pshirshov 3 hours ago

I don't know a single VPN provider apart from Mullvad with a proper v6 implementation.

  • lxgr an hour ago

    Do you know if it's supported using OS-native VPN client implementations as well (i.e. WireGuard, IKEv2, or maybe OpenVPN), or only using their official client?

    • aryan14 38 minutes ago

      You could run WireGuard through the CLI directly instead of jumping through the Mullvad app itself.

    • sva_ an hour ago

      You can download the WireGuard/OpenVPN config files all at once in their web interface.

      • lxgr an hour ago

        I've seen that, but I just wasn't sure if that also works for IPv6.

        According to their own docs, it seems to work for at least OpenVPN:

        > Those not using the Mullvad client program can just add the directive "tun-ipv6" to their OpenVPN configuration file.

        • sva_ an hour ago

          Yas. When you download the config files you can choose between IPv4 and IPv6

  • ramon156 2 hours ago

    Solid dev + OSS ecosystem + Flat rates

    I'm satisfied!

    • ffsm8 2 hours ago

      $5/month vs e.g. $2/month with a long-running sub with e.g. PIA (Chinese owners) though... I wish Mullvad provided long-running subs with better prices than what they currently provide.

      • joecool1029 17 minutes ago

        Buy a year voucher off Amazon, comes to $4.75/mo. Or be lucky like me and buy the 6 month for $29 from them and receive a 12 month voucher instead when they grab the wrong one.

      • baobun an hour ago

        "sub" as in subsidized by your data eh?

      • bitxbitxbitcoin 2 hours ago

        Would love a source for Chinese owners of PIA. Last I knew, it was Israeli owners.

        Source: former employee.

        • c420 an hour ago

          You are correct: "Kape Technologies is a United Kingdom-based cybersecurity software company. Kape owns VPN services and cybersecurity tools, including CyberGhost, Private Internet Access (PIA), ZenMate, ExpressVPN, and Intego."

          https://en.m.wikipedia.org/wiki/Teddy_Sagi#Kape_Technologies

          • ffsm8 an hour ago

            Yes, I misremembered. It was bought by Israelis after all. I don't think my point is affected by this, however.

            And I feel quite illiterate right now. I somehow managed to misread both your comments twice

  • patrakov an hour ago

    SwissVPN provides a /64.

    • seany 12 minutes ago

      Do they allow inbound ports?

anagogistis 2 hours ago

Hi, I'm the author of the blog post and just wanted to say thanks for the discussion.

I agree that relying solely on desktop VPN clients (especially closed-source ones) is risky... The network namespaces approach is new to me, but it looks like a solid way to isolate traffic and avoid these kinds of leaks entirely. Thanks for the suggestions.

the8472 5 hours ago

Network namespaces provide a clean host/VPN split.

https://blog.thea.codes/nordvpn-wireguard-namespaces/

  • webstrand an hour ago

    I just built the same thing using `systemd-nspawn --directory=/ -b`. The nice part about using nspawn is that you have access to all of the normal network configuration tools like systemd-networkd to configure the devices and networks, rather than using a python script. It also provides a nice place for running services inside of the container, since process management is also included.

Denatonium 3 hours ago

For the love of God, don't use PureVPN! They have been proven in court to log traffic, despite claiming not to.[1]

[1] https://cyberinsider.com/vpn-logs-lies/

  • patrakov an hour ago

    They are one of the few VPN providers that give out public IPv4 addresses, and you can even get a static one. So, if you are using them for having a public IP, not for privacy, please continue doing so.

    • joecool1029 10 minutes ago

      There are better options for that. One of them: https://njal.la/ (this service was formerly known as IPredator and run by former piratebay/piratebyran people)

    • lxgr an hour ago

      Interesting, do you know if they actually assign them to the VPN interface (rather than just passing through inbound connections to a public IP to the private IP of the VPN interface)?

      That could come in handy for hosting things behind double NAT.

      • patrakov an hour ago

        They assign it directly to the interface, and letting others connect to stuff behind CGNAT is indeed my use case.

        Two other VPNs working for this purpose are OVPN (+1 for them using WireGuard, but their Singapore node is slow) and SwissVPN (limited to only 30 Mbps by contract, but they do provide these contracted 30 Mbps).

rasengan 4 hours ago

Separately, PureVPN is one of the providers you can’t trust [1].

[1] https://www.makeuseof.com/worst-vpns-you-shouldnt-trust/

  • lxgr 3 hours ago

    I'm not surprised, given that I received 140% cashback(!) on their 2 year plan a while ago. Unless the hope is that most users forget to cancel before it renews, I'm assuming that I'm paying with my personal information.

    It still does the trick for accessing bank and other websites from abroad (that somehow consider a VPN IP more trustworthy than a residential ISP in a Western European country, but that's a different story), but I wouldn't use it for anything sensitive.

    I also definitely wouldn't run their client locally, and their WireGuard configurations are annoyingly only valid for 15 minutes after creation. (Weirdly, there doesn't seem to be any limitation on IKEv2.)

    • greyb an hour ago

      There are many VPNs on TopCashback offering 100%+ cashback. I assumed most of them were trying to build up user numbers in order to sell or get acquired, since I can't logically understand why a VPN would pay so much for an affiliate bonus.

    • Sophira 3 hours ago

      Given what you said about not using it for anything sensitive, I'm assuming you're not actually logging into your bank... right?

      • lxgr 3 hours ago

        Everything is TLS-encrypted anyway these days, so the primary concern is metadata privacy.

        When it comes to that, I trust VPN providers about as much as ISPs (i.e. absolutely not).

        • rasengan 2 hours ago

          VP.NET doesn't require any trust at all [1][2].

          [1] https://vp.net/l/en-US/blog/Don%27t-Trust-Verify

          [2] I work for VP.NET and can answer any questions regarding the technology as well!

          • lxgr 2 hours ago

            Interesting! But "no trust required" is a strong statement; don't I need to trust at least Intel? :)

            • rasengan 16 minutes ago

              You do need to trust Intel as it relates to SGX. SGX has had issues, but these are fixed pretty quickly [1]. Creating the isolated layer like SGX gives you verification of what is running on VP.NET's servers though, and the code is available to review and compile yourself so you can verify it is the same [2].

              From a defense in depth standpoint, the more layered and isolated securities, the better.

              [1] https://sgx.fail

              [2] https://github.com/vpdotnet/vpnetd-sgx

IlikeKitties 5 hours ago

I strongly suggest that you use something like network namespaces through Vopono[0] or Gluetun[1] if you use a commercial VPN for "privacy" or "security", aka torrenting and shitposting. Relying on these clients is always a gamble, and if your software (browser, torrent client, etc.) cannot know your public IP, only the internal IP of the VPN, you are also safe against some exploits and misconfigurations a desktop client won't protect you against.

[0] https://github.com/jamesmcm/vopono [1] https://github.com/qdm12/gluetun

  • Varelion 4 hours ago

    Wouldn't blocking IPv6 and using a kill-switch prevent leaking?

    • Denatonium 2 hours ago

      In the case of PureVPN, the only way of preventing leaks is by switching to a different provider. There is definitive proof that they keep logs despite their claims to the contrary. I have linked to a federal criminal complaint where the FBI requested logs after the offense and was given them by PureVPN. The relevant portion is on page 22.

      https://www.justice.gov/archives/opa/press-release/file/1001...

    • fulafel 2 hours ago

      Block IPv4 as well and you're pretty solid.

    • IlikeKitties 4 hours ago

      No, not in all cases. Imagine your browser gets 0-dayed and just sends all IPs it sees to an endpoint.
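The host/VPN split that the8472 and IlikeKitties describe above, as an added shell example that is not code from the linked blog post, Vopono or Gluetun: the WireGuard interface is created in the host namespace and then moved into a fresh namespace, so the only route out of that namespace is the tunnel, for IPv4 and IPv6 alike, and a program started inside it never sees the public IP at all. The namespace name, interface name, config path and the addresses in the test are hypothetical; real use needs root, iproute2 and wireguard-tools.

```shell
#!/bin/sh
# Added example, not code from the linked blog post or from Vopono/Gluetun:
# confine a WireGuard tunnel to a Linux network namespace so that anything
# started inside the namespace can only talk to the network through the
# tunnel. Real use needs root, iproute2 and wireguard-tools; NS, WG_IF,
# WG_CONF and the address arguments below are hypothetical defaults.
set -eu

NS="${NS:-vpn}"                                  # namespace name (assumed)
WG_IF="${WG_IF:-wg0}"                            # tunnel interface (assumed)
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"    # provider wg-quick style file (assumed path)
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands instead of running them

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. New namespace: it contains only loopback, no physical NIC and no route,
#    so until the tunnel is attached nothing inside it can reach the network.
vpn_ns_create() {
    run ip netns add "$NS"
    run ip -n "$NS" link set lo up
}

# 2. Create the WireGuard interface in the host namespace, then move it.
#    WireGuard sends its encrypted UDP from the namespace the interface was
#    created in, so the host keeps the outer path and the namespace only ever
#    sees the inner side of the tunnel: no public IP, nothing to leak.
vpn_ns_attach_wg() {
    run ip link add "$WG_IF" type wireguard
    run ip link set "$WG_IF" netns "$NS"
}

# 3. Load keys and peers, add the inner addresses, and make the tunnel the
#    only default route for IPv4 and IPv6 ('wg-quick strip' drops the
#    Address/DNS lines that 'wg setconf' does not understand).
vpn_ns_configure() {
    addr4="$1"
    addr6="${2:-}"
    run sh -c "wg-quick strip '$WG_CONF' | ip netns exec '$NS' wg setconf '$WG_IF' /dev/stdin"
    run ip -n "$NS" addr add "$addr4" dev "$WG_IF"
    run ip -n "$NS" link set "$WG_IF" up
    run ip -n "$NS" route add default dev "$WG_IF"
    if [ -n "$addr6" ]; then
        run ip -n "$NS" -6 addr add "$addr6" dev "$WG_IF"
        run ip -n "$NS" -6 route add default dev "$WG_IF"
    fi
}

# Start a program (browser, torrent client) confined to the namespace.
vpn_ns_exec() {
    run ip netns exec "$NS" "$@"
}

# A default route line from 'ip route show default' passes only if it names
# the tunnel device. Pure string check, so it can be tested without root.
route_is_via_tunnel() {
    case " $1 " in
        *" dev $2 "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Fail if any default route inside the namespace bypasses the tunnel.
vpn_ns_leakcheck() {
    { ip -n "$NS" route show default; ip -n "$NS" -6 route show default; } |
    while IFS= read -r line; do
        route_is_via_tunnel "$line" "$WG_IF" || { echo "leak: $line" >&2; exit 1; }
    done
}

case "${1:-}" in
    up)    vpn_ns_create; vpn_ns_attach_wg; vpn_ns_configure "${2:?inner IPv4/prefix}" "${3:-}" ;;
    check) vpn_ns_leakcheck ;;
    exec)  shift; vpn_ns_exec "$@" ;;
    "")    ;;   # no arguments: only define the functions above
    *)     echo "usage: $0 up <addr4> [addr6] | check | exec <cmd...>" >&2; exit 2 ;;
esac
```

Usage is `sudo ./vpnns.sh up 10.64.0.2/32 fc00:bbbb::2/128` followed by `sudo ./vpnns.sh exec firefox` (addresses are whatever the provider's config assigns; the ones here are made up). Because the namespace has no interface other than lo and the tunnel, the "block IPv6" and kill-switch questions above do not arise there: if the tunnel goes down, the namespace has no path at all rather than falling back to the host's uplink. Two caveats a practitioner should check: `ip netns exec` bind-mounts `/etc/netns/<name>/resolv.conf` over `/etc/resolv.conf` when that file exists, so put the provider's resolver there, otherwise a host stub resolver on 127.0.0.53 is unreachable from inside; and `DRY_RUN=1 ./vpnns.sh up ...` prints the exact command sequence for review before running it as root.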

  • nikanj 4 hours ago

    I strongly suggest you disable ipv6, as nothing will break by disabling it but many things break with it enabled.

    • lxgr 3 hours ago

      That's not true anymore.

      IPv6 allows for more direct connections for services like VoIP or Tailscale, since UDP hole punching between two firewalled public IPv6 addresses usually just works, but doesn't between two clients both behind a "port-restricted cone" or "symmetric" NAT.

      As a result, connections have to be relayed, which increases latency and is just outright infeasible for some non-profit services that don't have a budget for relaying everyone's traffic.

      Anecdotally, I've also heard that you can get better routing via IPv6 on IPv4-via-NAT-only providers these days, as the provider's CG-NAT might be topologically farther away than the IPv6 server you're connecting to.

    • mrweasel 2 hours ago

      That's not really true anymore. I've used a connection with both IPv4 and 6 for the past two years. There's a number of times where my stuff magically works while others have issues, because my traffic is mostly over IPv6. Not once have I had an issue because my setup is dual stacked.

      • patrakov an hour ago

        This is still true for ISPs that don't monitor their IPv6 connectivity. I was forced to disable IPv6 recently because of this: https://www.reddit.com/r/ipv6/comments/1nf3ytq/how_do_i_comp...

        And before you say "change the ISP": Globe is the only one that does not refuse to provide services to foreigners and does not lock you up into a 24-month non-cancellable contract, which is longer than any available non-resident visa.

    • indigo945 4 hours ago

      Alternatively, disable ipv4. The same statement holds true.

      • ZiiS 4 hours ago

        Unfortunately this is not true, loads of cool techy stuff (Sentry, GitHub) etc still don't work properly on IPv6, less techy stuff really didn't care at all.

      • ta1243 4 hours ago

        Lots of things will break if you disable ipv4, including my work provided zscaler windows laptop (and not break in the good way where it fails open when you block traffic to zscaler nodes on your router)

        Very little will break if you disable ipv6

        • denkmoon 3 hours ago

          Enterprise malware not doing v6 properly hardly counts, it’s a good day for them when they don’t just bsod your entire network.

        • mrweasel 2 hours ago

          A lot of stuff breaks when you run Zscaler.

xkcd1963 2 hours ago

What about NordVPN and ExpressVPN? Are those somewhat trustworthy?

  • jmyeet a minute ago

    I wouldn't trust either, for different reasons.

    Both of them really advertise too much (IMHO) to be trusted. They rely on introductory pricing and hoping people don't realize and get billed at a much higher rate, a model I personally hate.

    But ExpressVPN has an additional reason: ties between it, its founder and Israel. There's a BDS argument against right there but additionally, there are accusations that ExpressVPN traffic is or can be monitored by Israeli intelligence.

    That last one is a risk of many VPNs, which is why you have to be careful about who the owners are and where the company is incorporated. I personally prefer VPNs that are located in more privacy-focused jurisdictions (eg Iceland, Switzerland).

    Mullvad is a popular option on HN. I'm also relatively positive on PrivadoVPN (located in Switzerland). Some Redditors question the quality of the service. So far it's been fine for me.

  • mrweasel 2 hours ago

    Given their need to advertise with pretty much any YouTube channel willing to take their money, I'd be inclined to question the quality of the likes of NordVPN and SurfShark.

  • AzzyHN 26 minutes ago

    Trustworthy enough to shitpost behind? Sure.

    Trustworthy to break some actual laws behind? Absolutely not.

  • baobun an hour ago

    It boggles me how one can see them as anything but sus after tops 30 minutes of looking into it. You get that all those "top 5 vpn" sites and youtube recs are sponsored, right?