VPNs are more popular than ever, but I think many are confused about why they’re running them.
There’s a concept in security called Threat Modeling, where you figure out what you’re worried about—specifically—and then you look at how your defenses match up against those attacks.
This is something that VPN users need to do.
The most common things VPN users are interested in—or worried about—are:
For #1 it’s usually porn.
1. Their ISP Looking at Their Traffic: Most people use VPNs to hide their traffic from someone, which mostly applies to their ISP. Not enough people realize the traffic that leaves the VPN server travels normally, so you have to ask yourself who you’re really hiding from.
2. Being Able to Access Country-Specific Content: This is for people who want to avoid IP/Country-based restrictions to content, like only being able to order a product from the UK if you’re in the US, or watch streaming content that’s restricted to a particular country.
3. Hiding From the Government: A lot of VPN users think that using a VPN makes their traffic invisible. Like nobody can ever see it ever. And this just isn’t true. The site you’re visiting can see that traffic (obviously), and all the locations your traffic moves through can potentially provide logs to the authorities if asked.
This is where most people’s use of VPNs tends to break down.
If you’re just using a VPN so you can look like you’re coming from multiple countries, fine. You can use almost anything in that case, and the only thing you might care about is performance (for streaming quality, etc.).
If you’re trying to hide your online activity from someone, however, you have to ask who that someone is. Are you trying to hide from someone who has access to your computer? Well, the VPN won’t help with that. Are you trying to hide from someone who has access to your ISP and its logs? In that case you can use most VPNs.
It’s hard to build good defenses without knowing who you’re defending against.
But if you’re trying to hide from the government, because you’re a journalist worried about free speech, or you’re someone investigating the government or something, well, then you need to worry about another threat: governments having access to your VPN provider.
Let’s say you’re using some overseas VPN provider to hide your traffic from your own government, for whatever reason. Do you really know what security that VPN provider has? Do you know all the laws for the country in which they operate? Do you know their relationship with your government, e.g., EU, US, China, Australia?
There have been many situations where we find out later that some famous VPN provider has been infiltrated by one or more governments for months or years, with access to logs. That means they potentially know usernames, origin IP addresses, traffic patterns, etc. And that could include your traffic.
Do you really want to share VPN infrastructure with a bunch of people trying to hide from others?
VPNs aren’t just used by people trying to watch Netflix; they’re also used by criminals, and that means they’re a prime target for governments. And if you’re the one doing something sensitive then you might be the one the government targets at your VPN provider. What will that provider do when the government of Country X walks through the door with a warrant?
They’ll probably hand over whatever they have on you.
A better VPN option
This is why it’s better to just run your own VPN service.
Remember, we’re trying to:
- Hide your traffic from your ISP (because they should mind their own business)
- Get around Country/Region restrictions (because foreign content is better sometimes)
- Avoid governments accessing your VPN provider’s logs (because that’s creepy)
The only solution that accounts for all three Threat Scenarios is you running your own.
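The argument above can be written as a small model of the network path. This is an added example, not code from the original post: it computes which parties see both your real IP address and your destination for three setups. The hop names and sample paths are constructed for illustration, and the model covers IP-level visibility only (not logins, cookies, or what a VPS provider can observe about the box it hosts).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    name: str                 # who operates this point on the path
    in_tunnel: bool           # traffic passing here is inside the VPN tunnel
    terminates: bool = False  # the tunnel is decrypted here (the VPN server)

def observations(path, client_has_local_snoop=False):
    """Return {observer: (sees_real_ip, sees_destination)} for one connection.

    `path` is ordered from the client side to the destination site.
    """
    seen = {}
    if client_has_local_snoop:
        # Someone with access to your computer sees traffic before the tunnel.
        seen["someone on your computer"] = (True, True)
    past_exit = False  # True once traffic has left the VPN server
    for hop in path:
        if hop.terminates:
            # Tunnel endpoint: outer header has the real IP, inner packet the destination.
            seen[hop.name] = (True, True)
            past_exit = True
        elif hop.in_tunnel:
            # Only "client IP -> VPN server IP" is visible here.
            seen[hop.name] = (True, False)
        else:
            # Plain traffic: the source is the real IP unless a VPN exit came first.
            seen[hop.name] = (not past_exit, True)
    return seen

def can_link(path, **kwargs):
    """Parties able to tie the real IP to the destination."""
    obs = observations(path, **kwargs)
    return sorted(name for name, (ip, dst) in obs.items() if ip and dst)

# Constructed sample paths (assumptions for illustration).
NO_VPN = [Hop("ISP", False), Hop("destination site", False)]
COMMERCIAL = [Hop("ISP", True), Hop("commercial VPN provider", True, True),
              Hop("transit after VPN", False), Hop("destination site", False)]
SELF_HOSTED = [Hop("ISP", True), Hop("self-hosted VPN box", True, True),
               Hop("transit after VPN", False), Hop("destination site", False)]

if __name__ == "__main__":
    for label, path in [("no VPN", NO_VPN), ("commercial", COMMERCIAL),
                        ("self-hosted", SELF_HOSTED)]:
        print(f"{label:12} can link you to the site: {can_link(path)}")
```

In every VPN setup the tunnel endpoint is the single party that holds both halves, so the threat model reduces to who operates that endpoint and how long its logs exist.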
Trail of Bits just created a method of easily deploying WireGuard.
If you’re sophisticated enough to use a VPN this isn’t that much more complex. In fact, you are just changing the setup step from setting up an account with a VPN provider to setting up an account with a VPS provider, such as Amazon, or Digital Ocean, etc.
These are generic providers of servers, and what you’re doing is enabling them to build a custom, secure VPN server for you that only you have access to. It’s a dedicated VPN infrastructure.
Once you have that set up, you just run through a setup wizard and it builds everything for you. Then you put your credentials into your VPN client and you’re done!
It’s hard to ask for logs that don’t exist anymore.
The coolest thing about this is that you can then go in and destroy that VPN box whenever you want—like every month, or every week, or after every use if you were that paranoid.
It’s going to be infinitely harder for a foreign government to come after some random IP address on Digital Ocean, for example, than just going to a known VPN provider.
And if the box is already destroyed when they do come to Digital Ocean or whatever VPS provider you’re using, there’s not too much they’ll be able to do.
Summary
- Threat Modeling is essential for making sure your security controls are working against the things you’re actually worried about
- Most people aren’t doing this regarding their VPN use
- One of the main things people are worried about is government access to their traffic
- Commercial VPN providers are rather vulnerable to government access, and you wouldn’t necessarily know if that happened
- The best way to get maximum VPN security is to run the VPN server yourself, and to regularly destroy and re-create the box itself
- This is trivially accomplished in minutes using Trail of Bits’ Algo, which builds the entire infrastructure for you in one command.
Notes
- The goal here is not to teach people how to hide from various governments. First, if you’re that much of a threat, they’ll come for you physically and the VPN won’t matter that much. Second, the thing you’re doing on the other side of the VPN will likely have your tracks as well.
- The purpose of this post is to teach people how to think about VPNs in a Threat Modeling Mindset, i.e., asking yourself what you’re actually worried about and building your controls accordingly. In other words, this is a lesson in people not assuming they have more security than they actually do.
- More information on Trail of Bits.