VPN - Karegohan-And-Kamehameha/privacyguide GitHub Wiki
There are a lot of guides out there that cover the basics of using a VPN, so I am not going to do that here. Instead, this section focuses on answering some of the more advanced questions that may surface when using a VPN. Many of these answers are ones I have actually provided on Reddit, while others cover some of the more general areas.
Q: How do I choose a safe and reliable VPN?
A: First off, go take a look at Thatoneprivacyguy's comparison chart. There is a lot of information in one place that can help you narrow down the number of choices. Additionally, Torrentfreak has recently conducted an interview with all of the major VPN providers. If a VPN service is not listed there, or a company's answers show that it doesn't care about privacy, it's probably best to stay away from it. Privacytools also has a list of some reliable VPN providers, but that doesn't necessarily mean you have to choose one of them.
As far as countries go, some will say that you should avoid VPNs from Fourteen Eyes countries, but I would disagree with that statement, considering there are no guarantees that a VPN located outside of those countries doesn't cooperate with the NSA and other government agencies. The rule of thumb to use here is: never use a VPN from your own country. That way you can at least guarantee that anyone who tries to subpoena your VPN is going to have to jump through the hoops of another jurisdiction. Additionally, if you are located in one of the Five Eyes countries, it is recommended to avoid VPNs from any other Five Eyes country as well.
Don't forget that privacy isn't the only concern when using a VPN; speed and features are important too. Do you need your VPN to also provide proxy servers or SSH tunnels? Is a warrant canary important to you? Which countries do you need it to have servers in? Finally, when you have narrowed your list down to a few possible options, go read what people say about the candidates in /r/vpnreviews, but remember that some of them have an agenda: pay attention to their other posts to determine which ones are marketers in users' clothing. Don't trust people with too few posts or who just registered to post something, and don't trust those review sites on the internet, all of which seem to recommend the same few services over and over again.
Q: How do I know a VPN provider hasn't been compromised and gagged by a court order?
A: Some VPN services publish a warrant canary, a statement that they have not been gagged, and promise to replace it with a blank statement if they are. Whether or not they will actually do it is another question, but there is no legal ground for government agencies to stop them from doing it.
Q: Should I use OpenVPN or the client of my VPN provider?
A: OpenVPN should always be chosen over any proprietary client a service provides. Most of those clients are built on top of OpenVPN anyway; they consume more resources, are generally slower, offer less flexibility in terms of configuration, and often raise privacy concerns. The OpenVPN-GUI installer for Windows, as well as Linux packages, can be found here.
Q: I am using OpenVPN on Windows and my tunnel is slow, what can I do to optimize the speed?
A: For VPN over UDP, add the following lines to your .ovpn config file:
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
For a more detailed solution to speeding up your VPN, read this guide.
Q: I have a question about configuring OpenVPN...
A: RTFM.
Q: What is the difference between UDP and TCP for VPN?
A: They are different transport layer protocols with significant differences in header structure and functionality. UDP is very simple, while TCP is more sophisticated: it also sends ACKs for all the packets it has received to confirm that the data has been delivered. But since the majority of the traffic encapsulated within the VPN packets is already using TCP, this additional verification is not needed. Generally, because UDP is so simple, it tends to be faster than TCP and should be the protocol of choice, unless you are on a network with a restrictive firewall that blocks UDP traffic.
Q: What are IP leaks and how do I prevent them?
A: IP leaks are events that expose your real IP address to a server and/or send part of your traffic in unencrypted form to your ISP. IP leaks can generally be divided into four categories: DNS leaks, IPv6 leaks, reconnection leaks and WebRTC leaks. According to tests, most VPN services leak, but the truth is: it doesn't really matter, because all of these leaks can be prevented by properly configuring your setup.
1. DNS Leaks.
DNS leaks happen when a DNS resolution request is sent to the DNS server configured in your system instead of the one on the VPN server. The easiest and safest way to prevent DNS leaks is to set up DNSCrypt; that way, even if your VPN leaks DNS requests, the only thing that leaks is encrypted DNS requests to servers run by freedom-respecting companies and privacy enthusiasts. No identifiable information, and no way for your ISP to spy on you. The easiest way to set up DNSCrypt on Windows is to use Simple DNSCrypt.
If you would still rather only use your VPN's DNS servers, you can add the following line to your .ovpn config file:
block-outside-dns
However, this method did not work in my case and prevented me from establishing a connection with the VPN altogether.
For other methods of preventing DNS leaks, read this guide.
2. IPv6 Leaks.
IPv6 leaks happen when some or all of the IPv6 traffic is not routed through the VPN. This can happen for various reasons, but the easiest way to fix the problem is by disabling IPv6 altogether. Don't worry, unless your ISP doesn't support IPv4, your internet connection is going to work just fine without it.
3. Reconnection Leaks.
Reconnection leaks happen when the connection to a VPN server is lost and some of the traffic that previously went through the VPN ends up going over the open, unencrypted link. The way to prevent them is by setting up a kill switch, which terminates your internet connection, or the programs of your choice, as soon as it detects that the connection to the VPN server has been lost. A simple open source program that does this on Windows has been described in this Torrentfreak article.
4. WebRTC Leaks.
WebRTC leaks can happen when the corresponding function is used in a browser that supports it. For a way to fix WebRTC leaks in Waterfox refer to the Browser settings section of this guide.
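As an added example (not from the original wiki or the Torrentfreak article it mentions), here is a minimal kill switch for the reconnection leaks described in item 3, written in PowerShell: it polls the OpenVPN TAP adapter and, when the tunnel drops, stops the chosen programs and disables the physical adapter. The adapter names and process names are assumptions; run it from an elevated PowerShell session after the tunnel is up.

```powershell
# Added example, not part of the original wiki. Names below are assumptions
# for a typical Windows + OpenVPN setup; check yours with Get-NetAdapter.
$VpnAdapter         = 'TAP-Windows Adapter V9'     # OpenVPN's virtual adapter
$PhysicalAdapter    = 'Ethernet'                   # adapter facing your ISP
$ProtectedProcesses = @('firefox', 'qbittorrent')  # must never leave the tunnel

function Test-VpnUp {
    # The tunnel counts as up only if the TAP adapter is 'Up' AND carries a
    # default route. OpenVPN's "redirect-gateway def1" installs 0.0.0.0/1
    # (plus 128.0.0.0/1); a plain "redirect-gateway" installs 0.0.0.0/0.
    $tap = Get-NetAdapter -Name $VpnAdapter -ErrorAction SilentlyContinue
    if (-not $tap -or $tap.Status -ne 'Up') { return $false }
    $routes = Get-NetRoute -InterfaceIndex $tap.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -in @('0.0.0.0/0', '0.0.0.0/1') }
    return [bool]$routes
}

function Invoke-KillSwitch {
    # Stop the protected programs first, so nothing can retry over the bare
    # link while the adapter is going down, then cut the physical adapter.
    Get-Process -Name $ProtectedProcesses -ErrorAction SilentlyContinue | Stop-Process -Force
    Disable-NetAdapter -Name $PhysicalAdapter -Confirm:$false
}

if (-not (Test-VpnUp)) {
    Write-Warning "Tunnel on '$VpnAdapter' is not up; connect first, then start this watcher."
    exit 1
}
# Poll every two seconds until the tunnel disappears, then act exactly once.
while (Test-VpnUp) { Start-Sleep -Seconds 2 }
Write-Warning "VPN tunnel lost at $(Get-Date -Format o); engaging kill switch."
Invoke-KillSwitch
```

Once you have reconnected the VPN by hand, bring the link back with Enable-NetAdapter -Name 'Ethernet' (using your own adapter name).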
Q: Why do websites show my local time instead of the time of the VPN server I'm connected to?
A: Websites do not use your location to determine the timezone; they know your system time, and it can be used to determine your timezone and even to fingerprint you by logging the difference between your system clock and a reference clock.
To alleviate the issue you can set your system timezone to that of your VPN server's location, or run your browser in an environment with a different timezone. On Windows that can be done by creating a batch file with the following lines in the folder where your browser is located:
SET TZ=GMT[+-n, where n is the inverse of the VPN timezone]
START [browser_name.exe]
exit
Pay attention that the TZ variable has to be the inverse of the timezone you are trying to get. For example, to get the Central European time of GMT+2, you have to use the line SET TZ=GMT-2.
Q: What are the pros and cons of getting a VPS and setting up a VPN server yourself instead of third party solutions? Wouldn't a dedicated IP be better?
A: Using a dedicated VPS as a VPN or SSH tunnel is not a very good idea, for the following reasons:
1. Limited number of servers (limited to one, to be precise).
1.1. No choice of regions. If you get a VPS in the US, you won't be able to connect to European or Asian servers. Those may be useful for circumventing geo-blocking and speeding up connections to servers in other parts of the world.
1.2. No backup servers in case of failure. If the VPS goes down, you won't be able to just quickly switch to a different server and carry on.
1.3. You won't be able to use a double tunnel either, unless you rent two servers.
2. Higher costs than those of most VPN providers.
3. No flexibility. Want to use a different protocol? You'll have to configure it first.
4. Lack of additional technologies that are provided by some VPN services, such as split tunneling configurable within the client, or packet header obfuscation that masks the fact that you are using a VPN. You could, of course, implement these yourself, but it would require a lot of time and effort.
5. A dedicated IP is a double-edged sword. On one hand it stops you from getting banned or blacklisted for actions committed by other people, but on the other hand it makes you stand out and is detrimental to your privacy. Furthermore, if you really do need a dedicated IP, many VPN services provide those too.
5.1. A unique IP leaves your VPS wide open to DDoS attacks and, possibly, to other forms of cracking.
5.2. If your VPS provider gets a DMCA notice or some other subpoena, you're fucked. On the other hand, if it happens to your VPN provider and it doesn't keep logs, it may be very difficult, if not impossible, for it to comply.
In conclusion, there are only two good reasons why one would want to use a VPS as a VPN or SSH tunnel for personal use:
- You live in China or another authoritarian country, the government of which actively blocks VPN providers.
- You already have a VPS for other stuff, so you might as well use it as a VPN to save some money.
Q: How do I purchase games on Steam without the risk of getting banned, or use Netflix, 4chan or some other service that actively blocks VPNs?
A: The answer to this problem is split tunneling. Many VPN clients come with this function built in, but even if yours doesn't, you can still do it on the system level. If you're using OpenVPN, doing it in the configs is also an option.
To do it on your DD-WRT router, follow this guide.
To do it on Windows, open the registry editor and add an entry in the following format:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\PersistentRoutes\[ip address of host you want to bypass],255.255.255.255,[IP address of your gateway],1
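The same persistent route can be created without editing the registry by hand. This added example (not the wiki author's) resolves the service's addresses and uses route.exe with -p, which writes the PersistentRoutes entry in the format shown above and installs it in the active routing table; the hostname and adapter name are assumptions, and it must run as administrator.

```powershell
# Added example, not part of the original wiki. Assumed values; adjust them.
$BypassHost      = 'store.steampowered.com'   # service that should skip the tunnel
$PhysicalAdapter = 'Ethernet'                 # adapter connected to your ISP

function Add-BypassRoute {
    param([string]$HostName, [string]$AdapterName)

    # The next hop must be your real ISP gateway, not the VPN's. With OpenVPN's
    # "redirect-gateway def1" the physical adapter keeps its 0.0.0.0/0 route, so
    # Get-NetIPConfiguration still reports the original gateway while connected.
    $cfg     = Get-NetIPConfiguration -InterfaceAlias $AdapterName
    $gateway = $cfg.IPv4DefaultGateway.NextHop
    if (-not $gateway) { throw "No IPv4 default gateway found on '$AdapterName'." }
    $ifIndex = $cfg.InterfaceIndex

    # A service may resolve to several A records; each one needs its own /32.
    # Caveat: hosts behind CDNs rotate addresses, so repeat this when they change.
    $addresses = Resolve-DnsName -Name $HostName -Type A |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress

    foreach ($ip in $addresses) {
        # "-p" makes the route persistent: route.exe records it as
        # <ip>,255.255.255.255,<gateway>,1 under Tcpip\Parameters\PersistentRoutes
        # and also adds it to the live table, so no reboot is needed.
        route.exe -p ADD $ip MASK 255.255.255.255 $gateway METRIC 1 IF $ifIndex | Out-Null
        Write-Host "Bypass route: $ip -> $gateway via interface $ifIndex"
    }
    # Return the addresses so the caller can verify the routes were installed.
    return $addresses
}

Add-BypassRoute -HostName $BypassHost -AdapterName $PhysicalAdapter |
    ForEach-Object { Get-NetRoute -DestinationPrefix "$_/32" -AddressFamily IPv4 }
```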
Tunneling certain applications around the VPN is also possible. On Windows it can be done using a program called ForceBindIP, the usage instructions and download links for which can be found on the project's website.
Q: Should I use a VPN for gaming?
A: The answer to this question can be less straightforward than it seems. It really depends on how the VPN is configured and where the game servers are located. This is because, unlike for the majority of other internet traffic, connection speed does not matter much for gaming; what matters is latency. In some cases a VPN can actually improve latency, if the VPN servers are fast and located close to the game servers while you are located far away. On the other hand, if the game servers are located next door and the VPN server is halfway around the world, the lag will be horrific. So, as a general rule, if you decide to use a VPN for gaming, choose the VPN server closest to the game servers, and preferably the lowest possible level of encryption. The latter matters because the time it takes to encrypt and decrypt each packet adds to the latency.
However, VPNs are not the only thing to consider when trying to improve latency for gaming. Another important factor is network settings. Two programs to optimize network settings on Windows are Leatrix Latency Fix and TCP Optimizer. They do different things, so it is recommended to use both. It is also possible to tune all of the settings that these two programs change by hand, but the procedure is rather complex and requires a lot of networking knowledge.
Q: How come VPNs can charge so little compared to ISPs for the same amount of bandwidth per month?
A: ISPs need a shitload of infrastructure to function, including routers in buildings, hubs in telecommunication centers, etc. Additionally, they are subject to a HUGE amount of governmental scrutiny; there are entire sections of legal codes and standards written solely to regulate telecommunication companies.
On the other hand, pretty much anyone who can afford to buy a few servers, or even to rent a few VPSs, can be a VPN provider.
Q: How do browser VPNs compare to client VPNs? What will happen if I use both? Are there any benefits to doing that?
A: There is no such thing as a browser VPN: VPNs work on the transport layer, while browsers work on the application layer. Anything that is advertised as a "browser VPN" is in fact just a proxy. If you chain a VPN and a proxy, the traffic to the proxy will go through your VPN and everything after that will also go through the proxy, so services will see your external IP as that of the proxy.
It is not going to break anything, but it will be slower than using just one or the other, especially if the locations of the VPN and the proxy are far apart. As for privacy and security, it is overkill for anything that is not criminally illegal and is unlikely to save you from the feds for anything that is.
Q: What is the difference between a private VPN and a corporate VPN?
A: Corporate VPNs have a completely different use case: they usually aren't used as proxies for private access to the internet, but instead create a secure tunnel between the branch offices of a company. In many ways this is what the technology was originally created for.