Selecting the Right VPN Service

I first published this in 2013 but since I’ve been asked recently by several friends, I figured I update it with more current information.

For the record, I’m a CISSP, and as such, computer security is always in the top of my mind. For me, that also extends to privacy.

Since I spend a good amount of time at airports, hotels, coffee shops and generally roaming around, having a VPN service has become a necessity for me as well as for anyone who values their online privacy and safety, even at home.

Unfortunately, after the revelations of snooping from certain government agencies, along with the well-known harvesting of information done by “free services” with marketing purposes, VPN services became essential even at home if you care about your privacy.

And of course, using a VPN alone will not protect your identity, but it will be the first step: protecting your IP address and your application traffic, which encrypted or not, can reveal a great deal about yourself.

For that reason, selecting the right VPN provider became even more complicated since now it’s necessary to review very carefully their terms of service documents, log retention policies and company operations. I used to use WiTopia in the past but upon further examination of their policies, I opted to find another provider.

My selection criteria for VPN services were simple:

  • No logs and no association with my IP address.
  • The business itself should be located outside the USA, preferably in a country with strong privacy laws.
  • Payment options should include Bitcoin, which allows me to pay them without having my personal identity directly compromised.
  • Multiple gateways all over the world, and the free capability for me to choose to which one I want to connect without extra cost.
  • Service should be fast and reliable.
  • Should include multi-hop technology to mitigate traffic analysis.
  • Support for OpenVPN with AES-256-CBC ciphers and above.
  • Authentication should use SHA-256 or higher, preferably protected with HMAC.
  • Support for UDP as well as TCP when behind more restrictive firewalls.
  • Capability to tweak the settings to avoid DNS leaking.
  • Support for multiple simultaneous devices, in particular Linux, Mac OS X (with TunnelBlick) and rooted Android.

Fortunately, the folks at TorrentFreak keep a very good article detailing the list of providers they consider serious to do business with. This is updated yearly, and the link here corresponds to the 2016 version.

I looked at all of them one by one, and I ended up settling with iVPN since it matches all of my requirements. It’s by no means the cheapest of the bunch, but I personally don’t care about paying more for a high quality service. Their adherence to the principles of the EFF, of which both of us are members of, was the bonus for me to go with them.

I’ve been using them now for over three years and I find it flawless. The performance is great, even in Multihop mode. They don’t discriminate against any type of traffic.

I also use AirVPN as a secondary service, primarily due to the capability of selecting each individual server endpoint which is good in some cases. They have interesting features, like inbound port forwarding, but only with points of presence outside the US. Similar for Torrent traffic, which is blocked in the US POPs.

IPv6 Leaks

If you use a service like Comcast, you can now get a native, real IPv6 address in your computer. Kudos to them, since this is long term coming. But IPv6 implies that every device is directly routable and connected to the Internet. There is no (practical) NAT for end users in IPv6 to mask or hide their addresses.

In these cases, VPNs can give you a false sense of security. Even if you are connected to a VPN, you can still leak IPv6 traffic with your unique IP. Short of completely disabling it (which is a pity given the need for it), I’ve opted to setup a pfSense virtual interface with a permanent OpenVPN connection against one of my providers, and enable policy-based routing by hand. If I want to be really safe, I use an IPv4-only profile on my Mac pointing to that one as a gateway. Firewall rules in that interface explicitly deny IPv6. So far, that’s the only way I’ve found not to leak your identity. I’ll keep working on this and I expect to report more when I know of a better way.

comments powered by Disqus