Instead of a VPN subscription, I'd recommend a self-managed VPN solution. One can easily fire one up thanks to Streisand (https://github.com/jlund/streisand)



Well, then you depend on your VPS company.

It's important that you don't host any domains on the VPS you run the VPN on.

Security might not be top priority at the VPS provider.

All your requests come from the same IP address (and the VPN provider might very easily give out your private info).

I think a VPN from a reputable provider (like f-secure) is better for most users.


It depends on your goal. For privacy, a self-hosted VPN is a nightmare. To prevent sniffing and/or modification of content, a self-hosted VPN is great (your VPS company is less likely to target VPN traffic than a dedicated VPN provider).

I think a reputable VPN provider offers the better tradeoff, but there are legitimate reasons for self-hosting a VPN.


Could you please explain why a self-hosted VPN is a nightmare for privacy? I am running a Streisand server and the disk is fully encrypted.


With a VPS-self-hosted VPN all your connections to the outside originate from a static, unique, unshared IP, making it trivial to track and correlate your behavior across all protocols. Instead of containable identifiers like cookies, your IP has become a guaranteed unique identifier.

To leverage this, it's fairly easy to detect you're on a self-hosted VPN: your IP is in an IP range assigned to a hosting/colocation provider, is not a TOR proxy (there is a public list of those) and doesn't belong to any remotely popular VPN (easy to enumerate for a little money, lots of lists exist).

In exchange for that you have eliminated your ISP (or public wifi) as a threat but instead added the hosting provider to the list of threats. And for any adversary that stands above the law, the routing infrastructure of your hosting provider is already a valuable target.
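The three tests this comment describes (Tor exit list, shared-VPN ranges, hosting/colocation ranges) can be turned into a self-check: before relying on a VPN egress, classify its IP and see how distinguishable it is. The following is an added example, not code from the thread or from Streisand; all prefixes and log lines are constructed sample data (RFC 5737 documentation ranges), and the list names are assumptions. The second function illustrates the correlation point: a single user behind an unshared IP makes that IP a personal identifier.

```python
"""
Self-check for a VPN egress IP, built from the three tests named in the
comment above. All lists and records below are constructed sample data
(RFC 5737 documentation prefixes), not real provider allocations.
"""
import ipaddress

# Constructed stand-ins. In a real check these would be refreshed from the
# public Tor exit list, a VPN-provider IP list and ASN-to-prefix data for
# hosting providers (assumptions of this example, not facts from the thread).
TOR_EXITS = {"198.51.100.7", "198.51.100.9"}
SHARED_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/25")]
HOSTING_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
# Explicit RFC 1918 / loopback list; ipaddress.is_private also flags the
# documentation ranges used above, so it is not used here.
LOCAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _in_any(ip, ranges):
    """True if ip falls inside any network in ranges."""
    return any(ip in net for net in ranges)


def classify_egress(ip_str, tor_exits=TOR_EXITS,
                    vpn_ranges=SHARED_VPN_RANGES,
                    hosting_ranges=HOSTING_RANGES):
    """Return one of: not-routable, tor-exit, shared-vpn,
    likely-self-hosted-vpn, residential-or-other.

    Order matters: commercial VPN providers usually rent space inside
    hosting ranges, so the shared-VPN test must run before the hosting
    test or every shared VPN would be misreported as self-hosted.
    """
    ip = ipaddress.ip_address(ip_str)
    if _in_any(ip, LOCAL_RANGES):
        return "not-routable"
    if ip_str in tor_exits:
        return "tor-exit"
    if _in_any(ip, vpn_ranges):
        return "shared-vpn"
    if _in_any(ip, hosting_ranges):
        return "likely-self-hosted-vpn"
    return "residential-or-other"


# Constructed server-side records: (egress IP, account seen, service).
# 192.0.2.44 is a one-person VPS; 203.0.113.5 is a shared VPN endpoint.
SAMPLE_RECORDS = [
    ("192.0.2.44", "alice", "web"),
    ("192.0.2.44", "alice", "imap"),
    ("192.0.2.44", "alice", "irc"),
    ("203.0.113.5", "bob", "web"),
    ("203.0.113.5", "carol", "web"),
    ("203.0.113.5", "dave", "imap"),
]


def users_behind_ip(records, ip_str):
    """Distinct accounts observed behind one egress IP. A result of 1
    means the IP alone links every session to a single person."""
    return len({user for ip, user, _service in records if ip == ip_str})


if __name__ == "__main__":
    for ip in ("192.0.2.44", "203.0.113.5", "198.51.100.7", "10.0.0.1"):
        print(ip, classify_egress(ip))
    print("users behind 192.0.2.44:", users_behind_ip(SAMPLE_RECORDS, "192.0.2.44"))
    print("users behind 203.0.113.5:", users_behind_ip(SAMPLE_RECORDS, "203.0.113.5"))
```

The lists here are tiny stand-ins; the useful part is the ordering and the two outcomes: a hosting-range IP that is not on any VPN or Tor list reads as "likely-self-hosted-vpn", and a `users_behind_ip` count of 1 is exactly the unique-identifier problem the comment warns about.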


Thanks. So basically there is no way to hide the addresses I access through my VPN from the provider of my dedicated server? Would it help if I used a non-logging encrypted DNS server?


Because you're moving the "exit" from your non-anonymous local ISP to your non-anonymous colo provider. If you want to hide your traffic or at least make your adversary work a little to determine who you are, shared VPN endpoints are better.


How is that any different? ISPs don't let just anybody know who the subscriber is at a given IP (though if you do reverse lookups, many ISPs do leak a lot of locality information, so it's still a good idea to use some VPN instead of no VPN).

My Streisand hosted on AWS looks to the outside like anybody else's Streisand hosted on AWS, doesn't it?

Similarly, my f-secure egress looks like anybody else's f-secure egress, so what's the difference?

I don't really know, I don't use a VPN. Really asking.


ISPs don't let just anybody know who the subscriber is at a given IP

They certainly let law enforcement and intelligence agencies know, often without a warrant.

Please read my comment as if the threat model includes panopticon governments, not common skids running aircrack-ng.


And reputable VPN vendors resist efforts by nation states to procure information about subscribers? I would expect to have to pay a handsome fee for that.

(I'm not saying you're wrong; again I've not really thought about having to thoroughly anonymize my own traffic.)


"It's important that you don't host any domains on the VPS you run the VPN on."

Why is that, if I may ask? I have the impression that the great firewall blocks a lot of domains by default and they are allowed/blocked after a review after somebody tries to access them the first time. I may be paranoid, but often I try to open an obscure site. It is blocked. I have to use a VPN. A few days later the site can be accessed. Why not use a VPN server with a nice website that makes it look harmless?


I see three issues:

- You might forget private whois and expose your identity.
- There might be issues with the private whois that expose your identity.
- The contents of the website might expose you.


You could set up a box at home to route through.


Not if it's your home connection you want to protect.


True, but most of the advice given here seems to be about preventing MITM-type attacks and general traffic sniffing.