VPN Advice (November 2021 Edition)

By Michael Gebis, Tue 16 November 2021, in category Vpn

I had a short discussion with a friend about his VPN needs; here's a summary of that discussion.

Executive summary:

  1. Most users don't need a VPN for privacy anymore; the majority of your web traffic is encrypted by default.
  2. If you need a VPN so you can access servers at your home: Use Tailscale.
  3. If leaking metadata is a concern, first check if you already are paying for a VPN like "VPN by Google One" or "iCloud Plus".
  4. If you want a free VPN: Use ProtonVPN (with some caveats).
  5. If you need a more serious VPN: Use Mullvad or NordVPN.
  6. If you need overkill: Use Tor.

Beware of all VPN advice

Some VPN providers are a little sketchy. Especially for the "free" VPNs, you should ask yourself "How are they making money?" The answer might be that they make money selling your metadata to advertisers. Ugh.

Don't trust search engines, either: the "top 10 VPNs of 2021" lists search engines show to you all feel like astroturf campaigns. Shady VPN companies are pretty good at SEO.

Don't even believe me or this blog post. I swear I'm not a shill, but that's exactly what a shill would say. Double-check everything anyone tells you about VPNs, even me.

Your VPN provider becomes your ISP (kinda).

Without a VPN, your ISP (Comcast, T-Mobile, Starbucks, the WiFi at your work) can see the data "going over the wire"--but most of that data is encrypted nowadays, so they don't get that much. The ISP can still see metadata; specifically, it knows the destination server of each of your requests. In other words, your ISP can tell you're going to Facebook, but not which page on Facebook, nor the contents of that page. Still, this metadata is valuable, and some ISPs make money selling it.

But remember: When you turn on your VPN, your data is encrypted to the VPN provider, who then sends it over the internet... thus the VPN provider can see which websites you're going to. So you're swapping one trusted entity for another. Choose wisely.

Advice for specific VPN use cases:

Use Case: I want to connect to servers at my house (to download your private music, video, etc.)

This question is easy for me to answer: just use Tailscale. It's amazing--every computer you install Tailscale on gets a new address in the 100.64/10 range. Any of your computers running Tailscale can communicate with any other computer running Tailscale using this new IP address. It's like they are all on the same ethernet hub. All NAT traversal and key management is handled by their software (that's the magic!). It's so easy that if you had started setting it up when you started reading this paragraph, you would already be done.

Another option is to see if your router (Netgear, TP-Link, whatever) has a VPN server you can enable. But this is a pain to configure, is error-prone, and if your router firmware isn't patched, you might be enabling a VPN service that has serious bugs. Some past examples of bad router VPN firmware: Netgear, TP-Link, Linksys... really, every big router company has had a problem at some point. It's embarrassing. If your router gives you a choice as to which VPN protocol to use, WireGuard is easier to set up than OpenVPN.

Update 3/29/2022: A friend mentioned he does not want to trust a third party, and he doesn't trust his router. So as an easy way to set up OpenVPN, he uses PiVPN. It also supports WireGuard. It is very easy to install on Linux, including Raspberry Pi boxes. This does come with additional risk, as you have to open up a port and maintain a working Linux box.

Use Case: I would like to protect my internet traffic at an internet cafe

If you're worried about someone sniffing your internet traffic: This once was a concern, but in 2021 you probably don't need a VPN at all. All the big websites have turned on TLS (in web browsers, look for "HTTPS" in the location bar), which encrypts the contents of your traffic. Google properties (including Gmail, YouTube, Drive, everything), Facebook, Twitter, Yahoo, etc., all of them use TLS. What TLS does NOT do is hide the metadata of exactly where your traffic is going... read on:

Use Case: I would like to keep my phone browsing habits from my employer while on their WiFi

While TLS encrypts the content, it does not hide the destination. If you are going to OnlyFarmers dot com, the ISP doesn't know which pages you read or their contents, but it still knows it's OnlyFarmers. This is true of apps you may have on your phone as well--the OnlyFarmers app probably phones home without you knowing it multiple times a day. This may be something you would like your employer to not know.
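To make the "content is hidden, destination is not" point concrete, here is an added example (not code from the post) that shows what anyone on the network path, whether the cafe WiFi, your employer, your ISP, or the VPN provider you route through instead, can read from a TLS connection. It constructs a minimal ClientHello for a hostname, pulls the hostname back out of the Server Name Indication (SNI) extension the way a passive observer would, and contrasts that with an encrypted application-data record, which yields only its length. The ClientHello bytes are built locally and are not a real capture.

```python
"""What an on-path observer learns from TLS: the destination hostname in the
ClientHello's SNI extension, but nothing about the page or its contents once
the handshake finishes.  Added example; the records are constructed here."""
import struct
from typing import Optional


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    server_name_entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(server_name_entry)) + server_name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list  # ext type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                # client_version (TLS 1.2 wire value)
        + b"\x11" * 32             # client random (constructed, fixed for the example)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # 0x16 = handshake record


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record like a passive observer and return the SNI hostname, if any."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                   # skip handshake header, version, random
        sid_len = hs[pos]; pos += 1 + sid_len              # session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
        comp_len = hs[pos]; pos += 1 + comp_len            # compression methods
        if pos + 2 > len(hs):
            return None                                    # no extensions block at all
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + ext_len]; pos += ext_len
            if ext_type == 0x0000 and len(data) >= 5:      # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", errors="replace")
    except (IndexError, struct.error):
        return None
    return None


def observer_view(record: bytes) -> str:
    """Summarise what the network path learns from one TLS record."""
    sni = extract_sni(record)
    if sni is not None:
        return f"destination host: {sni}"
    if record[:1] == b"\x17":                              # 0x17 = application_data, encrypted
        return f"encrypted application data, {len(record) - 5} bytes, contents unreadable"
    return "unrecognised record"


if __name__ == "__main__":
    # The handshake leaks where you are going...
    print(observer_view(build_client_hello("www.example.com")))
    # ...but the page request that follows is an opaque blob of a known size.
    page_request = b"\x17\x03\x03" + struct.pack("!H", 512) + b"\x00" * 512
    print(observer_view(page_request))
```

Run it and the first line names the site while the second shows only a byte count; that hostname is exactly the metadata that moves from your ISP to your VPN provider when you turn a VPN on (Encrypted Client Hello and DNS-over-HTTPS narrow this gap, but neither was the default for most users in 2021).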

You might unknowingly have a VPN with a subscription you're already paying for; both Google (VPN by Google One) and Apple (iCloud Plus) offer a VPN that you can use. Double check.

If you don't have one of these, and want a cheap solution: try the free ProtonVPN plan. I distrust all free plans, but ProtonVPN seems the least sketchy to me.

If you prefer a more robust paid VPN, right now the VPN subreddit rates both Mullvad and NordVPN pretty highly. But check the subreddit out for yourself; things may have changed since I published this article.

Use Case: I want to circumvent regional content restrictions

A lot of VPNs advertise that they can bypass regional content restrictions. Good luck with that. The reality is it's a cat-and-mouse game. Content providers are constantly blocking known VPN servers, VPN providers are constantly moving their IP addresses. I think "intermittent" is the best you're gonna do. The NetflixViaVPN subreddit can probably let you know what's working best at the moment.

Update 3/29/2022: Based on feedback, try to find a VPN provider that specializes in this use case--apparently, if they get blocked, they can usually circumvent the block in a few minutes with a call/chat with support. One example (recommended by a couple of people) is "unlocator". YMMV.

Use Case: I want to torrent

Find a provider that doesn't keep logs. It's also a good idea to have a VPN client with an automatic kill switch: if the VPN goes down, all internet traffic should stop, rather than silently reverting to an unencrypted connection.
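What a kill switch actually is, as an added example rather than anything from the post or from a particular VPN client: a default-deny outbound policy in which only three kinds of packets may leave the machine, loopback, packets inside the tunnel interface, and the encrypted outer packets to the VPN server that carry the tunnel. The example models that policy, evaluates a few packets against it (including the failure mode where the tunnel drops and the OS falls back to the physical interface), and renders the same rules as an nftables script. The endpoint address 203.0.113.10, port 51820, the interface names and the destination addresses are constructed placeholders.

```python
"""A VPN kill switch modelled as a default-drop outbound packet policy, plus the
same policy rendered as an nftables script.  Added example; addresses, port and
interface names are constructed placeholders, not a real provider's settings."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    out_iface: str      # interface the packet would leave on
    dst_ip: str
    proto: str          # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    out_iface: Optional[str] = None   # None means "any"
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return all(
            want is None or want == have
            for want, have in ((self.out_iface, p.out_iface), (self.dst_ip, p.dst_ip),
                               (self.proto, p.proto), (self.dport, p.dport))
        )


def kill_switch_rules(vpn_endpoint: str, vpn_port: int, tun_iface: str) -> List[Rule]:
    """Only loopback, the tunnel itself, and the tunnel's outer packets may leave."""
    return [
        Rule("accept", out_iface="lo", comment="local processes"),
        Rule("accept", out_iface=tun_iface, comment="traffic inside the VPN tunnel"),
        Rule("accept", dst_ip=vpn_endpoint, proto="udp", dport=vpn_port,
             comment="the tunnel's own encrypted packets to the VPN server"),
    ]


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped.  That default is the kill switch."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


def render_nft(rules: List[Rule]) -> str:
    """Render the policy as an nftables script with a default-drop output chain."""
    lines = [
        "table inet killswitch {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
    ]
    for r in rules:
        parts = []
        if r.out_iface:
            parts.append(f'oifname "{r.out_iface}"')
        if r.dst_ip:
            parts.append(f"ip daddr {r.dst_ip}")
        if r.proto and r.dport:
            parts.append(f"{r.proto} dport {r.dport}")
        lines.append(f'    {" ".join(parts)} {r.action} comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    rules = kill_switch_rules("203.0.113.10", 51820, "wg0")
    scenarios = {
        "tunnel up, web traffic via wg0":        Packet("wg0", "198.51.100.7", "tcp", 443),
        "tunnel down, web traffic falls to eth0": Packet("eth0", "198.51.100.7", "tcp", 443),
        "DNS to ISP resolver on eth0":           Packet("eth0", "192.0.2.53", "udp", 53),
        "outer WireGuard packet to endpoint":    Packet("eth0", "203.0.113.10", "udp", 51820),
    }
    for label, pkt in scenarios.items():
        print(f"{label:40s} -> {verdict(rules, pkt)}")
    print(render_nft(rules))
```

The second and third scenarios are the whole point: when the tunnel interface disappears, the routing table happily sends the same packets out eth0 in the clear, and only a default-drop rule like this one stops them. The rendered script is the shape most VPN clients' "kill switch" option installs for you; if you apply something like it by hand, load it before bringing the tunnel up, and remember that the endpoint rule must match the exact address and port your client connects to.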

Most free VPNs block all P2P traffic, so you'll almost certainly have to use a paid solution. The VPNTorrents subreddit has good advice about how to choose a paid VPN. I'm currently on a multiyear Private Internet Access plan, but when that expires I'll probably switch to Mullvad. (Why will I switch? Because PIA was purchased by a company that has a checkered past.)

Use Case: I want to hide from the NSA/CIA/FSB/MSS/Unit 8200

This is above my pay grade. In general, the Tor browser is your best bet, either standalone or as part of Tails OS. But Tor traffic can be slow and is blocked by a lot of websites, so using Tor for everything is not a good daily driver. Good luck.