You’ve seen the term VPN (virtual private network) thrown around a lot recently. They’re a bit more technical than what the average computer user is used to, and until recently had been assumed to be used mainly by business people and pirates. Well, with the repeal of what would have been some great, and necessary, user protections you can expect them to become a lot more ubiquitous. My goal here is to give you the basics on what they are, what they do, what they don’t do, and how to get started with them.
The answer to what they are is a secured connection from your computer directly to the VPN server that you’re using. When you’re online your computer is communicating, through your ISP, with another server. For example, by reading this page your computer is talking to my website’s server. But that means I can see your IP address, which tells me where you are in the world, as well as your ISP, and some other things. But what if you wanted to keep that private? What if you didn’t want the sites you go to to know all about you? A VPN would mean that you talk to another server, and then that server talks to me. I would see the server you’re going through while your actual details remain anonymous. You can see why pirates would like that; it allows them to access files without being traced, since an attempt to do so links back to the VPN server and not directly to the pirate’s computer. That’s not to say that VPNs are for piracy. There are flaws in them that still don’t make that the safest thing to do, and beyond that there are innumerable legal benefits. A common one I deal with daily is that a VPN can create a secure connection to the internet even when on an open wi-fi connection. It’s also a form of protection from your own cell carrier when using a VPN over a 4G connection.
your computer ---- website
your computer ---- VPN ---- website
They’re not a panacea for privacy, though. For example, your ISP can still listen in to unsecured communication. This site is secured, which you can tell from the green lock logo up in your address bar.
What that means is that your ISP can see that you’re on my page, but not anything within that. The particular articles you read here, anything you might submit as a message to our writers, and any post pitches are all secure. If you are using a VPN then your ISP wouldn’t be able to see that you’re on this page at all. They would see that you’re communicating with the VPN server and that’s all they would see. But you’re still communicating with sites on the other end of the VPN, so anything submitted to an unsecured site could be intercepted between the VPN and the site.
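The visibility rules above, worked through as an added example (not part of the original post): each request is wrapped the way HTTPS and a VPN tunnel wrap it, and every observer on the path reports what it can read. The IP addresses, the hostname `blog.example` and the `seal`/`read` stand-ins for encryption are assumptions made for illustration.

```python
# Added illustration; addresses and hostnames are constructed sample values.
CLIENT_IP, VPN_IP, SITE = "203.0.113.10", "198.51.100.20", "blog.example"
REQUEST = "GET /article-about-vpns"

def seal(payload, key_holder):
    """Stand-in for encryption: only `key_holder` can read the payload."""
    return {"sealed_for": key_holder, "payload": payload}

def read(data, who):
    """Return what `who` can read of `data`, or None if it is sealed to someone else."""
    if isinstance(data, dict) and "sealed_for" in data:
        return data["payload"] if data["sealed_for"] == who else None
    return data  # plaintext is readable by anyone on the path

def packet(src, dst, data):
    return {"src": src, "dst": dst, "data": data}

def trace(use_vpn, https):
    """Map each observer to (source seen, destination seen, readable content)."""
    seen = {}

    def look(who, pkt):
        seen[who] = (pkt["src"], pkt["dst"], read(pkt["data"], who))

    # HTTPS seals the request so that only the site can read it.
    inner = packet(CLIENT_IP, SITE, seal(REQUEST, "site") if https else REQUEST)
    if use_vpn:
        # The VPN client wraps the whole inner packet in a tunnel to the VPN server.
        outer = packet(CLIENT_IP, VPN_IP, seal(inner, "vpn"))
        look("isp", outer)
        inner = read(outer["data"], "vpn")      # the provider unwraps the tunnel
        look("vpn", inner)
        inner = packet(VPN_IP, inner["dst"], inner["data"])  # forwarded under the VPN's IP
    else:
        look("isp", inner)
    look("transit", inner)   # networks between the VPN (or ISP) and the site
    look("site", inner)
    return seen

if __name__ == "__main__":
    for vpn in (False, True):
        for https in (False, True):
            print(f"vpn={vpn} https={https}")
            for who, view in trace(vpn, https).items():
                print(f"  {who:8} {view}")
```

With the VPN on and an unsecured site, the `vpn` and `transit` rows show the request in the clear, which is the interception risk described above.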
Another possible flaw in your protection even with a VPN is the VPN itself. You’re relying on your VPN to protect your data. That means trusting them not only to keep you secure and anonymous, but also with all the data you submit to them. I’m not saying that they’ll steal your credit cards when you shop online, but they may keep a log of their users’ activity and if subpoenaed, would have to provide that to law enforcement. Many VPNs claim not to keep logs, or to keep logs so vague that they’d be useless for tracking down individuals, but you are once again trusting them, and that’s a lot of faith to put into a company. Where the servers are physically located can be an important factor, as different countries have different laws regarding voluntary or mandatory logging. Some companies are also negligent or even malicious in their practices, and may simply be lying about the protection they offer, or listening in themselves.
Then there are security flaws in your own browsing. You’re still online, jumping from site to site. These sites can put tracking cookies on your computer. This sounds scary and it is, though the cookie itself is just a text file. But it does allow other servers to assign you a number that their site can track. So no matter how secure your connection to these sites is, they can track you with their own efforts.
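Why a cookie defeats a change of IP address, as an added example that is not part of the original post: a toy third-party tracker assigns each new browser a number, and the browser's cookie jar hands that number back on every later visit, with or without a VPN. The `Tracker` and `Browser` classes, the site names and the addresses are constructed for illustration.

```python
# Added illustration; all hostnames and IP addresses are constructed sample values.
import itertools

class Tracker:
    """A third-party server whose content is embedded on many different sites."""
    def __init__(self):
        self._numbers = itertools.count(1000)
        self.log = []   # (visitor id, source IP seen, page that embedded the tracker)

    def handle(self, source_ip, page, cookie):
        visitor = cookie or f"v{next(self._numbers)}"   # no cookie yet: assign a number
        self.log.append((visitor, source_ip, page))
        return visitor                                   # sent back for the browser to store

    def profile(self, visitor):
        return [(ip, page) for v, ip, page in self.log if v == visitor]

class Browser:
    def __init__(self):
        self.jar = {}   # cookie jar, keyed by the server that set the cookie

    def visit(self, page, source_ip, tracker, tracker_host="tracker.example"):
        # The stored cookie is sent automatically, whatever network path is in use.
        self.jar[tracker_host] = tracker.handle(source_ip, page, self.jar.get(tracker_host))

    def clear_cookies(self):
        self.jar.clear()

def demo():
    tracker, browser = Tracker(), Browser()
    browser.visit("news.example/politics", "203.0.113.10", tracker)   # home connection
    browser.visit("shop.example/cart", "198.51.100.20", tracker)      # through a VPN
    browser.visit("forum.example/health", "198.51.100.77", tracker)   # another VPN server
    before = browser.jar["tracker.example"]
    browser.clear_cookies()                                            # cookie removed
    browser.visit("news.example/sports", "198.51.100.20", tracker)
    after = browser.jar["tracker.example"]
    return tracker.profile(before), tracker.profile(after)

if __name__ == "__main__":
    linked, fresh = demo()
    print("one visitor id, three source IPs:", linked)
    print("after the cookie is gone:", fresh)
```

The first profile ties three pages to one visitor across three source addresses; only removing the cookie breaks the link.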
So is there any hope? Yes, but it takes effort and diligence. Step one is to not trust free services. There’s an adage that if you’re not paying for the product, you are the product. That doesn’t mean that a VPN that charges money is benevolent, just that a company you’re not paying is getting a benefit somewhere. It’s also important to check what their policy on logs is. There are places that collect data about VPNs and put reports together. Torrentfreak, a news site about privacy and copyright, does an annual review of VPN logging policies, and you can read their 2017 report here. Of course, this is what they say, so before signing up with a VPN (and most of them offer short-term service so you can test out how they work for you), search around and see if they have ever been contacted by law enforcement and how they responded.
I think we’ve covered the basics of VPNs and picking one. But once you have one you’ll need to connect to it. Some of them offer their own software, and you’ll want to see what security they use as well as what platforms it supports. For me, I need Windows, Linux, and Android, but I have family that require iOS and OS X. If you buy a subscription but can’t get it set up on your phone then you’re still vulnerable for a large portion of activity, but we’ll get into that in detail next time. If you don’t want to use the custom software, or if they don’t provide any, then you’ll need a client that supports their protocol, or communication standard.
PPTP, L2TP, and OpenVPN are protocols you’re likely to see when searching for this information. PPTP is to be avoided. It’s built into Windows which makes it convenient, but it’s outdated and no longer secure. L2TP has supplanted it, but it’s questionable how secure it is as a standard. That leaves you with OpenVPN. There’s an official OpenVPN client for Windows, Linux, iOS, and Android. OS X has OpenVPN as well, and Tunnelblick if you want an open source solution. When you sign up with your VPN they will have instructions on connecting, and you’ll enter those settings into your client.
There are a few other things to talk about when poking around VPNs and online protection. So in this end section I’ll touch briefly on additional steps you can take in your own software, what Tor is, and quick links to more advanced options to look at if you want to get serious about protecting your network.
Remember how I mentioned secure websites, like this one, that use https? Well, some sites have it but don’t redirect if you happen to forget to type in that “s” at the end, or click a link that doesn’t include it. There’s a browser plugin called HTTPS Everywhere from the EFF (Electronic Frontier Foundation) that will push an https request on every page, so if a secure connection is an option, this will force it. They also provide a plugin called Privacy Badger, which blocks those pesky tracking cookies mentioned above. You should also always keep your OS and browser software up to date to make sure security flaws are fixed in your software as soon as possible.
There’s also a protocol called Tor. Tor is a network setup that uses a large number of nodes to bounce your data around from computer to computer before pushing it out to its destination. The system has benefits as well as flaws. Hypothetically it creates a network connection so layered and tangled that it becomes difficult to trace. The downside of this is that it can be very slow, since there’s so much additional traffic. And like a VPN, cookies and unsecured sites are still possible security breaches. There have also been instances of exit nodes, computers that act as the exit point of a Tor connection, being compromised and inserting malicious data into Tor connections. There’s also the fact that the US Department of Defense has invested significant effort into hacking through Tor anonymity. So once again, it comes down to placing a lot of trust into the system. That said, it’s free and not too difficult to install on Windows, Mac, Linux or Android, so you may want to play around with it and see how you like it.
Last of all, there are a number of ways to roll your own solution, all of which have varying degrees of difficulty. If you want to protect your whole home behind a VPN but don’t want to have each device connect separately, you can put DD-WRT on many relatively cheap routers to give them advanced features. DD-WRT is software that replaces the software your current router runs. It allows access to features as long as the hardware supports it, such as OpenVPN, and it’s free. Set up a router with an OpenVPN connection to your VPN and anything behind that router is secure, including your wifi. Just be aware that some VPNs are blocked by services like Netflix so if certain sites stop working that could be the issue.
If you want to secure a public computer then you can try out Tails. Tails is a live operating system, which means you can run it off of a CD, DVD, or thumb drive. It contains the whole OS and software, so if you’re on a public computer you won’t be using any of the software from it. If they have a locked down version of Windows with a browser you don’t want to use, none of that will affect you anymore. It relies heavily on Tor for browsing security, so keep that in mind.
For the truly ambitious there’s Streisand. This is a free software package that you install to a server, and it creates everything you need to run your own VPN. It’s compatible with Amazon EC2, DigitalOcean, Google Compute Engine, Linode, and Rackspace, so you’ll still be paying for the server but that’s it. It won’t be cheaper than many commercial VPNs out there, running about $10 a month on Amazon, but it’ll be completely in your hands. That means all of the trust issues I brought up will be in your own hands because it’ll be your server.
And that’s it for this segment on privacy. As always, if there are any issues that you think I should touch on or clarify, or anything you think I mangled or did great at describing, please leave a comment below.