VPN

2023-10-20

VPN stands for Virtual Private Network and its purpose is to connect computers that sit in different physical networks. This lets them access and share resources as if they were all in the same LAN, and even reach devices behind NAT. With proper routing a VPN can also provide an exit to the internet somewhere other than the original point of connection, and therefore serve as a proxy for the connected devices. The proxy feature was never the point of a VPN, but because of heavy online advertising many people have come to see it that way. There are a few problems with using commercial VPNs as a proxy for the sake of security; I'll go through them briefly.

Commercial VPN providers claim it is more secure to use a VPN because then your connection is encrypted. The truth is, if you're using HTTPS (and you most likely are - see the lock icon in the URL bar), then your connection is already encrypted. As long as the Certificate Authority (CA) is not compromised, the connection between you and the website is private. People on your network will not be able to "steal your passwords" easily. They might be able to see what you connect to, which website you are talking to, but they will not see what you "talk about" with the online service. Snooping on the traffic used to be possible back in the plain HTTP days, but now it's only viable if your machine trusts a compromised CA. On your work machine that could be the case: it might be set up to trust a CA of your employer so they can see what you're doing. When you click on the padlock in the URL bar you can see details that tell you who the CA is, so you can tell whether the certificates in use were issued through your employer's CA. A VPN will not help you if the CA is genuinely compromised by someone malicious. The advertised claim is about MITM attacks in an outdated scenario, and for the criminal it no longer works out as easily as the ads suggest.
Yes, a VPN will make a MITM attack harder, but MITM in and of itself is not really that useful, and definitely not as powerful as they claim, thanks to the common use of encryption nowadays. Check out my post on ARP to see an example of a MITM attack.

As I said, people on the same network might not see what you're talking about, but they can see which server you're trying to talk to. When you connect to a VPN you only talk to one server and the rest of your traffic goes out to the internet from there. People on your network might not see who you're talking to besides the VPN server, but the VPN server does! And everyone still knows which VPN server you were connected to! If this is a commercial VPN, the provider most likely has a KYC (know your client) policy that makes it far easier to identify you than if you were simply connecting to the endpoint directly. They might claim to never store logs, but: someone might still monitor that traffic, perhaps collect it and analyze it in a different way; exit nodes might be under heavier surveillance than your regular connection; with servers under foreign jurisdiction you can't always be sure what is going on there and how much the provider can or can't tell you about it. At the end of the day, you don't know what's happening to your traffic on the provider's side, and there is no way for them to prove what is really happening with it. The only way to ensure security and privacy is encryption end-to-end.

For anonymity a VPN is not a very good idea. The key question is: who do you trust more - your ISP or the VPN provider? Maybe in your case it makes sense to access the internet from a connection originating in a different country. Commercial VPN advertisements often mention bypassing geoblocks. If that is your goal, you might want to read more about Tor or check out my previous post on piracy. Commercial VPN providers also claim to hide your IP address and thus make you anonymous. That's not how it works.
Anonymity is more about how you use a service than which exact service you use. If you want to be more anonymous you should use Tor instead of commercial VPNs. The VPN provider can most likely identify you already. They know the account you use to connect; they can see all the details such as where you connect from, when, for how long, the details of your payment method, your browsing patterns, perhaps your web browser fingerprint, and perhaps a lot more in case they have a stronger KYC policy. That's not even the biggest issue here. When you're using the VPN as a proxy with the same IP address during the whole session, everything you do during that session is still linked together. If you deanonymize yourself by logging into any account, you deanonymize the whole session. Tracking by IP is also not the only option for anonymity adversaries. The devices we use and the software we choose can also be used to fingerprint and track us, even across different connections and websites, and do so much more reliably and precisely. Let's just say that anonymity and online tracking is a wide topic. Your anonymity will crumble if you manage your online identities wrong and no VPN can help with that. Ideally you would have a common fingerprint and use a different exit node for each connection. That's what Tor aims to accomplish, and it does it for free.

In summary, a commercial VPN gives a false sense of security and you more than likely do not need it. Nevertheless, you might want to set up a VPN for a lot of different reasons, just not necessarily for the sake of "security". In a future post I might explain how to do it. There are many VPN technologies to choose from.
- PPTP - insecure 90s protocol spawned by Micro$$oft, avoid this one
- L2TP - another 90s protocol, to be used in tandem with IPsec, be careful with this one
- OpenVPN - popular open-source solution, both protocol and server software, requires additional client software, but everything about it is fairly easy to set up and works great
- IKEv2 - strongSwan, Openswan, Libreswan - family of FOSS servers implementing IPsec and IKEv2, very cool
- SSTP - another protocol spawned by Micro$$oft, supported OOTB on Window$$, uses SSL/TLS on port 443 by default
- WireGuard - modern, fast and simple, secure protocol, included in the Linux kernel, but with wide support for all the platforms. If you're wondering what you should use, this is what you should use.

There are some commercial VPN server solutions too, but I am convinced that WireGuard trumps them all. If you want to deploy a server quick and easy then OpenVPN is also a pretty good choice.