Navigating the VPN Hellscape

The VPN Hellscape


While i find it encouraging that more people are becoming concerned with their on-line privacy, i find it equally disturbing that so many are turning to highly unethical companies which have no intention of protecting the privacy of their customers and, in fact, are purposely violating and profiting from that trust.

Given the exceedingly grim nature of this article, i should say at the outset that i am in no way suggesting that one leave their network activities solely in the hands of their Internet Service Provider (ISP), some of which are quite inquisitive. I am of the strong opinion that an ISP should act as a service provider and nothing more, however that is obviously not the case in this era of surveillance capitalism and thus a VPN can act as a tunnel through your ISP in which all data is encrypted. While a VPN can provide a degree of privacy and insulate one from some of the many threats posed by ISPs and other bad actors, utilizing such a service requires a large degree of blind trust in the company. Furthermore, a VPN is only a piece of a larger threat mitigation architecture the privacy conscious person must consider.

The vast majority of Virtual Private Network (VPN) providers are, simply put, garbage. Over 100 VPN companies are owned by approximately two dozen corporations, some headquartered in China, an authoritarian, communist country with a notoriously poor track record of spying on and manipulating its people. Some of the biggest players in the market are Kape Technologies, an Israeli owned company, Ziff Davis, Nord Security, Aura, Innovative Technologies, Actmobile Networks, Gaditek, NortonLifeLock and SuperSoftTech.

Together these corporations own some of the largest VPN service providers including ExpressVPN, CyberGhost, Private Internet Access (PIA), ZenMate VPN, IPVanish, NordVPN, HideMyAss, Atlas VPN, Surfshark, SaferVPN, Perimeter 81, Buffered VPN, StrongVPN, Hotspot Shield VPN, TouchVPN, PureVPN, Ivacy VPN, Unblock VPN, JustVPN, Avast SecureLine VPN, Free VPN and many others.

Conveniently, some of these ethically challenged companies also own VPN "review" websites including SafetyDetectives, vpnMentor and Webselenese. A 2021 article, Former Malware Distributor Kape Technologies Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN "Review" Websites, on the Restore Privacy website provides some insight:

In another twist to the plot, Kape Technologies also purchased a collection of VPN review websites in 2021. Yes, you got that right. The parent company that owns these VPNs now also owns a few high-profile websites that "review" and recommend VPNs to users around the world.

This is clearly a conflict of interest, but that goes without saying.

In May 2021, news broke that Kape had purchased a company called Webselenese. Like Kape, Webselenese also operates out of Israel and runs the websites and Collectively, these two websites have monthly search traffic of around 6.1 million visitors according to Ahrefs traffic analysis tool (September 2021).

An article on the TechNadu website, Which Companies Own Today's Most Popular VPNs? – Hidden & True Owners Revealed!, further reveals the shady history of some of these VPN companies.

Naomi Brockwell provides an excellent introduction into the chicanery taking place in the massively profitable VPN market in her video, The DARK side of VPNs.

By the time you read this it is not unlikely that these corporations will have ingested more companies, or changed their name in order to escape their rotten reputations. Kape Technologies for example, is known for distributing malware and Ziff Davis, formerly J2 Global, Inc., was reported to be offering money to tech websites to secretly track users. Meanwhile, Nord Security, which has offices in Lithuania, the United Kingdom, Panama and the Netherlands, and which operates the widely advertised NordVPN, has been caught with their privacy and security pants down around their ankles multiple times.

According to Market Screener, Kape Technologies, with annual sales in excess of $600 million U.S., employs 850 people and "operates two reportable segments: Digital Security, Digital Privacy and Digital Content".

The Digital Security segment comprises of software and software as a service (SaaS) product offering security, endpoint protection and personal computer (PC) performance. Its Digital Privacy segment comprises of virtual private network (VPN) solutions and other privacy SaaS products. Its Digital Content comprised digital platforms which provide reviews and content. The Company's subsidiaries include CyberGhost SRL, Neutral Holding Inc, Intego SA, Intego Inc, ZenGuard GMBH and Reimage Limited.

Kape Technologies, formerly Crossrider, is owned by Israeli billionaire Teddy Sagi. In 1996 Sagi was sentenced to 9 months in jail after being convicted of bribery and fraud. According to Wikipedia, Sagi was one of 565 Israelis listed in the Pandora Papers published by the International Consortium of Investigative Journalists. As reported by The Times of Israel, The Pandora Papers is "a trove of nearly 12 million leaked documents detailing the financial secrets of the rich and famous around the globe."

The documents detail secretive financial transactions carried out by the wealthy individuals — many of which are legal in Israel — often aimed at hiding assets offshore or concealing their connections to businesses and other financial endeavors and holdings.

In the latest trove of documents released on Wednesday, details were revealed about transactions by the Ofer brothers, Sagi — who was allegedly the recent target of a plot to harm Israelis in Cyprus — Moshe Hogeg, an entrepreneur and the owner of the Beitar Jerusalem soccer team, and Eytan Stibbe, who is slated to become the second Israeli in space early next year.

In a 2014 article by Mail Online, Teddy Sagi, jailbird pornographer behind Britain's crack cocaine gambling machines, we learn more about Sagi's criminal activities.

While it is bad enough that Sagi has helped turn Britain into a nation of gamblers, even more disturbing is the fact that he learned some of the tricks of his controversial trade from the world of internet pornography.

Not only that, I have established he is a convicted criminal who comes from a family with a murderous past.

Born in Tel Aviv in 1972, Sagi became accustomed to the finer things in life. His father ran a travel agency and his parents appeared in newspaper gossip columns. But he and his family were to find far greater notoriety for their criminal activities.

In 1983, Sagi’s older stepbrother, Ronen, was convicted of the murder of an investment consultant. There was little doubt about his guilt — he stole his father’s gun, fitted a silencer and fired ten bullets at his victim after a disagreement believed to be about money.

Then in 1994, when Teddy Sagi was just 22, he was arrested along with seven other businessmen on suspicion of insider trading. They were charged with buying and then manipulating the value of stock in a widespread banking fraud.

Sagi, one of the youngest among those arrested, admitted grave deceit, bribery and insider trading. He was jailed for nine months.

When he was released, he became hellbent on making his fortune. He teamed up with his father trading on the stock market and buying and selling property. But he realised the internet was the means to make large sums, regardless of the morality of how the money is made.

Daniel Gericke, the CIO of ExpressVPN, has also run afoul of the law. The following is from a 2021 article by Restore Privacy, High-Level ExpressVPN Executive Ensnared in Criminal Surveillance Operation.

The Chief Information Officer for ExpressVPN, Daniel Gericke, has entered into a plea deal with the US government for his role in facilitating the United Arab Emirates in hacking and surveilling state dissidents. Gericke, who was formerly employed by the US military, has admitted to violating US hacking laws and facilitating the UAE in a covert cyber espionage operation called Project Raven. These activities transpired before Gericke was employed by ExpressVPN.

Based on these records, it appears that Gericke is under the thumb of the FBI “or any other U.S. government organization” that wants information from him. Given this fact, it would seem concerning to have such a person holding a high position in a VPN service that must resist government demands for user data.

Uzair Gadit, a Pakistani, is a co-founder and current CEO of PureVPN, a "no logs" VPN owned by GZ Systems Ltd. In 2017 PureVPN turned over data to the FBI in regard to a cyber-stalking case. The article FBI uses PureVPN's 'non-existent' logs to track down internet stalker offered the following warning:

[...] a recent case shows that the FBI used the logs of PureVPN to track down a user believed to be an internet stalker. This may make PureVPN users think twice about just how anonymous they really are, particularly when the company claims: "We do NOT keep any logs that can identify or help in monitoring a user's activity."

The current Wikipedia page for PureVPN contains the following:

PureVPN stores logs containing information about what Internet service provider a customer used to access its service and which day the service was used. PureVPN does not store the exact time a customer accessed VPN. To prevent misuse and monitor quality, it records how much bandwidth customers are using. PureVPN also stores HTTP cookies for online advertising purposes as well as user account information like email address and credit card data.[4] It does not store what websites a customer is accessing.[15] Brian Nadel of Tom's Guide criticized PureVPN for requiring real names for user signups, even when users employ Bitcoin or gift cards for payment.[7] VPNs largely do not require real names.[7]

In 2017, PureVPN provided information to Federal Bureau of Investigation agents that helped result in the arrest of a Massachusetts man for cyberstalking.[15] The company concluded that the man had accessed PureVPN through two IP addresses: one from home and one from work.[15] Max Eddy of PC Magazine noted that the company's privacy policy says it will cooperate with investigators who give them a proper warrant and concluded, "In the case of PureVPN, it doesn't appear that the company breached the trust of its users".[15] TechRadar's Mike Williams disagreed, writing that PureVPN "made a big deal of its 'zero log' policy" on its website but did keep logs that enabled investigators to link the man to what he did on the service.[5]

In 2013 PureVPN customer data was obtained when its website was apparently hacked.

Customers of VPN provider PureVPN recently began receiving e-mails stating that the company was shutting down due to legal issues - but PureVPN quickly announced that the e-mails were fake, and had been sent by hackers who had accessed customers' names and e-mail addresses.

Hari Ravichandran, CEO of Aura, also founded Endurance International Group (EIG), a widely disliked company which bought a plethora of up and coming web hosting companies which they made more profitable by cheapening services and outsourcing support. EIG was itself absorbed by Warburg Pincus and Goldman Sachs Capital Partners for approximately $975 million and today it apparently operates under its new name, Newfold Digital.

The above is but a brief sampling of some of the shady business practices occurring within the rapidly growing, multi-billion dollar virtual private network market, a market where criminal activity and a complete lack of ethics seem to be the norm rather than the exception.

Findings from a VPN whitepaper

The VPN whitepaper, Security and Privacy of VPNs Running on Windows 10, provides us with some valuable information regarding the state of the VPN market today. Following are some of the key findings contained in the paper.

Many people turn to VPNs in large part to either avoid risks on untrusted networks or to protect themselves from advertisers and internet service providers (ISPs) that might monitor, disrupt, or even tamper with internet traffic. Unfortunately, some people might not realize that apps and websites may be identifying them even when they’re masking their IP addresses.

Many VPNs have configured their applications to use public DNS services instead of their own DNS resolvers. Astrill VPN, Speedify, Touch VPN, and Windscribe used Cloudflare, a third-party public DNS service. Kaspersky, Steganos, Trust.Zone, and Turbo VPN used Google public DNS service. Le VPN and ZoogVPN used the OpenDNS public DNS service, and Le VPN additionally used Google public DNS.

Many of the VPNs we tested had shortcomings in build quality and reliability, security oversight, security over time, and the ways VPNs engage with security researchers and respond to vulnerability reports.

We identified some specific areas that could use improvement industry-wide.

  • We looked for WireGuard support and for IPsec/OpenVPN configurations with good primitives (P-256 with AES-256 GCM), if offered. Some VPNs are still using poor IPsec or OpenVPN configurations, while another is using PPTP.
  • Only six of the 16 VPNs had open source software and reproducible builds.
  • Three VPNs left users vulnerable to brute force attacks, and three left them vulnerable to account lockouts.
  • In many VPNs’ terms of service or privacy policy, there was no evidence of robust internal procedures for audits or for preventing unauthorized access by employees. And some VPNs that had third-party security audits did not make them available to the general public or conducted them inconsistently.
  • Given that software updates often have bug fixes and that VPNs are a security product, we’d like to see signed updates that are easy to install, if not automatic. And we’d like official documentation that VPNs will be kept up to date for security issues, with a clear period of support.
  • Though the majority of VPNs had a vulnerability disclosure program for researchers to report security issues, only one (F-Secure Freedome VPN) had a time frame to review vulnerability reports, and only three stated without stipulation that they will not pursue legal action against security researchers.

In addition to our data security evaluation, we also looked at VPNs’ data privacy. Data privacy is a measure of how the VPN and its service provider collect, share, and use a consumer’s personal data, and the user’s ability to control the flow of their data. [...] We found that every company we analyzed could do better when it comes to allowing consumers to obtain all public-facing and private user information the company holds about them.

We looked at whether the companies claimed, on their own, to either delete outdated and unnecessary personal information or render it to be reasonably deidentified.

In last place were CyberGhost, F-Secure Freedome VPN, IPVanish, NordVPN, PIA, and Surfshark, all of which claimed not to delete outdated or unnecessary user information or were vague as to what they do after they no longer need to retain personal data either internally or contractually. Faring only a tiny bit better were Betternet, ExpressVPN, and Hotspot Shield, which made vague reference to not retaining outdated or unnecessary information if they are legally obligated to do so.

We looked to see whether each company clearly discloses its purpose for collecting each type of user information. NordVPN did the worst here, storing executables (presumably indefinitely) without making it reasonably apparent that the collection justifications benefit the user. Reasons for why data were collected were vague.

Recommendations for Industry Improvement in Privacy

We identified some specific areas that could use improvement industry-wide.

  • We found that every VPN company we evaluated could do better when it comes to committing to allow users to obtain the public-facing and private user information that the company holds, including users not covered under CCPA or GDPR.
  • Many of the VPNs we tested could improve by providing specific retention periods for any data they do collect.
  • VPNs would better serve their users by explaining in detail how user data is handled in case of a merger, bankruptcy, or acquisition.
  • The industry could improve by giving specific retention periods for destroying or getting rid of outdated or unnecessary personal information. Almost every VPN, including Mozilla VPN and Mullvad, failed to state in their documentation that they will delete user information immediately and permanently in a reasonable time (in this case, 30 days) if service is terminated or inoperable.
  • We’d like to see VPNs clearly outline in their documentation which information outside parties require, provide options, and host first- and third-party tools on their own servers—something only IVPN has done.

Consumers should be aware that while many VPN providers indicate that they do not keep logs, this usually cannot be verified, and in many cases logs were found on the local Windows system that included usernames, emails, IP addresses, and other potentially sensitive information.

Some VPNs left logs that might contain sensitive information on their Windows machine in a variety of places, such as C:/ProgramData and %AppData%, that can persist even after the program is uninstalled.

For example, in IPVanish, the username and all IP logs (with time stamps) are saved locally. This shows what IP the user came from, what IP the user connected through, and when the connection happened, as well as a username.
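A check for the residue described above, as an added example that is not from the whitepaper or this article: it walks a directory tree such as C:/ProgramData or %AppData%, looks only in folders whose path contains a VPN vendor keyword, and reports text files that still hold e-mail addresses, IPv4 addresses or usernames. The vendor name `ExampleVPN`, the log format and every sample value are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Patterns for the kinds of data the whitepaper reports finding in leftover logs.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(
    r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"
)
USER_RE = re.compile(r"\b(?:user(?:name)?|login)\s*[=:]\s*([^\s,;]+)", re.I)
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")
TEXT_SUFFIXES = {".log", ".txt", ".json", ".ini", ".conf", ".xml"}


def scan_text(text):
    """Return the identifying values found in one file's text."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "ipv4": sorted(set(IPV4_RE.findall(text))),
        "usernames": sorted(set(USER_RE.findall(text))),
        "timestamped_lines": sum(
            1 for line in text.splitlines() if TIMESTAMP_RE.search(line)
        ),
    }


def candidate_roots(env=os.environ):
    """Locations named in the paper: ProgramData and the per-user AppData trees."""
    names = ("ProgramData", "APPDATA", "LOCALAPPDATA")
    return [Path(env[n]) for n in names if env.get(n)]


def scan_tree(root, vendor_keywords, max_bytes=5_000_000):
    """Scan text files under folders whose path (below root) names a vendor."""
    keywords = [k.lower() for k in vendor_keywords]
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).lower()
        if not any(k in rel for k in keywords):
            continue
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            try:
                if path.stat().st_size > max_bytes:
                    continue  # skip very large files rather than load them
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: nothing to report
            hits = scan_text(text)
            if hits["emails"] or hits["ipv4"] or hits["usernames"]:
                findings.append({"path": str(path), **hits})
    return findings


# Constructed log content (documentation addresses, made-up account).
SAMPLE_LOG = """\
2022-03-01 18:22:07 INFO login username=alice_example
2022-03-01 18:22:07 INFO account email alice@example.org
2022-03-01 18:22:09 INFO local address 192.168.1.23, public address 203.0.113.45
2022-03-01 18:22:10 INFO connected to 198.51.100.7:1194
"""


def demo():
    """Build a throwaway ProgramData-like tree and scan it for ExampleVPN residue."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ProgramData"
        vpn_logs = root / "ExampleVPN" / "logs"
        vpn_logs.mkdir(parents=True)
        (vpn_logs / "client.log").write_text(SAMPLE_LOG, encoding="utf-8")
        other = root / "OtherApp"
        other.mkdir()
        (other / "app.log").write_text("user=bob 10.0.0.5\n", encoding="utf-8")
        return scan_tree(root, ["examplevpn"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, pass each path from `candidate_roots()` to `scan_tree()` with the name of the uninstalled client. Dotted version strings with four parts will also match the IPv4 pattern, so review hits by hand.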

In the past, NordVPN was called to task in a subreddit called r/assholedesign for disabling features when users turned off auto-renewal and for a “70% off” ad with fake timer that reset if users didn’t subscribe.

Though we didn’t come across either issue, we did come across other dark patterns, where four VPNs made it difficult to stop auto-renewal or cancel.

Our testing team found that ExpressVPN had an unusual user interface to cancel a subscription, requiring a consumer to click a button to turn off automatic renewal a total of three times.

NordVPN required multiple clicks to unsubscribe, followed by accessing an email confirmation (which expired in 15 minutes) to complete the cancellation process.

PureVPN had no menu method to unsubscribe and required consumers to either use the third-party payment processor or create a support ticket to do so.

Similarly, Surfshark made it hard to cancel the subscription: A tester on our team needed to send an email to do so.

ExpressVPN is owned by Kape Technologies, which was previously named Crossrider. And Crossrider was a plugin development platform that allowed users to distribute ad injection software, which some considered malware. (Kape did not respond to a request for comment.) Kape also previously operated software called Reimage, which is said to enhance computer performance but has been reported to signal false positives on its security tests in order to sell its premium service. Teddy Sagi, the owner of Kape Technologies, was listed in the Panama Papers as a sole shareholder of at least 16 offshore companies—primarily real estate—established through Mossack Fonseca, according to Haaretz. In 1996, 16 years before he acquired Kape Technologies, Sagi was sentenced to nine months in prison for bribery and fraud, according to the Financial Times.

PIA is also owned by Kape Technologies. Before its acquisition, the company hired Mark Karpeles, who was the former CEO of Mt. Gox Bitcoin platform. According to CNN Business, Karpeles was found guilty of illegally altering Mt. Gox’s electronic records to falsely inflate the company’s holdings by $33.5 million and was sentenced to 2½ years in prison, with a four-year suspension, which means he won’t have to serve time unless he commits a criminal act during that time. Karpeles was acquitted “on the more serious allegations of embezzlement and aggravated breach of trust,” according to CNN. He maintained his innocence throughout the trial and hasn’t made any recent statements to the media.

PIA founder Andrew Lee owns Freenode Limited, where there were mass resignations of staffers after a dispute over changes he imposed, according to Vice and Ars Technica.

Kaspersky Lab has faced allegations of engaging with the Russian FSB, which it has denied. In fact, the U.S. Department of Homeland Security banned Kaspersky products from U.S. government departments in 2017, and its ads were subsequently banned on Twitter, according to Reuters. There have also been news reports about allegations that hackers working for the Russian government stole confidential data from an NSA contractor’s home using Kaspersky antivirus software, and the Wall Street Journal reported on allegations that the Russian government uses Kaspersky antivirus software to “secretly scan computers around the world for classified U.S. government documents and top-secret information, modifying the program to turn it into an espionage tool.” Kaspersky denies these allegations as well. (It was found in 2015 that the antivirus software was not using security best practices.) CEO Eugene Kaspersky has worked for the Russian military, which was mandatory, and was educated in a KGB-sponsored technical college, though the company denies direct ties or engagement with the Russian government. Kaspersky Lab has committed to increased accountability, migrated some of its core infrastructure from Russia to Switzerland, and has solicited independent reviews and analysis of its source code.

VPNs often promise to not keep logs, leading privacy enthusiasts and criminals alike to falsely assume that their data is private. This idea is often dispelled in court documents, like when IPVanish handed over logs that weren’t supposed to exist. This happened when IPVanish was owned by Highwinds Network Group. Its next owner, StackPath, told TorrentFreak that the VPN under its management did not keep logs. IPVanish is now owned by Ziff Davis, previously called J2 Global. According to the site ProPrivacy, the IPVanish site itself claimed not to keep logs both before and after the incident.

ExpressVPN, on the other hand, told investigators it did not have any logs or customer data on a server in Turkey, which was raided by Turkish authorities, according to Hurriyet Daily News. According to the site, authorities said the server was used to hide details regarding an assassination of a Russian ambassador. ExpressVPN released a statement about the incident.

VPNs can offer some protection on untrustworthy WiFi networks, help circumvent some censorship blocks, keep your browsing habits away from ISPs, and limit some types of tracking—such as your IP address from websites you visit and the domains you connect to from your ISP. But masking an IP address is not the same as granting anonymity.

Not only can VPN providers see your real IP address but companies can also use many other methods to track users, such as device fingerprinting, browser fingerprinting, web cookies, tracking pixels, and more. Websites often request data that can pinpoint people’s geographic location, such as WiFi networks, device location based on GPS, cell tower identification (CDMA or GSM cell IDs), and more. Various companies collect wide-ranging data, beyond IP addresses, and sell that information to data brokers. Many of the risks that consumers use VPNs to try to protect against are already largely mitigated through the use of HTTPS. And many risks, such as social engineering, are not mitigated by using a VPN.

However, a number of VPNs do not refrain from making sweeping claims, or using potentially misleading or overly broad language to describe their tool and what it can do.

It’s worth noting that many of these VPNs are owned by the same companies, as previously mentioned. Aura (or Pango, in the U.S.) owns Betternet and Hotspot Shield. Ziff Davis owns IPVanish. (This was formerly J2 Global, which acquired Ziff Davis in 2012 and changed its name to Ziff Davis in 2021.) Kape owns CyberGhost and PIA, and recently acquired ExpressVPN.

Some of these companies have questionable histories.

TunnelBear was acquired by McAfee in 2018—and McAfee has had its own share of controversies prior to the acquisition. Without admitting wrongdoing, the company paid a $50 million penalty in 2006 when the Securities and Exchange Commission filed securities fraud charges saying the company overstated its net revenue, a type of accounting fraud that inflates revenue to investors. And in 2012, the company’s antivirus product turned off its AV protection and in some cases prevented connection to the internet—and, according to community posts, the company was slow to address the problem.

In the past, ExpressVPN, NordVPN, and Surfshark were not public about their ownership, though they have since released names.

In 2017, Hotspot Shield had an FTC complaint filed against it by the Center for Democracy & Technology (CDT). The complaint alleges undisclosed and unclear data sharing and traffic redirection. CDT claimed that Hotspot Shield intercepted and redirected web traffic to partner sites, including those belonging to ad companies, and that it monitors information about user browsing habits and transmits cell carrier data over an unencrypted connection. Hotspot Shield is owned by the same company that owns Betternet. It was formerly called AnchorFree and rebranded to Pango, and was later acquired by Aura. This complaint was filed when the VPN was owned by AnchorFree—and AnchorFree’s CEO told ZDNet that he disagreed with the complaint. We are not aware of any Federal Trade Commission investigation having been opened into this matter. The FTC declined to comment on whether it investigated.

VPN-Owned VPN Review Sites

Many publications that review VPNs use affiliate links, which doesn’t necessarily mean that these programs affect the reviews. However, there are some instances where companies that own VPNs also run the lists and do not fully disclose that they do so.

For example, Kape (which owns CyberGhost, ExpressVPN, PIA, and ZenMate) owns Webselenese, a marketing firm that runs the VPN review sites SafetyDetectives and vpnMentor.

And Ziff Davis, formerly J2 Global, which owns IPVanish, StrongVPN, and (which is becoming StrongVPN, according to its landing page), also owns PCMag, IGN, Mashable, ExtremeTech, RetailMeNot, and more. However, it does not appear to be promoting its brands heavily on the sites it owns in the way that Kape does.

NordVPN received flak for failing to immediately disclose a security breach to customers and the public until after a security researcher tweeted about it, 17 months after it took place. In that breach, attackers gained access to one of its servers through a remote management system and stole encryption keys that could be used to mount decryption attacks on some users. NordVPN reportedly stated that it had planned to reveal the breach after internal audits were completed. It also terminated its rental contract with the data center involved in the incident.

As separate independent research, VPNalyzer tested a total of 80 VPN providers—that also included the 51 VPNs tested for this report—and found several previously unreported issues such as traffic leaks during tunnel failure, and in some cases DNS and other traffic leaking even with the VPN’s kill switch feature turned on. It found that a majority of VPN providers and servers do not support IPv6. VPNalyzer identifies that adoption of good security and privacy practices such as doing DNSSEC and RPKI validation, and implementing a DNS proxy, is not uniform across VPN providers. Finally, it also found that malicious and deceptive behaviors by VPN providers such as traffic interception and manipulation are not widespread but are not nonexistent. In total, the VPNalyzer team filed more than 29 responsible disclosures, 19 of which were for VPNs also studied in this report, and is awaiting responses regarding its findings.
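To see whether a VPN client has handed DNS to one of the public resolvers named in the findings above (Cloudflare, Google, OpenDNS), the following added example, which is not from the whitepaper or this article, parses English-locale `ipconfig /all` output and labels each adapter's DNS servers. The adapter names and the sample output are constructed; the resolver addresses are the operators' published anycast addresses.

```python
import ipaddress
import re

# Published anycast addresses of the three public DNS services the paper names.
PUBLIC_RESOLVERS = {
    "Cloudflare": ["1.1.1.1", "1.0.0.1",
                   "2606:4700:4700::1111", "2606:4700:4700::1001"],
    "Google Public DNS": ["8.8.8.8", "8.8.4.4",
                          "2001:4860:4860::8888", "2001:4860:4860::8844"],
    "OpenDNS": ["208.67.222.222", "208.67.220.220",
                "2620:119:35::35", "2620:119:53::53"],
}
OPERATOR_BY_IP = {
    ipaddress.ip_address(addr): operator
    for operator, addrs in PUBLIC_RESOLVERS.items()
    for addr in addrs
}
DNS_LINE_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)")


def to_ip(token):
    """Parse an address, dropping any IPv6 zone id (fe80::1%12); None if not an IP."""
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None


def classify_resolver(addr):
    """Label one DNS server address by who is likely to answer it."""
    ip = to_ip(addr)
    if ip is None:
        return "not an address"
    if ip in OPERATOR_BY_IP:
        return "third-party public (%s)" % OPERATOR_BY_IP[ip]
    if ip.is_loopback:
        return "local stub"
    if not ip.is_global:
        return "non-routable (LAN or in-tunnel)"
    return "other public"


def parse_ipconfig_dns(output):
    """Map adapter heading -> DNS server list from `ipconfig /all` text."""
    adapters, current, in_dns = {}, None, False
    for line in output.splitlines():
        stripped = line.strip()
        # Adapter headings are unindented and end with a colon.
        if stripped and not line[0].isspace() and stripped.endswith(":"):
            current, in_dns = stripped[:-1], False
            adapters[current] = []
            continue
        match = DNS_LINE_RE.match(line)
        if match and current is not None:
            in_dns, token = True, match.group(1)
        elif in_dns:
            token = stripped  # continuation line: one more server address
        else:
            continue
        if to_ip(token) is not None:
            adapters[current].append(token)
        else:
            in_dns = False  # next field or blank line ends the server list
    return adapters


def third_party_dns(output):
    """Return only the adapters that point at a listed public resolver."""
    flagged = {}
    for adapter, servers in parse_ipconfig_dns(output).items():
        hits = [(s, OPERATOR_BY_IP[to_ip(s)]) for s in servers
                if to_ip(s) in OPERATOR_BY_IP]
        if hits:
            flagged[adapter] = hits
    return flagged


# Constructed `ipconfig /all` excerpt; "ExampleVPN" is a made-up adapter name.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Unknown adapter ExampleVPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.8.0.2(Preferred)
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       2606:4700:4700::1111
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for adapter, hits in third_party_dns(SAMPLE_IPCONFIG).items():
        print(adapter, hits)
```

A resolver in a non-routable range on the VPN adapter is usually the provider's in-tunnel resolver, but the address alone does not prove who operates it.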

Selecting a potentially good VPN provider

As i've stated multiple times on this website, one can never fully trust a VPN provider, but that doesn't mean that there aren't any ethical, high quality providers around. It only means that, ultimately, we don't have a comprehensive way to verify whether the claims they make are accurate. Many people will recommend using the freely available Tor network instead of a VPN, however there are valid concerns and technical limitations with Tor as well (see: Tor versus a VPN – Which is right for you?).

The previously quoted VPN White Paper provides a lot of good information for navigating the muck and mire of the VPN landscape, however i think it fails to sufficiently elaborate on the importance of a provider physically owning and securing its hardware. An ethical VPN provider may do everything right but if they don't own and physically secure their hardware, they leave their customers open to potential threats of all sorts.

As Michael Horowitz writes in his excellent article, VPNs and Defensive Computing, "Picking a VPN provider is mind bogglingly difficult" and i agree wholeheartedly. Michael provides lots of tips for weeding out the bad apples, and following are some of my own, based on my research and personal experience.

  • Never, ever trust a "free" VPN provider! Some may offer a free trial period however and that's OK.
  • No proper VPN will require the installation of any software in order to use their service and those offering client applications must provide the source code.
  • Any decent VPN provider will support the newer WireGuard protocol.
  • A good VPN provider will have physical ownership of their servers and will have secured them prior to installation in the data center.
  • A good VPN provider will run the operating system in RAM only (no hard drives).
  • A good VPN provider will not require any personal information whatsoever in order to create an account.
  • A good VPN provider will accept payment anonymously using cryptocurrency or mail-in cash.
  • A good VPN provider will be transparent in their operations, including any security issues that arise.
  • Needless to say, any decent VPN provider will have a strict no-log policy and will not block any ports.

The number of VPN providers that appear to meet the above criteria is stunningly small, so small in fact that there are only 3 of which i'm currently aware, they being AzireVPN, OVPN and Mullvad, though most servers for the latter are leased (you can filter Mullvad's servers a variety of ways using their own tool). Of these i currently use AzireVPN, however i think OVPN might be a better fit for some users. I say this because some of Azire's setup guides are outdated and they don't seem to be as mature as OVPN. Having said that however, i have virtually no complaints with Azire's service or support.

Recent changes to this article

  • added information about PureVPN
  • added info about Hari Ravichandran and EIG
  • corrected an error regarding Mullvad's owned vs. leased servers thanks to 'Mark'
  • added a link to Mullvad's 'Servers' page

9 thoughts on “Navigating the VPN Hellscape”

  1. I have never used a VPN as an always-on solution, like so many people seem to do. And for some of the very reasons outlined here. And even if/when you find a “good” one, it is only a matter of time before they turn against you a la startpage.

      1. i had the same thought; you’re either knowingly giving data to your ISP, and whoever they’re “sharing” with, or put it in the hands of a company that is at least potentially trustworthy

        i’ll be anxious to hear Phil’s response because i know for a fact he’s both very smart and *very* privacy aware

        1. >i’ll be anxious to hear Phil’s response

          Well… now I’m obligated I suppose. The thoughts ended up coming together in their own writeup. Likely too much to fit here. The short of it: Putting everything all through the one VPN exit point is fraught with peril. Break apart that network traffic signature into little bits and scatter them everywhere.

          1. read it – ok, split-tunneling, but for WireGuard (so not vpnh), and Linux, and preferably application-based

            found some interesting things along the way, but no viable solutions yet…

            * WireSock – High-Performance WireGuard VPN Client for Windows with Application Split Tunneling
            * dlenski/vpn-slice: vpnc-script replacement for easy and secure split-tunnel VPN setup
            * Routing & Network Namespaces – WireGuard
            * vpn-minute · GitLab
            * Policy-Based Routing – OpenWRT

  2. three points:
    1. Not trusting a free VPN is a bit too simplistic. A number of commercial VPNs have a free tier they offer as a sampler. Perhaps the most trustworthy of these is ProtonVPN. Other commercial VPNs with a free offering are Tunnelbear and Windscribe. I feel these three (and probably others I am not aware of) are in a very different category than VPNs that only have a free option.
    2. Windscribe does not use Cloudflare for their DNS, nothing could be further from the truth. Their DNS service, known as R.O.B.E.R.T. is outstanding.
    3. Thanks for the link :-)

    1. when i mention ‘free’, i’m referring to VPNs that advertise their services as being “free” – i don’t mean to condemn those offering a trial period

      as for the 3 VPNs you mentioned, and given how wildly shady this market is, i have set my bar pretty high; if they don’t claim physical ownership of their servers, i’m not interested – matter of fact, i’m about to mail Azire, which i’m currently using, and ask that they provide receipts for their hardware

      and you’re very welcome for the link!
