A Defensive Computing Checklist    by Michael Horowitz
NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

VPNs

Topics below: Introduction, Is the VPN working?, Choosing a VPN - Software Features, Choosing a VPN - Other Criteria, Blocking Ads and Tracking while using a VPN, An FYI on Location Hiding, Double VPNs, Advanced Techie Stuff, My User Experience with some VPN client programs

INTRO

At the simplest level, a VPN is an encrypted connection between two computing devices. The data that flows between the connected devices is encrypted by the software that created the connection. One of the devices is referred to as the VPN server. Like any other type of server (web, email, etc.), a VPN server sits and waits for computers to connect to it. The other device is the VPN client. It is the client that initiates the VPN connection between the two devices.

Software running on a computing device is what determines if it functions as a VPN client or a VPN server. Devices such as phones, tablets and personal computers are usually the VPN clients. Routers are interesting in that many can be either a VPN client or a VPN server. Then again, many routers can do neither. Oftentimes a computer is dedicated to function as a VPN server, so the hardware and software are thought of as one and the same.

There are different flavors of VPNs and both the client and server must be the same flavor. Popular flavors are OpenVPN, WireGuard and IKEv2.

In addition to flavors, there are also different categories of VPNs. Perhaps the biggest category is Consumer vs. Business. Business VPNs are run by large companies for their employees. Typically they connect remote employees to the head office, and they may also be used to connect different buildings in different cities to form one big company-wide network. This page is about consumer VPNs; employees of a large company have their own tech support and don't need anything from me.

With Consumer VPNs, the VPN servers are provided by a VPN company such as Mullvad, ProtonVPN, NordVPN, IVPN, ExpressVPN and hundreds more.

Google's Jigsaw division provides a free VPN called Outline. It differs from Consumer VPNs in that they provide the VPN server software that you have to install, configure and operate. They do their best to make setting up the VPN server as easy and cheap as possible. As to easy, they provide desktop software to install and configure the VPN server. As for cheap, they point out that the VPN server can be run on cloud-based Linux Virtual Machines for as little as $5 US/month. They also claim that their VPN is harder for bad governments to block. Again, this page is focused on Consumer VPNs. Maybe someday, I will get to kick the tires on Outline. Techies, as a rule, are disgraceful at explaining and documenting things, so whether a newbie to the software can actually get it to work will be interesting. In October 2022, the Washington Post said that nthLink offers a version of Outline that is easier to install and more flexible. I took a look at the nthLink website and found it totally devoid of information; a useless site chock full of buzzwords.

The connection between VPN client software on your device and a VPN server, somewhere on the Internet, is referred to as a "tunnel". When it is working as designed, all data entering and leaving the device running the VPN client software travels through the tunnel and is encrypted/decrypted by the VPN software at each end. The term tunnel is quite good, as it illustrates that only the two devices at each end of the tunnel can see the data. To anyone/anything outside the tunnel, all they see is encrypted useless junky bits.

NOTE: There are times when a device running VPN client software does not want all the data coming/going to travel through the VPN tunnel. This, however, is the exception. The official term for this is Split Tunneling. For example, there are some websites that test for the presence of a VPN connection and refuse to work with a VPN. In that case, the computing device running the VPN client software might want to make that one website an exception and let it travel outside the VPN tunnel. The alternative would be to shut down the VPN tunnel when accessing that website.

Who is outside the tunnel? Your ISP for one. Blocking spying by an ISP is especially important in the US, where ISPs are allowed to spy on their customers and sell that data. For details on this, see Internet Service Providers Collect, Sell Horrifying Amount of Sensitive Data, Government Study Concludes by Karl Bode (Oct. 2021). If you are in a public coffee shop, your fellow coffee drinkers are outside the VPN tunnel. If the VPN client software is running on your phone or tablet or computer, then the router is also outside the VPN tunnel.

That a VPN hides everything from the router and the ISP is how people in China can interact with the rest of the world. It is also how students in a school can bypass restrictions and see websites that teachers try to block.

As noted above, routers are computers and some can function as a VPN client, some can function as a VPN server, some can do both and some can do neither. The advantage to using VPN client software in a router is that all the devices connected to the router are protected by the VPN tunnel created by the router. This can protect devices, such as a Smart TV, that are not able to run VPN client software on their own.

There are two reasons to use a VPN server in a router. The first is to provide a secure way to access the devices in your home when you are away from home. The other is to use your home router as a free replacement for paid consumer VPN providers. Again, when away from home, you can connect to the VPN server software in your home router and use that secure, encrypted tunnel to hide your activities from the devices near you. Note however, that this does let your home ISP spy on you.

Some people have argued that since a "secure" website (using HTTPS) prevents others from reading the content of web pages, there is little need for a VPN. However, others can still tell which websites you visited. In some cases, just the website name gives away too much information. And, websites are not the only thing on the Internet. With mobile apps, for example, you can not tell if data is being transmitted securely or not.

In addition, a VPN will change your public IP address, so you can pretend to be in a different physical location.

Picking a VPN provider is mind bogglingly difficult. See one attempt and another and another and another and another and another and another and another. Even agreeing on the criteria to judge them with is impossible. I have my opinions on good/trustworthy VPN providers; email me for my suggestions. The big danger in picking a VPN provider that is not trustworthy is that they can spy on you, in the exact same way that an ISP can spy on you when you are not using a VPN.

If you are using a VPN on a device capable of both Wi-Fi and 4G/LTE/5G (pretty much every smartphone) it is best to disable the network connection that is not connected to the VPN. There is always a chance, especially on iOS, that data can leave the device on the network without the VPN.

New to VPNs? See my article An introduction to six types of VPN software from 2017. I also wrote A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers in 2016 which offers an introduction to VPNs and Tor.

DOWNSIDES TO VPN

On rare occasions a website will refuse to load when you are using a VPN. This screen shot is an example. It says "Access Denied", but the actual problem was the VPN. The error message is very likely not to say that the VPN is the problem. Note that while a website can detect a VPN, this is not always perfect. It may well be that one VPN server is blacklisted but another, from the same VPN provider, is not. Trial and error is needed. Instead of being completely blocked, some websites may just require extra identification when using a VPN.

A VPN will slow down your Internet connection, but it should be quite rare that the slowdown is noticeable. If the speed is noticeably slower, try connecting to a different VPN server, one that is physically close to you. Some VPN software handles this automatically, that is, it tries to find the fastest available server for you automatically. If you prefer manually picking a city or country that you would like to connect to, some VPN software will show you how busy each available VPN server is, in that city/country.

I suppose just having to turn the VPN on and off is a downside for some people. There are some VPNs that can be configured to start automatically when the computing device boots up, but I am not a big fan of the concept. For devices, like all of mine, that are frequently off-line, the VPN client software should be able to wait patiently until the device goes on-line again and then automatically re-connect. Sometimes this works, sometimes not.

VPN tunnels can break, even when the Internet connection is alive and well. So, if you are doing something sensitive, you need to watch the icon that indicates that the VPN is currently connected.

IS THE VPN WORKING?

If you are using an iOS device (iPhone, iPad) then it is fairly certain that the VPN is not working. This is a long story that boils down to not trusting any VPN on iOS because they all leak data outside the VPN tunnel. This was first reported by ProtonVPN in March 2020 for iOS version 13. See VPN bypass vulnerability in Apple iOS. I blogged about this in May 2022: VPNs on iOS are a scam and kept updating my blog through October 2022. Security company Disconnect wrote about the problem in March 2022. See Leak advisory: Apple and *All* iOS App Developers Are Able to Unmask VPN Users. In August 2022, VPN company IPVanish wrote an excellent article that went into three different types of leaks in iOS VPNs: iOS VPN leaks: why they happen and how to prevent exposure.

Things to test before and after connecting to a VPN:

 

CHOOSING A VPN - SOFTWARE FEATURES

 The tech press generally evaluates a VPN based on speed, price, logging and the number of servers. All of these criteria are wrong.

 

CHOOSING A VPN - OTHER CRITERIA

There is more to choosing a VPN provider than just software features.

WHO OWNS THE VPN COMPANY?

  1. Kape: In September 2021, Kape Technologies purchased ExpressVPN. They already owned CyberGhost, ZenMate and Private Internet Access (PIA). See Former Malware Distributor Kape Technologies Now Owns ExpressVPN by Sven Taylor. Kape also owns VPN review websites vpnmentor.com and wizcase.com. Speaking of ExpressVPN, there is also this: Edward Snowden urges users to stop using ExpressVPN (Sept. 2021).
  2. J2Global owns IPVanish and StrongVPN, as well as PC Magazine and Mashable, both of which review VPNs. They also own Ziff Davis which, in turn, owns the encrypt.me and Internet Shield VPNs.
  3. Some VPN companies are very clear about their ownership:
    IVPN: Who owns your VPN? You should find out (March 2021)
    Mullvad: The ownership and future of Mullvad VPN (September 2021)
    ProtonVPN: Who owns ProtonVPN (undated)
    OVPN: Who are the people behind OVPN? (undated)
    Windscribe: Can a commercial VPN still offer true privacy? (Feb. 2022)
    AzireVPN: About Us (undated)
  4. Clearly, security company F-Secure runs the Freedome VPN.
  5. The About Us page for Surfshark avoids the issue of ownership.
  6. The About us page for Astrill says "We are a registered Seychelles company". It does not mention anything else about the company and it says nothing about any of the people involved.
  7. The About Us page for TunnelBear has just cartoon pictures of bears. As of March 2018, TunnelBear was owned by McAfee. This despite McAfee offering their own VPN. In November 2021, McAfee agreed to sell itself to a group of Private-Equity investors (Advent International, Permira Advisers, Crosspoint Capital Partners, Canada Pension Plan Investment Board, GIC Private Limited and a subsidiary of the Abu Dhabi Investment Authority).
  8. NordVPN and SurfShark are both private companies. In February 2022 it was announced that they are merging, as per this article in PC Magazine: NordVPN's Parent Company Is Merging With VPN Provider Surfshark. Why are they merging? They said "...the merger will open new technical knowledge-sharing opportunities and enable more focused market diversification." Is that what you want in a VPN provider? It was unclear who will run the combined company, which will be called Cyberspace. It was registered in The Netherlands.
  9. 3 companies control many big-name VPNs: What you need to know by Attila Tomaschek of CNet (Feb 2022)
  10. Hidden VPN owners unveiled: 104 VPN products run by just 24 companies by Jan Youngren of VPN review website VPNpro (Oct 2021).

Many VPN companies rent their servers. It is more secure if the VPN provider owns its own servers. Many VPN companies use a VPS (Virtual Private Server). It is more secure to not use virtualization (called a bare-metal server or a dedicated server). It is also more secure if a VPN server runs totally in RAM and never writes to the hard disk (called RAM-disk mode). Most VPN companies are mum on these points. A good survey on these points is at Restore Privacy. It says: ProtonVPN and VPN.ac use dedicated bare-metal servers; all ExpressVPN servers use RAM-disk mode; Perfect Privacy uses bare-metal servers running in RAM-disk mode; OVPN uses dedicated bare-metal servers, that they own, running in RAM-disk mode; Mullvad owns some of their servers but most are rented. AzireVPN also uses dedicated servers, that they own, running in RAM-disk mode. They blogged about this in September 2022: Why we Own our Own Servers.

Marketing honesty: Many VPN companies make vague promises of security, privacy and anonymity. This is stretching things. Look for a VPN company that is very clear about exactly what a VPN can and can not do.

Installation instructions: Most of the time, you have to install software to use a VPN. The instructions provided by the VPN companies differ greatly. I have seen companies that document every step of the install and others just say run the file you downloaded. You should be able to find the installation instructions on the website of the VPN company.

WARNINGS

Finally: You don't see this every day. In April 2022, the Windscribe blog featured a puff piece on the founder of the company: Who is Yegor Sak? The Man Behind The Meme by Catt Garrod. The article included this: "I started using VPNs in 2009 for my daily Internet activity ... This led me to learn all about what VPNs can and cannot do ... The one that stood out as different and I personally used for years was IVPN. Windscribe was very much inspired by how that company was operated: solid apps, no marketing speak, brutally honest information on capabilities and limitations."

 

BLOCK ADS/TRACKING WHILE USING A VPN

As a rule, the job of blocking ads and/or trackers falls to your web browser and its extensions. But some VPNs can do this too. One advantage of VPN blocking is that it applies to the entire operating system, not just one web browser. If you connect to one of these VPNs from a router, it can block ads/tracking on any device connected to the router. The downside of any such blocking (in a browser or a VPN) is carving out exceptions to the rules.

These VPNs do blocking:

  1. IVPN calls their tracker blocking feature AntiTracker.
  2. ProtonVPN calls their ad/tracker blocking feature NetShield. It uses DNS filtering to protect you from malware, block ads, and prevent website trackers from following you around the web. It is only available to paid customers.
  3. Mullvad added support for custom DNS server configuration on macOS, Windows, Linux and Android in April of 2021. This can be used with an assortment of DNS providers that block ads/trackers. In May 2021, they introduced ad blocking (How to set up ad blocking in our app). In June 2021, ad and tracker blocking was a new feature in their iOS app (How we’re knocking down ads and tracking). In March of 2022, they added malware blocking. See Adding another layer: Malware DNS blocking. Their customers can enable or disable each type of blocking individually. They also offer ad blocking for free to anyone, not just their customers, via their secure DNS service (DNS over HTTPS and DNS over TLS, last updated November 2021).
  4. OVPN added ad/tracker blocking to their Android and iOS apps in November 2021.
  5. At Perfect Privacy, their TrackStop feature blocks ad-tracking and phishing.
  6. The Disconnect Privacy Pro SmartVPN blocks trackers on iOS. Their Premium VPN blocks trackers on iOS, Android and macOS.
  7. Windscribe VPN offers what they call a "One-of-a-kind customizable server-side domain blocking tool" that blocks ads and trackers. They call the feature R.O.B.E.R.T. Its big advantage is that you can easily customize the blocking with your own block list and allow list, much like NextDNS.
  8. The Freedome VPN from F-Secure blocks trackers on iOS, Android, Windows and macOS.
  9. The Guardian Firewall + VPN app on iOS "blocks digital trackers from secretly collecting your information." It is from the Sudo Security Group. For free, their VPN service alerts about tracking but does not block. I wrote about it in August 2019.
  10. On Android, there are three versions of the Blokada ad-blocker. The free version that blocks ads is not allowed in the Play Store. It installs a VPN, but only to block ads by intercepting DNS requests. There was a trivial version in the Play Store that also installed a VPN but all it did was modify the DNS servers. Currently (Feb. 2020) the version in the Play Store is called Blokada Slim and it combines the older DNS changer with a fairly new, real, VPN called Blokada Tunnel which costs 5 Euros/month (roughly $5.50 in US dollars). Great feature: customized white and black lists.
  11. Coming: AdGuard VPN (Jan 2020). They are writing a new VPN protocol, which is not a good sign.
  12. Android 9, 10, 11 and 12: There is an interesting conflict between a VPN and the Android Private DNS feature. Each wants to be in charge of the system-wide DNS. In a test of Android 10 with three VPN providers, Private DNS won out every time. This was not a DNS leak, the DNS requests went through the VPN tunnel and the Private DNS resolver sees requests coming from the VPN server, not from the VPN client. However, in a test with Android 9, the VPN DNS won out. Beats me why. If Private DNS wins, and you use NextDNS, then any VPN can be used alongside the ad and tracker blocking from NextDNS. The best of both worlds. I tested with multiple DNS testers on my RouterSecurity.org site.

 

FYI ON LOCATION HIDING

All VPNs claim to hide your physical location and/or let you appear to be somewhere else. This stems from the fact that, with a live VPN connection, all data going to/from the Internet passes through the VPN server. Your public IP address is that of the VPN server, not your home or office. In the old days this was sold for the anonymity it offered. Later, it was sold so that people in the US could listen to the BBC.

But the claim predates smartphones, spy machines that they are. A smartphone can locate itself using GPS, Wi-Fi, cell tower location and probably even Bluetooth (not sure). I have tested Wi-Fi based locating and found it extremely accurate. So, if the phone knows where you are, who is to say whether it leaks this information to the outside world. And the outside world, on a phone or a desktop computer, is not just websites. Modifying your public IP address is not the be-all and end-all that it used to be. It is still a good thing, but it may no longer be sufficient.

The June 2022 issue of Unredacted Magazine had a story about this. The anonymous author is a privacy enthusiast. He uses a router with VPN client software, and the router makes a VPN connection that all LAN side devices pass through. One of the LAN side devices is an Xbox that is Ethernet connected to the router. You might think that the outside world only knows about the physical location of the VPN server. That's what the author of the article thought ... until he checked his Xbox Account Settings page and found a picture of the apartment complex where he lives with a pin in it indicating his apartment. It turns out that the Xbox uses Wi-Fi and that it can not be disabled. The Xbox was spying on him. It listened to all the SSIDs and MAC addresses being broadcast by the routers of his neighbors and calculated his location. VPN be damned.

If hiding your location is really important, it is best to use a device without Wi-Fi or GPS or Bluetooth. On a smartphone or tablet, disable them and hope the phone operating system honors your request. On a cellphone, airplane mode should prevent it from contacting cell towers. I say "should" because I don't know how to verify this. Even if you can not make or receive a phone call, that does not ensure that the phone is not communicating with a cell tower. After disabling Wi-Fi, GPS and Bluetooth, re-boot the device to ensure that it is not still using a recently detected location.

Clearly, Ethernet is your friend here. iPhones and iPads can use Ethernet with an appropriate adapter. Likewise there are USB type A and USB type C adapters for Ethernet that can be used with any computing device with a USB port.

To put this in perspective, the strongest option is preventing the operating system from knowing where it is. If this is not possible, then you need to try and prevent the operating system from giving the location to applications and to web browsers. In the case of browsers, there are probably configuration options in both the browser and the operating system for this. For more on this, see the Location Tracking topic on the main page.

Windows 10, for example, offers OS level configuration options for Location in System Settings -> Privacy -> Location. In the resulting panel, ensure that everything is off. On a lower level, Windows users should probably disable the Windows Geolocation service (a.k.a. lfsvc). The description says that it "...monitors the current location of the system and manages geofences (a geographical location with associated events). If you turn off this service, applications will be unable to use or receive notifications for geolocation or geofences." There may be a downside to disabling this service; I have not tested this extensively. But, I doubt it.

As an example of browser location settings, consider the Location settings for the Chrome browser (the screen shot is from Chrome 93 on Windows). You can access the location settings directly at chrome://settings/content/location. Here is where you control whether the Chrome browser is allowed to tell websites the location of the computer/phone/tablet. This assumes that the operating system and the browser already know the location. One slip-up in configuring this and a VPN can no longer hide your location from a website.

An article on this: How does my browser know my real location when I'm on a VPN? by pcwrt (January 2021).

I have yet to see any VPN provider mention that location blocking should be configured in both the operating system and the web browser that you use. That would burst their marketing bubble.

Fighting with the operating system and the browser is complicated, error prone and, even if done right, involves some trust that the software is doing what it's told. The safer approach is to ensure the operating system can not learn its location in the first place. Ethernet is your friend.

 

DOUBLE VPNs

You can increase your anonymity by using a VPN inside a VPN. Start with a normal Operating System level VPN. Then, while it is connected, use a web browser that has a VPN extension for a different VPN provider.

How does this protect you? The OS level VPN company will only know that you connected to the Browser VPN company. They can not see anything that you do in the browser. The Browser VPN company can see what you do (like any VPN provider) but they do not know where you are. They see you as a customer of the OS level VPN provider. They may, however, know who you are.

If you can be anonymous to the Browser VPN company, all the better. Perhaps the Browser VPN has a limited free tier or a free trial that can be used without providing personal information. Or, you can pay for some VPNs with cash or a gift card. I would avoid any VPN provider that only offers a free service.

Not all VPN companies offer a web browser extension.

NordVPN calls theirs a VPN proxy extension and it works with Chrome, Edge, and Firefox.

Microsoft's Edge browser will soon have a free VPN called the Edge Secure Network. The free tier limits data to 1 gigabyte per month. Worse, however, is that Microsoft requires users to be signed in to a Microsoft account to use the VPN. So, no anonymity there.

TunnelBear has extensions for Chrome and Firefox. It is a paid service with a limited free tier.

Windscribe has extensions for Firefox and Chrome. It too, is a paid service with a limited free tier.

The Opera browser has its own free VPN as part of the browser itself, no extension needed.

The Epic browser includes a free VPN and it can be installed on Android, iOS, Windows and macOS. That said, I am not familiar with it at all.

Not all browser VPN extensions are limited to just the browser, some work at the Operating System level and thus can not provide a VPN inside a VPN. This is true for the ExpressVPN browser extension and the Mozilla VPN. On Android and iOS, Brave includes a VPN (powered by Guardian) that also works at the operating system level.

Another option for double protection is offered by the desktop (Windows, macOS, Linux) versions of the Brave browser which includes access to the Tor network, no need to install an extension. The option is called "New private window with Tor".

A third approach is to run a normal Operating System level VPN on your computing device, while it is connected to a router that has its own VPN connection. This is most secure when each VPN connection is to a different VPN company.

ADVANCED TECHIE STUFF

Below is very technical, scholarly research into VPNs.

UNIVERSITY of MICHIGAN

The paper, VPNalyzer: Systematic Investigation of the VPN Ecosystem by researchers at the University of Michigan is long and dense and looks at a number of criteria never found in the tech press. They wrote their own software to perform assorted technical evaluations of VPNs. Their software ran on Windows, macOS and Linux, so nothing in the paper applies to iOS or Android. They studied 80 different VPN providers. Some findings (there is much more) are below.

ARIZONA STATE UNIVERSITY

Researchers from a number of different universities looked into hacking VPNs. This is an introductory article about their research and findings: Are virtual private networks actually private? by Annelise Krafft of Arizona State University (October 2022).

UNIVERSITY of MICHIGAN (again)

OpenVPN is Open to VPN Fingerprinting by Diwen Xue, Reethika Ramesh, and Arham Jain, University of Michigan; Michalis Kallitsis, Merit Network, Inc.; J. Alex Halderman, University of Michigan; Jedidiah R. Crandall, Arizona State University/Breakpointing Bad and Roya Ensafi, University of Michigan. This was an August 2022 USENIX presentation. The page has both a PDF and slides. Quoting: "To investigate the potential for VPN blocking, we develop mechanisms for accurately fingerprinting connections using OpenVPN ... We identify three fingerprints based on protocol features such as byte pattern, packet size, and server response ... we identify over 85% of OpenVPN flows with only negligible false positives, suggesting that OpenVPN-based services can be effectively blocked with little collateral damage ... Although some commercial VPNs implement countermeasures to avoid detection, our framework successfully identified connections to 34 out of 41 'obfuscated' VPN configurations."
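The byte-pattern and server-response fingerprints quoted above come from the cleartext header that every OpenVPN control-channel packet carries. The Python below is an added example (not the paper's VPNalyzer or fingerprinting code, nor any VPN vendor's): it parses the opcode/key-id byte, session id and ack fields of the first packet in each direction and reports whether the pair has the HARD_RESET_CLIENT_V2 then HARD_RESET_SERVER_V2 shape, with the server echoing the client's session id. This is the check a network monitor would run, and it shows why the handshake identifies itself before any TLS bytes are exchanged. The opcode values are from the OpenVPN source; the sample packets are constructed inline.

```python
"""Added example: check a flow's first packet in each direction for the
cleartext OpenVPN control-channel header (opcode byte pattern plus the
server's reset-and-ack reply). Not code from the paper or any VPN vendor."""
import struct

# Opcodes from the OpenVPN source: the upper 5 bits of the first payload byte.
P_ACK_V1 = 5
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8

SESSION_ID_LEN = 8


def strip_tcp_length(payload):
    """Over TCP each OpenVPN packet carries a 2-byte big-endian length prefix."""
    (n,) = struct.unpack("!H", payload[:2])
    if n != len(payload) - 2:
        raise ValueError("TCP length prefix does not match the payload")
    return payload[2:]


def parse_control(payload, over_tcp=False, hmac_len=0):
    """Parse the plaintext part of an OpenVPN control-channel packet.

    Layout (no tls-crypt): opcode/key_id (1), session_id (8),
    [tls-auth HMAC + 4-byte packet-id + 4-byte timestamp], ack count (1),
    acked packet-ids (4 each), remote session_id (8, only if acks > 0),
    message packet-id (4, absent for P_ACK_V1), then TLS ciphertext if any.
    hmac_len is the tls-auth tag size (0 when tls-auth is off).
    """
    if over_tcp:
        payload = strip_tcp_length(payload)
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    pos = 1
    session_id = payload[pos:pos + SESSION_ID_LEN]
    pos += SESSION_ID_LEN
    if hmac_len:
        pos += hmac_len + 4 + 4  # HMAC tag, replay packet-id, timestamp
    ack_count = payload[pos]
    pos += 1
    acked = []
    for _ in range(ack_count):
        acked.append(struct.unpack("!I", payload[pos:pos + 4])[0])
        pos += 4
    remote_session_id = None
    if ack_count:
        remote_session_id = payload[pos:pos + SESSION_ID_LEN]
        pos += SESSION_ID_LEN
    packet_id = None
    if opcode != P_ACK_V1:
        packet_id = struct.unpack("!I", payload[pos:pos + 4])[0]
        pos += 4
    if len(session_id) != SESSION_ID_LEN or pos > len(payload):
        raise ValueError("truncated packet")
    return {"opcode": opcode, "key_id": key_id, "session_id": session_id,
            "acked": acked, "remote_session_id": remote_session_id,
            "packet_id": packet_id, "rest": payload[pos:]}


def looks_like_openvpn(client_first, server_first, over_tcp=False, hmac_len=0):
    """Apply the fingerprint to the first client packet and first server reply.

    Returns (verdict, reason). The session-id echo and the ack of the client's
    packet-id separate a real handshake from a coincidental first byte.
    """
    try:
        c = parse_control(client_first, over_tcp, hmac_len)
        s = parse_control(server_first, over_tcp, hmac_len)
    except (ValueError, IndexError, struct.error):
        return False, "does not parse as OpenVPN control packets"
    if c["opcode"] != P_CONTROL_HARD_RESET_CLIENT_V2 or c["key_id"] != 0:
        return False, "client's first byte is not P_CONTROL_HARD_RESET_CLIENT_V2 (0x38)"
    if s["opcode"] != P_CONTROL_HARD_RESET_SERVER_V2 or s["key_id"] != 0:
        return False, "server's first byte is not P_CONTROL_HARD_RESET_SERVER_V2 (0x40)"
    if s["remote_session_id"] != c["session_id"]:
        return False, "server reply does not echo the client's session id"
    if c["packet_id"] not in s["acked"]:
        return False, "server reply does not ack the client's reset packet"
    return True, "OpenVPN handshake: 0x38 reset, 0x40 reset echoing session id"


# Constructed sample packets (UDP, no tls-auth): 14-byte client reset and
# 26-byte server reset, the fixed sizes a packet-size fingerprint keys on.
CLIENT_RESET_UDP = bytes.fromhex("38" "1122334455667788" "00" "00000000")
SERVER_RESET_UDP = bytes.fromhex(
    "40" "aabbccddeeff0011" "01" "00000000" "1122334455667788" "00000000")
# Same handshake over TCP: each packet gains its 2-byte length prefix.
CLIENT_RESET_TCP = b"\x00\x0e" + CLIENT_RESET_UDP
SERVER_RESET_TCP = b"\x00\x1a" + SERVER_RESET_UDP
# Right opcode but a foreign remote session id (constructed negative case).
SERVER_WRONG_SID = bytes.fromhex(
    "40" "aabbccddeeff0011" "01" "00000000" "0000000000000000" "00000000")
# Start of a TLS ClientHello (constructed): a non-OpenVPN flow must be rejected.
TLS_CLIENT_HELLO = bytes.fromhex("160301 00f5 0100 00f1 0303 5a5b5c5d5e5f6061 62")

if __name__ == "__main__":
    print("udp", looks_like_openvpn(CLIENT_RESET_UDP, SERVER_RESET_UDP))
    print("tcp", looks_like_openvpn(CLIENT_RESET_TCP, SERVER_RESET_TCP, over_tcp=True))
    print("wrong-sid", looks_like_openvpn(CLIENT_RESET_UDP, SERVER_WRONG_SID))
    print("tls", looks_like_openvpn(TLS_CLIENT_HELLO, SERVER_RESET_UDP))
```

With tls-crypt everything after the session id is encrypted, so only the opcode byte and session id remain visible; the paper's point is that even that is enough to identify the protocol.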

 

USER EXPERIENCES

The experience of using a VPN varies drastically, not only from company to company, but also from operating system to operating system with the same VPN provider. With that in mind, this haphazard section offers some insight into the user experience on a handful of operating systems with a few VPN providers (Windscribe, OVPN, ProtonVPN, Mullvad).

See the user experiences

 

This page was created October 17, 2021 and last updated November 17, 2022.
Website by Michael Horowitz (@defensivecomput). Copyright 2019 - 2022