Tuesday, 29 November 2016

Evaluating a VPN provider

At A&A we are looking into how we can best help customers exercise their human right to privacy, their right to net neutrality, and their right to access legal content.

The IP Act puts in place horrendous snooping powers, and the DE Bill as proposed puts in place a new national censor with the job of blocking porn sites - legal porn sites. We can all imagine how much further such proposals could go.

At present there is no ban on operating a VPN - it would be hard to ban without also banning HTTPS, which is used by many web sites, businesses and banks, and the VPNs used by industry and even parliament.

There are VPN providers now (sensibly) targeting the UK market - they provide a VPN endpoint which you connect to from your computer, or using a router that can run the VPN for your whole house. They make a point of having equipment and legal entities in countries that do not require logging and snooping, and make a point of not recording anything or accepting orders from governments like the UK.

So, the next question is how we evaluate VPN providers and even make some recommendations. We may even set up a VPN operation ourselves (well, not ourselves, a foreign company with foreign servers, so not subject to UK jurisdiction).

These are the obvious aspects I can think of, but I am keen on other comments.

Speed

One simple aspect of the service, and of the device you choose to terminate the VPN at your premises, is whether it can keep up with the speed of your Internet connection, such as an 80Mb/s VDSL service.

Price

Obvious one, but you want a reasonable price. Free is great, but there has to be a catch somehow, so expect to pay a few dollars a month at least for any reasonable service.

Anonymity

Are they really not logging anything, and do they have a clear history of refusing information requests?

Trust

Can we really trust them? Very hard to be sure, but reputation and how long they have been in business are key factors.

Geotagging

Can they make your traffic look like UK traffic (if that is what you want)? This may be tricky, and without it things like Netflix may not even work. If someone sets up a service specifically for UK use they may be able to convince Netflix and others that its IP addresses are UK addresses, even if it is plugged in via another country.

Technical

MTU issues, latency, whether all IP protocols and ports pass through transparently, IPv6, and so on. All things that matter from a technical point of view. Ironically, maybe even a fixed IP, if blocking/censorship is your main concern.
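A worked example for the MTU point, added here and not part of the original post: it works out how much of the link MTU each tunnel profile leaves for real traffic, what TCP MSS to clamp to, and whether the tunnel is still wide enough for IPv6. The standard header sizes are real; the per-profile VPN overheads are assumed round figures for illustration, not measurements of any product.

```python
"""Tunnel MTU / TCP MSS calculator (added worked example, not from the post).

Every layer a VPN adds comes out of the link MTU. If the VPN device neither
lowers the tunnel MTU nor clamps TCP MSS, full-size 1500-byte LAN packets get
fragmented or, with DF set and ICMP 'fragmentation needed' filtered, black-holed.
Header sizes are real; per-profile VPN overheads are ASSUMED illustrative values.
"""

IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR = 20, 40, 8, 20
IPV6_MIN_MTU = 1280  # RFC 8200: every IPv6 link must be able to carry 1280 bytes

# name -> (outer IP version, transport header, assumed VPN overhead, cipher block)
PROFILES = {
    "udp-cbc-hmac": (4, UDP_HDR, 41, 16),  # assumed: UDP tunnel, CBC cipher + HMAC
    "udp-aead":     (4, UDP_HDR, 32, 1),   # assumed: UDP tunnel, AEAD cipher, no padding
    "udp-aead-v6":  (6, UDP_HDR, 32, 1),   # same tunnel carried over an IPv6 outer
}


def inner_mtu(outer_mtu, outer_ip, transport, overhead, block=1):
    """Largest inner packet that fits one outer packet without fragmenting.
    Block ciphers pad plaintext up to a block multiple, so the budget is rounded
    down to a block multiple (conservative: it never over-estimates)."""
    outer_hdr = IPV4_HDR if outer_ip == 4 else IPV6_HDR
    budget = outer_mtu - outer_hdr - transport - overhead
    return budget - budget % block


def mss_clamp(tunnel_mtu, inner_ip=4):
    """TCP MSS to advertise so one full segment fits inside the tunnel MTU."""
    return tunnel_mtu - (IPV4_HDR if inner_ip == 4 else IPV6_HDR) - TCP_HDR


def evaluate(link_mtu, profiles=PROFILES):
    """Per profile: tunnel MTU, MSS clamps, whether an unclamped 1500-byte LAN
    packet needs fragmenting, and whether the tunnel is wide enough for IPv6."""
    results = {}
    for name, (ip, transport, overhead, block) in profiles.items():
        mtu = inner_mtu(link_mtu, ip, transport, overhead, block)
        results[name] = {
            "tunnel_mtu": mtu,
            "mss_v4": mss_clamp(mtu, 4),
            "mss_v6": mss_clamp(mtu, 6),
            "fragments_1500": mtu < 1500,
            "ipv6_ok": mtu >= IPV6_MIN_MTU,
        }
    return results


if __name__ == "__main__":
    # 1492 is the default PPPoE MTU on a VDSL line; 1500 is plain Ethernet.
    for link in (1492, 1500):
        print(f"link MTU {link}:")
        for name, r in evaluate(link).items():
            print(f"  {name:14s} tunnel MTU {r['tunnel_mtu']:4d}  MSS v4 {r['mss_v4']} "
                  f"v6 {r['mss_v6']}  frag1500={r['fragments_1500']} ipv6_ok={r['ipv6_ok']}")
```

Replace the assumed overheads with figures measured on your own tunnel (for example by probing with DF-set pings of increasing size) before using the MSS values in a router configuration.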

41 comments:

  1. +1 for an Å&Å VPN. Your customers already trust you to deliver most of the above.

    1. An A&A VPN would certainly be my first choice. I've been researching the options over recent days but even ones that appear to tick all the boxes have some poor customer reviews that cast doubt. To get the best price you generally need to pay a year or two up front, so taking a chance on quality. With an A&A VPN I wouldn't hesitate to pay a couple of years up front, hopefully with some kind of discount, for a service I would know had been set up with the right motives in mind.

    2. In my opinion, it's very hard to differentiate top VPN service providers from each other. All are offering more or less a similar service, but yes, service delivery is what you can evaluate a VPN for. In my opinion ExpressVPN & PureVPN are the two giants in the industry which have promising service delivery when it comes to streaming & fast browsing.

      Express usually targets people with high budgets looking to stream movies, serials, sports events etc., whereas PureVPN targets a mass segment that has a low budget but is still interested in streaming and downloading.

  2. Another +1 for an A&A VPN. Would be happy to pay over the standard costs to know it was provided by a technically competent and privacy focused company.

  3. Currently I've got RouterOS running on a VPS instance in Europe. $45 for the CHR license and <£5 a month to run the VPS instance. Have even assigned some UK geolocated IPs to it. More than powerful enough to run my 70Mbps FTTC flat out (will burst up to 1Gbps) and have tested it on fibre Ethernet connections up to 200Mbps and seen no slow down so far.
    Has come in handy when I need to get round firewalls when on jobs elsewhere by using SSTP. Works fine on BBC iPlayer, ITV catch-up etc.

    1. Loads of other soft routers would do a similar job, PfSense etc.

      https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions

  4. Re geotagging, at least one VPN based in Panama offers what they call a Smart Play option, which claims to spoof the user's country of origin to gain access to sites like iPlayer for example without using UK servers, so it must be feasible. Mind you, there are a few user comments complaining that it doesn't work.

    1. It doesn't work with Netflix at the moment because Netflix is playing "whack-a-mole" with VPNs. It does work with Amazon, Hulu and UK catch-up services.

      It offers various other options (assuming we're talking about the same company) such as Double VPN, TOR over VPN, Anti-DDoS, Dedicated IP, P2P. You simply select the category you want, then a server in the country of your choosing - there are endpoints in 54 countries for a simple VPN, other options vary.

      As I said before it maxes out an 80/20 VDSL2 circuit pretty much any time of day and costs $4/month which is actually less than the cost of a return bus ticket in Leicester.

      There are apps for Windows/Android/iOS/Linux/BlackBerry & you can run 6 devices concurrently or just make the router the endpoint. All the usual encryption/tunnel options are there: IKEv2/IPsec, OpenVPN, PPTP, L2TP, etc.

      As far as trusting them - well they're based in Panama for a reason & they've apparently been audited to verify no logs are kept. The CC companies know who they are as payment was a little unusual - they didn't want an address, just a postcode & that went through instantly with none of the Verified by Visa nonsense. Normally that'd be flagged as suspect (CC got cloned recently) but nope it was fine which indicates Visa have no worries about these guys doing a runner :)

    2. We are talking about the same company and I liked the look of them for the same reasons you gave. They're actually offering £3/month at present if you pay £72 upfront for two years. The only unknown is throughput speed and reliability of connection. As you seem to have signed up with them recently, what is your own experience in those respects so far?

    3. It just works - I tend to use UK servers* which will give pretty much line speed on a VDSL2 connection.

      Iceland is 50/20 or so, Netherlands the same. Further you go then the worse the latency/throughput for browsing.

      Double VPN is about 30Mbps both ways. TOR over VPN is the same as TOR using obfs4 - somewhat sluggish to say the least.

      Streaming HD video is fine, no idea about 4k stuff.

      I have an endpoint running on a Ubiquiti USG and that runs fine. I don't normally run that though as I'm on Sky (who do a /56 prefix on IPv6) and the USG issues a release command on the /56 every time you do a controlled reboot. Yanks & IPv6 don't work sadly but I have hopes as the guy who ran the pfSense project is now working for them. I digress.

      tl;dr it works and for the price of a pint/month it will at least avoid ICRs/blocking.

      *yes I know but it bypasses the simple bulk data scoop without buggering up your connection.

  5. A wiki of "here's what we've found out in terms of third party providers", from which customers can make decisions based on their needs / preferences / wallets sounds like it might be useful. Probably more, and perhaps more viable commercially, than trying to run your own overseas-terminating VPN service.

  6. I've been playing with this for a while but it's more hassle than I expected.

    I was hoping to run the VPN on my router, an Asus RT-AC87U, which does support OpenVPN, but it seems to cap out at about 14Mbit/s throughput, which is a shame for what is supposedly a high end router.

    So, I need to run a VM for it on my home server I guess, which is messier than I would like.

    The other issue is that I'm on Virgin Media 300Mbit/s, so many VPN providers won't cope with the speed. Also, VM have congestion issues at times, so a single threaded connection reduces my real world throughput (although I am ready to accept this limitation).

    A&A are not an option, as you state your L2TP connections are unencrypted, and you don't allow more than 100Mb/s; even if I pay three times over, I apparently cannot have 300Mb/s. You're also UK based!

    It's a bit of a nightmare really.

    1. I've been testing NordVPN.

      No VPN:
      http://www.speedtest.net/my-result/5839278352

      VPN:
      http://www.speedtest.net/my-result/5839240785
      http://www.speedtest.net/my-result/5839256897

      This is with a dedicated pfSense box, with 8GB RAM and a 3.2GHz i5 CPU.

      The search continues!!

    2. This is likely a Virgin thing - if you look at the ThinkBroadband tests then you'll see that single-thread connections (which a VPN is) are somewhat sub-optimal.

      You are only ever going to get single-threaded figures on Virgin via a VPN at most times of day.

      YMMV.

    3. If you are talking of the way TCP handles congestion, that would not normally apply to a per packet VPN - i.e. TCP for each real session would do its thing as multiple "threads" as normal.

    4. What was the VPN setup and how did the cpu loading look while running the test...?

    5. RevK - it's a "Virgin/Docsis/DPI thing". I tested it on next door's connection tonight and it's bad. Really bad.

    6. About the commodity wireless router pegging out at 14MB/s as ebreyit mentions above, look at CPU usage, probably AES is chewing through all of it.

      If you want to avoid the virtual route - those SBCs inna-box style things are fairly cheap (around 100 quid) and would cope fine - just pick one where the processor has AES support.

    7. I don't want to lay the blame solely on VM. I am not in a congested area, and can hit 300Mbit/s on my work VPN (Cisco AnyConnect SSL). This VPN can be traced back to me though so isn't what I want to use!!

  7. Given the space in which VPN providers exist - those which are transparent would likely cooperate with (non-local but democratic) governments, those which are not willing to do so are more likely to be doing unacceptable things - I think the only real option for you is to have a sister off-shore company that can trade on AAISP's "endorsement" as a good, honest, privacy respecting VPN.

  8. Presumably an A&A VPN wouldn't help since it would be subject to the snooper's charter.

    1. As I say, it would have to be a VPN actually run by a legal entity that is outside UK jurisdiction, even if we made that company come into existence and even if we were subcontracted to set it all up.

    2. If it's likely that only the backbone providers such as BT and TalkTalk will initially be asked to collect ICRs, what's to stop AAISP offering unlogged VPN access until specifically requested to perform logging under the terms of the IPA?

    3. Indeed, and that is one thing we are considering - but we need to have a means to sell off the operation to a non UK company as soon as we are asked.

    4. Dunno whether you've read it but El Reg has an article up which seems directly relevant :

      http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/

      I'm no lawyer but I reckon there's probably enough of a catch-all there to give you significant problems even AFTER you "sell off" the operation.

      It also requires you to inform the govt of "new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service."

      "technical capability" = decrypt on demand.

      Tread carefully Adrian, you're in the middle of a minefield....

    5. > It also requires you to inform the govt of "new
      > products and services in advance of their launch

      In that case launch a VPN product now; it doesn't have to be foreign, it doesn't even have to be used by any customers, but at least when the law comes in it won't be a new product (IANAL).

  9. So I contract with a company in a foreign land for a VPN the connection point for which is in !UK.

    How on earth is HMG going to get said foreign company to provide a backdoor?

    Stupid, stupid legislators; they'll be passing a law to make Pi === 3 next.

    1. They won't need to.

      They can stop you using it by blocking conventional CC payment, just like happened to wikileaks. This is trivial to do.

      Then you're into the "interesting" world of bitcoin. I'd suggest that's not a place you want to be unless you have some technical competence? That means most people won't bother & those that do get their encrypted traffic recorded. Remember before you call "tinfoil hat" that this has been done in the UK for at least a decade.

      tl;dr HMG will do it the way they always have - bulldoze it through & let the courts deal with the fallout. Then change it on the quiet as they gave themselves rights to do so as secondary legislation....

    2. But a VPN service is not illegal, even under IP Act, so they have no legal basis to block CC payments, surely. Anyway, there is always bitcoins.

    3. Nor was wikileaks but that didn't stop Visa/MC doing what the USA told them to.

      You'll find that Visa/MC both have merchant terms which permit them to stop payments to anyone they like for any reason they want.

      Bitcoin is fine because 99% of the population won't use it and those who do are probably on GCHQs radar anyway.

      This is secret squirrel shit Adrian so don't expect anyone to uphold your "rights" if you piss them off.

      Plod is bad enough if they have a grudge against you, the rest of them have no problem leaving you dead in the woods if you're in the way of state torture/rendition/murder.

      For all of you rolling eyeballs at this point then I'd remind you that ALL of this has happened in the last 15 years within the UK.

    4. And even if none of that happens, the PTB can easily entangle you in the legal equivalent of a tarpit that can go on for years.

  10. Thinking outside the box, but if we all were to register as an ISP with A&A, would that not mean we do our own logging rather than a centralised log somewhere? Sure it's more effort on our parts and doesn't get around the issue of logging, but at least we would know when they come looking...

    1. Previously, maybe, but with IP Act, no. That allows deep packet inspection to extract and generate data so could be done in BT Wholesale even.

    2. Ah, that's less than ideal.

  11. What I am having difficulty in grasping is:

    1. What are the objectives of the legislation?

    2. Do the measures to be taken fulfill the objectives?

    A couple of paragraphs outlining these two points for us low attention span, old people, would be really useful.

    1. Objective ① to lay the ground for formal large-scale internet censorship in the UK ("oh dear, foreign sites don't comply with our laws, so nobody may be allowed to see them");

      Objective ② to make a great deal of money for "age verification" providers.

      Hope this helps.

  12. For 1, read the government response to the petition; for 2 you can make your own mind up.

    https://petition.parliament.uk/petitions/173199

  13. There is no point to the legislation as we all well know. I went out this week and paid cash for a 3 network data SIM, £30 for 12 gig to be used within 12 months. No logging would tie that to anything other than the nearest cell mast.

    1. Provided that is, that you don't use any services which could be linked to you. If you were making a conscious effort the most likely trip up might be mobile devices which access services accredited to your accounts, creating a trail that leads back to you and by association other usage could be attributed to you.

  14. Did you see this post on Slashdot about requiring backdoors to encryption?
    https://news.slashdot.org/story/16/12/03/1636231/encryption-backdoor-sneaks-into-uk-law

    1. See paragraph 10 of the Schedule to the current interception maintenance of capability framework, for an indication of where this came from:

      http://www.legislation.gov.uk/uksi/2002/1931/schedule/made
