VPNs: why trust anyone?

Submitted by Cyrus on Sat, 12/29/2018 - 07:19

I was reading Deep Dot Web, forgive me, and noticed an article on VPNs. Its reasoning for using a VPN to hide that you're using Tor was alright, but it ends with a stupid list of "good" providers. I'll tell you a closely held secret: there are none. Something is yours only if you control it as root/superuser. Every VPN provider for the general public is putting your data in the trust of someone else. Considering the important purpose, and the risk, that the VPN covers, you should just build your own VPN on a Virtual Private Server (VPS). The good news about doing this is that the whole path to true anonymity can be peer-reviewed, FOSS software.

It isn't hard to administer a *NIX system for basic things like running OpenVPN. You deploy a Debian server with your host, install OpenVPN, create a CA and keys for the server and client with easy-rsa (get a guide for installing OpenVPN, this is not one), and configure it so everything connects (the keys are the authentication). Provided you picked a reliable guide, you should have things working. There are some other things to check with your distro's community, such as whether your default gateway just falls back to your LAN when the VPN is unavailable, so that traffic silently leaves unprotected.
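One way to check the fallback problem just mentioned, as an added example that is not from the original post: a small POSIX sh function that reads a snapshot of `ip route show` and reports whether non-local traffic is actually leaving through the tunnel. It accounts for the fact that OpenVPN's `redirect-gateway def1` does not replace the LAN default route but shadows it with two /1 routes; the interface name tun0 and the route snapshots are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): decide from a saved `ip route show`
# snapshot whether all non-local traffic leaves via the VPN tunnel.
# OpenVPN's `redirect-gateway def1` does NOT replace the default route; it adds
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which shadow the LAN default.
# When the tunnel drops, those two routes vanish and the LAN default is live
# again, so a check that only looks for "default" would miss the leak.
# Tunnel interface name tun0 is an assumption; pass your own as 2nd argument.

# vpn_egress_state ROUTES [TUNIF] -> prints one of: tunnel | leaking
vpn_egress_state() {
    routes=$1
    tunif=${2:-tun0}
    printf '%s\n' "$routes" | awk -v tunif="$tunif" '
        # record which interface serves each covering prefix
        $1 == "default"     { for (i = 1; i <= NF; i++) if ($i == "dev") def = $(i+1) }
        $1 == "0.0.0.0/1"   { for (i = 1; i <= NF; i++) if ($i == "dev") lo  = $(i+1) }
        $1 == "128.0.0.0/1" { for (i = 1; i <= NF; i++) if ($i == "dev") hi  = $(i+1) }
        END {
            # full default via tunnel, or both def1 halves via tunnel, is fine
            if (def == tunif || (lo == tunif && hi == tunif)) print "tunnel"
            else print "leaking"
        }'
}

# Constructed snapshot: VPN up with redirect-gateway def1. The LAN default is
# still present but shadowed by the two /1 routes; 198.51.100.7 stands in for
# the VPN server, reached via the LAN gateway on purpose.
ROUTES_UP='default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
198.51.100.7 via 192.168.1.1 dev eth0'

# Constructed snapshot: tunnel gone. The /1 routes disappeared and traffic
# quietly falls back to eth0 through the LAN gateway.
ROUTES_DOWN='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# Live use on the client: vpn_egress_state "$(ip route show)"
```

Run it from a cron job or a NetworkManager dispatcher hook and alert (or drop the default route) when it prints `leaking`.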

There is a new trust issue with your own VPS doing the VPN: is your VPS legit or shit? The good news is you've got an open source system and a mountain of market competition removing the incentive for malice with your server. I second Kaizushi's recommendation of VPS.ag, which doesn't take ID and sells in Bitcoin. There is also libertyvps of course, but I find their jurisdiction's freedoms depend too much on the force of law. It is of course your decision, though don't just use libertyvps because it virtue signals liberty, which I guess is the bit with them that costs extra compared to everywhere else.

You should learn to use tools like unhide and rkhunter when administering your VPS, to check it for malware. You shouldn't use this VPS as your SOCKS proxy, which is another use of a VPS that I've previously mentioned. Your VPN gets you privacy to go where you want online, so its VPS should be independent of your identity on the deep web. Having the SOCKS proxy on it, to give you a sort of private Tor exit, would of course compromise things here. You can use it for anything relating to the real you, so you could run an XMPP server on it if you wanted and host your own personal website.

A VPS is cheap, but it might cost a little while it sits doing nothing as you learn to set it up. If you want support setting it up, Kaizushi would probably be helpful if you give her a little XMR as a tip. She loves helping people with the practical side of what I like to explain. Though, I do wonder if she is getting busy these days with more customers. You can of course get free support from online communities. It is worth covering your entry to the deep web with your VPS-based VPN, and it isn't even expensive. Though, strangely, it would probably cost a lot more than a third-party VPN provider.


Comments

I would not recommend OpenVPN, as WireGuard is far better. It's being adopted now by IVPN, Mullvad, ProtonVPN and there are probably others as well. I would agree that setting up your own VPN server would be the safest option, but that's if you have the technical expertise required to properly harden the server to the point where it's incredibly challenging to exploit. And using a VPS is not a good idea at all, seeing as how VPSes are running inside of VMs which can be monitored by the software that's being used to create them, along with your hosting provider. I would recommend using ServNet, as they are an established Dark Web hosting provider who offer dedicated servers and accept Bitcoin for payment. After purchasing one of their dedicated servers, I would be sure to install a hardened kernel and, if you're able to use Parabola GNU/Linux-libre for the operating system, I would use the Xtreme kernel with the Nonprism packages and require Onion SSH access with mandatory 2FA (Yubikey or Google Authenticator with PAM) so that brute force is impossible.