Linux Format

IN-DEPTH Behind the VPN veil

If you take your privacy seriously you need to take VPNs seriously. David Rutland goes off the record, on the QT and very hush-hush.


Linux users are a paranoid bunch and they don’t welcome surveillance in any form – whether it’s Google’s trackers that are strewn across the web, or individual webmasters checking their access logs for IP addresses and then nuking your router with a Low Orbit Ion Cannon when you leave a nasty comment on their wine-tasting blog.

A virtual private network disguises your IP address by routing your traffic through a remote network. You can spoof your location and pretend to be in Russia, the US, Jamaica, or wherever your VPN provider keeps its servers – meaning that your dismissal of the Taittinger ‘43 as a drink for geriatric poseurs will go unpunished. If you’re serious about privacy, and you don’t want other people knowing what you’re watching and downloading, a consumer VPN might be exactly what you’re looking for to help you cover your tracks. They’re not perfect by any means, but can prove valuable as part of a package of measures to keep your online activities under the radar.

You’re probably reading this while seated near to your PC at home. Don’t worry if you’re not – just pretend. Your PC is connected to your router, and through your router, it is connected to the internet.

But your PC isn’t the only device in your house and it probably isn’t even the only device within eyeshot of where you’re sitting right now. There’s your phone sitting next to you on the couch; there’s your Roku TV stick; there’s the glossy black games console; there’s an array of printers and scanners. If you’re anything like us, there’s probably a stack of low-cost Raspberry Pis running a farrago of bizarre and specialised tasks.

In other rooms there are likely to be other computers, other laptops, other phones belonging to other members of your household, and yet more long-forgotten Pis up to their own arcane shenanigans under a coating of warm dust in the attic.

They all talk to each other through the router that’s sitting unobtrusively in the corner. Even if the internet dropped out today, they would still be able to talk to each other. You could send files to Jon, up in his bedroom, listen to Kendra’s MP3 collection, stream movies from the NAS in the den. You would be able to do this because all of the devices are on the same network. And because they’re all on the same network they all have the same IP address when connecting to the outside world through your router.

It’s a private network, which means that only the machines on it have direct access to it. This author can use the network to view a document on their laptop, and then conjure it into the physical world via the laser printer in the lounge. From your back bedroom in Basingstoke, you can’t use this printer because you’re not on the private network.

But you can be invited to join this private network, giving you access to all of the author’s devices and domestic IP address, by creating a virtual private network. With a VPN, an encrypted tunnel is created over the internet, between your machine and one of the machines on the author’s network. For all intents and purposes, you may as well be inside the same building.

Why would you want a VPN?

If you’re not setting up a remote work environment, then you probably want a VPN because you want to disguise your location and identity from the powers that be. Note that we didn’t say ‘because you don’t want to be tracked,’ because we know that our astute readership isn’t actually that naive.

Advertising and tracking companies don’t need your IP address to work out who you are. Aside from cookies, there are a variety of tactics to establish either a concrete or inferred link to your real identity, ranging from browser fingerprinting to harvesting the MAC address or IMEI of your hardware. It’s very likely that you’ve already given them explicit permission to do so, and a VPN on its own won’t do squat against that kind of corporate surveillance.

Tracking companies have you pinned already, and using a VPN might result in you being shown Albanian adverts, but unless you take some extra precautions then Google and an entire encyclopedia of other tracking companies still know exactly who you are.

Fundamentally, there are only a few legitimate reasons to use a consumer VPN. The first is to access geoblocked content. If you’re an expatriate stuck on a volcanic island on the far side of the world, and you’re feeling homesick for the latest episode of EastEnders, you’ll find that you can’t access the show through iPlayer because it’s restricted to IP addresses in the UK. Your machine will connect to the BBC servers, the BBC server will check the incoming IP address and realise that the request is coming from a beach bar near Phuket – tough luck. No EastEnders for you.

By connecting through a VPN server located in the UK, the BBC server will see a UK IP address and you’ll finally be able to find out how Ian Beale’s latest plan to turn The Queen Vic into an anime-themed tattoo parlour is about to be thwarted by Phil Mitchell lodging an objection with the Walford planning committee.

We feel obliged to point out at this point that accessing geoblocked content – either from the BBC or some other streaming service – is likely to constitute a breach of the Terms of Service at the very least. We would never suggest that you do it.

Aside from malicious wine-bloggers stalking you across the net, the other use case is if you’re planning on downloading or streaming large files using torrents. Bandwidth is expensive and distributing multi-gigabyte archives as direct downloads can be financially crippling. Torrents work by having the end user download chunks of the file from other torrent users who have it on their own machines. At the same time, you’ll be uploading chunks to yet more users. It’s an exceptionally good system. Most Linux distros offer torrents, and Linux Format distributes online versions of its cover DVD this way.

There’s a nonzero chance that routers supplied by your ISP won’t support direct connection to a VPN. Some providers supply preconfigured routers that will make setup very easy.

Any query that you can search online about VPNs – their effectiveness, uses, features, or even ‘Do I need a VPN to watch Luxembourg TV’ – has been gamed to death by highly paid SEO specialists. Look for advice on the r/privacy subreddit instead.

The problem with using torrents is that not only are you uploading content to others (potentially strangling your home network’s bandwidth), but your IP address is displayed to anyone who wants to look for it, and permanent records can be acquired and kept by anyone with the slightest interest.

For an incomplete history of what has been torrented using your IP recently, take a look at https://iknowwhatyoudownload.com. It might scare you.

If you’re simply downloading a new Manjaro image or the cover disc for this very magazine, the prospect of snoopers seeing what you’re up to might not bother you too much, but believe it or not, far more sensitive things are downloaded over torrents than Linux distros.

WikiLeaks’ huge archive of un-redacted US State Department cables was available for months via torrent before they were published on the main website. The notorious Democratic National Committee emails, which were hacked by Russian intelligence services and which may have cost Hillary Clinton the 2016 election, were originally released via torrent.

That you downloaded and perused these archives is not necessarily illegal, but also, not necessarily something you want other people to know. If you’re not using a VPN, then interested parties are able to take a list of the IP addresses that have been distributing the files, and coerce the ISPs to which they’re registered into revealing the identity of the end user. If you’re using a VPN then they’ll get as far as finding out that the IP address is registered to a VPN provider in Panama which (says it) doesn’t keep logs, and while it may be just about possible to tie that IP address to you, it’s not easy.

Some people use torrents to download or stream copyrighted material, along with a VPN to keep the MGM lawyers at bay. As far as we’ve been able to tell, it’s pretty effective, but again, not something we could either suggest or condone.

Some threats but not all threats

So, VPNs are good for stopping you being tracked when you download the latest Debian release. They’re also pretty handy if you want to evade government surveillance while engaging in some low-level whistleblowing – if you take extra precautions, that is.

As mentioned earlier, there are plenty of indicators that can betray your real identity – VPN or no – and a determined adversary or a state actor won’t find it overly difficult to track you down if you don’t take care.

If you use any of your own devices, you can probably be traced. If you sign into any of your online accounts, you can be traced. If you pay for your VPN – even if you use Bitcoin rather than your credit card or PayPal account – then yes, you can be traced, provided the local constabulary considers the case important enough to throw all of their resources at and trace back the transactions to the source.

The bottom line is that if you have a state-level actor, such as Europol, Interpol or the NSA gunning for you, then a consumer VPN will slow them down, but in the long run is unlikely to help very much at all. But for the most common VPN activities, you’re probably safe.

Paid vs free VPNs

If you’re not paying for it, you’re the product. Running high-bandwidth servers costs money, and somebody, somewhere, is picking up the bill. You need to ask yourself what’s in it for them?

Consider the axiom that data is the new oil. Everybody wants to get their greasy fingers on your private information, browsing habits and purchase history – even internet service providers who, in the days before https became ubiquitous, used to have a nasty habit of injecting their own tracking scripts into HTML headers.

In interacting with any online service, such as a bank, information is transmitted from your computer to your ISP to a different ISP, then to the server of the site you’re interacting with.

If you’re using a VPN, the company providing the VPN is inserted into that path. All the data that should be kept private between you, two ISPs and the website you’re using, goes onto their servers. Do they keep a copy or simply pass it forward?

Is the Auth token provided to you by NatWest being duplicated and used to empty your cash ISA before you’ve even finished downloading the Regolith Linux Live USB? You just don’t know.

Paid-for VPNs have a reputation to consider and will usually go out of their way to assure you that your privacy and security are their prime concern. They’ll boast of zero-log policies, RAM-based servers, and they will swear that your data is never sold on or kept.

With a free VPN, you have no such assurances. You’re not paying for the service, and the provider has no reputation to maintain beyond keeping their service ranked on the front page of results for the search term ‘Free VPN.’

Paid VPNs are also usually very quick, and offer support in helping you to get set up on all of your devices. Free services tend to have a waiting time and the connection can be downright sluggish.

Privacy theatre?

Visit the homepage of any big VPN provider and you’ll see a litany of promises: Fast speeds! Unlimited connections! Great for streaming! No logs kept!

The ‘No logs kept’ promise is as important as it is deceptive, and to demonstrate this, we took a deep dive into the actual terms and conditions of NordVPN – one of the biggest and most successful players in the VPN game. Without too much effort, we discovered that the company collects anonymised telemetry data from your devices and in some cases, “we may record your mobile device’s identifier for marketing or analytics purposes.”

Marketing cookies and anonymised telemetry sound reasonable enough, but something that can be anonymised can, of course, be de-anonymised, given enough resources, time, and motivation. And as Hansel and Gretel would tell you, cookie crumbs can lead an assiduous investigator to all kinds of interesting places.

In addition, Nord keeps records of whether you connected in the last 30 days, and stores details of every connection for 15 minutes after it ends.

Again, that doesn’t seem so bad on the surface, but if a three-letter agency is actively gathering evidence about your activities, it’s not inconceivable that they could gain access to these logs. Not ideal.

Lastly, NordVPN’s help services are operated by third parties who will, by necessity, have your information on hand so that they can assist you. These third parties include Zendesk, which famously had some 10,000 to 15,000 chat accounts accessed by hackers in 2016 and only owned up three years later.

We’re not saying that consumer VPNs are useless for privacy – they’re not – but you should read all of the available documentation, consider your threat model, and then take all of that into consideration when making your choice.

Setting up your VPN

Every VPN provider is different, and almost all of them provide ‘apps’ for you to install on your phone and your various computers.

Some provide tools for Linux machines, and some don’t. In the case of Nord, it’s as simple as downloading the Deb or RPM file and installing using gdebi, dpkg or your distro’s package manager.

After installation, you connect to the VPN by typing:

nordvpn login

into your terminal, then entering your username and password when prompted. Typing

nordvpn connect

will automatically connect you to the fastest server for your location. The details vary between providers, but it’s all much of a muchness.
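A quick way to confirm that traffic really leaves through the tunnel after connecting, as an added example that is not from the original article or from NordVPN: it classifies the output of `ip route get`, which reports the interface the kernel would actually use for a destination. The interface-name prefixes and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from one line of `ip route get` output whether
# traffic to a public address leaves through a tunnel interface.

# Print the interface named after the "dev" keyword, or nothing if absent.
egress_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Return 0 if the interface name looks like a tunnel. The prefixes are
# assumptions: tun/tap (OpenVPN), wg and nordlynx (WireGuard-based), ppp (PPTP).
is_tunnel_dev() {
    case "$1" in
        tun*|tap*|wg*|ppp*|nordlynx*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a route lookup: prints "tunnel <dev>", "direct <dev>" or "unknown".
classify_route() {
    dev=$(egress_dev "$1")
    if [ -z "$dev" ]; then
        echo "unknown"
    elif is_tunnel_dev "$dev"; then
        echo "tunnel $dev"
    else
        echo "direct $dev"
    fi
}

# Constructed sample lines using documentation addresses, not captured output.
SAMPLE_VPN_UP='198.51.100.7 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000'
SAMPLE_VPN_DOWN='198.51.100.7 via 192.168.1.1 dev enp3s0 src 192.168.1.23 uid 1000'

# Live check on a machine with iproute2 installed:
#   classify_route "$(ip route get 198.51.100.7 2>/dev/null | head -n 1)"
classify_route "$SAMPLE_VPN_UP"
classify_route "$SAMPLE_VPN_DOWN"
```

A "direct" result while the VPN client reports that it is connected means your traffic is still going out over your ordinary connection.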

Some VPN providers enable you to connect your router directly to their VPN network, and this is the preferred option.

Visit 192.168.1.1 to connect to your router’s admin page, then enter your user name and password.

Somewhere in your settings there should be a VPN tab. Not all routers have this, and if yours doesn’t, that’s unfortunate because you’ll need to buy a new one with this capability. Bear in mind it may be hidden deep in a submenu somewhere.

Choose PPTP and copy the details from your VPN provider’s setup page to your router’s VPN config menu. Be aware that PPTP’s MS-CHAPv2 authentication has long been considered broken, so if your router and provider both offer OpenVPN or WireGuard, pick one of those instead.

That’s it. Enjoy your soap operas of people shouting at each other in assorted regional accents while you trawl the latest WikiLeaks dump!

Using a VPN will slow down your connection. If you don’t need to be connected to a VPN for your current activity, you should probably turn it off.

Opera’s built-in VPN isn’t a true VPN, but it will help you to view geoblocked content. We wouldn’t trust it with any sensitive data, though.

Ignore the ticking countdown clock on NordVPN’s home page. All VPN providers have them. It means nothing and has no effect on price or availability.

Accessing your favourite soaps from outside the UK is almost impossible if you don’t use a VPN to give your machine a UK-based IP.

We don’t know whose torrent download history this is, but we’re fairly confident they wouldn’t be pleased to know we’ve republished it.

Configuring your router to use a VPN is fairly straightforward so long as your VPN provider allows it, and your router supports it.
