Consumer VPNs are a scam - here's a better way
Everyone's seen a sponsorship or two from a YouTube channel they like: they'll be sponsored by NordVPN or some similar VPN service with a large marketing budget. It catches the audience's eye -- after all, who doesn't want an extra layer of privacy and security? VPNs seem like a great way to keep yourself from being taken advantage of online, right?
Nah. The problem with all of these VPN services is that they fundamentally present an unnecessary privacy risk.
What really IS a VPN?
A VPN is a tool that routes your traffic into a remote location's private network. Most decent VPNs encrypt the tunnel between you and that network and use protocols designed to resist packet inspection.
So what's the issue with NordVPN, etc.
Most VPN services just rely on you funneling all of your personal traffic to their servers. You're trading feeding your data to your ISP for feeding it to a third party that you might not be able to trust nearly as much.
Even if a VPN service presents itself as having a "no-logs policy", there is absolutely no guarantee that it'll stand by it. You're putting all your trust in that provider to stand by their words.
There is very little privacy benefit; you're just moving the burden of trust from your ISP to a random provider.
HTTPS
If security is the concern, most Internet traffic is already sent over an encrypted protocol called HTTPS. If you see a padlock icon next to the URL of the website you're on, it's making use of it. While your ISP can see the domain name you're visiting (so, in this case, https://zandyne.xyz), it can't see any more information than that. HTTPS is a reasonable security measure that's "on" by default in any browser made in the last decade.
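To make concrete what an on-path observer such as an ISP can and can't read from an HTTPS connection, here is an added example (not from this post): it builds a minimal TLS ClientHello for zandyne.xyz with a constructed, filler random value and then parses out the Server Name Indication field, the one place the hostname appears in the clear before encryption starts. Everything after the handshake (the URL path, headers, page contents) rides in encrypted records this parser never needs to read.

```python
import struct
from typing import Optional

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension.
    Constructed sample, not captured traffic: the random field is filler."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"              # client_version
            + b"\x11" * 32           # random (filler)
            + b"\x00"                # empty session_id
            + b"\x00\x02\x13\x01"    # one cipher suite
            + b"\x01\x00"            # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(record: bytes) -> Optional[str]:
    """Return the server_name an on-path observer can read from a ClientHello,
    or None if the record is not a ClientHello or carries no SNI."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs = record[5:]
    pos = 4 + 2 + 32                                           # header, version, random
    pos += 1 + hs[pos]                                         # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]         # cipher_suites
    pos += 1 + hs[pos]                                         # compression_methods
    if pos + 2 > len(hs):
        return None                                            # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, 1-byte name_type, 2-byte length, name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

if __name__ == "__main__":
    hello = build_client_hello("zandyne.xyz")
    # The request line, cookies and page content travel in later, encrypted records;
    # the hostname printed here is all that is visible in the clear.
    print("observer sees host:", sni_from_client_hello(hello))
```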
Secure DNS
A lot of browsers and services are also pushing a protocol called DNS over HTTPS (DoH), which encrypts the exchange between a client asking for DNS resolution and the resolver. If you don't know what DNS is, think of it as the system that points domain names on the Internet to their corresponding IP addresses. One way to picture it: a company assigns every employee an ID, and a service looks up each employee's name and hands back their ID. DoH presents some privacy concerns of its own and makes it harder to limit what content your devices can access, but considering plain DNS requests are unencrypted and vulnerable to man-in-the-middle attacks otherwise, it's a reasonable tradeoff. Go check in your browser now to see if it's turned on.
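As an added example (not part of the original post), the following builds a DNS query in the wire format that plain UDP/53 sends, shows that the queried name can be read straight off the bytes, and then wraps the same message the way an RFC 8484 DoH GET request does. The resolver URL https://doh.example/dns-query is a placeholder, not a real service.

```python
import base64
import struct

def build_dns_query(name: str, txid: int = 0) -> bytes:
    """Build a standard A query in DNS wire format (RFC 1035).
    The same bytes go into a UDP/53 datagram or into a DoH request."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def qname_from_wire(packet: bytes) -> str:
    """Recover the queried name from a raw DNS message. This is what anyone on the
    path (your ISP, a coffee-shop router) reads from a plain UDP/53 query."""
    pos, labels = 12, []                      # the question follows the 12-byte header
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire message, base64url-encoded with '=' padding
    removed, in the ?dns= parameter. The URL travels inside TLS, so an observer
    sees only the resolver's hostname, not the name being looked up."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"

def wire_from_doh_url(url: str) -> bytes:
    """Inverse of doh_get_url: restore padding and decode, as the resolver does."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

if __name__ == "__main__":
    q = build_dns_query("zandyne.xyz")          # txid 0, as RFC 8484 suggests for GET
    print("plain UDP/53 payload:", q.hex())
    print("readable on the wire:", qname_from_wire(q))
    # https://doh.example/dns-query is a placeholder resolver URL, not a real service.
    print("DoH GET request     :", doh_get_url("https://doh.example/dns-query", q))
```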
VPNs are not a bad technology
With all that said, there's absolutely nothing wrong with VPNs as a concept. They're an incredibly useful tool, but they're most effective when they're used properly.
Here are some common real-world use cases for VPNs:
- Connecting to your small business/enterprise setting's network from home
- Avoiding forms of geoblocking
- Hiding specific kinds of traffic from your ISP (they can still tell that you're using one)
- Accessing your own devices like smart cameras and the like from home that might not be publicly exposed to the Internet
- Accessing potentially insecure self-hosted services or things you don't want to risk directly exposing to the Internet, and avoiding port forwarding for them
VPNs are an incredibly useful tool for these use cases. But you don't have to rely on a third-party to solve a lot of these challenges. There's a better way.
How to spin up your own
I want to make clear that none of the solutions I present here are foolproof ways to stay secure or private on the Internet. They're designed specifically to address the above bullet points.
Zero-config mesh VPNs
Mesh VPNs use a peer-to-peer system that spins up "nodes" or "instances" to connect to, rather than funneling everything through a single server somewhere in the cloud. Here's Tailscale's article on it. There are a handful of options you can use, and they help in situations where you simply want your content accessible and reasonably secure remotely. The disadvantage with most of these is that you have to extend some level of trust to the service holding the authentication keys. Additionally, they offer a really useful service that is almost too good to be true -- they can enshittify in the future or start charging you. Lastly, a lot of these tools are somewhat slower than a barebones WireGuard connection; that's the price of automagic configuration, DNS resolution and all that mess.
Here are some common options for mesh VPNs:
- Tailscale is the one I use nowadays. It allows you to access devices registered under your Tailscale network from anywhere, which is a godsend for small/medium-sized networks.
- Zerotier is another popular solution that uses their own in-house VPN protocol.
- Nebula is Slack's approach to the technology, but I've found that having to write a configuration and firewall rules for each node can be a bit of a pain.
All of these services will let you access any device added to the mesh network, and they can be configured to route your traffic through another node, making it more in line with a "traditional" VPN (see Tailscale's exit node article). This is also the most idiot-proof solution, as a lot of the dirty work and configuration normally involved with VPNs is abstracted away, everything can be hardened, and access is gated behind existing authentication technologies.
Traditional VPNs
There are two popular VPN protocols in use nowadays: the more complex and mature OpenVPN, and the simpler, faster and lighter-weight WireGuard. If speed is a concern, if you don't feel comfortable relying on third parties in general, or if your needs are very simple, this might be a good option. I'm going to write an article in the near future that walks you through a couple of methods of setting up a simple VPN on your own VPS (a small virtual machine that you rent in the cloud). Take a look at Oracle's Free Tier cloud service for something that doesn't expect any financial investment.
How to be "private"
Privacy is a really hard thing to gauge, because a lot of people falsely believe certain behaviors keep their browsing data anonymous and safe. The best thing you can possibly do to preserve your privacy is to be mindful of not just the services YOU use, but the way your friends and family use the Internet. You can follow the smartest practices ever at home, but it doesn't matter much if your mom and dad are openly posting photos and videos of you on Facebook. Privacy is a systemic challenge and not just something you as an individual need to address.
Additionally, a lot of the privacy measures people take don't help. Don't install privacy extensions in your web browser, and in general keep your web browsing close to the default configuration. Every "weird" part of your setup, every extension or tweak or other divergence from the default plain-Jane Windows and Chrome setup, makes your digital fingerprint more unique. Fingerprinting is probably the most prolific way the modern web is able to track you, and a VPN isn't going to help much there.
A light ad-blocker like uBlock Origin is all most people need. If you must hide yourself, Tor Browser and Tails are tools you should look into. Keep your usage of both strictly anonymous: don't log into your Gmail account or anything like that.
Stop buying into memes.
YouTubers will push a lot of technologies blindly. I don't necessarily have a problem with VPN providers; my issue is more the dishonest framing and marketing their sponsorships present. For a normal person, spending $3 a month to comfortably torrent at home or access geoblocked content from a different country might make sense. Telling them they're "safe and secure from hackers" is simply not true, and I'm tired of hearing bullshit like that.