
To VPN or not to VPN?


As a novice to VPNs take what I say with a grain of salt but here's what I "think" I've learned. There is a VPN client and a VPN host (server). What flows between the two is encrypted. The result ranges from security to the illusion of security and anonymity.

The tunnel host or the tunnel client can be your computing device or your router. If you've only one device you'll likely install VPN on it, if you've multiple devices you'll likely install VPN on your router.

VPN encryption is intensive. Sometimes to often it cannot keep up with your Internet service speeds. For example I've an 86U which does encryption in hardware. I believe it encrypts at about 200 Mbps. My Internet service is only 100 Mbps so I see virtually no degradation. The OP has 500 Mbps, he will see some degradation in performance.

If the OP set his router to be a VPN host he could take his laptop to the corner pub and view data on his home file share or view video from his home media share securely.

Now let's take this same laptop, same bar and connect to the Internet at large. It's possible that someone else could eavesdrop on him. If, instead, he connects to a VPN service his data is encrypted thus protecting him from eavesdroppers.

Now the OP was talking about setting his router up to be a VPN client which implies he wanted all his users to connect to a VPN service. That means his data goes to the router where it is encrypted, sent to the VPN host where it is decrypted and sent to the Internet at large using a different IP address. What does this buy him?
  • Well, his wife could possibly hack him (because she's on the same router) but that's probably not an issue.
  • The ISP no longer sees what he's doing. It's not that I think any ISP is going to hack his data but they can track his behavior and monetize his data (by selling his behavior to direct marketers).
  • His IP address is changed thus camouflaging naughty behavior.
So you've made it harder for your ISP to rat you out but what about the VPN service? Especially the "Free" ones? Are they running a charity? Ha, probably not. We have moved the potential for monetization from the ISP to the VPN service. (Nah, I'm probably just overly cynical in my old age : -)

I can mostly agree with you, but I don't think I'm too cynical in my old age! I've been the same at every age. :)

In your example above where he connects to the internet at large, instead, he should be connecting back to his router and network which he has hardened as much as possible (algo?), that way, a third (potentially irresponsible or worse) party is never needlessly involved.

I'm also under no illusions that changing IP addresses via VPNs camouflages 'naughty' behavior. But as mentioned above, you need bigger actors (state, etc.) to see clear images at that zoomed in/out level (depending on your point of view).
 
In your example above where he connects to the internet at large, instead, he should be connecting back to his router and network which he has hardened as much as possible (algo?), that way, a third (potentially irresponsible or worse) party is never needlessly involved
Point well taken!

I was also starting to poke at security versus the illusion of security. If I use a tunnel service I'm putting a lot of trust in my provider. The "bad guys" use randomized networks of proxy servers, tunnels and more ("oh my") to hide behind. If only the bad guys used them it'd be easier to trace them but all of us "naughty" and "vanilla users" generate so much white noise it becomes rather tedious to track them down. Why doesn't government do more? I think counter espionage also hides behind all this white noise. Now how's that for cynical ; -)
 
@Klueless - yes, where I was a bit confused was if there was a reason to encrypt all traffic using some VPN provider. Based on what I understand so far, the answer is "no". I'm better off locking things down as best as I can on my end (via good router hygiene) then becoming my own "VPN provider" that I can use when I am out of the house. I'm still learning so I guess all that could change lol!
 
I'm still learning so I guess all that could change lol!
Me Too!
yes, where I was a bit confused was if there was a reason to encrypt all traffic using some VPN provider. Based on what I understand so far, the answer is "no". I'm better off locking things down as best as I can on my end (via good router hygiene) then becoming my own "VPN provider" that I can use when I am out of the house
Some don't trust their ISP but the counter point is if you don't trust your ISP then why trust a VPN service? Myself, I think most ISPs in the States are trustworthy but that doesn't mean they're going to protect you from targeted marketing. There are some "pay for" VPN services that seem trustworthy (presumably because they're happy with the monthly revenue stream) and the extra layer of abstraction does sound comforting.
becoming my own "VPN provider"
True enough although the ISP could still see what websites you are going to, yes?
 
I agree with a lot of what you are saying but whether you use a VPN service or your ISP they can track you because all routing data is not encrypted. Even if you use a VPN service your ISP will know you are going to a porn site. They just will not know what pictures you are looking at because that data is encrypted.
 
@coxhaus - one use case for VPN I've heard is for people who don't like the way their ISPs throttle certain types of traffic (gaming or video or some such thing) and they try to use a VPN to obfuscate the packets. I don't know if this really works or not...
 
There is no way running VPN is going to be as fast using a small SOHO router as just connecting and using your ISP. There is too much overhead for running VPN especially in the high end encryption.
 
I agree with a lot of what you are saying but whether you use a VPN service or your ISP they can track you because all routing data is not encrypted. Even if you use a VPN service your ISP will know you are going to a porn site. They just will not know what pictures you are looking at because that data is encrypted.

This is completely wrong. The fact that you have now repeated that claim across these forums means you have no real understanding of either encryption or tunneling. At best, you seem to be confusing TLS/SSL protocol usage with VPN. At worst, you have no understanding of either.

For everyone else reading, assuming you set up a strong encrypted tunnel in such a way that there are no obvious leaks like you left your DNS still pointing back to your ISP, there is no way any third party, less than a sophisticated actor with huge resources attacking that encryption or someone hacking your network, can monitor the content of transmissions from within the tunnel directly. This is the entire purpose of encrypted tunneling protocols.

Modern business and much of the Internet uses this basic principle and was the original purpose of a "Virtual Private Network" (minus the strong encryption and protocols of modern comms.), which is relied on for private site-to-site tunnels over the Internet or WAN. It does not take an ounce of effort to verify this by checking Wikipedia, reading a book on encryption, or asking anyone with more networking expertise than you.
 
Uh, I tend to agree with @umarmung but, ouch, that was just a little harsh ...

There are other easy to read sources (besides Wikipedia) that also agree, such as "AskLeo" (whoever he is : -)

"It’s important to realize while your ISP can see that you are using a VPN, they cannot tell what you are using it for.

"For example, you might connect to askleo.com through your VPN. Your ISP can see only the VPN portion. That you are connecting to askleo.com, and the information being sent to and from askleo.com through the VPN, is encrypted and inaccessible.

"Remember, however, that your VPN provider can see everything, just as your ISP might otherwise. In a sense, your VPN is acting as your ISP, as they’re providing the final connection to the rest of the internet."
In partial support of that I'm thinking; turn on a computer, connect to the Internet, do a (from your browser) "what is my IP?", then connect to a VPN and do another "what is my IP?" ... the results should be different?
 
I agree with a lot of what you are saying but whether you use a VPN service or your ISP they can track you because all routing data is not encrypted. Even if you use a VPN service your ISP will know you are going to a porn site. They just will not know what pictures you are looking at because that data is encrypted.

They won't, since the packet headers will be encrypted. The only routing info visible to the ISP will be the headers of the VPN packet, which will show your VPN provider's IP as its destination.

Basically, look at VPN like putting your traffic inside a box, with a different destination address on the box. The VPN provider opens the box, looks at the destination address on the content inside the box, and sends it there.
 
They won't, since the packet headers will be encrypted. The only routing info visible to the ISP will be the headers of the VPN packet, which will show your VPN provider's IP as its destination.

Basically, look at VPN like putting your traffic inside a box, with a different destination address on the box. The VPN provider opens the box, looks at the destination address on the content inside the box, and sends it there.

Thanks, RMerlin. Trying to get my head around this...

Doesn't the VPN need an ISP too though? Can't that ISP be 'your' ISP (at least sometimes)?

From my viewpoint and current understanding, there is nowhere to hide. Even with a paid-for VPN service.
 
Doesn't the VPN need an ISP too though? Can't that ISP be 'your' ISP (at least sometimes)?

Yes, although they aren't called ISPs. But they do have (often multiple) upstream providers that connect the servers in the datacenters to the rest of the world.

So, if I were the NSA (or any similar organization), I would be very interested in knowing which upstream provider is used by all the big VPN tunnel providers, and tap into these networks, for all that nicely aggregated traffic...

From my viewpoint and current understanding, there is nowhere to hide. Even with a paid-for VPN service.

The ONLY things guaranteed by a VPN service provider is:

1) Hides the traffic from your ISP, and any provider sitting between your ISP and the remote destination
2) Can hide the traffic from your LAN if the VPN client runs on your computer (useful while in a public hotspot, for instance)
3) Replace your ISP-provided IP address by one provided by the tunnel provider

Nothing more. It won't hide your traffic between the VPN provider and your remote destination.
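
The box analogy and the three guarantees listed above can be traced in a few lines of Python. This is an added example, not part of any post in the thread: the addresses are constructed from documentation ranges, the sealed packet is placed directly after the outer IP header rather than inside a real VPN protocol's framing, and `toy_cipher` is a stand-in for the tunnel's real cipher.

```python
import hashlib, ipaddress, struct

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
CLIENT_PUBLIC = "198.51.100.7"   # address your ISP assigned you
VPN_SERVER = "203.0.113.50"      # tunnel provider's server and exit address
WEBSITE = "192.0.2.80"           # remote destination
KEY = b"constructed-demo-key"    # shared by the VPN client and the provider only

def ipv4_packet(src, dst, payload, proto):
    """Build a minimal IPv4 packet (20-byte header, checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload

def parse_ipv4(packet):
    """Return (src, dst, payload): what an on-path observer reads in clear."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), packet[20:]

def toy_cipher(key, data):
    """XOR with a SHA-256 counter keystream. Demo stand-in only, not secure."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def trace(request=b"GET /private-page"):
    """Follow one request and record what each party can read."""
    inner = ipv4_packet("10.8.0.2", WEBSITE, request, proto=6)   # contents of the box
    on_isp_wire = ipv4_packet(CLIENT_PUBLIC, VPN_SERVER,
                              toy_cipher(KEY, inner), proto=17)  # the box itself
    isp_src, isp_dst, sealed = parse_ipv4(on_isp_wire)
    # The provider holds the key: it opens the box and reads the inner header.
    _, inner_dst, inner_payload = parse_ipv4(toy_cipher(KEY, sealed))
    # It forwards with its own address as source; there is no tunnel on this leg.
    after_vpn = ipv4_packet(VPN_SERVER, inner_dst, inner_payload, proto=6)
    site_src, _, _ = parse_ipv4(after_vpn)
    return {
        "isp_sees": (isp_src, isp_dst),
        "isp_can_find_website": ipaddress.IPv4Address(WEBSITE).packed in on_isp_wire,
        "isp_can_find_request": request in on_isp_wire,
        "provider_sees": (inner_dst, inner_payload),
        "website_sees_source": site_src,
        "request_clear_after_vpn": request in after_vpn,
    }

if __name__ == "__main__":
    for party, view in trace().items():
        print(f"{party}: {view}")
```

The last entry is the caveat from the post: past the provider, the request is only as protected as the application protocol (for example TLS) makes it.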
 
You are right. You are encrypted from point a to b. But after that you are not. The routing info is not encrypted but the tunnel gives you protection from point a to b.

My info is worth what you pay for it. Sometimes I have wine or/and bourbon distractions. I may have been distracted as I obviously did not think it out well. My original point is the routing info is not encrypted.
 
... wine or/and bourbon distractions
<lol> Me too. Get some of my best thinking done with a double in front of the fire. What kind of bourbon do you recommend : -)
 
I’ve been using Private Internet Access for almost a year now and have been very happy with it. It’s fast and allows manual selection of a variety of servers around the US and the rest of the world. Last year they had a sale on Black Friday, so I’d recommend waiting until Black Friday vpn deals again, if you don’t need to buy one right now.

I tried CyberGhost before using PIA and didn’t like it as much, it was slower and didn’t have manual server selection (only automatic).
 
This is a very interesting topic because it was something I was having a hard time wrapping my head around as well before I first landed on this awesome forum. However, with time I have come to understand that there are definitely things you can do to improve your online security and privacy but there is no (and never will be a) 10000% bulletproof solution to anything. If someone "really" wanted to target you, they will eventually find a way even if you are using the best tech money can buy. Why/How? Well it's called human error. When developers write code, they do it to the best of their abilities but there is always someone, somewhere, with enough time and determination that will stop at nothing to find a "bug" or exploit that lets them break the code and have access to data they were never meant to obtain. Just look at Apple. A trillion dollar company and yet some Israeli company finds a glitch that allows them to extract an iPhone's data. Granted it's a cat and mouse game but my point is, even with a trillion dollar budget, flaws can exist in the end product and so, you have to be aware of this and accept it.

What you also need to know is that unless you're some VVVIP, chances of anyone wanting to target you for anything is pretty close to zero. A lot of people develop this paranoia online as if they are always being watched. They're not, so there is no point in driving yourself crazy over it :)

That being said, you have 2 options in my opinion.

1) Subscribing to your local internet provider and leaving it at that. Just know that they technically know absolutely everything you're doing online but is there someone specifically sitting at a desk there waiting and watching everything you do? Lol, very unlikely.

2) If you do somewhat care about online privacy, and I'm assuming you do otherwise you wouldn't be here, then there are things you can certainly do to solidify your network:

- make sure you have a capable router. Asus offers a great line of routers at all price points.
- make sure you properly set up that router. There are excellent resources in this forum that have put in a lot of time and effort into making these steps easy to follow. Here is a great starting point that I've used recently that has been nothing but perfect. (thank you @L&LD ) Follow them in the order listed.

https://www.snbforums.com/threads/major-issues-w-rt-ac86u.56342/page-4#post-495710
https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/

Once all that is done, you should have a damn solid router setup and I would highly recommend you switch on and configure the built-in OpenVPN server at this point so that you can connect to it from wherever you are around the globe. This will give you the comfort knowing that everything you do via that VPN connection will be secure and no different from what it would be with you being at home.

In my case, I also have ExpressVPN which I have configured on my router as well for all my network to use. They have tons of very fast servers and I've been lucky to have one in the city where I live so my internet speed is barely affected. They also seem to be privacy oriented with no logging of anything whatsoever which is why I chose to go with them. By doing this, I am basically choosing to trust them over my ISP which I am comfortable doing. They do offer a lot more via their VPN services obviously but fundamentally, it's about who you prefer trusting more.

I hope this helps make sense of it all.

We live in the digital age now, so for the ultimate form of privacy imo, you cannot touch the internet or use any phone whatsoever. How many will go that far? I have yet to meet one :)
 
@Klueless - yes, where I was a bit confused was if there was a reason to encrypt all traffic using some VPN provider. Based on what I understand so far, the answer is "no". I'm better off locking things down as best as I can on my end (via good router hygiene) then becoming my own "VPN provider" that I can use when I am out of the house. I'm still learning so I guess all that could change lol!
This also depends... are you using Kodi to stream any movies/videos? I am... so I use a paid VPN service to hide my streaming activities ;) I'm not saying this is 100% foolproof but I feel a lil better when I'm watching a newly released movie thru Kodi, than being naked and my provider seeing all haha that's just me but it's not for all. Good luck.
 
The ONLY things guaranteed by a VPN service provider is:

1) Hides the traffic from your ISP, and any provider sitting between your ISP and the remote destination
2) Can hide the traffic from your LAN if the VPN client runs on your computer (useful while in a public hotspot, for instance)
3) Replace your ISP-provided IP address by one provided by the tunnel provider

For the reasons above I prefer to VPN. Not always and not on every device. When needed and on selected devices.
 
VPN has its use cases and limits. I'm glad you don't see that they ensure online anonymity anymore, 'cause they don't. There are tons of ways to track a user online despite IP address or encryption. However, the parts that it's advised on public Wi-Fi and it adds an extra layer of privacy IMHO are true. If you have a no-logs service provider then rerouting your traffic from your ISP server to no-logs server is pretty useful. Additional encryption on public Wi-Fi as well. But IMHO majority use it to bypass geo blocks and for streaming and so on, because it's really comfy to bypass those using a VPN. You can use it for smart TVs also if you set up on a router just check the IP address per instructions to see if you really got the one you need and you're good to go.
 
