

Connection Security and Privacy

VPN

Outbound from your PC out to the internet. Also called a commercial VPN service (such as Windscribe, ProtonVPN, PIA).


Inbound from a PC you're using at some outside place on the internet, into some private network (your home LAN, or work or school network).



Systemwide VPN : encrypts all traffic and changes the IP address it comes from.


Systemwide proxy : only changes the IP address all traffic comes from.


Systemwide onion proxy : sends all traffic from your system out through the onion network, changing IP address. (anonsurf, nipe, TorGhost, etc)


Dedicated OS with onion proxy : sends all traffic from your system out through the onion network, changing IP address. (Tails, Kodachi, Subgraph OS, Whonix)




Single-client VPN : (a browser extension) encrypts browser's traffic and changes the IP address it comes from.


Single-client proxy : (a browser extension) only changes the IP address on traffic from one app.


Single-client onion proxy : sends one app's traffic out through the onion network. (torsocks, Torify)


Dedicated onion client: only that app's traffic goes out through the onion network, changing IP address. (Tor Browser)

I'm unclear on whether the "onion" alternatives force use of HTTPS (I think they don't), and at what point they understand onion URLs (where is DNS done ?).



The onion network does multiple hops, hiding the originating IP address from the final exit relay, and hiding the destination IP address from the entrance relay. A VPN does everything in one company's network, so that company can see both originating and destination IP addresses.

VPN client could be custom/proprietary from a commercial VPN service (such as Windscribe, ProtonVPN, PIA), or standard/open-source built into your operating system.


VPN server could be owned by a commercial VPN service (such as Windscribe, ProtonVPN, PIA), or you could set up your own VPN server in a cloud-hosted VPS.


DNS service could be provided by the commercial VPN service (such as Windscribe, ProtonVPN, PIA), or you could use your ISP's DNS, or DNS from Google or Cloudflare or somewhere else.

I recommend using your OS's standard client, a commercial VPN service's server, and the commercial VPN service's DNS.

Use a VPN. Leave it running 24/365. Turn it off only briefly when using some site that won't tolerate a VPN.



A VPN will not keep you 100% secure or private or anonymous. But it will help.



Give as little identity info as possible to your VPN provider.



Use HTTPS to hide traffic details from your VPN provider.



You can never 100% trust your VPN provider. But trusting the VPN is better than trusting your ISP, as long as the VPN doesn't require a proprietary client.



I like Windscribe and ProtonVPN. I'm sure others are good too.





Layers of encryption and the addresses visible at each hop (the request flows down the table, the response flows back up):

Hop                     Encryption              IP address on outside
                                                Src            Dest
----------------------  ----------------------  -------------  ----------
Browser                 None                                   WebSite
OS TCP/IP               HTTPS                   PC LAN         WebSite
VPN client              HTTPS + VPN             PC LAN         VPN Srv
PC's Wi-Fi adapter      HTTPS + VPN + Wi-Fi     PC LAN         Router LAN
LAN Wi-Fi               HTTPS + VPN + Wi-Fi     PC LAN         Router LAN
Router's Wi-Fi adapter  HTTPS + VPN             PC LAN         VPN Srv
Router                  HTTPS + VPN             Router public  VPN Srv
ISP                     HTTPS + VPN             Router public  VPN Srv
Internet                HTTPS + VPN             Router public  VPN Srv
ISP2                    HTTPS + VPN             Router public  VPN Srv
VPN server              HTTPS                   VPN Srv        WebSite
ISP2                    HTTPS                   VPN Srv        WebSite
Internet                HTTPS                   VPN Srv        WebSite
ISP3                    HTTPS                   VPN Srv        WebSite
Site server             HTTPS                   VPN Srv        WebSite
Server OS TCP/IP        None                    VPN Srv        Web server

The "LAN" and first ISP could be your home LAN and ISP, or ones used by your school or library or restaurant where you use Wi-Fi.



If instead of a browser, you use a secure-messaging application such as Wire or Signal, that adds its own, innermost layer of encryption.

Hide your traffic from your ISP, which will see only encrypted traffic to/from the VPN. So your ISP can't sell your data, inject ads, or throttle based on traffic type or traffic source.



Add an extra layer of encryption to your traffic; protects against threats on the LAN or Wi-Fi.



By using the VPN's DNS, you get a secure tunnel to the DNS, and your ISP can't see your DNS traffic.



Web sites and eavesdroppers will see the IP address of the VPN server, not your home IP address.



Mix your traffic with hundreds or thousands of other users using the same VPN server.



Defeat geo-blocking, where a download or site won't work unless your IP address is in a certain country.



Defeat location-tracking, where a site wants to relate your IP address back to physical location.



Flexibility: you can turn the VPN on and off, or change VPN server, as you wish.



Add multiple jurisdictions/countries, if someone wants to sue or DMCA you.



If a site or remote ISP bans your IP address because of something you do, you can just switch to a different VPN server or a different VPN service.



Some VPNs have additional features, such as ad-blocking and malware-blocking and parental controls.



You will pay a performance penalty, the only question is how much.


Some VPNs may sell your data.



You may pay money for the VPN.



Some sites may not work or may impose a CAPTCHA if they see your traffic is coming out of a VPN. Some (e.g. PayPal) may not let you log in through a VPN unless you have two-factor authentication enabled on the account.



Some sites (such as govt or credit-reporting companies) may not work if they see your traffic coming from a foreign country.



Some sites (such as open game servers) may automatically ban your account if they see you using a VPN ? They just assume you must be cheating.



Some sites (such as bank or PayPal) may trigger a security flag if they see your traffic coming from a VPN or from an unusual country.



My bank said this: We do not prohibit the use of a VPN per se, but VPN use often triggers our automated high-risk login protocols which lead to temporary account restrictions.



We strongly suggest if you choose to use a VPN that you also enable two-factor authentication on your account. An account with active two-factor authentication should be exempt from automated restrictions. [Someone on reddit said same is true of Capital One; if you use VPN, have to use 2FA.]

But your VPN may always have its traffic coming from a certain country, and you may be able to specify a static IP address. So you could reduce or avoid this problem.

[To avoid the last four issues, you may be able to add VPN exceptions or a proxy so that some sites don't go through the VPN, or set one browser or browser profile to use the VPN and another to not use it.]



Some networks (such as a school or library or public network) may ban/block VPN use.

You may be able to defeat this by using OpenVPN with TCP + port 443 instead of the more common UDP + port 1194.


You're adding another layer, another point of failure, to your system. If the VPN or its ISP is down, you're down (until you turn off use of the VPN).



If you're installing the VPN's custom app on your system, you're trusting the app not to be malicious.



Your ISP has to obey the laws of your country; the VPN may be located in some foreign country under a different legal system. The VPN company may be less regulated than your ISP.



If the VPN shares IP addresses among many customers, you may suffer from the bad behavior of other users. For example, suppose user X uses address N (VPN server N) to do port-scanning, an ISP tags that address as malicious, then you connect to the VPN and start using same address N (VPN server N) ?



Some VPN clients could crash/fail silently. So you could browse for a while thinking you're using the VPN, when you're not. The feature where the VPN client software disables all internet access if the VPN disconnects is called a "kill switch" (sometimes "firewall", or "always on").

Search Encrypt Blog's "The Case Against VPNs"



Paraphrased from The Complete Privacy & Security Podcast episode 183:

When creating a new account, or doing a major purchase, you may not be able to use a VPN. The account may be locked or the transaction denied.



So, instead, go to a network that is not associated with you (Wi-Fi at Apple Store or a library or a cafe), turn off VPN, and do your business.



If creating a new account, maybe log in and out several times over the next few days from the same network or nearby networks. You are "training" the security algorithms to see that your IP address can vary, and your location is reasonable, and you're not using a VPN. After that, you should be able to use a VPN, picking a server that is somewhat near that location (same country at least, same city better).

How can a site tell that you're using a VPN ? The most likely way is by using a list of known VPN server IP addresses. Or maybe your time-zone setting or language doesn't match the location of your IP address. But sometimes they can tell by analyzing your packets:

Many of the advantages of HTTPS and VPN can be lost via JavaScript or user's own actions. What good is it to have the VPN hide your originating country if JavaScript on the web page gets your location from the browser and sends it to the web site ? What good is it to hide your real name and address from ISP and VPN if you just go ahead and post those things on Facebook anyway ? Or suppose while you're browsing, some updater software on your machine connects to an update server using your ID for that service ? In each case, you're not giving the info directly to the ISP or VPN companies, but you're revealing it. So HTTPS and VPN by themselves are not cure-alls.



From Tor Project's "b. Don't torrent over Tor":

Torrent applications "often send out your real IP address in the tracker GET request".


Use the VPN all the time, 24/365, don't turn it on and off. Some traffic, such as Tor/onion traffic, does not need the protection of the VPN. But even when you're using Tor, background services and apps may be doing network traffic, and you want all that traffic to be protected and not revealing your real IP address. [Note: Tails is a different situation; I'm talking about Tor Browser on a normal OS.] And if you get in the habit of turning the VPN off and back on, at some point you will forget to turn it back on when you need it.



I suspect that there is a vulnerability if your computer connects to internet automatically at startup, and your VPN client is running in the computer (not in the router). When the OS boots, various services and apps on the computer may access the internet directly before the VPN client starts up, revealing your true IP address to some sites.



An issue with VPNs in general: how can a user be assured that not a single access using their real (ISP) public IP address is getting out of the system, to any destination except the VPN server ? At boot time, at shutdown time, if there's a bug or a crash, from any source including drivers and DNS resolvers, etc. Probably the only way is to have a second line of defense in an external device (router or Pi-hole or something).



Some VPNs provide filtering features. For example, 10/2018 Windscribe announced their servers block IPs of known sources of malware, and soon their DNS's will be doing ad-blocking. The level of filtering will be adjustable.





[WORK IN PROGRESS; PROBABLY SOME OF THIS IS WRONG]



Three VPN stacks compared layer by layer (OpenVPN / strongSwan / WireGuard):

User application (all three): Browser or SSH or SFTP or any other app or service; may have its own use of SSL/TLS.

VPN client application:
  OpenVPN: OpenVPN Connect, Tunnelblick, many others.
  strongSwan: strongSwan or Libreswan or Openswan.
  WireGuard: Standard utilities such as ifconfig, ip-link, ip-address, and a new utility "wg", applied to new virtual network devices "wg0", "wg1", etc.

Authentication:
  OpenVPN: OpenSSL, HMAC ? Pre-shared keys (PSKs) ?
  strongSwan: IKE.
  WireGuard: Cryptokey Routing; pre-shared keys (PSKs). Associates public keys with IP addresses, and associates network device with private key and peer.

Session key-exchange:
  OpenVPN: TLS; sometimes ECDH.
  strongSwan: IKE.
  WireGuard: Curve25519, Noise IK (plus optional PSK).

Transport-level encryption:
  OpenVPN: SSL/TLS (usually AES or Blowfish). Uses HTTPS port, so hard to block.
  strongSwan: none.
  WireGuard: none.

IP-level encryption:
  OpenVPN: none.
  strongSwan: IPsec (usually AES).
  WireGuard: ChaCha20 and Poly1305.

Transport protocol:
  OpenVPN: UDP or TCP.
  strongSwan: ESP or AH or UDP.
  WireGuard: UDP.

Link and physical layers (all three): Ethernet, Wi-Fi, etc.

There are more stacks: PPTP/IPsec (old), L2TP/IPsec (slower), SoftEther, SSTP/SSL (a bit Windows-oriented).

WireGuard

Jason A. Donenfeld's "WireGuard: Fast, Modern, Secure VPN Tunnel"

Rob Mardisalu article

Douglas Crawford article






From Windscribe Support about WireGuard, in 2020:

We are adding it to our service at some point, it's on the roadmap.



But there's nothing special about WireGuard. It's very barebones which requires us to basically build our own framework for it.



It's also NOT made for consumer VPNs like Windscribe, it's made for the actual definition of VPNs which is to connect a group of people on the internet to a virtual private network.



Then as a VPN provider like us, we have to completely remove that functionality because we're not trying to connect multiple people together, we just want them connecting to the server. There's tons of firewalling involved to ensure that even though a bunch of people are on the same virtual network, nobody sees anyone else. You don't want to connect to a VPN server and a bunch of people can now reach your computer as if they were on the same network as you. That's not private at all and only puts you at way more risk than not using a VPN to begin with.



From what I know, there's no special care given to the WireGuard protocol to make it more in line with the privacy and anonymity-based consumer definition of a VPN, it's still just a different way of connecting a group of people together on the same network. But since everyone keeps asking for it and other companies are now starting to implement it, we'll have to do the same in order to keep up with the most current tech.

We've got a lot on our plate right now though so it'll still take some time to get it implemented into our service.

From someone on reddit:

There is no client and server in WireGuard terms. WireGuard only knows peers. Each device you have has one [Interface] block where you set the private key, tunnel address, DNS etc and then you can have multiple [Peer] entries. Each peer is its own tunnel.

From someone on reddit:

If your machine is "laptop1":

Create a private key:

wg genkey >laptop1.key

chmod 600 laptop1.key

Create a public key:

wg pubkey <laptop1.key >laptop1.pub



One can also generate a unique pre-shared key for each peer-pair.

If your machine is "laptop1" and the VPN server is "vpnsrv1":

wg genpsk >laptop1-vpnsrv1.psk


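As an added example (not code from the page, the reddit posters, or the WireGuard project), here is a small Python parser for the [Interface] / [Peer] layout described in the two reddit quotes above, followed by the cryptokey-routing lookup that WireGuard applies to every packet: the AllowedIPs of all peers form one routing table, an outbound packet is encrypted to the peer whose AllowedIPs prefix matches its destination most specifically, and an inbound packet is accepted only if its inner source address routes back to the peer it was decrypted from. The peer names laptop1 and vpnsrv1 follow the page; the extra peer "laptop2", the tunnel addresses, the Endpoint and the key strings are constructed placeholders, not real keys.

```python
"""Parse a WireGuard-style config and apply its cryptokey routing rules.

Added illustration, not code from WireGuard or from the page. The config keys
are the real ones; the key material, addresses and endpoint are placeholders.
"""
import ipaddress

# Constructed config for laptop1: one [Interface] block, then one [Peer]
# per tunnel (the VPN server as a catch-all route, plus a second laptop).
SAMPLE_CONF = """
[Interface]
PrivateKey = LAPTOP1_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.2/24
DNS = 10.0.0.1

[Peer]
# vpnsrv1: everything not matched more specifically goes here
PublicKey = VPNSRV1_PUBLIC_KEY_PLACEHOLDER
PresharedKey = LAPTOP1_VPNSRV1_PSK_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820

[Peer]
# laptop2 (constructed): reachable only at its single tunnel address
PublicKey = LAPTOP2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32
"""


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) from INI-style wg text."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, as in wg-quick
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            # Base64 keys may end in '=', so split on the first '=' only.
            key, sep, value = line.partition("=")
            if current is None or not sep:
                raise ValueError(f"unexpected line: {raw!r}")
            current[key.strip()] = value.strip()
    return interface, peers


class CryptokeyRouter:
    """The AllowedIPs of every peer, merged into one longest-prefix-match table."""

    def __init__(self, peers):
        self.table = []
        for peer in peers:
            for cidr in peer["AllowedIPs"].split(","):
                self.table.append((ipaddress.ip_network(cidr.strip()), peer["PublicKey"]))
        # Most specific prefix first, so the first hit below is the longest match.
        self.table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

    def peer_for(self, address):
        """Outbound: the peer whose key encrypts a packet to `address`, or None."""
        addr = ipaddress.ip_address(address)
        for net, pubkey in self.table:
            if addr.version == net.version and addr in net:
                return pubkey
        return None

    def accept_inbound(self, from_peer, inner_src):
        """Inbound: a packet decrypted under from_peer's session is accepted
        only if its inner source address routes back to that same peer."""
        return self.peer_for(inner_src) == from_peer


if __name__ == "__main__":
    iface, peers = parse_wg_conf(SAMPLE_CONF)
    router = CryptokeyRouter(peers)
    print("tunnel address:", iface["Address"])
    print("to 10.0.0.3     ->", router.peer_for("10.0.0.3"))
    print("to 198.51.100.7 ->", router.peer_for("198.51.100.7"))
    print("spoofed 10.0.0.9 from laptop2 accepted?",
          router.accept_inbound("LAPTOP2_PUBLIC_KEY_PLACEHOLDER", "10.0.0.9"))
```

The inbound check is the substance of the Windscribe support comment above: on a client, the server's peer entry has AllowedIPs = 0.0.0.0/0, so the server may deliver packets with any inner source address, while on the server each client gets a /32 and cannot inject packets claiming another client's address. Keeping clients from reaching one another at all is a separate firewalling job on the server, which the protocol itself does not do.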

pcWRT's "Performance comparisons of three VPN protocols on a budget router"




To use a VPN, you have to have some client-side software installed at some level. Could be:



Add-on in browser (so works only for that application), or



A layer in OS networking stack on client computer (so each computer in the house has to install it), or



In router used by all client devices in the house.



Some VPNs have client software that can be installed in your home router/modem. Only a few home routers support this, and maybe only pre-installed before you buy the router.



Advantages: nothing has to be installed on each client device, some client devices (such as game consoles, IoT) are locked down and you can't install VPN client software on them, some smartphone OS's (iOS at least) permit installing only a VPN client OR a firewall so this would allow you to have both, new devices automatically use the VPN, you administer the VPN client in only one place, you're guaranteed that even accesses by your client during boot and shutdown and install and update are handled by the VPN.



But if that home router/modem is owned by your ISP, they may be able to see your traffic before it goes into the VPN. And if you need to disable the VPN to play a game or stream video or something, it may get disabled for all devices. Make sure you can put a list of domains into the VPN router client, so access to those sites does not use the VPN, because some sites will not tolerate a VPN. Expect complaints from other users in your house as sites break and you have to whitelist them. You're not protected against other devices on your LAN attacking you. Another disadvantage: if you take your phone/laptop to another network, it no longer has (automatic) use of the VPN, you have to remember to switch to client software on the device.



From someone on reddit 6/2017:



> I want to buy a used router/modem for $100

> that would run a VPN client.



On a $100 budget you won't be able to get a new modem and router and have a router that is decent for VPNs.



Consumer-level routers are generally woefully underpowered for OpenVPN, so you need the best router CPU that you can get for the budget you have. An underpowered CPU in the router will severely limit your performance to all devices connected through the router while on the VPN.



Also consider the OS of the router. Asus has done a lot of work to make the OpenVPN install process very easy on their routers, and many other vendors do not support OpenVPN out of the box and require flashing the router to DD-WRT or Tomato, which can be hit and miss with support for your router hardware and also be an older build that contains security vulnerabilities.



DD-WRT does have the advantage of being open source, unlike AsusWRT, but it really is a sh*tshow for first-time VPN users.



Based on your budget, i'd get a mid-range consumer-level router from your preferred brand, and connect to the VPN using a regular OpenVPN client on the devices that you want protected. This is because a typical PC (even an old one) has many times over faster CPUs for VPN usage.



This setup would give you the protection of a VPN, with decent speeds (if your VPN provider is fast) and not break your budget.

Router specifically built to run a VPN client: InvizBox

The client software could be: Proprietary to the VPN vendor (could have more features), or

Built into the OS, or

Open-source standard (OpenVPN or WireGuard or strongSwan ?)

OpenVPN is: A standard communications protocol, and

An open-source protocol layer (SSL/TLS, OpenSSL) in the 7-layer stack, and

An application to start and manage the OpenVPN protocol layer.

WireGuard is: A communications protocol, and

Existing network interface utilities, plus a new utility "wg".

Claims to be much simpler than OpenVPN/OpenSSL or *Swan/IPsec.

strongSwan is: A client application.

Implements the IKEv1 and IKEv2 key-exchange protocols.

Uses IPsec.

Can use one of three crypto libraries (legacy [non-US] FreeS/WAN, OpenSSL, and gcrypt).

If the client piece is proprietary software from the VPN vendor, you're trusting it to a great degree: it can see all of your unencrypted traffic and encrypted traffic. Also it could install something else; see Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping".



From someone on reddit's /r/VPN:

> On Android, should I install VPN provider's app directly, or

> should I set up OpenVPN per instructions on provider's website?



Often the custom VPN client supplied by a VPN service has nice features that make it preferable to use. The stock Android OpenVPN client is spartan. 'OpenVPN for Android' by Arne Schwabe is better. You choose based on features/convenience.

I tried OpenVPN client on Windows 10 with Windscribe VPN 4/2018:

Downloaded OpenVPN client installer from OpenVPN's "Community Downloads".

Logged in to Windscribe web site and downloaded files from OpenVPN Config Generator.

Installed OpenVPN and copied Windscribe ".ovpn" config file into OpenVPN config folder.

Ran OpenVPN client and logged in with credentials from Windscribe.

DNS leak test showed a DNS leak until I added a "block-outside-dns" line to the config file Windscribe gave me. (But someone says that "only works for modern Windows versions, using the Windows Filtering Platform (WFP)", which is true.)

No way to select a particular VPN server, but directive such as "remote es.windscribe.com 443" in the OpenVPN client config file means you will get a Windscribe server in Spain ("es").

I didn't install certificates supplied by Windscribe, and saw no obvious ill effects.

Michael Horowitz's "An introduction to six types of VPN software"



corrad1nho / qomui (Qt OpenVPN Management UI; Linux GUI client)

The choice is: Your home ISP, if you use no VPN.

The VPN service, if you use a commercial VPN.

The cloud service, if you use your own VPN server hosted on a cloud service.

Your home ISP, if you use your own VPN server hosted at home.

The VPN company already knows every domain you're accessing, so there is no harm in using their DNS.



The major benefit of using their DNS is that the connection to DNS goes through the same encrypted tunnel to the VPN server.



Their DNS server may include ad-blocking.



Ask if their DNS server uses DNSSEC to talk to other DNS servers; it should.

Definitely use HTTPS on every site that supports it.

Use the VPN all the time, 24/365, don't turn it on and off.

Use the VPN's DNS server.

Using a VPN hides traffic from your ISP, and others on your network.

Using a VPN has costs, in performance and functionality and maybe money.

Even if the VPN is logging and selling your data, that is better than your ISP doing the same.

> Which is the cheapest vpn app out there? That won't sell my info?



You never know if they will sell or not. If they will give it away or not. If they will spy on you or not. Or if they will give info when justice, government, cops, or similar demand them or not. If not the company itself, then an employee, will get your info or not.

More than half of the world's 30 most popular smartphone apps for browsing the internet privately are owned by Chinese companies, according to a new study that raises significant privacy concerns.



Seventeen of the apps, which offer to connect users to the internet through a secure tunnel known as a "virtual private network" (VPN), were owned either by Chinese companies or companies appearing to have links to China.



...



But the companies operating them often had very limited privacy policies, said Simon Migliano, the head of research at Top10VPN.com, which reviews VPN services.



"We found a few apps that explicitly stated that users' internet activity was logged, which we have never seen anywhere else with VPNs. [VPN] policies usually state that they never ever log data," he said.



"We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy."



...



"It's pretty crazy that 60 per cent of apps we looked at didn't have a company website. Over half hosted their privacy policies on free wordpress blogs, that had ads on the page, full of typos and when you looked at them together, they had copied and pasted from each other in a sloppy way. This is far from what you'd expect from an internet company trying to protect your privacy."



Three of the apps - TurboVPN, ProxyMaster and SnapVPN - were found to have linked ownership. In their privacy policy, they noted: "Our business may require us to transfer your Personal Data to countries outside of the European Economic Area ("EEA"), including to countries such as the People's Republic of China or Singapore."



VPN Kill Switch For Linux Using Easy Firewall Rules



If you're connected to a VPN, you need a killswitch. No, it's not as metal as it sounds. It's just a mechanism that stops your Internet connection when you're disconnected from the VPN. It protects you from inadvertently leaking sensitive information onto the Internet when the VPN connection drops.



Some VPN services provide clients with a built-in killswitch, but none are as reliable as using iptables. Since iptables is independent of your VPN service, and it's integrated into the kernel itself, it won't fail when your VPN does. Iptables is also a well-proven security technology that can and will keep your computer safe.



(From The Tin Hat's "The Best VPN Kill Switch For Linux Using Easy Firewall Rules".)



Do browser and DNS leak testing, with sites such as Doileak.com and IPleak.com.



Check the system routing table; the VPN device (maybe "tun0") should be first and handling most of the traffic.



On Linux, do "ip r".



On Windows, maybe "netstat -rn" or "route print".


Run a traffic dump and see if any traffic is going to any address other than your VPN's address.



On Linux, use tcpdump.



On Windows, use netsh and Microsoft Message Analyzer [tool has been discontinued by MSoft]:
Make sure your VPN is running.
Run CMD as administrator (Start menu, search for cmd, right-click on Command Prompt, choose "Run as administrator").
Run "Netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=yes traceFile=C:\Logs\NetTrace.etl".
Do some network activity.
Run "netsh trace stop".
Run Microsoft Message Analyzer.
Open the trace file (".etl" file) saved by netsh.
Your VPN's address probably starts with 10 or 172 or 192. Addresses starting with 127 are okay. (Wikipedia's "IPv4") Access to an IP address starting with some other number is suspicious. Try looking up suspicious addresses on LookIP.net.
To do this efficiently, add a filter that hides the private and loopback ranges: "!(IPv4.Address in [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8])".
Apparently only values of TCP "local" addresses matter ? "Remote" will be the outside address the VPN server is talking to, but your computer is not talking directly to that address ?

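The same traffic-dump check, as an added example that is not part of these notes: the script reads "tcpdump -n" lines captured on the physical interface (not tun0) while the VPN is up, and flags any destination other than the VPN server, private/LAN ranges, loopback and multicast, plus every IPv6 packet, since an IPv4-only VPN never carries those. The VPN server address is passed as an argument; the interface name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: classify destinations in a "tcpdump -n" capture.
# Usage (interface and address are assumptions, use your own):
#   sudo tcpdump -n -l -i eth0 | sh leakcheck.sh 89.238.178.43
# Prints one line per suspicious packet; exit status 1 if any were found.

# leak_check VPN_SERVER: reads tcpdump lines on stdin.
# Line shape: "12:00:00.000001 IP 192.168.0.10.51234 > 1.1.1.1.53: UDP, length 40"
#   $2 = "IP" or "IP6", $3 = src.port, $4 = ">", $5 = dst.port followed by ":"
leak_check() {
  awk -v vpn="$1" '
    # classify an IPv4 address: "ok" for the tunnel endpoint and local ranges,
    # "LEAK" for anything else (a destination reached outside the tunnel)
    function classify(a,   o) {
      if (a == vpn) return "ok"
      split(a, o, ".")
      if (o[1] == 10) return "ok"                               # 10.0.0.0/8
      if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return "ok"  # 172.16.0.0/12
      if (o[1] == 192 && o[2] == 168) return "ok"               # 192.168.0.0/16
      if (o[1] == 127) return "ok"                              # loopback
      if (o[1] >= 224 && o[1] <= 239) return "ok"               # multicast
      if (a == "255.255.255.255") return "ok"                   # broadcast
      return "LEAK"
    }
    $2 == "IP6" { print "LEAK (IPv6 bypasses an IPv4-only VPN): " $0; n++; next }
    $2 == "IP" && $4 == ">" {
      dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)   # strip ":" and port
      src = $3; sub(/\.[0-9]+$/, "", src)
      if (classify(dst) == "LEAK") { print "LEAK: " src " -> " dst; n++ }
    }
    END { if (n > 0) exit 1; exit 0 }
  '
}

# Run directly: first argument is the VPN server address, capture on stdin.
if [ -n "${1:-}" ]; then
  leak_check "$1"
fi
```

Inbound packets appear twice with policy-based IPsec (encrypted and again after decryption); the decrypted copy has your inner 10.x address as destination, so it is not flagged.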

On Linux, monitor for IP address changes:
ip -t monitor   # gives messages when route changes, but not very clear
https://stackoverflow.com/questions/2261759/get-notified-about-network-interface-change-on-linux
# If you're using Network Manager to take VPN down/up deliberately, add a script
# under /etc/NetworkManager/dispatcher.d
# But I think this will only catch deliberate user operations through Network Manager
# Add scripts under /etc/network/if-up.d and /etc/network/if-post-down.d ?
# A script put in /etc/network/if-down.d never gets called, for some reason.
# Hooks into DHCP or DBUS will catch only changes in local IP address, not public IP address ?
Made a Python program (ipwatch) that polls for changes to public IP address, but polling is an ugly solution.



https://askubuntu.com/questions/38733/how-to-read-dbus-monitor-output
https://stackoverflow.com/questions/11544836/monitoring-dbus-messages-by-python
https://dbus.freedesktop.org/doc/dbus-python/tutorial.html
Windows:
https://www.groovypost.com/howto/automatically-run-script-on-internet-connect-network-connection-drop/
https://www.windowscentral.com/how-create-automated-task-using-task-scheduler-windows-10
https://docs.microsoft.com/en-us/configmgr/apps/deploy-use/create-deploy-scripts





My tests with Windscribe on Ubuntu GNOME 20.04 6/2020:

                 Ethernet, no VPN    Ethernet, OpenVPN    Ethernet, IKEv2
Site             Down / Up / Lat     Down / Up / Lat      Down / Up / Lat
SpeedOf.Me       100 / 85 / 55       95 / 75 / 45         45 / 60 / 40
TestMy.net        90 / 75 / 45       80 / 55 / 80         90 / 75 / 70
Fast.com          90 / 90 / 60       90 / 70 / 70         85 / 85 / 75

Down and Up speeds are in Mbps. Latency in msec.
Each test run twice and rounded and averaged.
Not all tests from same VPN locations and to same test locations.
Firefox browser. Vodafone ISP with fiber 100/100 service.



This VPN industry needs a wake-up call, ELSE a better way at helping the average joe at Starbucks. Guys. Like. Me.



I read. As such, I know the importance of a VPN. In fact, I have spent hours/days reading up on them. I have made excel spreadsheets to compare them (and looked at the ones on "that site"). I even WANT to give you my money to ensure I have a good one. As such, I have tried 4 paid popular ones I won't mention as I don't want to call them out, and spent a ton of time testing them on my PC and mobile.



They all are frustratingly SLOW. Or interfere with connections.



No matter what, all I want is a FAST secure connection I don't have to think about. Yet, I can't find a VPN that doesn't bring my public and often home networks connections to a crawl. The expected "30% drop" is BS. And none automatically find me the best servers, and in fact often I can get faster servers 5000 miles away, but I have to manually select them.



I understand it's complicated. But I have stuff to do. Seriously. Which is why I want to pay someone else to think about these things and give me a good product.



You all sales-pitch me the "fastest speeds" but then I watch as my connection up and down speeds drop to pathetic - and I have the spreadsheets to prove it.



To anyone listening I speak for the masses ... take my money and give me a decent, secure VPN connection.



And if I am just not "reading enough" to know how to get what I am looking for, then it highlights my point that there is a problem out there for the non-technical guys like me who just want security without massive compromise and hours of research.



When we talk about speed drops, you're going to lose ~9% just because of how the encapsulation and encryption works. You're also going to lose about 10ms on pings because the actual encrypting and decrypting takes time.



It is also important to manage expectations when we talk about privacy networks that are based on shared connections. We have had a rash of users on our service that are unhappy with our "slow" performance because their gigabit connection slows down to 190Mbit. They don't understand the nature of VPNs and that in order to keep their information private, their traffic has to be mixed with other users on a server, and these servers are running the same 1Gbit connection that they have. Yes, it is 20% of your line speed, but at the same time it is extremely fast for the market generally, and pretty much the limits of what you'll see on a server with proper user densities to protect your information.



If you're talking about a 30% drop on 10 Mbit that is significant. If you're getting a 30% drop on 200Mbit that's absolutely normal.



There's also other factors that play into VPN performance like distance from the server, which protocol they are using, etc.



In other words, you're always going to have some loss. If all factors are good, you can minimize that loss up to a limit in speed. More than 200 Mbit just isn't going to happen on a safe and private connection generally.



> why do many VPN setup guides advise you to disable IPv6 ?



A lot of VPNs only handle IPv4, so on those any IPv6 traffic bypasses the VPN.



Easiest fix is to disable IPv6. Better long-term solution would be to get a VPN that properly handles IPv6.



...



... the main reasons are:



Many ISPs still do not support IPv6 to clients. Unlike retail ISPs, VPN providers tend to be global services, so this is not a small deal.



Less than 20% of server sites support IPv6 - google conveniently tracks these sorts of stats.



IPv6 has very different configuration and security characteristics than IPv4, especially in extensibility at a protocol level. It is very easy for network and stack providers, i.e. including your OS, to mess up on both fronts, leading to an insecure network potentially at multiple levels. These issues are several factors worse on mixed networks, i.e. tunnelling IPv6 through IPv4 or IPv6 and IPv4 on same networks.



Related to the above, IPv6 is still maturing. Even the hardware tech to support both the equivalent level of configuration and security at scale for IPv6 is not readily available or is more costly than IPv4.



By default IPv6 uses globally routable addresses, i.e. every client gets an address that uniquely identifies them perhaps forever for a given ISP-client combination. Any leak there would be bad news. Since many VPN providers cannot even maintain leak-free status in IPv4, IPv6 over a VPN is not something to be carelessly keen about.



OpenVPN, the most popular retail VPN protocol, has been slow to add IPv6 support and it is still incomplete.

That's why, if you really care about security, your first concern is finding a strong VPN provider. Something like supporting IPv6 is not on most people's priority list, including not your VPN provider, except the best-in-class ones that at least prevent leaks at the client no matter which IP protocol they use.



...



Most budget/end user VPNs only cover IPv4 traffic, and anything sent over IPv6 is ignored.



...



I have seen anecdotally IPv6 messing up network applications. On more than one occasion.

Torrenting not allowed when using free version.



I don't see any slow-down, but I am in Spain and mostly using USA web sites, so my speeds probably already were slightly low.



If I'm using a VPN server in another country, and do a Google search, Google changes country to France or Latvia or wherever the VPN server is. So I get results in French or Latvian or whatever.



Each time I change to a VPN server in a new country:
Yahoo Mail may warn about new time zone, sends email about login from new location.
FB says suspicious activity, answer questions, or sends email about login from new location.

In Windows 10, if you run the VPN and then click on the Network icon in the system tray and connect to Wi-Fi, it's possible to get connected to both the VPN and the normal Wi-Fi simultaneously. To fix this, I think you have to disconnect from both, then connect to Wi-Fi, then run the VPN.

Easiest way: if you're using a proprietary VPN client app that supports split tunneling, use that. But many don't support it, or support it only for certain operating systems.

Windscribe

ProtonVPN

PIA

Wiki "strongSwan VPN Client for Android 4+" does support split tunneling, both on basis of application and on basis of destination IP address. Define a VPN connection, highlight it, click Edit, scroll down to Split Tunneling.

Complication: Linux networking has been changing (Network Manager, systemd) over the years, so old instructions may not work any more.

One way: make a second user, run all with-VPN apps under one user and all no-VPN apps under the other user, then have different iptables rules for the two users ? (There is an article about this, a bit confusing.)

Another way: set default system route to no-VPN, then set some apps (those which allow custom network specifications) to use a proxy that will route to the VPN. (article1, a bit confusing; article2, similar, using OpenVPN)

Split tunneling on the basis of destination IP address, not application:

In Linux Network Manager's OpenVPN profile for a VPN connection, in the IPv4 and IPv6 tabs you can set "Routes" and/or enable "Use this connection only for resources on its network" ? Not sure how to set it, and if it works.

Make iptables rules to route based on destination IP address. Maybe in PREROUTING or mangle table ?

When using strongSwan/IKEv2 or Wireguard, maybe set IPsec rules to do split tunneling ?
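The "second user" approach worked through, as an added example (mine, not from the articles mentioned above): instead of only filtering with iptables, packets owned by the VPN-only user get a firewall mark, a second routing table sends marked packets through the tunnel, and a per-user kill switch rejects them anywhere else. Assumptions, all constructed: the user is "vpnuser", the VPN device is an OpenVPN-style tun0 that is up but did not replace the system default route (e.g. the client was started with --route-nopull), and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: per-user split tunnel via packet mark + policy routing.
# Assumptions (constructed defaults, override via environment):
VPN_USER="${VPN_USER:-vpnuser}"   # the account whose apps must use the VPN
VPN_IF="${VPN_IF:-tun0}"          # tunnel device; system default route stays on the LAN
MARK="${MARK:-0x1}"               # firewall mark for that user's packets
TABLE="${TABLE:-100}"             # routing table consulted for marked packets
DRY_RUN="${DRY_RUN:-0}"

# run: print the command when DRY_RUN=1, otherwise execute it (needs root).
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# split_tunnel_up: only packets generated by $VPN_USER are marked. The kernel
# re-routes a packet after mangle/OUTPUT changes its mark, so marked packets
# use table $TABLE, whose only route is the tunnel. MASQUERADE rewrites their
# source address to the tunnel's, because the socket already picked the LAN
# address before the mark existed. Marked packets on any other device are
# rejected, so that user cannot fall back to the ISP path when tun0 is down.
split_tunnel_up() {
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$MARK"
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add default dev "$VPN_IF" table "$TABLE"
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -m mark --mark "$MARK" -j MASQUERADE
  run iptables -A OUTPUT -o lo -j ACCEPT
  run iptables -A OUTPUT -m mark --mark "$MARK" ! -o "$VPN_IF" -j REJECT
  # replies arriving on the tunnel must not be dropped by strict reverse-path filtering
  run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
  # Caveat: DNS. If $VPN_USER's apps ask a local stub resolver (systemd-resolved,
  # dnsmasq), the query is sent under that daemon's uid, is not marked, and goes
  # out via the ISP; give that user a resolver that is reached through the tunnel.
}

# split_tunnel_down: undo the above in reverse order.
split_tunnel_down() {
  run iptables -D OUTPUT -m mark --mark "$MARK" ! -o "$VPN_IF" -j REJECT
  run iptables -D OUTPUT -o lo -j ACCEPT
  run iptables -t nat -D POSTROUTING -o "$VPN_IF" -m mark --mark "$MARK" -j MASQUERADE
  run ip route flush table "$TABLE"
  run ip rule del fwmark "$MARK" lookup "$TABLE"
  run iptables -t mangle -D OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$MARK"
}

case "${1:-}" in
  up)   split_tunnel_up ;;
  down) split_tunnel_down ;;
esac
```

Check it with "sudo -u vpnuser curl https://ipinfo.io/ip" versus the same command as yourself: the two should report the VPN address and the ISP address respectively.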

Windscribe VPN



Alternative architectures: I think you have your choice of these stacks (from oldest to newest):

IPsec config:
  UI (CLI): ipsec
  Config files: /etc/ipsec.conf /etc/ipsec.secrets /etc/ipsec.d/cacerts
  Daemons:

strongSwan config:
  UI (CLI): swanctl
  Config files: /etc/ipsec.conf /etc/ipsec.secrets /etc/ipsec.d/cacerts /etc/strongswan.conf /etc/strongswan.d/* /etc/swanctl/swanctl.conf
  Daemons: /lib/systemd/system/strongswan.service /usr/lib/ipsec/charon

strongSwan through Network Manager:
  UI: Network Settings in system tray
  Config files: same as previous section
  Daemons: same as previous section

Windscribe's "IKEv2 Profile Generator"

Saved credentials in my password manager.



"The IKE protocol uses UDP packets and UDP port 500."

Open-source implementations of IKEv2 include: OpenIKEv2, Openswan, and strongSwan.

It's less feasible for a network admin to block OpenVPN (which uses HTTPS port 443), than to block IKEv2 (which uses UDP port 500).





I tried things a bit out of order, got things mixed together, hope I've sorted out things properly in the following sections:



IPsec config method:

Mostly following first half of /u/nosmokingbandit's "Using IKEv2 on Linux".

sudo windscribe stop
sudo systemctl stop openvpn
sudo systemctl disable openvpn

apt install strongswan-starter libstrongswan-extra-plugins libcharon-extra-plugins

sudo xed /etc/ipsec.conf
# and add:
conn windscribe-es          # name I picked
  keyexchange=ikev2
  fragmentation=yes
  dpdaction=restart         # restart if connection drops
  dpddelay=300s             # how often to send packet to do Dead Peer Detection
  keyingtries=%forever      # keep trying to connect, forever
  eap_identity=MYUSERNAME   # username from https://windscribe.com/getconfig/ikev2
  leftauth=eap-mschapv2
  left=%defaultroute
  leftsourceip=%config
  right=89.238.178.43       # address from ping es.windscribe.com
  rightauth=pubkey
  rightsubnet=0.0.0.0/0
  rightid=%any
  type=tunnel
  auto=start                # start at system boot; if not, set to "add"
# man ipsec.conf
# https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

sudo xed /etc/strongswan.d/charon/kernel-netlink.conf
# and after line "# mtu = 0" add:
mtu = 1300
# use "tracepath" to see how hops in a route might be changing MTU

sudo xed /etc/ipsec.secrets
# and add (with the spaces exactly in the places shown):
MYUSERNAME : EAP "MYPASSWORD"

# check that this directory is empty:
ls /etc/ipsec.d/cacerts
# then make IPsec just use the OS certificates:
rmdir /etc/ipsec.d/cacerts
ln -s /etc/ssl/certs /etc/ipsec.d/cacerts

# Edit /etc/resolvconf/resolv.conf.d/tail to contain (first line is a comment):
# following is from /etc/resolvconf/resolv.conf.d/tail
nameserver 208.67.222.222   # OpenDNS
# If you wanted to remove other lines, maybe
# edit /etc/NetworkManager/NetworkManager.conf and add "dns=none" in [main] section

sudo ipsec restart
sudo ipsec up windscribe-es     # or whatever connection name you picked
# see message "connection 'windscribe-es' established successfully"

# to switch from one connection to another, take old one down before putting new one up:
sudo ipsec down windscribe-es   # or whatever connection name you picked
sudo ipsec up windscribe-usa    # or whatever connection name you picked

cd /tmp && rm -f ip && wget -q https://ipinfo.io/ip && cat ip && rm -f ip
# or
curl --get ifconfig.me && echo
# and you should see an address in same subnet as the "right=" address you used
# probably 89.238.178.n
ping es.windscribe.com   # see if it's similar
# run leak tests such as https://www.doileak.com/ and https://ipleak.com/
# tests passed, for me

# Tried unplugging from Ethernet, waiting a minute or two, plugging back in.
# Checked IP address and saw ISP's address not VPN address.
# Waited 10-15 seconds (dpddelay), checked IP address and ran leak tests again,
# all is well, system is connected to VPN again.
# But: there is a time-window where the VPN is not being used, and traffic
# still can go out. Not sure if same would happen if you're using VPN
# and Windscribe server crashes for some reason. How to stop this ?
# Need a "kill switch".
# Need to create another connection with "type=drop" ???
# ipsec _updown script ?
# https://www.mail-archive.com/users@lists.strongswan.org/msg15467.html
# need to install swanctl (see section below)

# from Windscribe Support: to make a "kill switch", create iptables
# rule to DROP all packets that are not UDP on 500+4500 (ports IPsec uses)
# so I created a file with (simplified) these commands:
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --match multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -d 172.17.0.0/16 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT   # want to change to DROP, but keep getting DNS 1.1.1.1 traffic
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -p udp --match multiport --dports 500,4500 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT DROP

sudo ipsec statusall
sudo journalctl | grep Windscribe
sudo journalctl | grep charon
# There is a HUGE amount of logging in the journal by Charon and IPsec
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
man strongswan.conf   # see LOGGER CONFIGURATION section
sudo xed /etc/strongswan.d/charon-logging.conf
# in syslog section, add line:
default = 0
# rebooted
# but that doesn't seem to have done much, removed it and tried:
man ipsec.conf   # parameter "charondebug"
sudo xed /etc/ipsec.conf
# and in section "config setup" add:
charondebug = dmn 1, mgr 1, ike -1, chd 0, job 0, cfg 0, knl 0, net -1, asn 0, enc -1, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0

# COULD do this, I haven't done it: in ipsec.conf connection section:
leftfirewall=yes   # disables use of iptables once VPN is connected ?

# Wanted to make a connection to disable the VPN so I can use some site that
# won't tolerate a VPN. Couldn't get the new connection to work.
# But (with DNS addition in /etc/resolvconf/resolv.conf.d/tail), just
# taking down the Windscribe connection (and resetting iptables) is enough;
# don't need this connection definition (which doesn't work anyway).
sudo xed /etc/ipsec.conf
# and add:
# https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Passthrough-policy
conn no-vpn   # name I picked
  left=127.0.0.1
  left=%defaultroute
  leftsourceip=%config
  rightsubnet=0.0.0.0/0   # also tried %any
  rightid=%any
  type=passthrough
  # auto=route
  auto=add

sudo xed /etc/swanctl/swanctl.conf
# and add:
connections {
  no-vpn {
    remote_addrs = 127.0.0.1
    children {
      passthrough-1 {
        local_ts = %any
        remote_ts = %any
        mode = pass
      }
    }
  }
}
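Putting The Tin Hat's kill-switch idea and the Windscribe-support rule list above together, here is an added example (mine, not from either source, and not the rule file in these notes) for the strongSwan/IKEv2 setup that actually sets OUTPUT to DROP. The server address is the "right=" value used above; the LAN subnet and interface name are assumptions to replace; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: iptables kill switch for a strongSwan/IKEv2 (policy-based IPsec) VPN.
# Assumptions (constructed defaults, override via environment):
VPN_SERVER="${VPN_SERVER:-89.238.178.43}"   # the "right=" address in ipsec.conf
LAN="${LAN:-192.168.0.0/24}"                # your local subnet
WAN_IF="${WAN_IF:-eth0}"                    # the physical interface
DRY_RUN="${DRY_RUN:-0}"

# run: print the command when DRY_RUN=1, otherwise execute it (needs root).
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# killswitch_rules: drop everything by default, then allow only loopback,
# established flows, the LAN, IKE/NAT-T (UDP 500/4500) and ESP to the VPN
# server address only, and cleartext packets that the kernel IPsec policy is
# about to encrypt or has just decrypted (xt_policy match). With OUTPUT at DROP,
# a DNS query that tries to leave in the clear via $WAN_IF (the 1.1.1.1 traffic
# in the notes above) now fails instead of bypassing the VPN; that failure is
# the signal that something is not pointed at the tunnel.
killswitch_rules() {
  run iptables -F
  run iptables -t nat -F
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # LAN access (router page, printer). Remove these two lines for a stricter
  # switch: a DNS query sent to the router would otherwise leave in the clear.
  run iptables -A INPUT -i "$WAN_IF" -s "$LAN" -j ACCEPT
  run iptables -A OUTPUT -o "$WAN_IF" -d "$LAN" -j ACCEPT
  # IKE, NAT-T and ESP, only to/from the VPN server
  run iptables -A OUTPUT -o "$WAN_IF" -d "$VPN_SERVER" -p udp -m multiport --dports 500,4500 -j ACCEPT
  run iptables -A INPUT -i "$WAN_IF" -s "$VPN_SERVER" -p udp -m multiport --sports 500,4500 -j ACCEPT
  run iptables -A OUTPUT -o "$WAN_IF" -d "$VPN_SERVER" -p esp -j ACCEPT
  run iptables -A INPUT -i "$WAN_IF" -s "$VPN_SERVER" -p esp -j ACCEPT
  # cleartext packets that will be encrypted into / were decrypted from the tunnel
  run iptables -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
  run iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
  # IPv6 is not carried by this VPN at all, so block it (see the IPv6 notes above)
  run ip6tables -F
  run ip6tables -P INPUT DROP
  run ip6tables -P FORWARD DROP
  run ip6tables -P OUTPUT DROP
  run ip6tables -A INPUT -i lo -j ACCEPT
  run ip6tables -A OUTPUT -o lo -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
  killswitch_rules
fi
```

Verify with the routing-table and traffic-dump checks above: while the tunnel is down, "curl --get ifconfig.me" should hang or fail rather than print the ISP's address.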

[I HAVE THINGS WORKING TO THIS POINT; FOLLOWING PARTS NOT WORKING YET !]



strongSwan config method:

apt install strongswan-swanctl
# charon daemon probably is running already, but check:
sudo ps -ax | grep charon
# if not:
sudo /usr/libexec/ipsec/charon
sudo systemctl enable strongswan.service
systemctl status strongswan
# list connections
sudo swanctl -L
man swanctl
man swanctl.conf      # /etc/swanctl/swanctl.conf
man strongswan.conf   # /etc/strongswan.conf and /etc/strongswan.d/*

Main config file is /etc/strongswan.conf, but make any changes in /etc/strongswan.d/*

After any configuration change, do "systemctl restart strongswan" and "sudo ipsec restart".



"strongSwan is basically a keying daemon, which uses the Internet Key Exchange protocols (IKEv1 and IKEv2) to establish security associations (SA) between two peers." Charon is a keying daemon that implements the IKEv2 protocol for strongSwan.

"The actual IPsec traffic is not handled by strongSwan but instead by the network and IPsec stack of the operating system kernel."

Introduction to strongSwan


strongSwan through Network Manager method:

Tried installing from Mint's Software Manager ("strongSwan IPsec VPN solution metapackage" and "strongSwan-nm"), didn't work. Tried other things, no luck.

"sudo apt-get install network-manager-openvpn-gnome"

"apt install strongswan" and "apt install network-manager-strongswan" and "apt install strongswan-charon" and "apt install libcharon-extra-plugins".
Click network icon in system tray, Network Settings, Network Proxy, "+", get "Add VPN" dialog, choose "strongSwan", get another "Add VPN" dialog where you specify details.
If you have a username and password, set "Authentication" to "EAP".
Specify username, but there's no way to specify password ?
Click "Add" button. Dialog closes and back to "Network" window.
Select the VPN you just created and click "On". But fails to connect, every time.




Went to Settings / Network / Wired.

Clicked "+" next to VPN.

Types offered are OpenVPN and PPTP and "Add from file".



sudo apt install strongswan network-manager-strongswan libcharon-extra-plugins
Now have another choice "IPsec/IKEv2 (strongSwan)" in there.



Tip: In Network Manager, keep connection profile names descriptive and short, so they appear well in the desktop menu. E.g. "Winds-Open-NYC" instead of "Windscribe-OpenVPN-NewYorkCity".



Create an IKEv2 connection:

Gateway address from ping es.windscribe.com

Authentication = EAP.

Username from Windscribe.

Enable "Request an inner IP address".

Enable "Enforce UDP encapsulation".

Click "Add" button.

Copy password into clipboard.

Move slider to enable VPN.

Paste password into dialog.





Password is NOT remembered once the IKEv2 connection profile is set; you have to type it in each time you connect.



Connection is unreliable for some sites.

sudo gedit /etc/strongswan.d/charon/kernel-netlink.conf

# and after line "# mtu = 0" add:

mtu = 1300

# then reboot

# that helped a bit, but still not 100%


OpenVPN:

Logged into Windscribe account and got openvpn_cert.zip (contains ca.crt and ta.key files) and Windscribe-*.ovpn files and username and password.

Move the ca.crt and ta.key files to somewhere permanent; Network Manager seems not to keep its own copies of them.



sudo apt-get install network-manager-vpnc # doubt this is needed

Go to Settings / Network / Wired.

Click "+" next to VPN.

Click "Add from file".

Select the Windscribe-*.ovpn file.

See dialog; Gateway field should be populated, Authentication type = Password.

Type in username and password.

CA certificate field should be a .pem file.

Click Advanced.

Click TLS Authentication tab.

Under "Additional TLS authentication ..." should be Mode = TLS-Auth, Key-file = ta.key, Key Direction = 1, Extra certificates = ca.crt.

Click Okay.

Click Add.



Move slider to enable VPN.

In upper-right of desktop, see white rectangle "VPN" appear !

Do browser leak-tests.



After reboot, OS does not reconnect to VPN automatically.

Do "sudo nm-connection-editor" to set that.

Now after reboot, OS does not reconnect to wired ethernet automatically (!), but when you manually turn on wired ethernet, it WILL reconnect to VPN automatically.

Behavior is different for Wi-Fi ? Will connect to Wi-Fi automatically, but won't reconnect to VPN automatically ? Not sure.



Later, Windscribe sent me some configuration files, one per VPN server. They're .txt files that each have a complete Network Manager (or is it OpenVPN ?) VPN definition in them. [They're OpenVPN "unified connection profile" files, sometimes named with .ovpn extension; see OpenVPN's "Connection Profile creation".]

Do Settings / Network / VPN + / Import from file, give it one of these files, type in your username and password, done.

[nm-connection-editor will export a VPN connection to a file, but only for OpenVPN connections.]



Password is remembered once the OpenVPN connection profile is set; don't have to type it in each time.

To see connections: "nmcli". Also "nmcli general status".

To get GUI version for bug-reporting: "NetworkManager --version".

"ls /etc/NetworkManager/system-connections"





Note: Network Manager is a freedesktop.org component; bugs go to its tracker, "NetworkManager / issues".



Same issue with all types of VPN: when boot system, wired ethernet will be off. Have to turn it on before VPN's "connect automatically" setting works.

Went to Settings / Network / Wired. Clicked "+" next to VPN. Types offered are OpenVPN and PPTP and "Add from file". Now have another choice "IPsec/IKEv2 (strongSwan)" in there.

Tip: In Network Manager, keep connection profile names descriptive and short, so they appear well in the desktop menu. E.g. "Winds-Open-NYC" instead of "Windscribe-OpenVPN-NewYorkCity".



[Caution: later heard from someone on reddit who installed WireGuard into Mint 19 (probably 19.3) and something destroyed all his network interfaces, he had to re-install the system.]



I don't have a VPN service that supports WireGuard yet. Just curious.



sudo apt install wireguard
sudo modprobe wireguard
lsmod | grep wireguard
sudo ls /etc/wireguard
# 5/2020: I think no Network Manager GUI support yet;
# can't click "+" to create a WireGuard connection profile
nmcli connection add type wireguard ifname wg0 con-name Winds-WireG-Spain
# profile doesn't appear in Network Manager GUI
nmcli --overview connection show Winds-WireG-Spain

Thomas Haller's "WireGuard in NetworkManager"

psyhomb / wireguard-tools


Proxy

Router And Modem

WAN connector: connects to outside cable or phone line.

Modem: from WAN connector, converts fiber or phone signal to digital, sends to router.

[Fiber modem may be called an ONT (Optical Network Terminal).]

Router: intelligence that converts between internal (LAN) and external (WAN) IP addresses, using NAT.

LAN Switch: connects all the parts of the local network: LAN side of router, Ethernet ports, Wi-Fi AP.

LAN Ethernet connector: wired connection to client device in home.

Telephone connector: wired connection to telephone in home.

TV connector: wired cable connection to TV in home.

USB connector: for a disk drive to be shared on the LAN.

Wi-Fi access point: wireless connection to Wi-Fi devices in home.

These parts may be packaged into two devices (modem and router) or one device (router/modem).



Basically, two key layers, with their associated address forms: IP layer (with IP addresses, which are assigned by software or by router or by authorities).



Link layer (with MAC addresses, which are assigned by the hardware maker but can be overridden in software; many OSes and phones randomize them).



[Simplified, and assume a simple flat LAN, and client has single network interface:] In your computer, your browser forms an HTTP request and gives it to TCP layer, saying: "send to IP address N.N.N.N".

[Ignore how (DNS) a web-address is looked up to find IP address.]

TCP layer forms a TCP packet: TCP header followed by data (the HTTP request). The TCP header contains port numbers and flags and other info.

TCP layer gives TCP packet to IP layer, saying "send to IP address N.N.N.N".

IP layer forms an IP packet: IP header followed by data (the TCP packet). The IP header contains the IP addresses and other info.

The IP layer does a check of destination IP address N.N.N.N:



If special address such as localhost (anything in 127.0.0.0/8, i.e. 127.x.x.x), the traffic is handled internally by software and never reaches a network interface.



If source and destination IP addresses are on the same subnet (destination is in the LAN), the IP layer looks the destination up in the ARP table (broadcasting an ARP request first if it isn't there yet), and that gives MAC address DD:DD:DD:DD:DD:DD for the destination.



Otherwise, the routing table says the next hop is the default gateway, so the IP layer picks destination MAC address RR:RR:RR:RR:RR:RR (the router).

[This mapping was established earlier by ARP, resolving the "gateway" IP address (learned from DHCP) to the router's MAC address.]

IP layer gives IP packet to link layer, saying "send to MAC address" (DD:DD:DD:DD:DD:DD or RR:RR:RR:RR:RR:RR).

Link layer adds its own header. Then packet goes across the LAN (Ethernet or Wi-Fi) from MAC address CC:CC:CC:CC:CC:CC (your computer) to destination MAC address. At other end, link layer strips off the link header.

If the destination was the router:



The IP layer in the router does a lookup of IP address N.N.N.N in rules for IP address ranges. In simplest case, only rule is "send everything out to WAN". But there could be firewall rules, segmented LAN, etc. And DHCP table here serves as backstop for source machine's ARP table ?



If the destination IP address is outside your LAN (on public internet), the lookup finds that packets to IP addresses in that range should be sent to the device at MAC address II:II:II:II:II:II (the ISP's router). At the same time the router rewrites the source IP address from your computer's LAN address to its own public WAN address (NAT), and remembers the mapping (plus port numbers) so it can deliver the reply back to your computer.



Packet goes out (through a link layer again) through the modem to MAC address II:II:II:II:II:II.
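An added example (mine, not code from the page) that walks the decision above in code: given this PC's address and netmask, an ARP cache and a default gateway, it picks the next-hop MAC the way the IP layer does, then shows the headers each layer adds. The addresses, MACs and ARP entries are constructed for illustration and stand in for the N.N.N.N / DD:DD / RR:RR placeholders in the text; the NAT step belongs to the router and is not modelled here.

```python
import ipaddress

# Constructed sample topology (not from the page): one flat LAN, one interface.
MY_IFACE = ipaddress.ip_interface("192.168.1.20/24")   # this PC's address + netmask
MY_MAC = "CC:CC:CC:CC:CC:CC"
GATEWAY_IP = ipaddress.ip_address("192.168.1.1")       # learned from DHCP

# ARP cache (IP -> MAC), as filled in by earlier ARP request/reply exchanges.
ARP_TABLE = {
    ipaddress.ip_address("192.168.1.1"): "RR:RR:RR:RR:RR:RR",   # the router
    ipaddress.ip_address("192.168.1.30"): "DD:DD:DD:DD:DD:DD",  # a LAN peer
}


def next_hop(dst, iface=MY_IFACE, gateway=GATEWAY_IP, arp=ARP_TABLE):
    """Decide where the link layer must send a packet for IP address dst.

    Returns ("local", None) for traffic that never leaves the host,
    ("lan", mac) when dst is on our own subnet, or ("gateway", mac) when the
    packet has to be handed to the router.  Raises LookupError when the MAC
    we need is not cached yet: that is the point where the kernel would
    broadcast an ARP request and wait for the reply before sending.
    """
    dst = ipaddress.ip_address(dst)
    if dst.is_loopback or dst == iface.ip:
        return ("local", None)
    if dst in iface.network:                 # same subnet: deliver directly
        if dst not in arp:
            raise LookupError(f"ARP needed for {dst}")
        return ("lan", arp[dst])
    if gateway not in arp:                   # off-subnet: via default gateway
        raise LookupError(f"ARP needed for gateway {gateway}")
    return ("gateway", arp[gateway])


def build_frame(dst, dport, sport, payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"):
    """Stand-in for the headers each layer adds: TCP ports, IP addresses, then
    the Ethernet addresses chosen by next_hop().  Note that the IP destination
    stays the final target even when the Ethernet destination is the router."""
    kind, mac = next_hop(dst)
    if kind == "local":
        return {"via": "loopback", "ip_src": str(dst), "ip_dst": str(dst),
                "sport": sport, "dport": dport, "payload": payload}
    return {
        "via": kind,
        "eth_src": MY_MAC, "eth_dst": mac,               # link-layer header
        "ip_src": str(MY_IFACE.ip), "ip_dst": str(dst),  # IP header
        "sport": sport, "dport": dport,                  # TCP header
        "payload": payload,
    }


if __name__ == "__main__":
    for target in ("127.0.0.1", "192.168.1.30", "93.184.216.34"):
        frame = build_frame(target, dport=80, sport=51000)
        print(target, "->", frame["via"], frame.get("eth_dst"))
```

The thing to notice in the output is that the off-LAN packet carries the router's MAC but the web server's IP: link-layer addresses change at every hop, IP addresses (before NAT) do not.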




Internet
  |
ISP
  |
WAN connection (fiber, cable, phone line)
  |
Modem
  |
NAT (many LAN devices share one public IP address)
  |
Firewall (filter traffic to prevent attacks)
  |
Router/switch (DHCP to assign LAN addresses; map IP addresses to external/Ethernet/Wi-Fi)
  |                                |
LAN Ethernet ports                 Wireless Access Point
  |                                |
Devices connected via Ethernet     Devices connected via Wi-Fi



Modem (owned by ISP or by you) + router (owned by ISP or by you).

Combined modem/router (owned by ISP or by you).

Modem (owned by ISP) + router (owned by ISP) in "bridge" mode + router (owned by you).

Combined modem/router (owned by ISP) in "bridge" mode + router (owned by you).

Implications:

You will be paying monthly rent for the pieces owned by the ISP.

The pieces owned by the ISP could be used by the ISP to spy on you.

The ISP may be slow to update firmware and software in their pieces to latest versions.

Likely you can't install new software on the pieces owned by the ISP.

Likely the ISP's standard software will not have features you could get through new software, such as VLANs, guest Wi-Fi networks, firewall, VPN, more.

From someone on reddit 7/2019:

You should have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.

If you have separate modem and router, plugging your PC directly into the modem for troubleshooting or something is a bad idea. You expose your PC directly to the internet and lose any protections implemented in the router.



Gigabit Ethernet (1000 Base-T), not just "Fast Ethernet" (100 Base-T).



Number of Ethernet LAN connectors.



VLANs: ability to put devices on separate VLANs where traffic does not pass between VLANs. You want this enforced in the switch/router, not just by packet-tags applied in each client device.



Guest networks: multiple Wi-Fi network names and passwords (and once devices log in, they're on separate LANs where traffic does not pass between LANs).



WPA3. Starting to become available at end of 2018.



IPv6. But your ISP and VPN may not support this.



Compatibility with / support for running a VPN client in the router.



Compatibility with / enough processing power and RAM to run a custom OS (DD-WRT, Tomato, pfSense, etc).



Firewall: ability to control traffic by MAC address, IP address, TCP/IP port number, maybe import lists of rules from elsewhere.



Incoming port forwarding.

Features that seem unimportant to me: parental controls, dual-band, built-in anti-malware, MU-MIMO, smartphone app to control router, Quality of Service (QoS) or Wi-Fi Multimedia traffic controls, mesh networking, USB port to make a NAS. Your priorities may be different.



Heard this, not sure if it's standard terminology/functionality: a device on a VLAN can talk to any other device on same VLAN, and to internet; a device on a guest network can only talk to internet.



WPS.



Remote management.



UPnP (Universal Plug and Play).



Any telemetry or "phone home" features.





If setting address from the router, it's called a DHCP reservation (or just "reservation"). "Static" only applies if done from the client side.



Do all assignments in one place, centrally: the router.



Good idea to have reservations for all server-type devices: NAS, printers, Pi-hole, etc. This may include game consoles and IoT devices, if anything is going to initiate traffic to them.



Don't do client-side static assignments for devices such as phones and laptops which could be moved to another network at any time.



Also IPv6.



Firewall



Layer 3 (packet filtering): each packet judged on its own, by IP address, port number and protocol type (TCP, UDP, ICMP). Stateless, so it can't tell a reply to something you sent from an unsolicited packet.



Layer 4 (stateful filtering): tracks connections. TCP by its handshake and flags; UDP and ICMP by remembering recent outbound packets and timing the entries out. This is what lets a router let replies in without leaving ports open permanently.



Layer 7 (application level): understand application protocols such as FTP, SMTP, Telnet, HTTP, etc.



WAF: Web Application Firewall (understand HTTP and associated).



Torrent Seedbox

DNS (Domain Name Service)



Best way: a leak-test site such as Doileak.com will tell you what DNS server actually is being used.



On Linux:

systemd-resolve --status
nmcli dev show | grep DNS
resolvectl status
resolvectl statistics # see DNS cache statistics
# cache is limited to 4096 entries
# Firefox has its own very transient DNS cache in front of this one
cat /etc/nsswitch.conf
nmcli dev show tun0 # and see GATEWAY
systemd-resolve --status # and see "Current DNS Server" for "tun0" device



Open a command prompt and run "nslookup google.com". The "Server" address shown first is the resolver your system is using. If it's a private-range IPv4 address (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or a loopback address (127.0.0.0/8), something on your computer, VPN, router or ISP is answering locally and forwarding to a real resolver you can't see from here. On Ubuntu/Mint with systemd-resolved it will be 127.0.0.53, the local stub; "resolvectl status" shows the real upstream server per interface. See Tim Fisher's "Private IP Address".

A few other settings are shown by Cloudflare's "Browsing Experience Security Check".



Test both with VPN on and with VPN off. There WILL be times you need to turn the VPN off to access some site.



If/when you're using a VPN, use the VPN's DNS. That way all DNS traffic is inside the VPN's encrypted tunnel, and your ISP or eavesdroppers can't see it.



Tricky: you want your system to be reaching the DNS server through the VPN, not directly. If the DNS address your system is using is a private address pushed by the VPN (something like 10.x.x.x that is not your own LAN's range), it is reachable only inside the tunnel. If it's your router's address (typically 192.168.x.x), queries are going to the router and from there out to the ISP, outside the tunnel.


When the VPN is off: Probably might as well just use your ISP's DNS, since the ISP is going to see all the IP addresses you access anyway. But instead you could:

Avoid a DNS owned by a data-collector (e.g. Google).

Use a DNS owned by a service that is fast and supposedly doesn't log traffic (e.g. Cloudflare 1.1.1.1 and 1.0.0.1, Quad9 9.9.9.9, OpenDNS 208.67.222.222).

Use a DNS that will block malware and/or adult sites (e.g. Cloudflare 1.1.1.3 and 1.0.0.3). See Cloudflare's "Introducing 1.1.1.1 for Families".

Use an encrypted connection to DNS (DNS over TLS or DNS over HTTPS) to prevent your ISP from redirecting you (if ISP is malicious), or to prevent someone on your LAN (which may be public Wi-Fi) from modifying your DNS results. This hides the queries, not the destinations: the ISP still sees the IP addresses you connect to, and for most sites the hostname in the TLS handshake (SNI).
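An added example (not from the page) that does the "is my DNS going through the tunnel ?" check from "nmcli dev show" output instead of by eye: it parses each device's addresses and DNS servers and then says, for each resolver, whether it is on-link via a LAN interface (outside the tunnel), on-link or privately routed via a tun/wireguard device (inside it), a loopback stub, or a public resolver that follows the default route. The nmcli output below is constructed to look like a Mint box with Ethernet plus an OpenVPN tun0; all addresses and the device list are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

VPN_DEVICE_TYPES = {"tun", "wireguard", "vpn"}   # NetworkManager GENERAL.TYPE values


@dataclass
class Device:
    name: str
    type: str
    addrs: list = field(default_factory=list)   # IPv4Interface / IPv6Interface
    dns: list = field(default_factory=list)     # IPv4Address / IPv6Address


def parse_nmcli_dev_show(text):
    """Parse `nmcli dev show` output: one block of "KEY: value" lines per
    device, blocks separated by a blank line."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")   # keys never contain ':'
            fields[key.strip()] = value.strip()
        dev = Device(fields.get("GENERAL.DEVICE", "?"), fields.get("GENERAL.TYPE", "?"))
        for key, value in fields.items():
            if key.startswith(("IP4.ADDRESS", "IP6.ADDRESS")) and value != "--":
                dev.addrs.append(ipaddress.ip_interface(value))
            elif key.startswith(("IP4.DNS", "IP6.DNS")) and value != "--":
                dev.dns.append(ipaddress.ip_address(value))
        devices.append(dev)
    return devices


def classify_dns(server, devices):
    """Say where queries to this resolver will go, given the interfaces that are up."""
    ip = ipaddress.ip_address(server)
    if ip.is_loopback:
        return "local stub resolver; run resolvectl status to see the real upstream"
    for dev in devices:
        if any(ip in a.network for a in dev.addrs):
            if dev.type in VPN_DEVICE_TYPES:
                return f"on-link via {dev.name}: inside the VPN tunnel"
            return f"on-link via {dev.name}: LAN/router, outside the tunnel (ISP can see it)"
    tunnel_up = any(d.type in VPN_DEVICE_TYPES and d.addrs for d in devices)
    if ip.is_private:
        if tunnel_up:
            return "private address not on any link: only reachable through the tunnel (VPN DNS)"
        return "private address with no tunnel up: unreachable, or something is intercepting DNS"
    if tunnel_up:
        return "public resolver: goes wherever the default route points (tunnel if the VPN owns it)"
    return "public resolver, reached directly: the ISP can see the queries"


def dns_report(text):
    """Map every configured resolver (as a string) to its classification."""
    devices = parse_nmcli_dev_show(text)
    return {str(s): classify_dns(s, devices) for d in devices for s in d.dns}


# Constructed sample, shaped like `nmcli dev show` on Mint with OpenVPN up.
SAMPLE_NMCLI_VPN_ON = """\
GENERAL.DEVICE:                         eth0
GENERAL.TYPE:                           ethernet
GENERAL.STATE:                          100 (connected)
IP4.ADDRESS[1]:                         192.168.1.20/24
IP4.GATEWAY:                            192.168.1.1
IP4.DNS[1]:                             192.168.1.1
IP6.ADDRESS[1]:                         fe80::1234/64

GENERAL.DEVICE:                         tun0
GENERAL.TYPE:                           tun
GENERAL.STATE:                          100 (connected (externally))
IP4.ADDRESS[1]:                         10.120.34.56/22
IP4.GATEWAY:                            --
IP4.DNS[1]:                             10.255.255.3

GENERAL.DEVICE:                         lo
GENERAL.TYPE:                           loopback
GENERAL.STATE:                          10 (unmanaged)
IP4.ADDRESS[1]:                         127.0.0.1/8
"""

if __name__ == "__main__":
    for server, verdict in dns_report(SAMPLE_NMCLI_VPN_ON).items():
        print(f"{server:16} {verdict}")
```

In the constructed sample the router (192.168.1.1) is still listed as a resolver for eth0; whether queries actually go there depends on which interface's DNS servers resolved/NetworkManager prefers, which is exactly why the leak-test site check above is still the final word. Feeding real output (nmcli dev show | python3 -c '...') is left as an exercise.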





MAC Address

Certificates in the browser

ls /etc/ipsec.d/cacerts
ls /usr/share/ca-certificates
ls /usr/share/ca-certificates/mozilla
ls /etc/pki
ls -l /usr/local/share/ca-certificates
ls -l ~/.mozilla/firefox/*.default-release/cert*
locate .pem # finds files everywhere
sudo ls -l /etc/ssl/private # key files

# Symlinks to cert files in other dirs.
# Updated by running "update-ca-certificates".
ls /etc/ssl/certs

# To get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' </etc/ssl/certs/ca-certificates.crt

# List all certs in system and display issuer and expiration date
# (.pem files that hold a key rather than a cert just produce an error):
locate .pem | grep "\.pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}
# man openssl-x509

# check for certs expired or due to expire in next month (30*24*60*60 == 2592000 seconds)
for f in /etc/ssl/certs/*.pem
do
  if ! openssl x509 -checkend 2592000 -noout -in "$f" >/dev/null
  then
    openssl x509 -issuer -enddate -noout -in "$f"
  fi
done

# Snap version of sqlitebrowser fails, don't use it.
# https://sqlitebrowser.org/
sudo apt install sqlitebrowser
sqlitebrowser --help
sqlitebrowser --read-only --table nssPublic ~/.mozilla/firefox/*.default-release/cert9.db
# Personal certs are listed among the others.
# The interesting data is in a blob in column a11, I think.
# But I think this is a cache; not all certs are listed.

# man openssl-pkcs12
locate .p12 .pfx
# -nokeys: extract only the certificate, so the private key is never written to disk in the clear
openssl pkcs12 -in CERTNAME.p12 -out TMP.pem -nokeys -clcerts
openssl x509 -issuer -enddate -checkend 2592000 -noout -in TMP.pem
rm TMP.pem

# File types (the extension is only a convention; look inside with "openssl x509 -text -in FILE" or "openssl pkcs12 -info -in FILE"):
# .p12 / .pfx : PKCS#12 container (binary) holding one or more certificates plus, usually, the matching private key; normally password-protected. .pfx is the older Microsoft name for the same format.
# .key : a private key (PKCS#8 or PKCS#1), in DER (binary) or PEM (Base-64 with BEGIN/END header and footer) encoding. The public key can be derived from it, so guard it like a password.
# .cer / .crt : a certificate (public key plus identity, signed by the issuer), DER or PEM encoded.
# .der : a certificate or key in DER binary encoding.
# .pem : PEM encoding of anything (certificate, key, CSR, CA bundle); the BEGIN line says which.
# .ca-bundle : several CA certificates in PEM, concatenated.
# .pvk : Microsoft's private-key format.

Location Leaks

LAN address (192.168.n.n).

VPN client's WAN address (10.n.n.n in my case).

Router's WAN address (77.n.n.n in my case).

VPN server's WAN address (89.n.n.n in my case).

Inbound Traffic



Normally, a router's firewall blocks all incoming traffic unless it's related to outgoing traffic. The firewall will temporarily open ports used by the outgoing traffic.



Port forwarding allows unsolicited incoming traffic to a port or range of ports through the firewall to a specific IP address in your LAN.



By opening an inbound port, you are exposing a device to unsolicited traffic from the Internet. Unless you can restrict the incoming traffic to a trusted remote address, the device may be at risk of being compromised. Open ports only when there is no option, such as gaming. Only open the necessary ports, and close them when finished. For other use cases, [carefully evaluate how much you can restrict access and what kind of authentication is being used.]



...



Tunneling home over an inbound VPN will give the outside client machine access to everything in your network, and apps like Hamachi work great for playing games that are only designed to work over LAN. However, inbound VPN is not suitable for services that need to be accessible by clients you don't control or clients that you don't want to have access to your whole internal network. You would not use an inbound VPN just to make a web server accessible, nor would you use an inbound VPN for most services designed to work over the Internet.



...



Low-security file sharing protocols like SMBv1 are only safe to use over a secure LAN and should never be exposed to the internet.



...







UPnP is a multi-purpose protocol. One of its functions is to enable a device to dynamically set up port forwarding on a UPnP-enabled router. This can be convenient when multiple devices (such as multiple gaming consoles) need port forwarding. The application/game must work on multiple, different ports. If it doesn't, then it's impossible for multiple consoles to work in the same network. While UPnP can be convenient, there are documented instances of security vulnerabilities associated with it.



Most people will want to set up port forwarding manually on the router or use UPnP. In most cases, it makes sense to pick one method. ... Using a combination of both will give the static rules precedence. Some people disable UPnP port forwarding entirely for security reasons, but using both doesn't create any issue. The only reason to say "I'm only using UPnP" is to avoid confusion between the static and dynamic port forwarding rules. You can use both. While it's true that UPnP is insecure by design, the convenience it offers home users is usually well worth the concerns in small networks where you manage all the devices. ... For any given application/game, you only need to use one. It's certainly possible to use static port forwarding for one application and UPnP for another.



...



In a home network, it's strongly recommended to have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.



...



Usually, you need only concern yourself with opening ports for incoming traffic. All consumer-grade routers open all ports in the outgoing direction by default, so you can generally ignore any application- or game-specific requirements to open outbound ports. You may come across some applications and games where it's not specified which direction (inbound/outbound) needs to be opened. This is really unfortunate, as you end up having to open more ports than necessary. Do be sure you open the correct protocol (UDP or TCP). If in doubt, open both.



...



Before you test port forwarding through your router [to a server on your LAN], make sure the application/game is running on your server. Then try connecting to it locally from another local device. ... Once you have confirmed that a local connection works, you can proceed to test port forwarding [inbound from the internet]. ...



...



If you run the actual application/game executable (not through a browser), maybe run it on a device that is not connected to your home network (LAN). If you have a smartphone, for example, switch from Wi-Fi to cellular Internet.
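An added example, mine rather than the page's or any router vendor's code, serving both the Firewall section above (layer-3 stateless vs layer-4 stateful filtering) and this Inbound Traffic discussion: a small model of a consumer router doing NAT, connection tracking and static port forwards. Outbound packets always pass and create a tracked flow; inbound packets are delivered only if they are the reply half of a tracked flow or hit a port-forwarding rule, and the stateless filter is shown beside it for contrast. The public IP, LAN range, port-preserving NAT and the absence of timeouts (flows are closed explicitly) are constructed simplifications.

```python
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "77.0.0.2"   # router's WAN address (constructed; cf. "77.n.n.n" under Location Leaks)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class HomeRouter:
    """NAT + stateful (layer-4) firewall + static port forwards, in the spirit
    of a consumer router.  Simplification: the translated source port is the
    same as the LAN host's source port, and no timeouts are modelled beyond
    an explicit close()."""

    def __init__(self, lan, forwards=None):
        self.lan = ipaddress.ip_network(lan)
        # (proto, remote_ip, remote_port, ext_port) -> (lan_ip, lan_port)
        self.conntrack = {}
        # (proto, ext_port) -> (lan_ip, lan_port): the "port forwarding" rules
        self.forwards = dict(forwards or {})

    def outbound(self, p):
        """LAN -> WAN.  Always allowed; remember the flow so the reply can come
        back, and rewrite the source address to our public IP (NAT)."""
        if ipaddress.ip_address(p.src) not in self.lan:
            raise ValueError(f"{p.src} is not on the LAN")
        self.conntrack[(p.proto, p.dst, p.dport, p.sport)] = (p.src, p.sport)
        return replace(p, src=PUBLIC_IP)

    def inbound(self, p):
        """WAN -> LAN.  Returns the packet as delivered to the inside host, or
        None if the firewall drops it.  Only two things get through: the reply
        half of a flow we started, and ports explicitly forwarded."""
        if p.dst != PUBLIC_IP:
            return None
        target = self.conntrack.get((p.proto, p.src, p.sport, p.dport))
        if target is None:
            target = self.forwards.get((p.proto, p.dport))
        if target is None:
            return None                       # unsolicited: dropped
        lan_ip, lan_port = target
        return replace(p, dst=lan_ip, dport=lan_port)

    def close(self, outbound_packet):
        """Forget a flow (TCP FIN/RST seen, or UDP entry timed out).  Packets
        that arrive for it afterwards are unsolicited again and get dropped."""
        p = outbound_packet
        self.conntrack.pop((p.proto, p.dst, p.dport, p.sport), None)


def stateless_inbound(p, open_ports):
    """What a layer-3 packet filter can do: judge the packet by its own header
    only.  To let replies in it has to leave the whole ephemeral port range
    open, which is the weakness stateful filtering fixes."""
    return p if p.dport in open_ports else None


if __name__ == "__main__":
    router = HomeRouter("192.168.1.0/24", forwards={("tcp", 25565): ("192.168.1.50", 25565)})
    request = router.outbound(Packet("tcp", "192.168.1.20", 51000, "93.184.216.34", 443))
    print("on the wire:", request)
    print("reply delivered to:", router.inbound(Packet("tcp", "93.184.216.34", 443, PUBLIC_IP, 51000)))
    print("port scan delivered to:", router.inbound(Packet("tcp", "198.51.100.7", 4444, PUBLIC_IP, 51000)))
    print("forwarded game port to:", router.inbound(Packet("tcp", "198.51.100.7", 4444, PUBLIC_IP, 25565)))
```

Two details worth noticing: a packet to the forwarded port gets in from any source (that is the "restrict to a trusted remote address if you can" advice above), and the UDP forward is a separate rule from the TCP one, which is why "if in doubt, open both" comes up.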

Tor Browser

Tor Browser and normal OS : Only activity from Tor Browser goes through onion network; all other traffic goes out normally (and your home IP address is revealed to destination servers). ISP sees that you're using onion network, and sees the destination IP addresses on your other traffic.



This is a bad configuration: For your non-onion traffic (from services, and apps other than Tor Browser), your ISP is seeing the destination IP addresses, and your home IP address is being revealed to the destination servers.


Tor Browser and normal OS and VPN (AKA "Tor over VPN"): All traffic (Tor and other) goes out through VPN; activity from Tor Browser then goes through onion network (after coming out of VPN server). ISP sees that you're using VPN, but can't tell anything else.



This is a good configuration: All your traffic is protected from your ISP and the destination servers, one way or the other. And for your Tor Browser traffic, the VPN knows your ID but only sees that your destination is an onion entrance node, it doesn't know your final destination.




Normal OS and an onion connector (e.g. nipe or Orbot or TorGhost etc): All network traffic goes through onion network. ISP sees that you're using onion network.



This is a somewhat-good configuration: All your traffic is protected from your ISP and the destination servers, but you're paying a performance cost by using the onion network for everything.


Custom OS and an onion connector (e.g. Tails, Kodachi, Subgraph OS, Whonix): All network traffic goes through onion network. ISP sees that you're using onion network.



This is a somewhat-good configuration: All your traffic is protected and there may be other security and privacy features, but you're paying a performance cost and running an uncommon OS that may lack features or support.


Normal OS and a VPN and then an onion connector (AKA "VPN over Tor"): All network traffic goes through onion network, then to VPN server. ISP sees that you're using onion network.



This is a bad configuration for onion traffic: You're losing any benefit from the onion routing, the VPN knows your ID and sees the final destination of your traffic.





[I am talking about "Tor over VPN in a normal OS", not Tails or "VPN over Tor": connect your system to internet through a VPN, then run Tor Browser. So onion traffic comes out of Tor Browser, goes through VPN, comes out of VPN server, then goes into onion network and does multiple hops until coming out of an exit relay or getting to an onion web site.]



How your traffic looks:

Not sure this is right:

Component                  Encryption on this link     Src -> Dest (IP address on outside)
Tor Browser
  request v / response ^   None                        (none) -> Onion entry
OS TCP/IP
  request v / response ^   HTTPS                       PC LAN -> Onion entry
VPN client
  request v / response ^   HTTPS + VPN                 PC LAN -> VPN Srv
PC's Wi-Fi adapter
  request v / response ^   HTTPS + VPN + Wi-Fi         PC LAN -> Router LAN
LAN Wi-Fi
  request v / response ^   HTTPS + VPN + Wi-Fi         PC LAN -> Router LAN
Router's Wi-Fi adapter
  request v / response ^   HTTPS + VPN                 PC LAN -> VPN Srv
Router
  request v / response ^   HTTPS + VPN                 Router public -> VPN Srv
ISP
  request v / response ^   HTTPS + VPN                 Router public -> VPN Srv
Internet
  request v / response ^   HTTPS + VPN                 Router public -> VPN Srv
ISP2
  request v / response ^   HTTPS + VPN                 Router public -> VPN Srv
VPN server
  request v / response ^   HTTPS                       VPN Srv -> Onion entry
ISP2
  request v / response ^   HTTPS                       VPN Srv -> Onion entry
Internet
  request v / response ^   HTTPS                       VPN Srv -> Onion entry
ISP3
  request v / response ^   HTTPS                       VPN Srv -> Onion entry
Onion entry server
  request v / response ^   HTTPS                       VPN Srv -> Onion entry
Server OS TCP/IP
  request v / response ^   None                        VPN Srv -> Onion web site
Onion relay code
  request v / response ^   None                        Onion entry -> Onion relay 1
Onion relay 1
  ...                      HTTPS                       Onion relay 1 -> Onion relay 2
Onion relay 2
  ...                      HTTPS                       Onion relay 2 -> Onion relay 3
Onion relay 3
  request v / response ^   HTTPS                       Onion relay 3 -> Onion web site
Onion web site





Use the VPN all the time, 24/365, don't turn it on and off. Some traffic, such as Tor/onion traffic, does not need the protection of the VPN, but is not hurt by use of the VPN. But even when you're using Tor, background services and apps may be doing network traffic, and you want all that traffic to be protected and not revealing your real IP address. [I'm talking about Tor Browser in a normal OS, not Tails.] And if you get in the habit of turning the VPN off and back on, at some point you will forget to turn it back on when you need it.





Some people argue that Tor IS hurt by using it through a VPN. I think their reasoning is that the VPN service is another point of risk where someone could be monitoring your traffic. It's an increase in attack surface. And a VPN company may not be bound by privacy laws as strictly as an ISP is bound (varies by country).



But is having a malicious VPN monitor your traffic any worse than having your ISP monitor it? All a malicious VPN could see is that you're using Tor/onion: the address of the onion entry relay you connect to (which is in the public Tor relay list anyway), plus the timing and volume of that traffic, which the ISP would see just the same. I'd rather have a VPN company know that, and my ISP not know it, than have the ISP know it. The ISP knows my real name and physical address, and the VPN doesn't (as long as you didn't pay in a way that identifies you). I'd rather trust my VPN than my ISP. And in either case, all I'm trusting them with is "I'm using Tor/onion". They can't see the details of the traffic. [Caveat: if you have to use the VPN's proprietary client, the calculation changes.]



Some people say "a VPN can keep logs". Sure, and so could an onion entry relay or exit relay, or my ISP. And in the VPN or ISP cases, all the logs would show is "he did Tor/onion traffic", when, and how much.



A more serious issue arises if you're using the VPN's own proprietary client on your machine. That client software handles all of your traffic, usually with administrator or root privileges, and you have to trust that it's not malicious. If you're using HTTPS from a normal browser, or using Tor Browser, what the VPN client can see on the wire is limited: even a totally malicious client would see only which domains you're accessing (from your DNS lookups and the TLS SNI field, in the case of HTTPS) or that you're connecting to a Tor entry relay (in the case of Tor Browser). But a malicious program running with those privileges is not limited to watching the wire; it could read your files or install a root certificate to intercept your HTTPS. So prefer a standard open-source client (OpenVPN, or WireGuard) fed with the provider's configuration file.



Some people say: instead of using a VPN, just run ALL system traffic through Tor/onion. But I don't think that is encouraged by the Tor Project, especially if you're doing downloads or torrenting or VoIP. And I don't think there's an official proxy for that, just some unofficial projects that implement it.





As far as I can tell, the Tor Project does not say that using Tor with a VPN is necessarily bad.



Tor Wiki

Tor Wiki's "TorPlusVPN"

Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"





So I think the bottom line is: using a VPN adds slightly to the attack surface and doesn't add security to Tor itself, but it gives the huge benefit of continuing to protect your non-Tor traffic while you're using Tor, and it avoids forgetting to turn the VPN back on after you've finished using Tor.