To VPN or not to VPN?

[frichardson]

I'm currently enjoying pretty fast internet (over 500Mbps) and I have a router that should be able to run a VPN client pretty well. I'm wondering if anyone has an opinion on the cost/benefit of a personal VPN for the home:

• This is assuming I can find a relatively low latency VPN with reasonable throughput in my area.
• From what I've read here, you take a pretty big hit in throughput running a VPN.
• If I want a good tradeoff between privacy and bandwidth am I better off ditching the idea of a VPN and leveraging the scripting capability of the router as much as possible?

Thanks for any advice and/or opinions on personal VPNs!

 

[L&LD]

There is no cost. Simply enable an OpenVPN or IPSec VPN connection on your router and you're done.

Highly recommended!

With your hardware and ISP connection, you will still take a 'hit' on potential speed, but that would have still been tempered with any ISP connection you have to use to connect with anyways.

 

[ColinTaylor]

There is no cost.

Yes there is. He's talking about a VPN client on his router so he'll need to pay the VPN provider.

Cost/benefit? Impossible to quantify really. With a VPN provider you're predominately talking about anonymity (not privacy or security), so only you can say how much "value" you put on that.

Regarding scripting; your signature says you're running stock firmware so that's not an option.

 

[L&LD]

Yes there is. He's talking about a VPN client on his router so he'll need to pay the VPN provider.

Cost/benefit? Impossible to quantify really. With a VPN provider you're predominately talking about anonymity (not privacy or security), so only you can say how much "value" you put on that.

Regarding scripting; your signature says you're running stock firmware so that's not an option.

No, there is no cost to run what I suggested OpenVPN or IPSec that is built into the router. A VPN provider is a waste of money for the hope of anonymity too, IMO.

 

[ColinTaylor]

No, there is no cost to run what I suggested OpenVPN or IPSec that is built into the router.

If you're talking about the router's built-in VPN server then I don't believe that was what he was asking about.

 

[Butterfly Bones]

Have you looked at Algo?
https://www.snbforums.com/threads/meet-algo-the-vpn-that-works.55160/

 

[L&LD]

If you're talking about the router's built-in VPN server then I don't believe that was what he was asking about.

You may be right. If that is the case, then his need for privacy is misplaced in hoping a paid for VPN solution will give that (I think we both agree on this).

Running something like Stubby and/or Algo is a better or at least a more direct approach towards that goal.

 

[frichardson]

Thank you guys for responding!

Oh, and to be clear I am planning on moving away from the stock firmware and running RMerlin's version at some point (probably the next release).

I can see that I am definitely confused about the value of VPN. It sounds like if you don't control both ends then there isn't a lot of value. I was originally thinking that encrypting my network traffic might help avoid some bad actors intercepting data that isn't going over an SSL. I also thought having some service like this could be handy for when I'm connected to a public wifi router. I've heard that some people encrypt their traffic to keep their ISP from throttling certain types of traffic, but I think RCN at least tries to practice net neutrality.

I'll look into Algo and Stubby since it sounds like those may be better solutions. Any other advice or opinions you guys have is very welcome, thanks!!!!

 

[umarmung]

• VPN server = privacy. Set up a VPN server at home then connect in with a VPN client, e.g. on phone, to home network. Many routers support this.
• VPN client = secrecy. Buy an account at a VPN provider, then connect in with a VPN client. Most routers do NOT support this.
• VPS (technically more than just VPS since its VPN tunnel from VPS) = "hosted" privacy. Buy a VPS in the cloud/host provider, create a VPN server, then connect in with a VPN client.

There is also:

• Tor = anonymity. Run Tor client from anywhere, then browse, tunnel other Internet services, or use (Hidden) Onion services.

They can all be secure, all have different functions and can all be used at the same time and in many combinations.

VPN server is often used to securely connect in to your home router, home network and access Internet securely from open networks, e.g. public WiFi, via your home network. This is one reason why it is a popular feature on routers, since it is much more secure than directly enabling remote router management from the Internet. It is also likely to perform better than Tor.

People who use VPN providers or VPS, often have no choice or it is their only realistic choice for secure and secret Internet access. This is the case in countries with draconian Internet control or legally enforced mass surveillance, e.g. China, Russia/CIS countries, Middle East, South Korea and the UK.

 

[L&LD]

• VPN server = privacy. Set up a VPN server at home then connect in with a VPN client, e.g. on phone, to home network. Many routers support this.
• VPN client = secrecy. Buy an account at a VPN provider, then connect in with a VPN client. Most routers do NOT support this.
• VPS (technically more than just VPS since its VPN tunnel from VPS) = "hosted" privacy. Buy a VPS in the cloud/host provider, create a VPN server, then connect in with a VPN client.

There is also:

• Tor = anonymity. Run Tor client from anywhere, then browse, tunnel other Internet services, or use (Hidden) Onion services.

They can all be secure, all have different functions and can all be used at the same time and in many combinations.

VPN server is often used to securely connect in to your home router, home network and access Internet securely from open networks, e.g. public WiFi, via your home network. This is one reason why it is a popular feature on routers, since it is much more secure than directly enabling remote router management from the Internet. It is also likely to perform better than Tor.

People who use VPN providers or VPS, often have no choice or it is their only realistic choice for secure and secret Internet access. This is the case in countries with draconian Internet control or legally enforced mass surveillance, e.g. China, Russia/CIS countries, Middle East, South Korea and the UK.

And I believe that 'legally enforced mass surveillance' is easier for them to do when they just have to monitor a few so-called secure and private VPN's.

If you don't control it end to end, you don't control anything.

 

[frichardson]

@umarmung - thank you for this break down! So I think maybe VPN server is what I should think about. If I can get the router pretty well locked down that should give me a decent remote solution. The only real downside is that my uplink speeds are pretty slow.

 

[L&LD]

I think this is relevant here too?

https://www.snbforums.com/threads/openvpn-question.55585/#post-472396

 

[umarmung]

And I believe that 'legally enforced mass surveillance' is easier for them to do when they just have to monitor a few so-called secure and private VPN's.

If you don't control it end to end, you don't control anything.

As I have already said, it is not only about privacy.

Most people cannot realistically guard against the strongest adversaries, i.e. state actors, not even in aggregate, e.g. it is quite possible that not only are some VPN providers secretly or otherwise forced to aid states (even though the VPN providers know it will eventually get out), but in addition states may have sufficient control of some secure networks to be able to track any particularly interesting traffic.

However, none of that matters when:

1. clandestine surveillance is not legally enforceable <-- this is the biggest protection for people in open societies because it means domestic laws cannot be used against you from clandestine surveillance
2. your threat model has no relevance to domestic state actors <-- the vast majority of peoples activities extend mostly to accessing information, meaning state actors even in closed societies very often have little to no interest with the millions of you
3. growth of personal information on the Internet accessible to all, including corporates, is a threat to all <-- this is forever, retroactive and applies to everybody including politicians, even those not on the Internet and not yet born.

So, you do not need maximum control and therefore privacy to mitigate the risks to any typical individual. Domestic laws, especially constitutional rights are often sufficient for point 1. Offshore secrecy and lack of strong international laws are almost always sufficient for point 2. Anonymity and security are sufficient for point 3.

In fact, only privacy can work against you if for some reason a state actor, host or other corporate were to become interested in you or if any information leaks. Since, by definition, you would be in control of such Internet access and it would be relatively trivial for them to track it to you.

These tools have different functions, all exist for a reason and until someone comes up with something demonstrably better, they are not going away; quite the opposite will occur, given the growth trend in data, political control of the Internet and surveillance capitalism.

 

[L&LD]

As I have already said, it is not only about privacy.

Most people cannot realistically guard against state actors, not even in aggregate, e.g. it is quite possible that not only are some VPN providers secretly or otherwise forced to aid states (even though the VPN providers know it will eventually get out), but in addition states may have sufficient control of some secure networks to be able to track any particularly interesting traffic.

However, none of that matters when:

1. clandestine surveillance is not legally enforceable <-- this is the biggest protection for people in open societies because it means domestic laws cannot be used against you from clandestine surveillance
2. your threat model has no relevance to domestic state actors <-- the vast majority of peoples activities extend mostly to accessing information, meaning state actors even in closed societies very often have little to no interest with the millions of you
3. growth of personal information on the Internet accessible to all, including corporates, is a threat to all <-- this is forever, retroactive and applies to everybody including politicians, even those not on the Internet and not yet born.

So, you do not need maximum control and therefore privacy to mitigate the risks to any typical individual. Domestic laws, especially constitutional rights are often sufficient for point 1. Offshore secrecy and lack of strong international laws are almost always sufficient for point 2. Anonymity and security are sufficient for point 3.

In fact, only privacy can work against you if for some reason a state actor, host or other corporate were to become interested in you or if any information leaks. Since, by definition, you would be in control of such Internet access and it would be relatively trivial for them to track it to you.

These tools have different functions, all exist for a reason and until someone comes up with something demonstrably better, they are not going away; quite the opposite will occur, given the growth trend in data, political control of the Internet and surveillance capitalism.

Again, we are at opposing viewpoints on this topic.

You seem to believe that laws help here. I don't see how they even remotely help.

Anyone breaching your privacy (for lack of a better term, here) is doing it illegally, and they know it. They don't care what the laws may state.

The only reason these tools exist is for one reason only. Someone is making money from it somehow.

 

[umarmung]

Again, we are at opposing viewpoints on this topic.

You seem to believe that laws help here. I don't see how they even remotely help.

Anyone breaching your privacy (for lack of a better term, here) is doing it illegally, and they know it. They don't care what the laws may state.

The only reason these tools exist is for one reason only. Someone is making money from it somehow.

That's like saying an ISP, that you have already paid for, makes more money by also hacking your network directly. In fact, almost any ISP could technically achieve it far more effectively and clandestinely because you have literally put their hardware not only onto your network but your premises.

Are you saying you believe it is routine that ISPs and VPN providers do anything remotely like this?

 

[L&LD]

That's like saying an ISP, that you have already paid for, makes more money by hacking your network directly. In fact, almost any ISP could technically achieve it far more effectively and clandestinely because you have literally put their hardware not only onto your network but your premises.

Are you saying you believe it is routine that VPN providers do this?

I don't let my ISP put any of their hardware on my network, never have.

And I'm not saying anything is routine. The mere possibility though is enough to keep my guard up against their lofty claims. And that possibility will always exist because I have no control over their end of the connection or how aggressively they try to always and constantly protect it from anyone else.

No. There is no trust there.

 

[frichardson]

I don't let my ISP put any of their hardware on my network, never have.

And I'm not saying anything is routine. The mere possibility though is enough to keep my guard up against their lofty claims. And that possibility will always exist because I have no control over their end of the connection or how aggressively they try to always and constantly protect it from anyone else.

No. There is no trust there.

With the caveat that I have relatively little background knowledge in this area, I tend to agree with you. Currently I wonder if the best I can do is lock down my own network (starting with the router) as much as possible and run a VPN server so I can benefit from this when I am remote.

 

[L&LD]

With the caveat that I have relatively little background knowledge in this area, I tend to agree with you. Currently I wonder if the best I can do is lock down my own network (starting with the router) as much as possible and run a VPN server so I can benefit from this when I am remote.

From what I have learned from mostly this forum, that is about the best we can do.

 

[frichardson]

From what I have learned from mostly this forum, that is about the best we can do.

Okay, I think I have the right mind set now. Thank you!

 

[Klueless]

As a novice to VPNs take what I say with a grain of salt but here's what I "think" I've learned. There is a VPN client and a VPN host (server). What flows between the two is encrypted. The result ranges from actual security to the mere illusion of security and anonymity.

The tunnel host or the tunnel client can be your computing device or your router. If you've only one device you'll likely install VPN on it, if you've multiple devices you'll likely install VPN on your router.

VPN encryption is intensive. Sometimes to often it cannot keep up with your Internet service speeds. For example I've an 86U which does encryption in hardware. I believe it encrypts at about 200 Mbps. My Internet service is only 100 Mbps so I see virtually no degradation. The OP has 500 Mbps, he will see some degradation in performance.

If the OP set his router to be a VPN host he could take his laptop to the corner pub and view data on his home file share or view video from his home media share securely.

Now let's take this same laptop, same bar and connect to the Internet at large. It's possible that someone else could eavesdrop on him. If, instead, he connects to a VPN service his data is encrypted thus protecting him from eavesdroppers.

Now the OP was talking about setting his router up to be a VPN client which implies he wanted all his users to connect to a VPN service. That means his data goes to the router where it is encrypted, sent to the VPN host where it is decrypted and sent to the Internet at large using a different IP address. What does this buy him?

• Well, his wife could possibly hack him (because she's on the same router) but that's probably not an issue.
• The ISP no longer sees what he's doing. It's not that I think any ISP is going to hack his data but they can track his behavior and monetize his data (by selling his behavior to direct marketers).
• His IP address is changed thus camouflaging naughty behavior.

So you've made it harder for your ISP to rat you out but what about the VPN service? Especially the "Free" ones? Are they running a charity? Ha, probably not. We have moved the potential for monetization from the ISP to the VPN service. (Nah, I'm probably just overly cynical in my old age : -)