Navigating the VPN hellscape

hi all - 1st time poster here :nerd_face:

i think Henry is a sharp guy and i appreciate the knowledge he and the rest of the Techlore team shares, as well as the non-confrontational way in which they share it

i’m a little bit different however - i tend to be quite direct and more apt to say “do this or else” instead of “here’s why this might be a good idea” - admittedly my approach is more likely to fail, but i’m older and more cynical (or is it senile?)

with that out of the way, regarding VPNs, i disagree with some of what Techlore and Henry have said and advise…

  • first of all, VPNs should be thought of as proxies, not virtual private networks, since they do little or nothing by themselves to protect privacy, however this is not to say they are not valuable in certain cases
  • no VPN can be trusted, period - they can make any claim they want, advertise 3rd party audits, etc., but unless you run the company, or personally know those who do, there is no bullet-proof way to verify whether all their claims hold water

with that understanding, allow me to provide some criteria which i think are logical when choosing a VPN provider…

  • they must physically and technologically own and secure their hardware - this means they purchase, configure, deploy and secure each server - this criterion alone eliminates the vast majority of VPN providers, including those in the Techlore list (techlore.tech/about)
  • the operating system must run in RAM only - no hard drives
  • unnecessary ports must be physically sealed
  • the server must be physically secured in the rack
  • the service must not require any personal information in order to utilize it - by extension this means they must accept payment anonymously (crypto, cash mailed in an envelope, etc.)
  • accessing the server must not require the use of an “app”
  • they must be transparent about their operations and ownership
  • and then there’s all the usual stuff; no logs, no port restrictions, no throttling, no bandwidth limits, blah blah blah…

at this time there are only 3 companies i’m aware of that appear/claim to meet these requirements - there are very likely more, however i simply haven’t searched around enough to find them - these companies are OVPN, Mullvad and AzireVPN

i currently use AzireVPN, though i might recommend OVPN or Mullvad to new, less technical users, however do note that Mullvad leases the majority of their servers (and they are clear about this)

note also that all 3 support the WireGuard protocol which i think is proving to be far superior to OpenVPN

parent companies to avoid (incomplete list)...
  • Kape Technologies
  • Ziff Davis
  • Nord Security
  • Aura
  • Innovative Technologies
  • Actmobile Networks
  • Gaditek
  • NortonLifeLock and SuperSoftTech
service companies to avoid (incomplete list)...
  • Atlas VPN
  • Avast SecureLine VPN
  • Buffered VPN
  • CyberGhost
  • Encrypt.me
  • ExpressVPN
  • Free VPN
  • HideMyAss
  • Hotspot Shield VPN
  • IPVanish
  • Ivacy VPN
  • JustVPN
  • NordVPN
  • Perimeter 81
  • Private Internet Access (PIA)
  • PureVPN
  • SaferVPN
  • StrongVPN
  • Surfshark
  • TouchVPN
  • Unblock VPN
  • ZenMate VPN

further resources…

as a 1st time poster i can’t post a lot of links yet, however you can do a phrase search for “navigating the VPN hellscape” and you’ll land on an article i wrote on 12bytes org in which i provide a lot more info - i would particularly recommend the video by Naomi Brockwell as she did an excellent job of detailing some of the problems with VPNs in general

Why is owning the server a requirement for a “good” VPN provider?

The company that provides the network infrastructure has access to at least the encapsulation data from all traffic going through their network; it would be a juicy target for any actor that wants to monitor a lot of users.

They are not going to be able to read your TLS encrypted traffic, but they are going to know what servers you connect to.

1 Like

expanding on what OrwellianDenigrate said, if the hardware isn’t secured, then that leaves open ports which can be used to surveil, do damage, etc., and physically sealing ports (such as USB, etc.) likely cannot be done unless you own the hardware

furthermore, owning and installing the hardware provides some degree of trust that it hasn’t already been compromised, though law enforcement has been known to intercept packages in transit and backdoor them before they arrive at their destination (i think it might be PinePhone that takes special precautions to avoid this)

Privacy Guides has an overview on VPNs, and has a well-vetted selection. Hopefully this helps solve your problems!

You have some interesting takes on VPNs.

I recall viewing some of your articles, especially on Firefox. I have your blog bookmarked.

I do think it’s a bit extravagant to suggest you cannot trust any VPN. The truth is, there is nothing stopping someone from trusting x. It would be more accurate to suggest that while no service is 100% reliable, you can choose to put your trust in some services over others based on appropriate criteria. In other words, trust and integrity are independent; you are taking a leap of faith by trusting x service to be reliable in the ways they say they are. By extension, you are taking a leap of faith by simply using the internet. You have to take a step back and accept that nothing can be 100% secure, except in limited circumstances and “until it isn’t”.

the same reason TOR is unsafe. every physical traffic node can see all traffic in plain text. and the u.s.a. gov owns more nodes than anyone else. the biggest terrorist owns the most privacy trusted network. think about that.

i agree and that’s essentially what i meant when i used the word trust

as you say, nothing is foolproof

i don’t know what to make of Tor and i largely agree with your view regarding the U.S. government, though i’m not sure whether, ultimately, the U.S. is the biggest exporter of terrorism, but that’s a whole other matter

i’m more interested in your reason for suggesting that “every physical traffic node can see all traffic in plain text”

this is going to take a while. i am having a braindead day.

  1. please look at the original architect of who published TOR. think carefully. would this entity have any exploits they are not making known? if so let us count the exploits we already know of in the wild. please keep a ready list on hand because this is a long list.
  2. TOR Nodes Explained!. Block it, Track it or Use it. But… | by Raja Srivathsav | Coinmonks | Medium
  3. privacy - Analyzing Tor traffic through Deep Packet Inspection? - Information Security Stack Exchange
  4. alternate fork deviation variable switch. encryption unlocked. when i was driving a commercial vehicle for the postal service my signal messenger was hacked. almost 1 week to the day after the world was notified america bought decryption from israeli hackers. the workers on the dock were able to read and discuss my personal messages to my fiance as i taught her Biblical standards of marriage. the two retards were about 14 feet away from me and mocked me and her in real time for what we wrote in detail as they watched it on their phones. this experience was a long time ago. DPI is without effort using filters and decryption passed through an A.I.

privacy is dead.

of course - another factor is the computing power of the “intelligence” communities which is unknown and this, alone, makes me wonder about the sanctity of any encryption algo … and now, as you mentioned, AI

in addition to 0-days, DPI, compromised nodes (including the entry/guard nodes on occasion) and unknown capabilities/computing power, it is also apparently possible to run an entire Tor network on a single machine, though this can only be done by something like an ISP from what i understand

i fully get what you’re saying, but you seemed to imply earlier that any operator of any Tor node can decrypt the payload and that’s what i wanted to ask you about, but i think you meant that the operator would have to be intel/gov or some entity having such a capability … and in there you mentioned the israelis which immediately caught my attention for several reasons (and this is who i was alluding to earlier when we touched upon the topic of terrorism)

so is privacy dead as you say? well, i would argue that it depends upon who the adversary is and for this audience (techlore) i think much of the advice given is a step in the right direction for protecting against the more trivial adversaries employing known tracking/fingerprinting/data collection tech … at least for now

i don’t know what the state of AI is, not in the public domain and certainly not in the domain of secret/black projects, but a friend who writes neural nets and who has worked in defense for decades tells me that a) its capability is hugely overblown and b) that the guy who wrote the white paper (i forget his name) which everyone considers to be the AI bible, apparently doesn’t know what the hell he’s doing - our discussion followed the google dev’s publicity stunt that the AI in the project he’s working on had become ‘sentient’

This is plainly untrue and void of any conclusive evidence. I won’t bother debunking your overblown claims about Tor being “unsafe” as there are other threads highlighting that, and also the discussion doesn’t quite fit here.

4 Likes

Pulled from the homepage:

Your traffic is relayed and encrypted three times as it passes over the Tor network. The network is comprised of thousands of volunteer-run servers known as Tor relays.

And this is a quote from one of the sources YOU provided. Please stop spreading false information.

Encryption and decryption mechanism is used in an onion routing fashion to limit the knowledge of each node about the data that passes through it. Each node will only know the relay path in which it is involved, but not the whole path from the source to destination.

2 Likes

I think the Tor page mentions that

As mentioned above, it is possible for an observer who can view both you and either the destination website or your Tor exit node to correlate timings of your traffic as it enters the Tor network and also as it exits. Tor does not defend against such a threat model.

source: https://support.torproject.org/about/attacks-on-onion-routing/

However it’s of a very low probability that you find yourself in such a position where an attacker has control of both the entry and exit node.
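The two quotes above (each relay only learning its own hop, and an observer at both ends still being able to correlate) can be shown in a few lines. The following is an added illustration, not code from the Tor Project or from anyone in this thread: it uses a toy SHA-256 counter-mode stream cipher (not Tor's real AES-CTR) and constructed per-hop keys (in Tor these are negotiated with each relay during circuit setup); relay names, the `example.org` destination and the request bytes are all constructed sample values.

```python
import hashlib
import json
import os

# Toy counter-mode stream cipher on top of SHA-256. It exists only so the
# layering fits on one screen; it is NOT a real cipher and has no integrity
# protection. Tor uses AES-CTR with per-hop keys negotiated at circuit build.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

# Constructed demo keys (assumption: in Tor each hop's key comes from a
# Diffie-Hellman exchange with that relay, so no single relay holds the others').
KEYS = {r: hashlib.sha256(b"demo-key-" + r.encode()).digest()
        for r in ("guard", "middle", "exit")}

def build_onion(keys: dict, destination: str, request: bytes) -> bytes:
    """Client side: innermost layer for the exit, then one layer per earlier hop."""
    layer = json.dumps({"next": destination, "payload": request.hex()}).encode()
    blob = encrypt(keys["exit"], layer)
    # Each outer layer names only the following relay; everything inside is opaque.
    for relay, next_hop in (("middle", "exit"), ("guard", "middle")):
        layer = json.dumps({"next": next_hop, "payload": blob.hex()}).encode()
        blob = encrypt(keys[relay], layer)
    return blob

def relay_peel(key: bytes, blob: bytes):
    """One relay's work: strip its own layer, learn the next hop and an opaque blob."""
    inner = json.loads(decrypt(key, blob))
    return inner["next"], bytes.fromhex(inner["payload"])

def can_open(key: bytes, blob: bytes) -> bool:
    """True only if this key strips the outermost layer; any other key yields noise."""
    try:
        relay_peel(key, blob)
        return True
    except (ValueError, KeyError, TypeError):
        return False

def run_circuit(keys: dict, destination: str, request: bytes):
    """Forward the onion hop by hop and record what each relay could observe."""
    blob = build_onion(keys, destination, request)
    seen = {}
    prev, hop = "client", "guard"
    while hop in keys:
        next_hop, blob = relay_peel(keys[hop], blob)
        seen[hop] = {"from": prev, "to": next_hop, "cell_bytes": len(blob)}
        prev, hop = hop, next_hop
    return seen, blob  # blob is now the plaintext request as delivered to `destination`

def correlate(entry_view: dict, exit_view: dict):
    """What an observer holding BOTH the guard's and the exit's records can link."""
    return entry_view["from"], exit_view["to"]

if __name__ == "__main__":
    seen, delivered = run_circuit(KEYS, "example.org", b"GET / HTTP/1.1")
    for relay, view in seen.items():
        print(f"{relay:6s} sees {view}")
    print("exit delivered:", delivered)
    print("entry+exit observer links:", correlate(seen["guard"], seen["exit"]))
```

Running it shows the guard's record contains the client but not `example.org`, the exit's record contains `example.org` but not the client, and the middle relay's key cannot open the outer layer at all. The only party that learns both endpoints is the one that holds the guard's and the exit's records together, which is exactly the end-to-end correlation case the Tor support page says it does not defend against.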

is it?
how can one know?

and that such a probability exists at all seems to me like a gaping hole in the Tor topography - a topography which can apparently be run from entry to exit on a single machine by a properly outfitted adversary

i’m not knowledgeable enough to competently bash Tor, but i have read enough about it, including about critical vulnerabilities that went unpatched for too long (perhaps intentionally), as well as its funding, that i simply don’t trust it

i also think Tor is a poor solution for the average user that wants to watch videos that YouTube ThemTube geo-fences or who wants to avoid nasty-grams from their ISP for downloading… stuff - i think a VPN… which can’t be trusted either… is the better solution

were i a whistleblower who wanted to transmit sensitive stuff to a journalist however, i might consider a VPN → Tor combo

I think Private Relay is also a good option that eliminates the trust issue that exists with VPNs. Private Relay does this by sending traffic through two separate internet relays.

The first relay is operated by Apple and the second relay is operated by a third-party content provider like Cloudflare, Akamai, Fastly.

1 Like

Always a lot of noise surrounding VPNs.

Especially for something that really doesn’t do much. Two times that it is necessary - the rest is just faux privacy:

  1. needed to access internal servers externally (such as logging into an internal work server from home - which cloud computing has almost eliminated)
  2. when on a ‘public’ network such as starbucks, airports, etc…

Outside that VPNs are superfluous.

Based on that - I use an internal WireGuard VPN (on OPNsense), so I can access my internal network externally, but also so I am secure when using one of those aforementioned public vpns.

1 Like

Or transferring your trust from your ISP to the VPN. My ISP is a POS. I trust Proton with my data way more than them. Same goes with my phone carrier.

2 Likes