
What VPN to go for in my FP?


#1

I just got an FP for my FYP and I need to install a secure VPN on it. I have had some recommendations for Ivacy VPN for Android but I am not quite sure. It is running on Android 6.0 for now although it can be updated. I need suggestions for good and truly secure VPNs for Android.


#2

I removed the link from your post, because a first post already containing a link to a commercial product is very spam-suspicious.


#3

I’m not sure if you’re asking for services or a technology you can deploy and self-host in a machine of yours (or VPS). Since I can’t recommend any of the former, I’ll go for the second.

«Truly» means transparent. Secure means «independently audited». Free and open source software technologies are transparent by default and can be independently audited (paid or not). So I won’t recommend anything closed-source. Therefore:

  • OpenVPN is an open VPN protocol based on the standardized TLS end-to-end protocol, the same one that powers HTTPS sites and your bank’s website (HTTPS means HTTP over TLS).
    • It can be easily deployed on a Linux machine, e.g. with PiVPN, or you can subscribe to a service provider.
    • A great thing about this protocol is that you can deploy it to be served on TCP at port 443, so it can’t be distinguished from any other HTTPS communication (and thus can’t be blocked).
    • It can be used on Android with the official client OpenVPN for Android or Bitmask.
  • WireGuard is a new open VPN protocol which promises to be more performant (faster and modern).
    • It is backed by the security firm Edge Security LLC and is gaining momentum in the community thanks to its simplicity and ease of review.
    • It can be deployed on your machine or subscribed to from (a few) providers.
    • «As of June 2018 the developers of Wireguard advise treating the code and protocol as experimental, and caution that they have not yet achieved a stable release compatible with CVE tracking of any security vulnerabilities that may be discovered.» (emphasis mine)
    • It can be used on Android with the WireGuard app.

#4

Thank you Roboe for this simple and explicit post!


#5

Pi-Hole is pretty neat. I heard of Yunohost before, I’m curious about that.

I can recommend WireGuard instead of OpenVPN. Easier to set up, and far better performance. Though an SDN like ZeroTier also yields better performance than OpenVPN. My Pi-Hole is using Dnsmasq without the frontend and I’m using a DNS over TLS server (Unbound) on the same (low power) machine for additional data integrity and privacy. Though you could also use a VPS or Raspberry Pi for this.

I can recommend to support the smaller projects not backed up by large funds but I’m not sure WireGuard qualifies for that.

There’s also NLnet who donate to a lot of open source projects.


#6

@jfdhuiz WireGuard seems nice, but I do not yet see how I can combine it with Pi-hole on one server and, at first sight, it is not as easy to set up as OpenVPN. Also performance is not a real issue as it is me plus a handful of other people using the VPN.

Also, if I were to go with another VPN solution, I would mos def try LEAP.


#7

I just don’t understand how you can find WireGuard more difficult to set up than OpenVPN. There are a ton fewer options. The config file for both server and client is miles less complex than OpenVPN or IPsec. We’re talking about 3 or 4 lines versus for each. There’s even wg-quick.

What do you mean you do not see how you can combine it with Pi-hole on one server? I run both on an EdgeRouter Lite (a MIPS64 router) and ran both on a RPi 2. But it runs on OpenWRT (aka LEDE) and a myriad of other OSes such as macOS just as well (except, for now, on Windows (the 3rd party one is from the same developer as uTorrent who included spyware in their software, and the code is a mess; don’t use it) so yeah, people on a Microsoft Surface device are left out, for now, but an official Windows port is in the works). You can run both in Docker as well with Jessie Frazelle’s unofficial WireGuard Docker image. See the howto. So again, I really don’t understand what your problem is running both on the same server.

WireGuard, once you fire it up, works in 1/10 of a second compared to OpenVPN’s 8-30 sec. You can verify the stated method yourself. It is 4k LoC compared to 100k+ of OpenVPN, meaning a smaller attack surface. WireGuard is endorsed by Linus Torvalds. I already linked that you can achieve far better throughput with WireGuard than OpenVPN.

Providers such as AzireVPN [1] and Mullvad have WireGuard support, allowing you to achieve good speeds on P2P networks (something VPNs are often used for these days); better than OpenVPN.

The Arstechnica post I linked to also describes how it is more stable than OpenVPN, especially with multiple users.

Finally, WireGuard will provide better performance on Android -without the kernel module- than OpenVPN. It should use less battery as well.

It’s only a matter of when it becomes the de facto standard; not if. Being included in the official Linux kernel tree is going to help there.

[EDIT] added [1]

[1] They had a 1 day trial for it, and the trial is now free. If you link your BitTorrent container with the WireGuard one as explained on Jess’ blog you get a free and anonymous VPN for BitTorrent.
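The two config files post #7 is talking about, as an added example that is not from the thread or from the WireGuard project: a POSIX shell script that emits a minimal server `wg0.conf` and a matching client `wg0.conf`, the form `wg-quick` reads. The tunnel subnet 10.8.0.0/24, the listen port 51820, the placeholder endpoint `vpn.example.org` and the `DNS =` line (which points roaming clients at a Pi-hole running on the VPN host, the combination asked about in #6) are all assumptions. Keys come from `wg(8)` when it is installed; otherwise labelled placeholder strings stand in so the script still runs.

```shell
#!/bin/sh
# Added example, not code from the thread: minimal WireGuard server/client
# config pair. Every address, port and hostname below is an assumption.
set -eu

# Prints "<private-key> <public-key>". Uses wg(8) when available; the
# fallback strings are placeholders so the script runs without WireGuard.
gen_keypair() {
  if command -v wg >/dev/null 2>&1; then
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
  else
    priv="PLACEHOLDER_PRIVATE_KEY_$1"
    pub="PLACEHOLDER_PUBLIC_KEY_$1"
  fi
  printf '%s %s\n' "$priv" "$pub"
}

# Server side: args are <server private key> <client public key>.
# AllowedIPs on a peer is "cryptokey routing": only packets whose source
# is 10.8.0.2 are accepted from this peer, and only that address is routed to it.
server_conf() {
  cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = 10.8.0.2/32
EOF
}

# Client side: args are <client private key> <server public key> <endpoint host>.
# AllowedIPs = 0.0.0.0/0 sends all IPv4 traffic through the tunnel; narrow it
# to 10.8.0.0/24 (plus your LAN) if you only want DNS and home access.
# DNS = 10.8.0.1 makes the phone use the Pi-hole on the VPN host while roaming.
client_conf() {
  cat <<EOF
[Interface]
Address = 10.8.0.2/24
PrivateKey = $1
DNS = 10.8.0.1

[Peer]
PublicKey = $2
Endpoint = $3:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Usage: sh wg-pair.sh demo  (prints both files; redirect each to /etc/wireguard/wg0.conf)
if [ "${1:-}" = demo ]; then
  set -- $(gen_keypair server); s_priv=$1; s_pub=$2
  set -- $(gen_keypair client); c_priv=$1; c_pub=$2
  echo '# --- server wg0.conf ---'
  server_conf "$s_priv" "$c_pub"
  echo
  echo '# --- client wg0.conf ---'
  client_conf "$c_priv" "$s_pub" vpn.example.org
fi
```

Bring either side up with `wg-quick up wg0`; the private key never leaves the machine it was generated on, only the public half is pasted into the other file.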


#8

I don’t know who brought up the BitTorrent over VPN thing, but the Tor Project doesn’t recommend using BitTorrent over Tor if you don’t know what you are doing because your IP will likely be leaked. There are some differences between WireGuard (over UDP) and Tor socks (over TCP) that may mitigate some of the attack, but anyway. Be cautious.


#9

I brought it up, because I know that’s a purpose a lot of people use VPNs for these days. It isn’t the reason I use WireGuard but that’s irrelevant.

You can test if your IP is being leaked at ipleak.net

As for it not being anonymous. I never argued it is. VPNs are very easy to beat with correlation attacks which the NSA can execute. If you’re afraid the NSA knows what you download over BitTorrent, you have different worries. Copyright infringement -what we discuss here- doesn’t fall under criminal law.

TL;DR it is safe against the RIAA & their bullies.


#10

I think it depends on your starting point and what you already know. The manual I linked to here allowed me to set up OpenVPN and Pi-hole very fast, without even having to look at lines or something called wg-quick(?), and it works till this day.

WireGuard might be even easier, but I do not even understand where to start. And that has probably more to do with me than with WireGuard :wink:


#11

The official Quickstart guide should have you covered. A slightly easier write-up is this one:

https://www.stavros.io/posts/how-to-configure-wireguard/


#12

I’ve modified my setup:

  1. The NAS runs Pi-Hole and DNS over TLS (dnsmasq and unbound via Docker) with Quad9. (NEW)

  2. The router also runs Pi-Hole (without the frontend) and DNS over TLS [2] [3] with Quad9.

  3. DHCP gives 2 DNS servers, the NAS and the router. (NEW; used to be just the router)

  4. However all DNS requests not to the router get forwarded to the NAS. (NEW; not to the router anymore)

This has the following effect:

A) All DNS is ad-filtered and uses DNS over TLS.

B) if my NAS is down, DNS still works.

C) My router gets less load.

D1) If my router is down, I don’t have WireGuard server nor internet but that’s a given.

D2) Quad9 shouldn’t go down as they have anycast. [Famous last words]

Net effect:

Slightly slower DNS than using my ISP’s DNS server, however pages load quickly, no ads (including in iOS and Android “apps”), porn sites blocked for my kid, roaming devices have secure DNS and a secure connection. Now all I gotta do is add some internal entries for both Unbound servers.

Resources used:

[1] Everything I already mentioned about WireGuard

[2] https://www.chameth.com/2017/12/17/dns-over-tls-on-edgerouter-lite/

[3] https://community.ubnt.com/t5/EdgeRouter/CLI-Integrated-dnsmasq-Adblocking-amp-Blacklisting-v3-7-8-Easy/m-p/1344740#M78132

[4] Some Docker images.
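The DNS chain described in post #12 (Pi-hole’s dnsmasq forwarding to a local Unbound that speaks DNS over TLS to Quad9), as an added example that is not from the thread or from the linked write-ups: a POSIX shell script that emits the two config fragments. Assumptions: Unbound listens on 127.0.0.1 port 5335 so it does not collide with dnsmasq on port 53, and the CA bundle is at Debian’s path; the Quad9 addresses, port 853 and authentication name `dns.quad9.net` are Quad9’s published values.

```shell
#!/bin/sh
# Added example, not config from the thread. Emits:
#   1. an unbound.conf that forwards everything to Quad9 over DNS-over-TLS
#   2. the dnsmasq lines that make Pi-hole use that local Unbound
# Assumed: Unbound on 127.0.0.1:5335; CA bundle at the Debian/Ubuntu path.
set -eu

UNBOUND_PORT=5335
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt   # assumption: Debian/Ubuntu location

unbound_dot_conf() {
  cat <<EOF
server:
    interface: 127.0.0.1
    port: $UNBOUND_PORT
    access-control: 127.0.0.0/8 allow
    # Verify the upstream certificate against the system CA bundle. Without
    # this line DoT only encrypts; it does not prove you are talking to Quad9.
    tls-cert-bundle: "$CA_BUNDLE"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9's published DoT resolvers. The name after '#' is checked
    # against the server certificate, which is what makes the answers trustworthy.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
EOF
}

dnsmasq_forward_conf() {
  cat <<EOF
# Pi-hole's dnsmasq: serve clients on :53, send cache misses only to local Unbound.
no-resolv
server=127.0.0.1#$UNBOUND_PORT
EOF
}

# Runs unbound-checkconf on the generated file when the tool is installed;
# returns 0 (skipped) when it is not, so the script works on any host.
check_unbound_conf() {
  tmp=$(mktemp)
  unbound_dot_conf > "$tmp"
  if command -v unbound-checkconf >/dev/null 2>&1; then
    unbound-checkconf "$tmp"; rc=$?
  else
    echo "unbound-checkconf not installed; syntax check skipped" >&2; rc=0
  fi
  rm -f "$tmp"
  return $rc
}

# Usage: sh dns-chain.sh demo
if [ "${1:-}" = demo ]; then
  echo '# --- /etc/unbound/unbound.conf.d/quad9-dot.conf ---'
  unbound_dot_conf
  echo
  echo '# --- /etc/dnsmasq.d/02-forward-to-unbound.conf ---'
  dnsmasq_forward_conf
  check_unbound_conf
fi
```

On a stock Pi-hole the same forwarding is set from the web interface by entering `127.0.0.1#5335` as the custom upstream instead of writing the dnsmasq fragment by hand.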


#13

So you run WireGuard on your router at home?

I’d prefer to have WireGuard and Pi-hole on a VPS. Do you happen to know about tutorials for that setup as well?


#14

Yeah, and also on my RPi before I retired it. A bunch of other RPis still run it.

Algo should be very easy. To be fair, it should also make it easy to set up IKEv2 with Algo.

Or, if you don’t have a VPS yet and you’re OK with AzireVPN (Swedish), you can run a WireGuard VPN with them for free.