VPNs

They sold out to a sketchy Israeli company called Kape that not only was associated with malware in the past but also had a CEO from Israel's Unit 8200, their version of the NSA. Also they appeared to be trying to buy up all their competitors which is suspicious as well.
Thanks for the reply. That does sound a bit fishy to me. I think I'll just let my subscription expire and find a different provider.
 
They sold out to a sketchy Israeli company called Kape that not only was associated with malware in the past but also had a CEO from Israel's Unit 8200, their version of the NSA. Also they appeared to be trying to buy up all their competitors which is suspicious as well.
Are there any alternatives that have a proven no-log keeping record?
 
I've been test-driving Mysterium VPN for a while, it's an interesting service that relies on a node-based network a little like Tor. I'd say it's worth a look but I can't vouch for how private it is as you're essentially trusting the person/entity running the exit node with your internet traffic.
 
My VPN currently is just an OpenVPN instance on a server I installed at my old employer. I don't use it for anything excessively illegal as it would be stupid to (probably way too easy to track the instance back to me), just for things I'm IP banned from with my home IP.
 
Eyeing over VPN options, I took a quick skim of the thread and unless I am reading wrong the feelings are that Mullvad and Proton, Express VPN is good but shilled more than it trumps any of its competitors for the higher price and Nord used to be alright but doesn't seem as reputable these days. That a decent approximation?
 
Eyeing over VPN options, I took a quick skim of the thread and unless I am reading wrong the feelings are that Mullvad and Proton, Express VPN is good but shilled more than it trumps any of its competitors for the higher price and Nord used to be alright but doesn't seem as reputable these days. That a decent approximation?
First regarding price: whatever you go with, I'd just get a month for now on the off chance you can do better for Black Friday / Cyber Monday. Mullvad markets as being the same monthly price no matter what, Proton I think usually does some VPN/Email bundle, and I've heard people mentioning picking up Express VPN on sale (but I'm not sure if they're BF/CM sales)

Second regarding selection:
  • I can't say about the KF consensus, it's been a while since I've been on this thread, but I personally...
  • I am wary of Proton VPN because it is affiliated with ProtonMail, which bans accounts for hate speech. ProtonMail doesn't need to read your emails to perform such a ban - high profile individuals often leave a contact address somewhere in the open and if Proton is alerted to it then they can ban the handle without inspecting the account contents. I would not feel comfortable browsing with that over my head. Their black Friday Mail/VPN bundles are great for plausible deniability if you're using a regular credit card however; just claim you really wanted the email service and that gosh darned cable company mail merchant would only give you the cheapest deal if you bundled services. (Just, never give anyone that email address or you might get both your email and your VPN shut down).
  • I think highly of Mullvad because it is on the r/VPNTorrents list. I think that for any American user who is not in a serious life or death espionage scenario, the VPN Torrents list is a great place to start because rich litigious corporations are actively out to get pirates, so that list is based on survival of fittest instead of just documented policy.
  • All I've heard about Express VPN is that it is very China friendly. Not my use case, I would just do a cursory check that the people who like it aren't just chinks who need to get past the GFW. Nothing wrong with that use case but I want to make sure there's more to it than speedy connections to Asia.
Now a question of my own: what's the problem with lifetime VPNs, usually? Is it that the usage limits are prohibitively low in order to force you onto a real plan, or that the companies just cease to exist? I would not trust my entire browsing history to such a cheap VPN but I've considered maybe getting one and leaving it in stasis just in case I ever get in a chicken and egg situation where I need to buy a VPN but I need to be using a VPN while I do it so I can't be monitored buying a VPN. A shitty 100MB/year quota would be more than enough for that purpose, provided I know the company is likely to exist 2 years from now.
 
IMO the main feature you want with a VPN is kill switch, i.e. if you are not connected to the VPN it flat out turns off Internet access.

If you are even more paranoid, consider only using a VM running TAILS or something like that. The tor instance on the Farms is actually pretty stable lately.

You might also want something more feature-rich and configurable, and stuff like Mullvad and Windscribe, and generally lesser known VPNs have more geeky features if those are to your interest, but your security is more or less up to you at that point. The more configurable VPNs will be capable of doing stuff like letting you connect through your actual router so if you are into custom firmware and fun stuff like that, they're more capable of accommodating your needs.

At the point you're doing that stuff, though, you're probably capable of figuring it out yourself.
 
@Dergint I believe Nord actually already started its Black Friday deal, sure I saw something about it in casual searching, thanks for the advice. Between the latest posts and other stuff in the thread I'm leaning to Mullvad.

@AnOminous Appreciate the advice. Kill switch standard for all VPNs or do some of them not provide it? I can obviously check it when I am looking at specifics but curious if it's fairly standard.

To both I'm not majorly paranoid. Even my posts on the Farms I am not especially demented about real world stuff, outside of this place I'm even more milquetoast. I am however aware that increasingly efforts are stepping up across the world both on the criminal side and the ostensible crime prevention side so further steps to make myself more aware and secure are advisable.

I am hoping to get more aware of the cyber security side of things, heck when work is not so insane and I'm not also trying to get my fat ass into shape I might start a thread asking for more general advice to supplement what else I can dig up elsewhere. At the moment though I am starting low down to work it into bite sized chunks for myself.
 
@Dergint I believe Nord actually already started its Black Friday deal
Ahaha you're right! Top of their home page, 59% off, valid for the next ~10 hours! (for me anyways, I bet that's the kind of skeevy deal with a different timer for each person).

I've been autistically peeved at seeing grocery stores sell holiday decorated bakery goods that go off the day before the holiday in question before, but that's reasonable if you consider people won't actually wait until the holiday to consume product and even if they did it's probably a "sell" by date (not "best" or "eat" by).

But, a black Friday deal with a counter that hits zero in October! That's hilarious.

I've seen a BF Email sale up too, but that's marketed as pre-BF rather than BF proper.
 
@AnOminous Appreciate the advice. Kill switch standard for all VPNs or do some of them not provide it? I can obviously check it when I am looking at specifics but curious if it's fairly standard.
If they have it it's usually obviously available under that name. You can also ensure it by simply going entirely through a VPN on a separate machine, so that it's impossible not to have it, or running a virtual machine with TAILS.
 
@Dergint - it's tied to your IP address I think. I tried off an unsecured and a TOR one, the unsecured was still counting down from around 10 hours and the TOR one started at around 09:40. I'd be unsurprised if it resets daily.
I could try another device to check further but I am not that frantic especially when others might have similar deals. I've a couple of reality based associates more heavily into some internet stuff than me that I likely want to check in with too.
You are right, it does smack a bit of that sort of thing. But stores always need to sell, plenty of stuff sold for the many holidays coming will go off well before them. Not too surprising to see VPNs doing the same.

@AnOminous - thank you. I did look at the virtual machine stuff, it's a possibility. I need to get another computer at some point soon, this one's a fairly clunky refurbed base unit that only set me back a hundred odd. But it did replace a 10 year old device so in comparison it runs like a dream.

Weirdly part of this was prompted by my barber asking me about them recently. When a man in his late 60s who lives a fairly normal life with minimal internet presence by all accounts is asking about that sort of thing they probably need to become a way of life. Or maybe he's selling organs and will Sweeney Todd me any day now.
 
I run my VPN on a router but I’m capped at 50mb/s because of the router’s hardware capabilities. Does anyone know of a beefy router that’s capable of better speeds that can run DD-WRT or OpenWRT?
 
@AnOminous Appreciate the advice. Kill switch standard for all VPNs or do some of them not provide it? I can obviously check it when I am looking at specifics but curious if it's fairly standard.
Usually there's a highly visible option for it in most of the noob-friendly clients with GUIs. The ones that don't have a GUI should be able to set up to work that way though it might take some actual figuring out.
 
Apologies if this was posted already.



Android leaks some traffic even when 'Always-on VPN' is enabled


By Bill Toulas
October 11, 2022

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the "Block connections without VPN," or "Always-on VPN," features are enabled.

The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic.

This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" features in Android's documentation.

Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

VPNs on Android


VPNs (virtual private networks) are protected network connections that encrypt internet traffic over public networks. When connected to a VPN, all your Internet connections will use the IP address of your VPN service rather than your public IP address.

This allows users to bypass censorship and throttling, and maintain privacy and anonymity while browsing the web, as the remote hosts will never see your actual IP address.

Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly.

Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features.

This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks.

"This is a feature request for adding the option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker.

"This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy."

Unfortunately, a Google engineer responded that this is intended functionality for Android and that it would not be fixed for the following reasons:

  • Many VPNs actually rely on the results of these connectivity checks to function,
  • The checks are neither the only nor the riskiest exemptions from VPN connections,
  • The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.
Mullvad countered these points and highlighted the significant benefits of adding the option, even if not all issues will be addressed, and the case remains open.

Potential implications


The traffic that is leaked outside the VPN connection contains metadata that could be used to derive sensitive de-anonymization information, such as WiFi access point locations.

“The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic,” explains Mullvad in the blog post.

“Even if the content of the message does not reveal anything more than "some Android device connected", the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations.”

While this isn't easy for unsophisticated threat actors, people who use VPNs to protect themselves from persistent attackers would still find the risk significant.

Furthermore, Mullvad explains that even if the leaks are not fixed, Google should at least update the documentation to correctly indicate that 'Connectivity Checks' would not be protected by the "Block connections without VPN" feature.

Mullvad is still debating the significance of the data leak with Google, calling them to introduce the ability to disable connectivity checks and minimize liability points.

Notably, GrapheneOS, an Android-based privacy and security-focused operating system that can run on a limited number of smartphone models, provides this option with the intended functionality.

TL;DR: Android by design purposely leaks data even if you use a vpn.
 
Mullvad also said how you can fix it yourself using adb.
Link | Archive
This guide explains how users of Android 8 or newer can configure connectivity checks, which are used primarily for captive portal detection. For more information regarding why this might be relevant for you, please check out this blog post.

Prerequisites


First you need to install adb (Android debug bridge) on your computer, and enable it on your Android device. The process varies depending on computer OS and Android device so we suggest to either follow the official documentation or other guides available online, such as the guide by xda-developers.

When you are done changing the settings below, we recommend that you disable adb on your Android device again, to protect it from being accessed by others when you plug it in later. See above links for this also.

How to set the captive portal mode


Connectivity checks are controlled by the captive portal mode, which can be one of the following values:

  • 0 - Don’t attempt to detect captive portals. This means connectivity checks are disabled.
  • 1 - When detecting a captive portal, display a notification that prompts the user to sign in. This is the default setting.
  • 2 - When detecting a captive portal, immediately disconnect from the network and do not reconnect to that network in the future.

The following command can be used to show the current mode:
adb shell settings get global captive_portal_mode

The following command can be used to set the captive portal mode:
adb shell settings put global captive_portal_mode <mode>

So for example, to disable connectivity checks, run the following command:
adb shell settings put global captive_portal_mode 0

How to set a custom captive portal server


If you rather keep the captive portal detection enabled, but want to avoid sending traffic to Google, it is also possible to change which servers are used for captive portal detection. Please note that it might be better or worse in terms of privacy. Less data might be collected, however the traffic might be more identifiable as it is more unique.

These are the commands to run to set custom connectivity check URLs:
adb shell settings put global captive_portal_http_url http://example.com/generate_204
adb shell settings put global captive_portal_https_url https://example.com/generate_204
adb shell settings put global captive_portal_fallback_url http://fallback.example.com/gen_204
adb shell settings put global captive_portal_other_fallback_urls http://fallback.example.com/generate_204


----
Used inline code because code block was broken for me.
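
Added example, not part of the post above or of Mullvad's guide: a shell function that reads back the settings the guide names and reports whether connectivity checks are disabled or still pointed at the built-in default servers. `fake_adb` and `FAKE_SETTINGS` are constructed stand-ins for a device so it can be tried offline; the `null` handling relies on `settings get` printing `null` for a key that was never set.

```shell
#!/bin/sh
# Command used to reach the device; set ADB=fake_adb to try the audit offline.
ADB=${ADB:-adb}

# Constructed stand-in for a device (not a real tool). It answers
# "fake_adb shell settings get global <key>" from FAKE_SETTINGS,
# a newline-separated list of key=value pairs.
fake_adb() {
    v=$(printf '%s\n' "$FAKE_SETTINGS" | sed -n "s|^$5=||p")
    echo "${v:-null}"
}

# Read one key from the "global" settings namespace.
get_global() {
    $ADB shell settings get global "$1" 2>/dev/null | tr -d '\r'
}

# Map captive_portal_mode to the three meanings listed in the guide.
# An unset key ("null") means the default, mode 1, is in effect.
describe_mode() {
    case "$1" in
        0)      echo "disabled" ;;
        1|null) echo "prompt" ;;
        2)      echo "avoid" ;;
        *)      echo "unreadable" ;;
    esac
}

# Returns 0 if checks are off or every check URL is overridden,
# 1 if at least one check still uses a built-in default URL,
# 2 if the mode could not be read (no device, adb missing, odd value).
audit_connectivity_checks() {
    mode=$(get_global captive_portal_mode)
    state=$(describe_mode "$mode")
    echo "captive_portal_mode=${mode:-<no answer>} ($state)"
    [ "$state" = "disabled" ] && return 0
    [ "$state" = "unreadable" ] && return 2
    missing=0
    for key in captive_portal_http_url captive_portal_https_url \
               captive_portal_fallback_url captive_portal_other_fallback_urls; do
        val=$(get_global "$key")
        if [ -z "$val" ] || [ "$val" = "null" ]; then
            echo "$key: not set, built-in default applies"
            missing=$((missing + 1))
        else
            echo "$key: $val"
        fi
    done
    [ "$missing" -eq 0 ]
}
```

Source the file and call `audit_connectivity_checks` with the device attached; modes 1 and 2 both still send checks, which is why the URLs are inspected in either case.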
 
kill switch

Is there something I don't know about this "feature" or can't it be replicated in the form of a persistent static route with lower metric than the default route? That should survive setup/teardown of routes during VPN disconnect/reconnect, and if you set it to use an exit interface (the VPN interface) instead of a next-hop address, then transmissions should reliably fail when there is no tunnel.
 
Is there something I don't know about this "feature" or can't it be replicated in the form of a persistent static route with lower metric than the default route? That should survive setup/teardown of routes during VPN disconnect/reconnect, and if you set it to use an exit interface (the VPN interface) instead of a next-hop address, then transmissions should reliably fail when there is no tunnel.
If you can roll your own solution and trust yourself not to screw it up somehow, that doesn't really apply to you, but I think more people are actually depending on built-in features like that in user-friendly clients.

Also this solution would probably not work with something like split tunneling in any event, which a lot of people also want and which depends on an ability to access Internet directly.

If you're both paranoid and also don't trust your own networking ability, there are also solutions like Whonix and Qubes, where you can have one computer's sole access to the world be through another virtual machine (or actually separate physical machine) running tor, i.e. the client doesn't even know its own "real" IP address.

Or run custom firmware on your router and use a VPN or tor, so again, the machine you're on doesn't even know its own real address (so can't be tricked by malicious scripts into revealing it).
 
I'll speak for the P2P question and say that Mullvad supports port forwarding right off the bat. I currently have an open port for use with Soulseek and it works just fine for sharing my own files, though it is only using OpenVPN for now. I don't remember if I was able to get a WireGuard one working last time I tried but I'll probably have a look some other time.

E: WireGuard also works just fine, was actually no different from forwarding it using OpenVPN. No clue why I assumed it would be more involved.
You got Mullvad to work with slsk? Is the obfuscated port mandatory or not? How do you have it set up?
 