VPN Suggestions?

Status
Not open for further replies.

ttabbal

Active Member
Mar 10, 2016
747
207
43
47
I've been interested in doing this for a while, but the recent activity rolling back the little privacy protections we got from the previous FCC has me more interested. I'd like to VPN my traffic so the ISP can't mess with it and/or data-mine it. Home ISP is Comcast, which is already annoying me with things like DNS hijacking.

The biggest catch seems to be IPv6. I'd like to keep that active, and have to on T-Mobile, but most VPN providers don't support it. For IPv4-only VPNs, any v6 traffic will just go over the normal default route. I've found a couple services that will do it, or claim to at least, but they cost a lot more.

The least expensive option I can think of is to get a low end VPS somewhere, most of them don't work well with v6 either, but I can route an HE.net tunnel I guess.. Then run OpenVPN, FreeSWAN, etc..

I know the traffic is still accessible on the VPN endpoint, but the worst offenders seem to be the local ISPs. Sadly, there is zero competition in my area.
 

Blue)(Fusion

Active Member
Mar 1, 2017
150
56
28
Chicago
Unfortunately, IPv6 doesn't play well with privacy. There is simply no NAT for IPv6 by design. Using an IPv6 over IPv4 tunnel is your best bet. I was also excited to finally get IPv6 by my ISP a few years ago, but it didn't last long as I disabled it entirely for privacy matters.

I use Private Internet Access (PIA) VPN with a yearly subscription. I've had no issues with it over the past 4 years. I now have it running on my pfSense box for the whole house with a few exceptions by-device (i.e. "smartish" TVs to stream Netflix).
 

BlueLineSwinger

Active Member
Mar 11, 2013
178
68
28
Unfortunately, IPv6 doesn't play well with privacy. There is simply no NAT for IPv6 by design. Using an IPv6 over IPv4 tunnel is your best bet. I was also excited to finally get IPv6 by my ISP a few years ago, but it didn't last long as I disabled it entirely for privacy matters.
Not sure why you believe IPv6 is any less private than IPv4. At least IPv6 has a defined mechanism for randomizing the client address that is enabled by default on every major operating system. How to avoid exposing my MAC address when using IPv6? (read the first answer).

All IPv4 NAT is going to do is aggregate all the traffic for a network behind a single address. This address rarely changes and is easily linked to the MAC, typically via DHCP.

Yeah, a VPN gets you around the ISP tracking you. That doesn't stop the VPN provider or any site you connect to from doing so using various other mechanisms.
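
To check whether a host is actually using randomized addresses rather than MAC-derived ones, as discussed in the post above, here is an added example that is not part of the original thread. It flags global IPv6 addresses whose interface identifier is in modified EUI-64 form (`ff:fe` in the middle, universal/local bit flipped) and recovers the embedded MAC. The sample `ip -6 addr` output and the function names are constructed for illustration, and the `ff:fe` test is a heuristic: a random identifier can match it by chance.

```python
import ipaddress

# Constructed sample of `ip -6 addr show dev eth0` output (not from the thread).
SAMPLE = """\
    inet6 2001:db8:1:0:8d4c:3a7e:91b2:6f05/64 scope global temporary dynamic
    inet6 2001:db8:1:0:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
    inet6 fe80::211:22ff:fe33:4455/64 scope link
"""

def eui64_mac(address):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    addr = ipaddress.IPv6Address(address.split("/")[0].split("%")[0])
    iid = addr.packed[8:]                 # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":           # EUI-64 inserts ff:fe between MAC halves
        return None
    # Undo the universal/local bit flip applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def exposed_addresses(ip_addr_output):
    """Map each global address that embeds a MAC to that MAC."""
    exposed = {}
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "inet6":
            continue
        addr = fields[1].split("/")[0]
        if ipaddress.IPv6Address(addr).is_link_local:
            continue                      # link-local addresses never leave the LAN
        mac = eui64_mac(addr)
        if mac:
            exposed[addr] = mac
    return exposed

if __name__ == "__main__":
    for addr, mac in exposed_addresses(SAMPLE).items():
        print(f"{addr} embeds MAC {mac}")
```
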
 

ttabbal

Just to update with some info I found digging around. There are a couple providers now with v6 support.

https://www.mullvad.net/
https://www.azirevpn.com/

There are some others, but those had the better reviews and reasonable pricing. Mullvad also offers a proxy server if you want that NAT type feel. Most of the time, I think I'd rather just let the address randomization in the OS handle things.

NAT isn't a firewall, or a privacy shield. It's a somewhat broken way to share IP addresses, that's all. A firewall with deny all inbound as the default gives you at least the same security level a NAT does. Even with world-routable addresses on the internal network. Neither does anything for privacy. VPN only gives you privacy for the first hop, we all know that. But that's the target to fix right now, so it'll do. There are other ways to deal with FB and friends tracking if you want to do so.

The VPS provider mentioned earlier looks pretty good too, so that's another option. I don't mind rolling my own, but it is nice to have one less server to maintain.
 

amalurk

Active Member
Dec 16, 2016
311
116
43
102
So let's get extra paranoid. If you want privacy, is going through a service that has a known business model of trying to provide such (big VPN providers like PIA etc.) a good idea or might you just be wrapping up your habits in a bow for the powers that be who now know where to easily find a bunch of targets? Seems like it would be smarter to just run your own VPN on a cloud VPS provider like a $5/do instance or whatever. Just a thought since we are on a technical do it yourself type forum.
 

Cheddoleum

Member
Feb 19, 2014
103
23
18
The least expensive option I can think of is to get a low end VPS somewhere, most of them don't work well with v6 either, but I can route an HE.net tunnel I guess..
Be aware that consumer services like Netflix often block tunnels like HE.net. I noticed when I switched from using my ISP's 6RD to HE -- latency was comparable -- and found that Netflix gave me an error message unless I forced IPv4. I switched back for other reasons (Cogent still being dicks about peering with HE). They might not block any given VPN today, but that can change at a moment's notice, many content networks are playing whack-a-mole with VPN exit nodes.
 

ttabbal

I built a setup on a VPS running pfSense and it's working well. Sadly, finding a provider that supports subnets is very difficult. The one I'm on says they are planning to support routing a /48 in the summer, so I guess we'll see. It's HE right now. I know about Netflix etc, which is one reason I would like to have native IPv6, but even for dedicated servers many providers just won't do more than a /64. When I ask, I get responses like "aren't <some number> of IPs enough?". No, it isn't. I want /64s at the endpoints as many things don't work without /64. In particular, SLAAC, and Android (of which I have a bunch) doesn't work if SLAAC doesn't work. Even Comcast gets it and will provide a /60 for residential users. I don't know why any business would want to be MORE annoying than fscking Comcast! :)

Even native IPv6 is no guarantee with Netflix etc.. But the Cogent/HE situation is also annoying. I get really poor performance to some places that perform fine on T-Mobile's native v6. Reading up, at least some of that is due to the peering situation. It seems Netflix is targeting VPS blocks as well from some reading. I'm honestly not that concerned about them. I'll force them to route over the ISP block for now, or just cancel the service.

If anyone knows a VPS provider that will route a native v6 block today, please post. I get them in Europe all day long, but US providers don't seem to understand v6 or just want to keep the IP scarcity myth going. Another option is a provider that doesn't overcharge for BGP sessions. I can get v6 space, but I'd need to announce it. I found a couple, but they charge more than the VPS for BGP. I tried one Europe provider, but the network just didn't cut it for me. Not real surprising as trans-Atlantic bandwidth is more constrained, but I figured it was worth a go.
 

ttabbal

So I haven't stopped working on this. I found a couple options for service.

ARP Networks. They will allocate a /48 per customer and route it to your VPS/dedicated servers. Sadly, I can't get pfSense to work well there due to the virtio network driver bug in BSD. I did get things going on Linux and get decent performance, oddly better with TCP. Really responsive customer service guys, that know IPv6 and had the /48 routed right away when I asked for it.

Joe's Datacenter. Dedicated boxes, pretty cheap, decent network performance. They will do a /48 to a dedicated, but had some trouble getting it done. It works now, so that's something. I had them install Proxmox and I put pfSense in a KVM. I did manage to get this one working fine. Routing from a container on the LAN side to a server in the same datacenter, I get near gigabit speeds. However, I can't get OpenVPN to perform well. I've tried about everything I can find, seems capped about 50Mbps. I don't think it's the DC, I had a similar problem on ARP, but the same settings don't help here. And those settings were bizarre, TCP w/48k mtu..

Any thoughts for VPN tweaks? I've tried sndbuf/recvbuf, MTU, fragment/mssfix, TCP/UDP, ports, the usual suspects. The box on Joe's might be CPU constrained, I need to re-test with encryption disabled to see if that's it. I thought I did, but with so many changes it's possible I missed it.

I also haven't managed to get pfSense to talk to the VPN at ARP with the oddball settings properly. It's more difficult as pfSense can't just use the ovpn files.

I know the pfSense box on my side can handle the speeds, I have tested an IPVanish with the same crypto settings at near line speed.
 

Kriegar_05

New Member
Jun 4, 2017
1
0
1
37
If anyone wants to access favorite websites without worrying about data privacy then think the Total free vpn server software is just perfect. Though there are many free vpns available out there but it is much better. The speed is really good.
 

ttabbal

First post advertising, but just in case...

Here's the thing with free... If you aren't the customer, you're the product. So I find it unlikely that a free VPN is not selling your information. To each their own, but I won't do it.
 

Phenic

Member
Mar 17, 2015
45
23
8
I used to use PIA like a poster above but I switched to Torguard recently (a bit faster in my area) while using pfsense so all traffic (except some devices) have more privacy. However I don't think they support ipv6.
 

BLinux

cat lover server enthusiast
Jul 7, 2016
2,672
1,081
113
artofserver.com
Torrentfreak publishes every year a list of vpn providers who answered their questions about privacy, logging, court orders, dmca takedown notices, ipv6 and so on: Which VPN Services Keep You Anonymous in 2017? - TorrentFreak
that's nice and all, but I mean, it's a list of interview questions, with answers that were well prepared by the VPN providers. maybe i'm just old and cynical, but i don't put a lot of weight into a bunch of answers that were probably reviewed by legal, reviewed by marketing, and reviewed by PR departments before being published.

that said, i'm a happy customer of PIA, but my expectations of privacy are not the highest; i've seen all too often the difference between what corporations advertise and what actually goes on internally.
 