Best way to protect traffic data from ISP?

Hello,
What’s the best way to protect my traffic data from my ISP on Linux?

2nd question: I am looking for some VPN service but now a lot of VPNs are getting purchased by some big brother companies and are becoming useless. What’s a safe VPN service or a safe way to achieve the same effect?

Thanks.

I host my own VPN on a VPS that I rent.

Benefit is that you then have your own server to do with what you please. I use OpenVPN that I log into at router level with my pfSense router. That way you can choose what goes through the VPN and what doesn’t. Pretty important for stuff like Netflix. Also takes the encrypt/decrypt load off the individual clients.

2 Likes

Can you use multiple IPs (4-5 Countries) this way?

Well pfsense supports multiple VPN clients and you can just set the firewall rules for what traffic you want to go through what gateway. Only thing is you will have to rent a VPS in every country.

If I may, what reason do you have for doing this?

@edit: If you just want traffic to be routed through a random VPN the whole time then you can easily achieve this by setting up a multi-gateway/WAN load balance. This way every new connection is distributed via round-robin between them.

1 Like
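The two posts above describe split tunneling on a pfSense box: per-gateway firewall rules decide which traffic goes through the VPS tunnel and which stays on the plain ISP path. On a Linux client running WireGuard the same decision is expressed in the peer's AllowedIPs, which must list the complement of everything you want to bypass (your LAN, the VPS's own address so the tunnel never routes its own endpoint, and any service you want to keep on the ISP path). The script below is an added example, not code from either poster; the key strings, the endpoint hostname and the bypass prefixes (documentation ranges) are placeholders to replace with your own.

```python
import ipaddress
from typing import Iterable, List

# Placeholders: generate real keys with `wg genkey | tee client.key | wg pubkey`.
CLIENT_PRIVATE_KEY = "<client private key from wg genkey>"
VPS_PUBLIC_KEY = "<server public key from wg pubkey>"
VPS_ENDPOINT = "vps.example.net:51820"   # assumed hostname:port of the rented VPS

# Constructed bypass list: home LAN, the VPS's own public address (TEST-NET-3
# placeholder), and one more range standing in for "whatever Netflix resolves to".
EXAMPLE_BYPASS = ["192.168.1.0/24", "203.0.113.10/32", "198.51.100.0/24"]


def split_tunnel_allowed_ips(bypass: Iterable[str], family: str = "0.0.0.0/0") -> List[str]:
    """Return the complement of the bypass prefixes within the whole address family.

    WireGuard routes exactly the prefixes listed in AllowedIPs, so listing the
    complement of what must stay on the ISP path is how split tunneling is
    expressed on a Linux client (the equivalent of pfSense per-gateway rules).
    """
    keep = [ipaddress.ip_network(family)]
    for raw in bypass:
        hole = ipaddress.ip_network(raw, strict=False)
        nxt = []
        for net in keep:
            if not net.overlaps(hole):
                nxt.append(net)                      # untouched by this hole
            elif hole.subnet_of(net) and hole != net:
                nxt.extend(net.address_exclude(hole))  # punch the hole out
            # else: net lies inside (or equals) the hole and is dropped entirely
        keep = nxt
    return [str(n) for n in ipaddress.collapse_addresses(keep)]


def covers(allowed: Iterable[str], address: str) -> bool:
    """True if the given address would be sent through the tunnel."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in allowed)


def render_client_config(bypass: Iterable[str], tunnel_addr: str = "10.66.0.2/24",
                         dns: str = "10.66.0.1") -> str:
    """Emit a wg-quick style client config whose AllowedIPs implement the split."""
    allowed = ", ".join(split_tunnel_allowed_ips(bypass))
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {CLIENT_PRIVATE_KEY}",
        f"Address = {tunnel_addr}",
        f"DNS = {dns}",   # resolve inside the tunnel so lookups never hit the ISP resolver
        "",
        "[Peer]",
        f"PublicKey = {VPS_PUBLIC_KEY}",
        f"Endpoint = {VPS_ENDPOINT}",
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    print(render_client_config(EXAMPLE_BYPASS))
```

Excluding the VPS endpoint from AllowedIPs matters: if the tunnel's own endpoint were routed into the tunnel, the encrypted packets would have no way out, which is the routing loop wg-quick otherwise has to work around with fwmark rules.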

I don’t need all IP addresses used in parallel at the same time, I just want to be able to change from one IP to another in case it gets blocked or whatever. I just want to have some easy freedom nothing fancy.

Will this old PC be able to run pfSense for a small home network (3 PCs):
CPU: Intel Core2Duo E6300 1.86 GHz
MB: AsRock Conroe XFire-eSATA2
GPU: Ati Radeon X300SE
RAM: 1 GB DDR2
HDD: Seagate 160 GB
PSU: Fortron 300W

This can’t be answered unless we know what you are protecting and who you are trying to protect it from.

1 Like

Well, to be honest I don’t have a specific goal, I just think it’s prudent to create some space between my ISP and my traffic just as a general rule of thumb. I would like to protect my browsing history and my chats from my ISP.

1 Like

In that case, use chat and web sites that support encrypted transport, a.k.a. HTTPS.

For browser history you need a why: do you believe they are recording it for something?

You run the risk of giving yourself a false sense of security against a threat you don’t even know or understand. People giving you random advice on what to do will leave you secure in one specific area and leave you vulnerable everywhere else because no one had an understanding of what you were actually trying to protect and from what.

Tread carefully.

6 Likes

Set up pfSense with Cloudflare DNS. It sends requests through SSL, encrypting your DNS queries so your ISP can’t see them in the clear.

Next, ensure all the websites you go through are using HTTPS, and if not be sure to visit them through a VPN.

A VPN is not needed on traffic from HTTPS sites because it goes through SSL anyway.

As far as if it is powerful enough, I would say no it is not. The amount of RAM and type is irrelevant but the CPU needs to support AES-NI or else it will chew up a lot of resources.

If it’s general purpose “home” use then one of the VPN services will do I’m sure. I have been with PIA for many years. I think Level1 has a referral link somewhere.

If you are a little more concerned by our corporate overlords then the people behind Protonmail offer a VPN service.

You can of course roll your own and that might be a fun project but if you are happy to pay someone else and have them deal with the maintenance you could do a lot worse than using PIA.

VPN > onion routing with encrypted DNS

Well,

put it this way… The VPN provider just becomes your new ISP, so if there’s any ““trust”” in that, that’s for you to decide.

2 Likes

Eden is always ethical. Definitely helps when you explain it this way.

1 Like

If you just want to protect from your ISP, I would suggest getting a very, very cheap VM from somewhere like BuyVM or LowEndSpirit and running WireGuard or OpenVPN on it. LES is literally €3.50 per year.

https://lowendspirit.com/locations.html
https://buyvm.net/kvm-dedicated-server-slices

If you’re concerned about, well, let’s just say it, piracy, pay for a commercial VPN service like iVPN or TorGuard.

Anyone telling you to use a VPN and Tor is pulling your leg. Tor is waaaaay too slow for regular use unless you’re actually concerned for your life.

If your goal is to obscure your activity from your ISP, HTTPS + a secure form of DNS gets you most of the way there with relatively little effort. As for a “secure form of DNS,” it is trivial to set up dnscrypt-proxy or Cloudflare’s Argo on an individual Linux host or your Linux router. The advantage of dnscrypt-proxy is that it will work with multiple providers of DNS-over-HTTPS, DNS-over-TLS, DNS-over-SSH, and Argo only connects to Cloudflare’s DNS-over-HTTPS.

I put dnscrypt-proxy in front of my local BIND instance and connected it to Cloudflare’s DNS-over-HTTPS and have not had complaints. The newest version 2.0.15 fixes a startup issue where the proxy would hang if the network wasn’t fully ready.
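The posts above (pfSense with Cloudflare DNS, and dnscrypt-proxy or Argo in front of a local resolver) all rest on the same mechanism: the ordinary DNS wire-format query is carried inside an HTTPS request to the resolver instead of plaintext UDP port 53, so the ISP sees only a TLS session to the resolver's IP. The script below is an added example, not part of any post and not dnscrypt-proxy's or Cloudflare's code. It builds the RFC 1035 wire query, forms the RFC 8484 GET URL, and parses an A-record answer; the resolver URL is an assumption, and the sample response is constructed inline so the parser can be exercised offline. Only the `resolve_over_https` call at the bottom touches the network.

```python
import base64
import struct
import urllib.request
from typing import List, Tuple

# Assumed public DoH endpoint; any RFC 8484 resolver URL works here.
DOH_URL = "https://cloudflare-dns.com/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035). RFC 8484 suggests txid 0 so the same
    question always yields the same GET URL and can be cached by HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the query, padding stripped, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; returns (name, offset just past it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_a_answers(msg: bytes) -> List[Tuple[str, str, int]]:
    """Return (name, ipv4, ttl) for every A record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                              # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                     # qtype + qclass
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, ".".join(str(b) for b in rdata), ttl))
    return out


def resolve_over_https(name: str, url: str = DOH_URL) -> List[Tuple[str, str, int]]:
    """Live lookup: the only thing visible on the wire is TLS to the resolver."""
    req = urllib.request.Request(doh_get_url(url, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_answers(resp.read())


# Constructed answer for www.example.com A (TTL 3600), using a compression pointer
# (0xC00C) back to the question name, as real resolvers do.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + encode_name("www.example.com") + b"\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_get_url(DOH_URL, build_query("www.example.com")))
    print(parse_a_answers(SAMPLE_RESPONSE))
    try:
        print(resolve_over_https("www.example.com"))
    except OSError as exc:                           # offline or resolver blocked
        print("live lookup skipped:", exc)
```

The GET URL for `www.example.com` is the one RFC 8484 itself uses in its examples, which is a handy way to confirm the encoder is right before pointing it at a real resolver.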

You can always put openvpn on an AWS ec2 instance and roll your own.

HTTPS still exposes metadata, including the IP address you’re connecting to, how long you’re engaged there, and potentially full URLs from referrer data from unencrypted hosts; stuff like CSS layouts and JavaScript can be kept there. Metadata is important stuff, and can be used to correlate activity and ultimately trace your identity. Of course your ISP knows who you are anyway.

It would be insanely expensive to VPN through AWS. That’s a very bad idea.

2 Likes
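The post above is right that HTTPS leaves metadata in the clear, and the concrete check a practitioner would want is to look at the very first packet of a TLS connection. Before any key is agreed, the ClientHello carries the target hostname in its server_name (SNI) extension, so an on-path ISP gets the destination IP and the hostname even when every byte after the handshake is encrypted. The script below is an added example, not part of any post. It constructs a minimal ClientHello (not a full TLS stack) and then walks it the way a passive observer would; `www.example.com` and the cipher-suite list are arbitrary sample values.

```python
import os
import struct
from typing import Optional, Tuple


def build_client_hello(server_name: Optional[str],
                       cipher_suites: Tuple[int, ...] = (0x1301, 0x1302, 0x1303)) -> bytes:
    """Constructed TLS record carrying a ClientHello, optionally with an SNI extension."""
    body = b"\x03\x03" + os.urandom(32)             # client_version, random
    body += b"\x00"                                  # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                              # one compression method: null
    # supported_versions first, so the parser must skip an unrelated extension
    sv = b"\x02\x03\x04"
    exts = struct.pack("!HH", 0x002B, len(sv)) + sv
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry               # ServerNameList
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni        # extension type 0
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type handshake(22)


def _walk(record: bytes) -> Optional[str]:
    if len(record) < 5 or record[0] != 0x16:
        return None                                  # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                  # not a ClientHello
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                     # client_version + random
    off += 1 + p[off]                                # session id
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]  # cipher suites
    off += 1 + p[off]                                # compression methods
    if off + 2 > len(p):
        return None                                  # no extensions block at all
    ext_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4])
        off += 4
        edata = p[off:off + elen]
        off += elen
        if etype != 0x0000:
            continue                                 # not server_name
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            if ntype == 0:
                return edata[q:q + nlen].decode("idna")
            q += nlen
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Hostname from the ClientHello's server_name extension, or None if absent.

    Everything walked here is plaintext on the wire; an ISP (or anyone on the
    path) reads it without breaking TLS. Malformed input yields None, never a crash."""
    try:
        return _walk(record)
    except (IndexError, struct.error, UnicodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
```

A VPN or Tor moves this leak one hop out (the VPN provider or the entry node now sees the ClientHello instead of the ISP); it does not remove it, which is the same point the "your VPN provider just becomes your new ISP" reply makes.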

I don’t want to hijack the thread, but I’ve been wanting to create a more robust VPN solution for myself. I just don’t know if it’s all that practical.

I’ve had a VPS for a couple years, but have never really made much use of it. Basically I’d like to create a VPN relay, if that makes sense. I’d connect to the VPS (which is in Europe) using my own VPN (OpenVPN), then I’d connect back to the States using a commercial VPN (PIA in my case)

Is this practical? Is it possible? Maybe I wouldn’t use it all the time, for everything, but would that be “more secure” in any way?

It’s both practical and possible. It would add one more step to anyone trying to get your identity; they would need a court order for your VPS provider rather than going straight to your ISP. That isn’t really more secure, though, it’s just slightly more effort. I wouldn’t bother. If you really need to protect your identity you should be using Tor with Tails, but that level of security is only appropriate for political dissidents and serious criminal activity.

2 Likes

I have been doing it for almost three years, and a few basic policy routes (like no netflix/prime video and no https over the vpn) keeps my bill to under $3 per month.

In fairness though, the primary purpose of my EC2 instance is a central connection for my geographically separate networks (New Orleans and 2 in Las Vegas), so I use it as a VPN for regular HTTP traffic only because it was already there, and my routing policy keeps most high bandwidth traffic off the VPN. At $0.09 per GB per month, 1 TB would be $92 and not worth it.