NetworkToolbox news

About VPN – be careful what you do

VPN is a buzzword, used for different things, sometimes for something which is the complete opposite.

Most people think of increased protection or privacy in connection with VPNs.

That is not fully true and, in some cases (read further below), you can instead jeopardize your security and privacy when using a VPN.

I am personally using a VPN almost whenever I am outside my home. I am using it regardless of whether I want to connect to my devices at home or any other website or server. This way, I can use virtually any WiFi hotspot without risking a Man-in-the-Middle (MITM) attack or other common issues like tracing of browsing activities, etc. Moreover, I can benefit from my Pi-Hole installation (see here for more about Pi-Hole) from any location so I can enjoy ad-free and faster browsing.

Evil VPNs

However, some people are using so-called “VPN” Apps or VPN providers. DON’T DO THAT!

Recently, it was revealed that several of these Apps and services are spying on their users. Very popular names are on a list of Apps that have been identified to track their users, possibly to make money by selling this information. As I used to say, “don’t trust the evil”.

You may ask, which VPN App or service I would recommend? The answer is simple: None of them.

But why? And what is the difference between those and “my” VPN?

The thing is, I would not even call those solutions a “VPN” because “VPN” stands for Virtual Private Network. These solutions might be virtual and a network, but they are by no means private, because your data is routed through their servers and, technically, they have access to your data at any point. You will never know whether they respect your privacy or (as has happened) are tapping into your data. And even if you trust a VPN provider today, can you trust them in the future, after they find they are not making enough money and start looking for additional opportunities? Some of these providers are even free of charge. How crazy is that? How can one maintain a secure infrastructure for people around the world and give it away for free? There is probably something they don’t tell you.

So should you rather omit any VPN? No, just use the right one, and the right one needs to be your own, private VPN. It is essential that both the starting point and the endpoint of the encryption are under your control.

A typical VPN is “tunneling” your data over the line. Tunneling means your data can’t take any route other than the predefined one, and it is usually encrypted at the beginning of the tunnel (the device from which you want to access the network) and not decrypted before the end of the tunnel (where it goes back to the public or, ideally, the destination server).

Corporate VPNs

VPNs can be used between your device and the destination network. This is what companies are using (or I should rather say have to use) if they want to give their employees access to the company infrastructure like mail, files etc. while they are not located inside the company, for example when they are working from home. Of course, this is getting more popular these days due to Covid-19. In these cases, the tunnel goes from the PC or mobile device of the employee up to the company’s network, regardless of which internet provider is being used or whether the employee is working from a hotel or an insecure WiFi in a coffee shop. Such a solution is secure.

VPNs to access a Server

The very same solution can be used if you want to securely connect from your home network to another server on the internet. I am using that whenever I am maintaining my Servers around the world.

Home VPN – my recommendation

But such a solution is also viable for home networks. If the tunnel starts on your mobile device and ends on your network at home, you benefit from the much higher degree of protection of your home network (which is hopefully under your control) even if you are on the road and using any (probably insecure) network.

And that’s exactly what I would suggest to everybody. Set up or use your own VPN and don’t rely on or trust anybody outside your network.

Of course, this needs a bit of extra work and at least some networking knowledge, but it’s not as complicated as you may think. And it’s really worth digging into this. Once you have set it up, you won’t want to miss it anymore. Especially if you are also using Pi-Hole.

I can suggest at least two possibilities.

VPN on a Raspberry Pi

One would be to buy a cheap Raspberry Pi and use it as a VPN server. Better use a separate one which will solely run the VPN. There are several instructions available on the web, especially for installing a VPN on a Raspberry Pi. Just use your favorite search engine and look for instructions that best suit your skills and requirements. My favorite VPN software is Softether. I am not fond of the old OpenVPN and the new WireGuard technology, but both are better than nothing. At least WireGuard might be worth a try. But I personally don’t like VPN solutions that require an App or additional software on your device because chances are that this software might have a security vulnerability.

When setting up a VPN, normally you can decide between different VPN technologies to be used. My recommendation is to use L2TP with IPSec which is very secure and doesn’t require an App on your mobile device because it is natively supported by iOS (and Windows and Android – by the way).

“L2TP” is the name of the technology for the Tunnel and “IPSec” the name of the technology for the encryption. There are others but for the aforementioned reason I would recommend L2TP/IPSec. However, by no means use PPTP instead because that’s outdated and insecure.

So the basic steps are:

  • Install the piece of Software (e.g. Softether) on a Raspberry Pi
  • Open the necessary ports (and only those) in your router so that it lets traffic on these ports pass through to your Raspberry Pi (usually these ports are 500 and 4500 for UDP traffic).
  • Configure the VPN on your mobile device

While talking about ports: if you currently have additional ports open because you want to access your NAS or camera from outside your home, you can now close these ports. You will not need them anymore, because once you switch on your VPN on your mobile device, it is as if you were sitting at home, inside your home network.
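
The port rule from the steps above can be checked mechanically. The following Python script is an added example, not part of the original post: it audits a list of router port forwards and reports every forward other than UDP 500 and 4500 to the VPN host as a candidate to close. The rule format, the sample rules and the 192.168.1.x addresses are constructed assumptions; real routers export their forwards in their own formats.

```python
VPN_HOST = "192.168.1.10"                 # assumed LAN address of the Raspberry Pi
ALLOWED = {("udp", 500), ("udp", 4500)}   # the ports named in the steps above

# Constructed sample, one forward per line: "<tcp|udp|both> <port[-port]> -> <host>"
SAMPLE_RULES = """\
udp 500 -> 192.168.1.10
udp 4000-4600 -> 192.168.1.10
tcp 5000 -> 192.168.1.20
both 554 -> 192.168.1.30
"""

def parse_rule(line):
    """Return (protocols, first_port, last_port, host) for one rule line."""
    proto, ports, arrow, host = line.split()
    if arrow != "->" or proto not in ("tcp", "udp", "both"):
        raise ValueError(f"bad rule: {line!r}")
    protos = ("tcp", "udp") if proto == "both" else (proto,)
    first, _, last = ports.partition("-")
    first, last = int(first), int(last or first)
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port range: {line!r}")
    return protos, first, last, host

def audit(rules_text, vpn_host=VPN_HOST, allowed=ALLOWED):
    """Return (to_close, missing).

    to_close: (rule line, number of unneeded exposed ports) for each rule
              that opens anything beyond the allowed forwards.
    missing:  allowed forwards that no rule sends to the VPN host.
    """
    to_close, seen = [], set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        protos, first, last, host = parse_rule(line)
        exposed = {(p, n) for p in protos for n in range(first, last + 1)}
        # A forward only counts as needed if it targets the VPN host.
        ok = exposed & allowed if host == vpn_host else set()
        seen |= ok
        extra = exposed - ok
        if extra:
            to_close.append((line, len(extra)))
    return to_close, sorted(allowed - seen)

if __name__ == "__main__":
    to_close, missing = audit(SAMPLE_RULES)
    for rule, count in to_close:
        print(f"close or narrow: {rule}  ({count} unneeded port(s) exposed)")
    for proto, port in missing:
        print(f"missing forward: {proto} {port} -> {VPN_HOST}")
```

Note that the range rule in the sample does forward UDP 4500, so the VPN would work, but it is still flagged because it exposes 600 other ports along with it.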

Or use a device with built-in VPN Server

So this is one possibility. The other possibility, if you don’t want to set up a VPN on a Raspberry Pi (I say “want to” because you definitely can, believe me), is to see whether your Router or any other device on your network offers a VPN feature. Some Routers do. If not, you can even buy and attach an additional Router just for the purpose of a VPN. However, and that’s why this is not my preference, you never know how good their VPN Server implementation is and whether it is being updated in a timely manner. Often they also “just” offer OpenVPN, but it’s probably worth an investigation.

Give it a try!

So I really recommend giving it a try. You will not regret it.

But still you might say: wait, what about watching Streaming videos that are not offered in my country and what about my privacy?

Yes, these are two things that might have been another reason why people are using a so-called VPN Service. But again, this has nothing to do with privacy, and neither can be accomplished by a home VPN as described before.

If you want to hide your identity on the Web, better use Tor with a Tor Browser.

If you really have to watch streaming videos that are not available in your country, better use one of those browser-plugin-based solutions – but ideally use it on a separate PC because even plugins can be harmful.

Looking forward to your feedback.

Stay safe and healthy – and, don’t trust the evil.