Best privacy-friendly VPN recommendations?

Hi all

My MullvadVPN subscription is expiring soon, so I’m interested in exploring some other providers and would love to hear your recommendations or inputs! My VPN requirements are pretty basic - Speed is not my main priority. I want a reliable, fully anonymous VPN (that is, no logs recorded) for a reasonable price. The VPN should allow for P2P. Extra brownie points if their no-logs policy has been proven in court or they have had any recent audit proving this.

For now, I’ve mostly been using Mullvad VPN and ProtonVPN, and whilst I’m happy with both (I prefer Mullvad and the fact that they don’t even require any email or details when you buy a subscription), a couple of people have also told me about PIA (Private Internet Access). After some research, PIA sounds like a great option - They accept multiple cryptocurrencies as payment, and apparently they’ve indeed proven their no-logs policy in court (according to this comparison: Mullvad vs Private Internet Access in 2022 | VPNpro, although I’ve not been able to find much more about that). PIA has an amazing offer for a 3 year subscription (something like 60$ for 3 years) which is way cheaper than ProtonVPN or Mullvad.

One of the main cons about PIA is the fact that they require an email in order to sign up (which shouldn’t be that much of a problem using any alias or throwaway email), and the fact that they’re based in the US.

I’ve also recently heard about Cryptostorm (https://cryptostorm.is), which also sounds great on paper. They only have a native application for Windows, where Linux and MacOS require setting up through OpenVPN (although this wouldn’t be a problem), but after some research it sounds like they may not be fully transparent about their own company or where they’re actually based (to the point where some people speculate this can actually be a honeypot, lol)

I’d love to hear if anybody here has tested PIA or Cryptostorm for a while, if you would recommend this provider or if there is any other privacy-friendly provider you’d recommend more.

Many thanks!

VPNs don’t offer anonymity; use ‘TOR’ if you want to be anonymous. VPN providers, in my opinion, are full of shit. You can easily set up a VPS in any country you like and route traffic over Tor; this makes it much safer and gives you control. Keep in mind Tor isn’t a panacea: nothing is truly anonymous, there is always a catch. Also, there have been successful attacks against Tor. The reality is that while Tor isn’t perfect, it works quite well.

5 Likes

I appreciate your input, and apologies as I may not have explained myself well enough. I understand VPNs will most likely never be truly anonymous (there’s another recent thread about an anonymous setup where this was discussed).

To clarify, my main inquiry is about data privacy and what steps each VPN provider takes to protect their users’ data, what type of info they log, and whether they record any potentially identifiable user details at all.

Thanks again!

1 Like

I’d say just create one yourself. Not only is it a good learning experience, but you’re also more in control of what you do. Here is a video from Mental Outlaw I suggest you watch: How To Create Your Own VPN (and why) - YouTube. I’d say try to look for a VPS that has a good privacy policy; you can use the one in the video, but if you don’t trust that you can look for one on your own. Another way would be getting a different computer and running that computer as your VPS.

2 Likes

Thanks c0rruptm3.dll, appreciate your input and the video :slight_smile: - That’s actually a very interesting approach! Whilst running a VPS will be more expensive than most of the VPS subscription licenses I’ve seen around, as you say it’s also a good learning experience so I’ll definitely look into it.

Maybe make your own VPN?

Yours sounds better… :wink: But yeah.

I would personally use Orbot. It is a free and open source alternative to most good VPNs.

@CKjones,
Yeah, but it’s not for Linux.
Maybe set your system-wide SOCKS5 proxy to the Tor config - though not all applications may respect this.
Or DNSCrypt…

Private Internet Access was once a well-respected VPN provider, but in 2019 they were acquired by a company that has a history of publishing malware/spyware. That company also owns ExpressVPN, CyberGhost, Zenmate, and several “VPN review” sites. (The review sites, shockingly, find that the VPN services with the same owner have the highest rating.)

1 Like

It’s not smart to trust any VPN provider to protect your privacy. Even if it had been “proven in court” that some VPN provider didn’t have logs on some date in the past, you can’t assume that means they’re not keeping logs today, or tomorrow. It’s also possible that hostile actors are monitoring inflows/outflows of data for the VPN provider and can correlate your activity without the provider’s cooperation.

For example, consider HideMyAss - a VPN provider who promised anonymity to customers. Their FAQ contained the following on July 17, 2011:

What logs do you keep? Do you monitor my activity?

We only log the times you connect and disconnect from our service. We do not log what activity you get up to behind our VPN service, such as what websites you visit and who you talk to.

(from VPN FAQ - Hide My Ass!)

… but it turns out they were also logging source IP addresses, and complied with a UK court order and turned over that information to support a prosecution in the United States of a person accused of computer crimes.

It’s simply not prudent to believe marketing claims of “no logging”.

It’s always important to consider “what’s the threat model”? If you don’t want your local network administrator to know what websites you’re visiting, don’t want people sniffing your Wifi traffic, or want to pretend you’re in a different country to get around geographical restrictions, VPNs still work well and whether or not they keep logs is unimportant.

If you’re doing things that are going to make the government of your country angry, that’s likely not good enough. Same thing if you’re going to piss off the government of another country who’s capable of exerting power or influence internationally.

And if that’s your threat model, you’re going to have to do a lot more than just subscribe to the right online service.

I use VPNs every day - I use Speedify, not for privacy but because they bond multiple IP connections for improved speed/reliability. I run a VPN endpoint on a VPS if Speedify isn’t working (some sites/services block any connections sourced to a known VPN provider). And I use TryHackMe’s VPN to connect to their machines to work on their challenges. Tailscale and Cloudflare’s tunnel products are also pretty interesting. So I’m not saying VPNs are useless or stupid. But trusting them for anything beyond casual privacy/anonymity is naive and can lead to great misfortune.

Under no circumstances would I ever use a free VPN service - the only possible explanation for their business model is that they’re somehow monetizing the information they’re getting about who/what is using their service.

You can get a free tiny VPS on Amazon AWS; other providers have them as low as $3.50 USD/mo, and I’ve seen (but not used) others apparently as low as $1/mo. Those machines don’t have enough memory/disk/processor to do anything demanding, but running a WireGuard or OpenVPN endpoint isn’t a significant load.

1 Like

Thank you very much for your response, that was very insightful :slight_smile:

My concerns are mostly about online privacy from a regular user perspective - I’m not planning on using a VPN for anything illegal really, but knowing those “proven in court” scenarios gives me some additional peace of mind (Although as you mentioned, the fact that they didn’t record logs in the past doesn’t necessarily mean they may not be recording logs now).

1 Like

Personally, I use the Riseup VPN when doing my infosec research or going out to public hotspots. But there are limitations with this approach:

  • Specifically regarding the Riseup VPN, it can be buggy at times and slower than most mainstream VPNs. I think that the reason for this is because it’s run by anarchists and non-profit volunteers (as opposed to for-profit knobheads who overspend on advertising their cr*p).
  • Users @0xf00 and @tummybadger rightly point out that VPNs do not provide “full” anonymity. It would be wise to use a proper VPN (read NOT ExpressVPN or NordVPN) with the Tor Browser or even an entire Tor-based VM like Whonix or Tails.

Furthermore, user @Richie suggests that you should make your own private custom VPN service for yourself and a select few. This is typically done by purchasing a VPS (preferably where the service doesn’t KYC and through a private cryptocurrency like Monero, not Bitcoin). Miessler (c.a. 2020) has a tutorial for making your own VPN.

  • Do note that running your own VPN does give you a responsibility for administrating it and making sure that everything is up-to-date. It’s like being self-employed in the sense that you have more freedom, but more responsibility. In this case, you need to audit your VPN, review logs, make sure that there aren’t any h*ckers trying to get you, et cetera. “OccupyTheWeb” (2018) and Siever et al. (2009) are good stuff for being a decent sysadmin. But the best advice imo is to reduce the attack surface as much as possible.

For more anonymity, try to find a public wifi whilst using a custom VPN and the Tor onion router. If you can’t leave your home for whatever reason, procure or make a Cantenna and crack your neighbour’s wireless hotspot (see Oriyano 2017).

Kaspersky (2005, chapter 3) demonstrates a somewhat outdated technique for anonymity that could still be applied today. Basically, you would obtain a burner phone and use it to build a GPRS modem for anonymous internet access through cellular networks. I will confess that my knowledge of telephony is quite limited, and that I may be misrepresenting Kaspersky’s method. So I recommend that you research this yourself and ask more experienced folk in this forum :wink:

2 Likes