Ok, so you have seen Mr. Robot, or read the news, or maybe just developed the common sense to know that when you are on a public WiFi, whether at your local Starbucks, an airport, wherever, you are facing a potentially serious threat to your privacy.
You can be spied on by others on the network or by the WiFi provider, who at best just wants to see what websites you are visiting and at worst wants to get into your computer. You could even join a WiFi that looks exactly like the local Starbucks network but is actually an impostor set up by someone else (an 'evil twin')! Anyway, it is just one of the many threats you must be aware of when it comes to security and privacy!
(Additionally, your ISP can sell data about your unencrypted traffic to third parties. Legally! But that's another issue.)
"ISPs are in a position to see a lot of what you do online. They kind of have to be, since they have to carry all of your traffic," explains Electronic Frontier Foundation (EFF) senior staff technologist Jeremy Gillula. "Unfortunately, this means that preventing ISP tracking online is a lot harder than preventing other third-party tracking—you can't just install [the EFF's privacy-minded browser add-on] Privacy Badger or browse in incognito or private mode."
Yes, all that is possible, but there is a solution! It's called a VPN: your very own Virtual Private Network!
Basically, you switch it on, connect through a VPN provider, your traffic is encrypted and your IP is masked, and you are now pretty much totally worry free?
VPN! The holy grail of internet and network privacy! NOPE!
Many of our friends and business associates ask 'what is the best VPN?' We will get on to the various options, but we have some way to go yet.
So let's get things into perspective!
A VPN hides your real IP from the sites you visit, and your ISP can no longer see the contents or destinations of your traffic, only that you are talking to a VPN server. That also makes it harder for the ISP to single out your streaming and slow it down.
They shouldn't do that anyway! But they do!
With that out of the way, let's say you want to watch a Bundesliga game and need a German IP address, or a Premier League game and need a UK IP address, or watch Netflix and get the US shows wherever you are...
...this is what VPNs do really well. BUT if you want privacy, use Tor! A VPN simply moves the trust from your ISP to the VPN company, which now sees everything your ISP used to see.
That said, not all is lost when it comes to VPNs! In the next chapters and sections of the Privacy Cookbook, we will cover a number of VPN providers, demonstrate DIY VPN setups and look at the best and worst encryption options out there.
Let's start with the main options!
You have Shadowsocks and SOCKS5 proxies, which can unblock websites that are blocked by your ISP (which thinks it is doing the right thing) or by your government (which believes you shouldn't get real news and would rather feed you propaganda and the corporate/party line)! Shadowsocks was created in China to get over the Great Firewall, so yes, it works! Note the difference between the two: a plain SOCKS5 proxy only relays your connections and encrypts nothing, so it hides the destination from a local filter but not from anyone watching the link to the proxy; Shadowsocks wraps a SOCKS-style proxy in an encrypted stream designed to look like random noise, which is what makes it hard for deep packet inspection to spot.
A Shadowsocks 'how to do it yourself' guide will be published here soon.
IKEv2 (Internet Key Exchange version 2) is the protocol that sets up the Security Associations between two systems: it authenticates both ends and negotiates the keys and algorithms, and IPsec (ESP) then uses those to encrypt the actual packets, which is why you always see the two paired as IKEv2/IPsec. It is not that recent (IKEv2 was first published in 2005 as RFC 4306; the current spec is RFC 7296), but it is the modern version of IKE and replaces the messy IKEv1. IKEv2/IPsec is natively supported on Windows, macOS, iOS and Android, plus (believe it or not) BlackBerry devices (remember these?).
IKEv2 and L2TP both get their actual encryption from IPsec, so on the wire they are equally secure. But IKEv2/IPsec has advantages over L2TP/IPsec, especially on mobiles. Principal amongst these are:
IKEv2/IPsec doesn't double-encapsulate data (L2TP wraps your packets in a PPP/L2TP tunnel first and IPsec then encrypts that), so it is generally quicker.
IKEv2/IPsec handles network changes via MOBIKE (RFC 4555), which lets a tunnel survive a change of IP address without a full re-handshake; this is significant when you're traveling around and hopping between WiFi and cellular.
On the downside, IKEv2/IPsec needs UDP ports 500 and 4500 (and, without NAT traversal, ESP, IP protocol 50) to be allowed through, so on a restrictive network you may need to open firewall ports manually or it simply won't connect, and because it doesn't look like web traffic a censor can block it easily.
IKEv2 is also very lightweight and can, in some cases, run alongside DNSCloak on iOS. This is a fast and effective solution, but bear in mind the claim, based on documents from the Snowden archive, that the NSA has been able to decrypt some IPsec VPN traffic. Those documents show a capability, not a method; the explanation most researchers find plausible is that a great many IPsec deployments negotiated 1024-bit Diffie-Hellman groups, which a state-level adversary could afford to precompute against, rather than any break of the protocol itself. The practical takeaway is to insist on 2048-bit or larger MODP groups, or elliptic-curve groups, in your IKE proposals. That said, take a look at the following statement from security researcher Thomas Ptacek about the 2010 allegation that the FBI had planted a backdoor in OpenBSD's IPsec stack:
In 2001, Angelos Keromytis --- then a grad student at Penn, now a Columbia professor --- added support for hardware-accelerated IPSEC NICs. When you have an IPSEC NIC, the channel between the NIC and the IPSEC stack keeps state to tell the stack not to bother doing the things the NIC already did, among them validating the IPSEC ESP authenticator. Angelos' code had a bug; it appears to have done the software check only when the hardware had already done it, and skipped it otherwise.
The bug happened during a change that simultaneously refactored and added a feature to OpenBSD's ESP code; a comparison that should have been == was instead !=; the "if" statement with the bug was originally and correctly !=, but should have been flipped based on how the code was refactored.
HD Moore may as we speak be going through the pain of reconstituting a nearly decade-old version of OpenBSD to verify the bug, but stipulate that it was there, and here's what you get: IPSEC ESP packet authentication was disabled if you didn't have hardware IPSEC. There is probably an elaborate man-in-the-middle scenario in which this could get you traffic inspection, but it's nowhere nearly as straightforward as leaking key bits.
To entertain the conspiracy theory, you're still suggesting that the FBI not only introduced this bug, but also developed the technology required to MITM ESP sessions, bouncing them through some secret FBI-developed middlebox.
One year later, Jason Wright from NETSEC (the company at the heart of the [I think silly] allegations about OpenBSD IPSEC backdoors) fixed the bug.
It's interesting that the bug was fixed without an advisory (oh to be a fly on the wall on ICB that day; Theo had a, um, a, "way" with his dev team). On the other hand, we don't know what releases of OpenBSD actually had the bug right now.
It seems vanishingly unlikely that there could have been anything deliberate about this series of changes. You are unlikely to find anyone who will impugn Angelos. Meanwhile, the diffs tell exactly the opposite of the story that Greg Perry told. - Thomas Ptacek
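Since the caveats above come down to which proposals and options you actually configure, here is an added example (ours for this chapter, not the Privacy Cookbook's forthcoming guide and not strongSwan project code) of what a hardened IKEv2 server definition looks like in strongSwan's swanctl.conf, next to the kind of legacy proposal string the 1024-bit Diffie-Hellman concern applies to. It is a POSIX shell script: it renders the connection block (MOBIKE on, AEAD ciphers, ECP/Curve25519 or 3072-bit MODP groups only) and extracts the DH groups from a proposal string so you can tell the two apart at a glance. The hostname vpn.example.net, the 10.9.0.0/24 pool, the DNS address and the certificate file name are assumptions.

```shell
#!/bin/sh
# Added example for this chapter (not the Privacy Cookbook's own guide and
# not strongSwan project code): render a strongSwan swanctl.conf road-warrior
# connection that pins IKEv2, MOBIKE and modern proposals, next to a legacy
# proposal set, and list the Diffie-Hellman groups each one would accept.
# The hostname, pool range, DNS address and certificate file name are
# assumptions for the demo.

# Typical of older 'it just works' configs: 1024-bit MODP and SHA-1.
LEGACY_PROPOSALS='aes256-sha1-modp1024,3des-sha1-modp1024'
# AEAD ciphers with ECP/Curve25519 or 3072-bit MODP groups only.
MODERN_PROPOSALS='aes256gcm16-prfsha384-ecp384,chacha20poly1305-prfsha256-curve25519,aes256-sha256-modp3072'
MODERN_ESP='aes256gcm16-ecp384,chacha20poly1305-curve25519'

# Print a swanctl.conf fragment. $1 = server identity (cert subject / DNS
# name), $2 = IKE proposals, $3 = ESP (child SA) proposals.
ikev2_swanctl_conn() {
    cat <<EOF
connections {
    roadwarrior {
        version = 2
        mobike = yes
        proposals = $2
        pools = rw_pool
        local {
            auth = pubkey
            certs = serverCert.pem
            id = $1
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            full-tunnel {
                local_ts = 0.0.0.0/0,::/0
                esp_proposals = $3
                dpd_action = clear
            }
        }
    }
}
pools {
    rw_pool {
        addrs = 10.9.0.0/24
        dns = 10.9.0.1
    }
}
EOF
}

# Pull the DH group tokens (modp*, ecp*, curve*) out of a proposal string,
# one per line, de-duplicated.
ikev2_dh_groups() {
    printf '%s\n' "$1" | awk -F'[-,]' '{ for (i = 1; i <= NF; i++) print $i }' |
        grep -E '^(modp|ecp|curve)' | sort -u
}

# True (exit 0) if any group is below the 2048-bit MODP floor.
ikev2_has_weak_dh() {
    ikev2_dh_groups "$1" | grep -qE '^modp(768|1024|1536)$'
}

for p in "$LEGACY_PROPOSALS" "$MODERN_PROPOSALS"; do
    if ikev2_has_weak_dh "$p"; then
        echo "WEAK  $p -> $(ikev2_dh_groups "$p" | tr '\n' ' ')"
    else
        echo "OK    $p -> $(ikev2_dh_groups "$p" | tr '\n' ' ')"
    fi
done
ikev2_swanctl_conn vpn.example.net "$MODERN_PROPOSALS" "$MODERN_ESP"
```

Drop the rendered fragment into /etc/swanctl/conf.d/ and load it with 'swanctl --load-all'; the same proposal syntax goes into the client's connection. If the other end only offers modp1024, the negotiation fails instead of silently downgrading, which is exactly what you want. The UDP 500/4500 firewall point from above still applies whatever you put in the proposals.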
OpenVPN is one of the most common and secure VPN protocols. It has been publicly audited and proven over a long period of time. OpenVPN supports a range of encryption algorithms including AES-256, the same cipher the US government approves for protecting classified data.
However, it's not the fastest solution!
It is open source software, which means the source code can be seen and inspected by anybody, and this happens a lot as people look for bugs or malicious code. Many VPN protocols are proprietary, which means you can't inspect the code and therefore have to trust the owner to maintain and protect it, and not to mismanage it!
OpenVPN runs over UDP or TCP; the default is UDP port 1194, but it can be configured to use TCP port 443. That port is principally used for HTTPS, so a firewall can't block it outright without also blocking large sections of the internet. Beware that OpenVPN on port 443 still doesn't look like HTTPS to deep packet inspection (its handshake has a recognisable shape of its own), which is why providers add a stealth or obfuscation mode that wraps the tunnel so the data resembles ordinary TLS traffic; that makes it much harder for censors or others to see that you are even using a VPN.
Another great feature of OpenVPN is that it is implemented in user space, meaning the OpenVPN code runs as an ordinary application and only talks to the kernel through a TUN/TAP virtual interface. Together with the fact that it is a standard, open protocol, this means you can download and install the client yourself, separately from whichever VPN service you have chosen.
What are the benefits of doing this? It could be that your VPN service doesn't provide a client for the device or OS you are on. An example of this would be that whilst most VPN services support OpenVPN, some don't provide a client for Linux. Download OpenVPN, import the provider's .ovpn profile, and you can get your Linux devices connected to the VPN without needing a proprietary client. Do read that profile before you use it, though: the provider's choices in it decide which cipher, HMAC and certificate checks you actually get.
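Because the profile you download from a provider is what actually decides the cipher, the HMAC and the certificate checks, here is an added example (ours, not the Cookbook's own guide and not OpenVPN project code) of a small POSIX shell audit you can run over a .ovpn file before you trust it. The two profiles inside it are constructed for the demo, with vpn.example.net and the key material as placeholders; the directive names are real OpenVPN 2.4+/2.5 options.

```shell
#!/bin/sh
# Added example for this chapter (not the Privacy Cookbook's own guide and
# not OpenVPN project code): audit a provider-supplied .ovpn client profile
# for the directives that decide how much protection you actually get.
# Both profiles below are constructed for the demo; vpn.example.net and the
# inline key are placeholders, not a real provider.

WEAK_OVPN='client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
auth MD5
comp-lzo
resolv-retry infinite
nobind
persist-key
persist-tun'

HARDENED_OVPN='client
dev tun
proto udp
remote vpn.example.net 1194
# AEAD data channel; data-ciphers is the 2.5+ name, cipher keeps 2.4 happy
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
# only accept a server cert with the server EKU, and pin its name
remote-cert-tls server
verify-x509-name vpn.example.net name
resolv-retry infinite
nobind
persist-key
persist-tun
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER_KEY_MATERIAL
-----END OpenVPN Static key V1-----
</tls-crypt>'

# First value of directive $2 in profile $1 (empty if absent). Comment
# lines (# or ;) are dropped first, as the OpenVPN parser does.
ovpn_get() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*[#;].*$//' |
        awk -v k="$2" '$1 == k { print $2; exit }'
}

# True if directive $2 is present, either as a line or as an inline <$2> block.
ovpn_has() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*[#;].*$//' |
        awk -v k="$2" -v b="<$2>" '$1 == k || $1 == b { f = 1 } END { exit !f }'
}

# Print one finding per line for profile $1; prints nothing for a clean file.
ovpn_audit() {
    cfg=$1
    cipher=$(ovpn_get "$cfg" cipher)
    if [ -z "$cipher" ] && ! ovpn_has "$cfg" data-ciphers; then
        echo "no cipher/data-ciphers pinned: falls back to the legacy default (BF-CBC) unless the server negotiates better"
    fi
    case "$cipher" in
        none|BF-CBC|DES-CBC|DES-EDE-CBC|DES-EDE3-CBC|RC2-CBC|RC2-40-CBC|RC2-64-CBC)
            echo "weak data-channel cipher: $cipher (64-bit block cipher or no encryption)" ;;
    esac
    case "$(ovpn_get "$cfg" auth)" in
        MD5|none) echo "HMAC auth is $(ovpn_get "$cfg" auth): packet authentication is MD5 or disabled" ;;
    esac
    ovpn_has "$cfg" remote-cert-tls ||
        echo "missing 'remote-cert-tls server': any certificate from the provider CA, another client's included, is accepted as the server"
    ovpn_has "$cfg" verify-x509-name ||
        echo "missing verify-x509-name: the server certificate's name is not pinned"
    if ! ovpn_has "$cfg" tls-crypt && ! ovpn_has "$cfg" tls-auth && ! ovpn_has "$cfg" tls-crypt-v2; then
        echo "no tls-crypt/tls-auth: control channel accepts unauthenticated packets and is easy to fingerprint"
    fi
    ovpn_has "$cfg" tls-version-min ||
        echo "no tls-version-min: TLS 1.0/1.1 can be negotiated for the control channel"
    if ovpn_has "$cfg" comp-lzo || ovpn_has "$cfg" compress; then
        echo "compression enabled: opens the tunnel to VORACLE-style compression-oracle attacks"
    fi
    return 0
}

# Number of findings, as a plain integer on stdout.
ovpn_finding_count() {
    ovpn_audit "$1" | awk 'END { print NR }'
}

echo "== weak profile =="
ovpn_audit "$WEAK_OVPN"
echo "== hardened profile: $(ovpn_finding_count "$HARDENED_OVPN") finding(s) =="
```

To run it against a real download, call ovpn_audit "$(cat provider.ovpn)" instead of the embedded string. The remote-cert-tls finding is the one people miss most: without it, any certificate issued by the provider's CA (another customer's client certificate, for instance) is accepted as the server, which is exactly what a rogue hotspot operator with a subscription needs.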
Looking at all the above points, it is fairly easy to understand why OpenVPN is the most popular VPN protocol in use today.
It works on routers, mobiles and all computers, and we will have a guide for each of those, so no worries: we will write up a guide on how to build and host your own OpenVPN server.
WireGuard is the new kid on the block and has been catching the eye of users across the world.
It is open-source software that runs inside the Linux kernel (it was merged into the mainline kernel in version 5.6), with user-space implementations for other platforms. It has only a few thousand lines of code, a fraction of OpenVPN or IPsec, which makes it easier to audit and leaves less room for bugs; it is easier to set up; and instead of negotiating ciphers at run time it uses one fixed set of modern primitives (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing) via the Noise protocol framework.
“Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.” - Linus Torvalds, Linux Foundation
Praise indeed, and this has the potential to become the star VPN protocol one day!
On the minus side, at the time of writing it was still under development and had to be seen as a work in progress; the project itself described it as a protocol for experimentation. Another negative is how it handles users: there is no dynamic IP assignment, so the provider has to bind every customer's public key to a fixed tunnel IP, and the server keeps each peer's most recent public endpoint (your real IP address) in its interface state without clearing it on its own. It isn't a log file, but it is more than the 'no logs' crowd will be comfortable with, and providers have to engineer around it.
WireGuard stays connected when you switch from WiFi to a cellular connection, which is a big plus! Whether your real IP ever leaks, though, is down to the client configuration rather than the protocol: the client has to route everything (0.0.0.0/0 and ::/0) into the tunnel and use a DNS server inside it, otherwise some of your traffic and your DNS lookups go around the VPN. (Your VPN provider sees your real IP regardless, but they would know anyway!)
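The 'never leaks' claim depends entirely on those client settings, so here is an added example (ours, not the Cookbook's forthcoming WireGuard guide and not WireGuard project code), as a POSIX shell script, that renders a server/client pair in wg-quick format and checks a client config for the split-tunnel and DNS mistakes that let traffic go around the VPN. The keys are placeholders (make real ones with 'wg genkey | tee client.key | wg pubkey'); vpn.example.net, port 51820 and the 10.8.0.0/24 tunnel range are assumptions.

```shell
#!/bin/sh
# Added example for this chapter (not the Privacy Cookbook's own guide and
# not WireGuard project code): render a server/client WireGuard config pair
# and check the client side for the settings that decide whether traffic or
# DNS lookups can slip around the tunnel. The keys are placeholders
# constructed for the demo (make real ones with
# 'wg genkey | tee client.key | wg pubkey'); vpn.example.net and the
# 10.8.0.0/24 tunnel range are assumptions.

SERVER_PRIV='<server private key from wg genkey>'
SERVER_PUB='<server public key from wg pubkey>'
CLIENT_PRIV='<client private key from wg genkey>'
CLIENT_PUB='<client public key from wg pubkey>'

# Server side. $1 private key, $2 listen port, $3 tunnel address/prefix,
# then pairs of "client_public_key client_tunnel_ip/32". WireGuard has no
# DHCP-style pool: every client key is bound to a fixed tunnel IP here.
wg_server_conf() {
    priv=$1; port=$2; addr=$3; shift 3
    printf '[Interface]\nPrivateKey = %s\nListenPort = %s\nAddress = %s\n' "$priv" "$port" "$addr"
    while [ $# -ge 2 ]; do
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
        shift 2
    done
}

# Client side (wg-quick format). $1 private key, $2 tunnel address, $3 server
# public key, $4 endpoint host:port, $5 DNS server inside the tunnel (may be
# empty), $6 AllowedIPs, i.e. what gets routed into the tunnel.
wg_client_conf() {
    priv=$1; addr=$2; server_pub=$3; endpoint=$4; dns=$5; allowed=$6
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n' "$priv" "$addr"
    if [ -n "$dns" ]; then printf 'DNS = %s\n' "$dns"; fi
    printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$server_pub" "$endpoint" "$allowed"
}

# Value of "Key = value" for $2 in config $1; splits on the first '=' only,
# because base64 keys end in '='.
wg_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { print v; exit }'
}

# One finding per line for a client config; nothing for a full-tunnel setup.
wg_client_leak_check() {
    cfg=$1
    allowed=$(wg_get "$cfg" AllowedIPs)
    case "$allowed" in
        *0.0.0.0/0*) ;;
        *) echo "AllowedIPs '$allowed' is a split tunnel: IPv4 traffic to anything else bypasses the VPN" ;;
    esac
    case "$allowed" in
        *::/0*) ;;
        *) echo "no ::/0 in AllowedIPs: IPv6 traffic bypasses the VPN on any network that offers IPv6" ;;
    esac
    [ -n "$(wg_get "$cfg" DNS)" ] ||
        echo "no DNS line: wg-quick leaves the local resolvers in place, so lookups leak outside the tunnel"
    return 0
}

# Number of findings, as a plain integer on stdout.
wg_leak_count() { wg_client_leak_check "$1" | awk 'END { print NR }'; }

FULL_TUNNEL=$(wg_client_conf "$CLIENT_PRIV" 10.8.0.2/32 "$SERVER_PUB" vpn.example.net:51820 10.8.0.1 '0.0.0.0/0, ::/0')
SPLIT_TUNNEL=$(wg_client_conf "$CLIENT_PRIV" 10.8.0.2/32 "$SERVER_PUB" vpn.example.net:51820 '' '10.8.0.0/24')

wg_server_conf "$SERVER_PRIV" 51820 10.8.0.1/24 "$CLIENT_PUB" 10.8.0.2/32
echo
printf '%s\n' "$FULL_TUNNEL"
echo "full tunnel findings:  $(wg_leak_count "$FULL_TUNNEL")"
echo "split tunnel findings: $(wg_leak_count "$SPLIT_TUNNEL")"
wg_client_leak_check "$SPLIT_TUNNEL"
```

The server side also shows the point made above: every client public key is bound to a fixed tunnel IP in the config, and once a client connects, 'wg show wg0 endpoints' lists its real IP next to that key, which is the state a 'no logs' provider has to deal with. Bring the client up with 'wg-quick up ./client.conf'; the DNS line only takes effect if resolvconf or systemd-resolved is available for wg-quick to call.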
Again, we will shortly have a guide on how to do your own WireGuard setup.
Before we get into self-hosted VPNs, let's review some of the best-known providers. We'll do it in one short and (hopefully) simple article. Don't worry, this won't be an in-depth review of NordVPN with a referral link, or a piece praising ExpressVPN just because it is quick; it will be more about how most of them have trackers and flaws, so that is what we will focus on!
Yes, there is a lot more to this than just using any old VPN for unblocking websites, so we recommend using this guide, but use it with caution: we've done our best, and we're not some kind of referrals-for-money guide!!!
Stay tuned......this chapter on VPNs is going to be a lot of fun!