I am talking about a true VPN working at the IP level, in which case the application has to resolve any non-IP address into an IP before using the VPN ... Anyone that claims otherwise is not providing a true VPN service (they most likely are providing a one-endpoint SOCKS proxy service, but it's different from 1-NET, which contains a pair of SOCKS endpoints that form a secured tunnel).
Suppose a user has two zones (LANs), one is the one he/she wants to secure (obscure, in OP's word) and the other one is "safe", and the application is in the first zone. The user wants to delegate all his/her internet activity to the second one. If one uses a VPN to connect (tunnel) the two zones, all the network-layer "authorities" (service provider, ISP, etc ...) in the first zone still know what the user is doing, since the user is making DNS requests in the first zone, and they can control what is visible to the user by controlling the DNS providers. That is what leaky means in my post. But using 1-NET secured tunnels, one can choose to do DNS requests inside the other zone ...
modified 10-Apr-17 16:02pm.
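The remote-resolution point made above (the hostname travels inside the SOCKS tunnel and is looked up at the far end, whereas an IP-level tunnel needs the application to resolve it locally first) is visible in the wire format. This is an added example, not 1-NET's code: it encodes and decodes a SOCKS5 CONNECT request as specified in RFC 1928; the hosts and ports used are made up.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host: str, port: int, remote_resolve: bool = True) -> bytes:
    """Encode a SOCKS5 CONNECT request (RFC 1928, section 4).

    remote_resolve=True sends a hostname as ATYP 0x03, so the exit endpoint
    does the DNS lookup and no query is issued in the local zone.
    remote_resolve=False mimics an IP-level tunnel: the caller must already
    hold an IP literal, i.e. the lookup happened locally before the tunnel.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None:
        if not remote_resolve:
            raise ValueError("host must be an IP literal when resolving locally")
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname does not fit the one-byte length field")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(msg: bytes):
    """Decode a CONNECT request as the exit endpoint would; returns (kind, host, port)."""
    if len(msg) < 5 or msg[:3] != bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]):
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = msg[3]
    if atyp == ATYP_DOMAIN:  # unresolved name: the exit endpoint resolves it, not the client
        n = msg[4]
        kind, host, rest = "domain", msg[5:5 + n].decode("idna"), msg[5 + n:]
    elif atyp == ATYP_IPV4:
        kind, host, rest = "ipv4", str(ipaddress.IPv4Address(msg[4:8])), msg[8:]
    elif atyp == ATYP_IPV6:
        kind, host, rest = "ipv6", str(ipaddress.IPv6Address(msg[4:20])), msg[20:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes in request")
    return kind, host, struct.unpack("!H", rest)[0]
```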
Abso-effin-lutely not. I don't know who you got that information from but it is 100% wrong. When you are connected to a VPN your DNS server becomes the DNS server assigned to the VPN connection, not your ISP's DNS server, and all DNS requests are encrypted and tunneled like all other packets.
How do you think connecting to a corporate intranet through a VPN would work if it was using your ISP's public DNS server to resolve requests? It wouldn't...
VPN doesn't work "on an IP level", it works on a packet level.
Unfortunately, sometimes your browser will just ignore that you have a VPN set up and will send the DNS request straight to your ISP. That's called a DNS leak. This can lead you to think that you've stayed anonymous and that you're safe from online surveillance, but you won't be protected. How DNS Leaks Can Destroy Anonymity When Using a VPN, And How to Stop Them. Therefore it's not 100% after all ...
I mean it works at level 3; level 2 knows no IPs, so it does not know how to route based on IP addresses.
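One way to check for the leak described in that post is to ask where each configured resolver would actually be routed. This is an added example, not from the linked article or any VPN client: it does a longest-prefix match of the nameservers in resolv.conf against a route table (a constructed one here, mimicking a full-tunnel OpenVPN setup on Linux) and flags any resolver that would be reached outside the VPN interface.

```python
import ipaddress

# Constructed sample (not a real host): the VPN pushed 10.8.0.1, the home router
# 192.168.1.1 was left in place, and systemd-resolved's stub 127.0.0.53 is present.
SAMPLE_RESOLV = """# constructed /etc/resolv.conf
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 127.0.0.53
"""
# Constructed (prefix, device) routes; the two /1 routes are OpenVPN's redirect-gateway trick.
SAMPLE_ROUTES = [
    ("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0"), ("10.8.0.0/24", "tun0"),
    ("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0"),
]


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # malformed entry; the libc resolver skips it as well
    return servers


def route_for(addr, routes):
    """Longest-prefix match, as the kernel FIB does; returns the egress device or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


def dns_leak_check(resolv_conf, routes, vpn_iface):
    """Classify each resolver as 'tunnelled', 'leak', 'stub' or 'unroutable'."""
    report = []
    for ns in parse_nameservers(resolv_conf):
        if ns.is_loopback:
            verdict = "stub"  # a local forwarder hides the real upstream; inspect it separately
        else:
            dev = route_for(ns, routes)
            verdict = "unroutable" if dev is None else ("tunnelled" if dev == vpn_iface else "leak")
        report.append((str(ns), verdict))
    return report
```

On a real machine the route list would come from `ip route` and the VPN interface name from the client's configuration; a resolver marked "leak" is one whose queries the first-zone ISP can still see.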
The way you were describing it before, you were implying that it is intended that VPNs work that way and all of them work that way, that you *WILL* get leaky protection from a VPN. That's not the case. If that's happening, it's a bug or a bad configuration.
As the article you linked to states, most of the top VPN providers provide leak detection/prevention already, so a good VPN is a perfectly reasonable way to fully protect yourself.
Well, in the world of security, info breach/leak "could" happen == "risk".
And there are application scenarios that would favor different VPN connections for different application contexts at the same time, like connecting to different remote offices and browsing at the same time. One needs "split tunneling" ...
This is happening in our ever-connecting and distributed online experiences.
modified 11-Apr-17 19:55pm.
"VPN only offer a leaky protection since it works at IP level"
That's the part I'm referring to which was misleading. A properly configured VPN or one that checks for leaky DNS will keep you protected. As per your article:
So which VPNs include DNS leak protection? According to BestVPNz.com, Private Internet Access, TorGuard (both of which made it to our best VPNs list), VPNArea, PureVPN, ExpressVPN, VPN.AC, and LiquidVPN all provide protection.
Users need external means to patch the holes and it's not 100% sure, don't they? That's what I meant ...
And also, 1-NET is designed to have both ends of the "VPN" tunnel under a user's control (self-hosting, not using third-party services), so there is no third-party logging involved ...
Following your link, my impression was that 1-NET's main purpose is the connection of your devices, not so much the obscuring of your presence on the web. The direct device-to-device connections may offer the obscuring as a side effect, but I don't see how it would help me when I (or some unwanted program or service on my system) connect to anything else on the web.
It surely looks interesting for the specific purpose of connecting my devices. But beyond that, I'd still need an actual VPN.
GOTOs are a bit like wire coat hangers: they tend to breed in the darkness, such that where there once were few, eventually there are many, and the program's architecture collapses beneath them. (Fran Poretto)
OK, maybe the front page of the 1-NET website is a little confusing and gives you the said impression; it's still work in progress, you know. It stipulates the ultimate effects of connecting a user's devices across LAN boundaries using the user's existing network resources (the connection is of course encrypted and has both ends authenticated). But as one would expect, connected devices can pass data through the connection using custom or standard protocols, like SOCKS. Otherwise what is the point of connecting? The majority of mature networking applications can handle the SOCKS protocol, including but not limited to ssh, git, ftp clients, some remote desktop clients and of course browsers; the list goes on ....
A user can use one of his/her existing devices located in a set of "safe" locations (LANs) as exit endpoints that he/she can delegate all his/her web browsing to (this feature is built into the 1-NET gateway). The external world only knows that these endpoints are doing the browsing, but the user may actually be doing the browsing at an endpoint far away (logically or physically) from the exit one (e.g. across the Atlantic Ocean, etc.). Is this what you were asking for? It's a built-in feature of the 1-NET gateway! In the VPN services on the market, the "exit endpoints" are controlled by the service providers, who do not belong to the "external world". In our solution, the "exit endpoints" are controlled by the user himself/herself. So the latter is a more privacy-respecting architecture in design ...
If one really likes to have a pure IP-level VPN solution, there is no problem at all. There are open-source tun2socks libs that one can use to build VPN systems based on SOCKS tunnels. Some compiling and networking setup may be involved, but we are programmers, right?
But as I stated VPN can handle simple application scenarios, for more sophisticated ones at larger scale, a more controllable one is needed and our solution is 1-NET ...
Shuqian Ying wrote: 3) Setting up of VPN is not easy.
This is absolute rubbish in most cases. I use CyberGhostVPN and once you install the client all you have to do is login, select the country and you're done. If so desired, you can even select a specific server in the country. They have almost 900 servers in 27 countries and do not keep logs so there will be nothing to hand over when some 3-letter agency comes calling.
I know it's easy if you use a third-party service which hosts your "other endpoint" for you. But then you are letting the service provider be an insider of your network. That is why they almost all declare that they do not do logging, etc. Do you really trust them? That is the problem ...
Try to host the other endpoint yourself! Just try it, then you will know ...
modified 10-Apr-17 15:55pm.
Do you plan to have your own servers in 27 countries? If you do, start your own VPN company and make some money in the process.
Otherwise, having your own VPN server is
1. unnecessary because there are plenty of VPN service providers
2. impractical because you will be severely limited in your access points
3. an unnecessary, potentially prohibitive, expense you have to carry
99.9% of people just want some reasonable way to not be constantly tracked or spied upon or to have access to websites that would otherwise not be accessible because of geographic limitations. For that purpose, any good VPN service is more than adequate and that was what the poster was looking for. The only thing that really counts is that the VPN provider does NOT keep logs and that they are NOT based in the USA or the UK, the two largest mass surveillance centres in the world.
Having the other endpoint of the VPN under your own control makes the whole thing quite useless for obfuscation. If you are the known owner of the VPN's exit point, then you are identifiable again.
Using a VPN for obfuscation only makes sense if you are NOT the exit point yourself and, if possible, share the same exit point with hundreds of other "unknown" people.
The downside is, of course, that you have to trust the VPN provider that he does his job as expected and really makes it impossible to track the traffic back to you.
Thank you very much for the link. I always like a (somewhat?) neutral source to compare products.
Enjoy!
I have used PIA over a year and recommend it. But you also asked about TOR.
PIA provides privacy so that your internet provider can't spy on you. It also provides encryption so you are safe on public Wifi. However, your browser also collects data on your browsing habits, so something like TOR is extremely valuable, in addition to a VPN. I don't use TOR, but I configured my browsers (both Chrome and Firefox) to clear my browsing history when I exit.
My only experience is with PIA (Private Internet Access) as well. It does well enough for what I need. Speeds were not that great in the beginning (2 maybe 3 years ago) but are now up to par. I notice only a marginal drop in bandwidth while connected, which is to be expected due to VPN overhead.
They also have a large number of regions you can connect to for circumventing geo-tracking/fencing, et cetera, as well as offering port forwarding on a handful of those if that's something you need. They also include a few concurrent connections without using their client, so you can connect a mobile device as well without needing additional software (this has come in handy while traveling abroad; never know who is recording what off of those hotel wifi points...)
For me, the price is more than reasonable for what I'm getting ($25 USD a year, iirc.) Your mileage may vary (obviously) based on your needs.
I can vouch for PIA as well. Reasonably quick and it cost something like $40 for a whole year. That said, don't expect 100Mbps through it, so if you are downloading large files you want quickly you will probably want to disconnect, but it's the best VPN I've used in that price range by far and I've tried several of the top recommended options on review sites.
Thanks for the warning. It's always hard to decide on something when you're not aware of the pitfalls.
Stefan_Lang wrote: that for VPN I need to choose a provider. Which means your issue of caring about who has what data is still there. Now, it will be a VPN provider who sees your data.
There are two kinds of people in the world: those who can extrapolate from incomplete data.
There are only 10 types of people in the world, those who understand binary and those who don't.
True. But supposedly many of them don't actually store these data. My greatest fear isn't so much who sees it now, but who may be gaining access to it for darker reasons in the future. With most internet companies located in the US, any of them might hand over data about me to any three-letter 'intelligence' organization on a whim. Also, hackers have the nasty habit of breaking into even the most secured databases, and they may have even worse ideas about what they could do with it.
Data that isn't stored can't be handed over or stolen.
Stefan_Lang wrote: But supposedly many of them don't actually store these data. Supposedly is the keyword there.
Stefan_Lang wrote: gaining access to it for darker reasons in the future. I guess I have no imagination on this subject. What possible darker reasons are there? What are you actually concerned might happen? (Not looking to fight, I genuinely don't know.)