP Blocker in the Cpanel to block the IPs and their ranges but it does nothing to stop the hits. They're not really hurting anything but these 'GET's are consuming bandwidth and showing up in my metrics as traffic. It's annoying.

Speaking as a professional computer somebody for the past decade, this is just the Internet. If you are going to put services on the public Internet, you will need to get used to the fact that this happens.

I've just got to do something.  Going to curse and shake my fist in the air....

I mean no offence, but given the level of expertise you hinted at so far: do you even know what "launching attacks" would entail?

just basic scambaiting and social engineering...  Nothing sophisticated, I just don't want it coming from my address and want to minimized my DNA on it.