Connection Security and Privacy
Cone of Silence


There are two "directions" of VPN:
This section is talking about the first type.


How your traffic looks (request path from your PC to the web site; responses follow the same hops in reverse, with source and destination swapped):

Hop                        VPN encryption   IP addresses on the outside of the packet (src -> dest)
Browser                    none             PC LAN -> WebSite
VPN client                 encrypts         PC LAN -> VPN Srv (inner packet PC LAN -> WebSite)
PC's Wi-Fi adapter         encrypted        PC LAN -> VPN Srv
Router's Wi-Fi adapter     encrypted        Router public -> VPN Srv
Router, first ISP, internet   encrypted     Router public -> VPN Srv
VPN server                 decrypts         VPN Srv -> WebSite
Internet, site's ISP       none             VPN Srv -> WebSite
Site server                none             VPN Srv -> WebSite
Server OS TCP/IP           none             VPN Srv -> WebSite
Web server                 none             sees VPN Srv as the client's address

The "LAN" and first ISP could be your home LAN and ISP, or ones used by your school or library or restaurant where you use Wi-Fi.

If instead of a browser, you use a secure-messaging application such as Wire or Signal, that adds its own additional, innermost layer of encryption.

Advantages of using a VPN:

Some drawbacks of using a VPN:
[To avoid the last four issues, you may be able to add VPN exceptions or a proxy so that some sites don't go through the VPN, or set one browser or browser profile to use the VPN and another to not use it.]

Search Encrypt Blog's "The Case Against VPNs"

Some of the latest VPN stacks (OpenVPN, strongSwan, WireGuard), layer by layer:

User application (same for all three): Browser or SSH or SFTP or any other app or service; may have its own use of SSL/TLS.

VPN client application:
  OpenVPN: OpenVPN Connect, Tunnelblick, many others.
  strongSwan: strongSwan or Libreswan or Openswan.
  WireGuard: standard utilities such as ifconfig, ip-link, ip-address, and a new utility "wg", applied to new virtual network devices "wg0", "wg1", etc.

Authentication:
  OpenVPN: OpenSSL, HMAC ? Pre-shared keys (PSKs) ?
  strongSwan: IKE; pre-shared keys (PSKs).
  WireGuard: Cryptokey Routing, which associates public keys with IP addresses, and associates a network device with a private key and its peers.

Session key-exchange:
  OpenVPN: TLS; sometimes ECDH.
  strongSwan: IKE.
  WireGuard: Curve25519, Noise IK (plus optional PSK).

Transport-level encryption:
  OpenVPN: SSL/TLS (usually AES or Blowfish); uses the HTTPS port, so hard to block.
  strongSwan: none.
  WireGuard: none.

IP-level encryption:
  OpenVPN: none.
  strongSwan: IPsec (usually AES).
  WireGuard: ChaCha20 and Poly1305.

Transport protocol:
  OpenVPN: UDP or TCP.
  strongSwan: ESP or AH or UDP.
  WireGuard: UDP.

Link and physical layers (same for all three): Ethernet, Wi-Fi, etc.

There are more stacks: PPTP/IPsec (old), L2TP/IPsec (slower), SoftEther, SSTP/SSL (a bit Windows-oriented).
Jason A. Donenfeld's "WireGuard: Fast, Modern, Secure VPN Tunnel"
Rob Mardisalu article
Douglas Crawford article

From Windscribe Support about WireGuard, in 2020:

We are adding it to our service at some point, it's on the roadmap.

But there's nothing special about WireGuard. It's very barebones, which requires us to basically build our own framework for it.

It's also NOT made for consumer VPNs like Windscribe, it's made for the actual definition of VPNs which is to connect a group of people on the internet to a virtual private network.

Then as a VPN provider like us, we have to completely remove that functionality because we're not trying to connect multiple people together, we just want them connecting to the server. There's tons of firewalling involved to ensure that even though a bunch of people are on the same virtual network, nobody sees anyone else. You don't want to connect to a VPN server and a bunch of people can now reach your computer as if they were on the same network as you. That's not private at all and only puts you at way more risk than not using a VPN to begin with.

From what I know, there's no special care given to the WireGuard protocol to make it more in line with the privacy and anonymity-based consumer definition of a VPN, it's still just a different way of connecting a group of people together on the same network. But since everyone keeps asking for it and other companies are now starting to implement it, we'll have to do the same in order to keep up with the most current tech. We've got a lot on our plate right now though so it'll still take some time to get it implemented into our service.

pcWRT's "Performance comparisons of three VPN protocols on a budget router"

VPN client software:

To use a VPN, you have to have some client-side software installed at some level. Could be:

The client software could be:
OpenVPN is:
WireGuard is:
strongSwan is:
If the client piece is proprietary software from the VPN vendor, you're trusting it to a great degree: it can see all of your traffic, both unencrypted and encrypted. It could also install something else on your system; see Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping".

From someone on reddit's /r/VPN:
> On Android, should I install VPN provider's app directly, or
> should I set up OpenVPN per instructions on provider's website?

Often the custom VPN client supplied by a VPN service has nice features that make it preferable to use. The stock Android OpenVPN client is spartan. 'OpenVPN for Android' by Arne Schwabe is better. You choose based on features/convenience.

I tried OpenVPN client on Windows 10 with Windscribe VPN 4/2018:

Michael Horowitz's "An introduction to six types of VPN software"
corrad1nho / qomui (Qt OpenVPN Management UI; Linux GUI client)

Who can monitor/log your activity ?
The choice is:

Definitely, use your VPN's DNS server:
The VPN company already knows every domain you're accessing, so there's no harm in using their DNS.

The major benefit of using their DNS is that the connection to DNS goes through the same encrypted tunnel to the VPN server.

Their DNS server may include ad-blocking.

Ask if their DNS server uses DNSSEC to talk to other DNS servers; it should.


From /u/wilsonhlacerda on reddit:
> Which is the cheapest vpn app out there? That won't sell my info?

You never know if they will sell or not. If they will give it away or not. If they will spy on you or not. Or if they will give info when justice, government, cops, or similar demand it, or not. If not the company itself, then an employee will get your info, or not.

Yegor S's "Free VPN Myths Debunked"
William Chalk's "Who's Really Behind the World's Most Popular Free VPNs?"
Jan Youngren's "Hidden VPN owners unveiled: 97 VPN products run by just 23 companies"
Osama Tahir's "What VPN services aren't telling you about data logging"

Don't use a VPN provided by your email service or browser company or social media company. Use a VPN that is separate from all your other services, to reduce the knowledge that any one company has about your activities.

Excerpted from an FT article, on reddit 11/2018:
More than half of the world's 30 most popular smartphone apps for browsing the internet privately are owned by Chinese companies, according to a new study that raises significant privacy concerns.

Seventeen of the apps, which offer to connect users to the internet through a secure tunnel known as a "virtual private network" (VPN), were owned either by Chinese companies or companies appearing to have links to China.


But the companies operating them often had very limited privacy policies, said Simon Migliano, the head of research at, which reviews VPN services.

"We found a few apps that explicitly stated that users' internet activity was logged, which we have never seen anywhere else with VPNs. [VPN] policies usually state that they never ever log data," he said.

"We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy."


"It's pretty crazy that 60 per cent of apps we looked at didn't have a company website. Over half hosted their privacy policies on free wordpress blogs, that had ads on the page, full of typos and when you looked at them together, they had copied and pasted from each other in a sloppy way. This is far from what you'd expect from an internet company trying to protect your privacy."

Three of the apps - TurboVPN, ProxyMaster and SnapVPN - were found to have linked ownership. In their privacy policy, they noted: "Our business may require us to transfer your Personal Data to countries outside of the European Economic Area ("EEA"), including to countries such as the People's Republic of China or Singapore."

From someone on reddit:

VPN Kill Switch For Linux Using Easy Firewall Rules

If you're connected to a VPN, you need a killswitch. No, it's not as metal as it sounds. It's just a mechanism that stops your Internet connection when you're disconnected from the VPN. It protects you from inadvertently leaking sensitive information onto the Internet when the VPN connection drops.

Some VPN services provide clients with a built-in killswitch, but none are as reliable as using iptables. Since iptables is independent of your VPN service, and it's integrated into the kernel itself, it won't fail when your VPN does. Iptables is also a well-proven security technology that can and will keep your computer safe.

The Tin Hat's "The Best VPN Kill Switch For Linux Using Easy Firewall Rules"

Testing to see if all traffic actually goes through the VPN:

Testing performance:


Down and Up speeds are in Mbps. Latency in msec.
Each test was run twice, then rounded and averaged.
Not all tests were from the same VPN locations or to the same test locations.
Firefox browser. Vodafone ISP with fiber 100/100 service.

My tests with Windscribe on Ubuntu GNOME 20.04 6/2020, each entry Down / Up / Lat (first group of columns: Ethernet):
SpeedOf.Me: 100/85/55, 95/75/45, 45/60/40, 90/75/45, 80/55/80, 90/75/70, 90/90/60, 90/70/70, 85/85/75

Alan Henry's "Why You Should Be Using a VPN (and How to Choose One)"
Thorin Klosowski's "The Biggest Misconceptions About VPNs"
Viktor Vecsei's "Why you don't need a VPN"
joepie91's "Don't use VPN services"
Dennis Schubert's "VPN - a Very Precarious Narrative"
Max Eddy's "The Best VPN Services for 2020"
TheBestVPN's "Best VPN Services"
Amul Kalia's "Here's How to Protect Your Privacy From Your Internet Service Provider"
ProtonVPN's "VPN Threat Model" (what a VPN can and can't protect you from)
Troy Wolverton's "No perfect way to protect privacy"
Jonas DeMuro's "7 good reasons why a VPN isn't enough"
VPN Scam's "How to Avoid VPN Scams in 2017-2018"
reddit's /r/VPN
Wikipedia's "OpenVPN"

Private Internet Access (PIA) VPN

Some "VPNs" are just data-collecting operations:
Dell Cameron's "Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service"
Justin Cauchon about Verizon Safe Wi-Fi VPN

General complaint, from /u/wombtemperature on reddit 5/2017:

This VPN industry needs a wake-up call, ELSE a better way at helping the average joe at Starbucks. Guys. Like. Me.

I read. As such, I know the importance of a VPN. In fact, I have spent hours/days reading up on them. I have made excel spreadsheets to compare them (and looked at the ones on "that site"). I even WANT to give you my money to ensure I have a good one. As such, I have tried 4 paid popular ones I won't mention as I don't want to call them out, and spent a ton of time testing them on my PC and mobile.

They all are frustratingly SLOW. Or interfere with connections.

No matter what, all I want is a FAST secure connection I don't have to think about. Yet, I can't find a VPN that doesn't bring my public and often home network connections to a crawl. The expected "30% drop" is BS. And none automatically find me the best servers, and in fact often I can get faster servers 5000 miles away, but I have to manually select them.

I understand it's complicated. But I have stuff to do. Seriously. Which is why I want to pay someone else to think about these things and give me a good product.

You all sales-pitch me the "fastest speeds" but then I watch as my connection up and down speeds drop to pathetic - and I have the spreadsheets to prove it.

To anyone listening I speak for the masses ... take my money and give me a decent, secure VPN connection.

And if I am just not "reading enough" to know how to get what I am looking for, then it highlights my point that there is a problem out there for the non-technical guys like me who just want security without massive compromise and hours of research.
From /u/Youknowimtheman on reddit:

When we talk about speed drops, you're going to lose ~9% just because of how the encapsulation and encryption works. You're also going to lose about 10ms on pings because the actual encrypting and decrypting takes time.

It is also important to manage expectations when we talk about privacy networks that are based on shared connections. We have had a rash of users on our service that are unhappy with our "slow" performance because their gigabit connection slows down to 190Mbit. They don't understand the nature of VPNs and that in order to keep their information private, their traffic has to be mixed with other users on a server, and these servers are running the same 1Gbit connection that they have. Yes, it is 20% of your line speed, but at the same time it is extremely fast for the market generally, and pretty much the limits of what you'll see on a server with proper user densities to protect your information.

If you're talking about a 30% drop on 10 Mbit that is significant. If you're getting a 30% drop on 200Mbit that's absolutely normal.

There are also other factors that play into VPN performance, like distance from the server, which protocol they are using, etc.

In other words, you're always going to have some loss. If all factors are good, you can minimize that loss up to a limit in speed. More than 200 Mbit just isn't going to happen on a safe and private connection generally.

IPv6, from someone on reddit 6/2017:

> why do many VPN setup guides advise you to disable IPv6 ?

A lot of VPNs only handle IPv4, so on those any IPv6 traffic bypasses the VPN.

Easiest fix is to disable IPv6. Better long-term solution would be to get a VPN that properly handles IPv6.


... the main reasons are:

That's why, if you really care about security, your first concern is finding a strong VPN provider. Something like supporting IPv6 is not on most people's priority list, including not your VPN provider, except the best-in-class ones that at least prevent leaks at the client no matter which IP protocol they use.


Most budget/end user VPNs only cover IPv4 traffic, and anything sent over IPv6 is ignored.


I have seen anecdotally IPv6 messing up network applications. On more than one occasion.

Apparently there are a number of ways of setting your IPv6 address, and the number of them has grown since IPv6 first came out. Addresses can be permanent/unvarying (for servers), but outbound client traffic by default uses a temporary address (IPv6 "privacy extensions") so you can't be tracked. Generally your address is the same on LAN and WAN ?
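The fix the reddit reply above recommends, "disable IPv6", done as a sysctl drop-in, with a check of the file and of the running kernel. This is an added example written for this page, not something any of the posters or Windscribe supplied; the file name /etc/sysctl.d/99-no-ipv6.conf in the usage comment is my own choice, and the functions take the path as an argument so they can be exercised on a temporary file.

```sh
#!/bin/sh
# Added example (not from the page): write a sysctl drop-in that turns IPv6 off,
# so an IPv4-only VPN has no IPv6 traffic left outside the tunnel, then check it.

# write_ipv6_disable_conf PATH: write the three standard knobs to PATH.
# (PATH is /etc/sysctl.d/99-no-ipv6.conf in real use; any file when testing.)
write_ipv6_disable_conf() {
  cat > "$1" <<'EOF'
# Disable IPv6 so nothing can bypass an IPv4-only VPN tunnel
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
}

# conf_disables_ipv6 FILE: exit 0 only if FILE sets both the "all" and the
# "default" knob to 1 ("all" covers existing interfaces, "default" new ones).
conf_disables_ipv6() {
  grep -Eq '^[[:space:]]*net\.ipv6\.conf\.all\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" &&
  grep -Eq '^[[:space:]]*net\.ipv6\.conf\.default\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# kernel_ipv6_disabled: exit 0 if the running kernel already has IPv6 off.
# Reads /proc, so this only answers on Linux; elsewhere it exits 1.
kernel_ipv6_disabled() {
  f=/proc/sys/net/ipv6/conf/all/disable_ipv6
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Usage, as root:
#   write_ipv6_disable_conf /etc/sysctl.d/99-no-ipv6.conf && sysctl --system
#   kernel_ipv6_disabled && echo "IPv6 is off"
```

After "sysctl --system" the kernel check should succeed; if it does not, some other drop-in or NetworkManager is re-enabling IPv6 on an interface, and the leak tests mentioned on this page are the way to confirm that no IPv6 traffic still escapes the tunnel.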

Campbell Simpson's "CSIRO: Most Mobile VPNs Aren't Secure"
Sven Taylor's "VPNs are Using Fake Server Locations"
Violet Blue's "Is your VPN lying to you?"
Sunday Yokubaitis on companies behind various VPN brands

If you want to host your own outbound-to-internet VPN, you shouldn't do it on your home network, because you'll still be using your home ISP. Instead, you need to have a different ISP for your VPN server. Which probably means hosting the VPN server in a cloud service.
Jim Salter's "How to build your own VPN if you're (rightfully) wary of commercial options"
Romain Dillet's "How I made my own VPN server in 15 minutes"

One reason to build your own outbound-to-internet VPN (maybe hosted on a cloud service): some public networks (in hotels or schools or fast-food places) may block access to the IP addresses of well-known commercial VPNs, but the IP address of your personal VPN won't be in their block-list.

I tried ProtonVPN free, starting 9/2017:
Torrenting not allowed when using free version.

I don't see any slow-down, but I am in Spain and mostly using USA web sites, so my speeds probably already were slightly low.

If I'm using a VPN server in another country, and do a Google search, Google changes country to France or Latvia or wherever the VPN server is. So I get results in French or Latvian or whatever.

Each time I change to a VPN server in a new country:

In Windows 10, if you run the VPN and then click on the Network icon in the system tray and connect to Wi-Fi, it's possible to get connected to both the VPN and the normal Wi-Fi simultaneously. To fix this, I think you have to disconnect from both, then connect to Wi-Fi, then run the VPN.

I started using Windscribe 2/2018.

You could use the Tor network as a VPN:
GouveaHeitor / nipe

If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.

If you're abusing the VPN itself, such as sending out millions of spam emails through the VPN, don't expect a VPN or proxy company and their ISP to shield you. They may report you to law enforcement, or happily cooperate with law enforcement.

Sven Taylor's "OpenVPN vs IPsec, WireGuard, L2TP, & IKEv2 (VPN Protocols 2019)"
Sven Taylor's "WireGuard VPN: What You Need to Know" (status as of 6/2019)

Sven Taylor's "Multi-Hop VPNs for Maximum Privacy & Security (How-To Guide)"

Windscribe VPN

I started using Windscribe 2/2018, still using it 1/2020.

Free license. I installed only the Windows (VPN) part, not the Firefox (ad-blocker) part.

Limited to 10 GB per month in free version, less if you don't give an email address when you sign up. And 10 GB goes faster than you'd expect. Torrenting works.

Has a "kill switch": if the VPN connection goes down, your internet connection gets severed, instead of silently becoming non-VPN. Misleadingly, Windscribe calls this "firewall".

I'm sure some privacy-guys will say don't use Windscribe because they're a Canadian company, and 2/3 of their servers are in USA or Canada.

Seems to work well, good reviews online, turns out there are discount codes you can use to get a great deal. So I paid $41 for a Lifetime Pro subscription, unlimited devices, unlimited usage.

Installed it on my Android 6 phone, works okay. Apparently you're supposed to mark your home network as "untrusted", so that Windscribe automatically reconnects if connection drops and comes back ? I guess the theory is that you don't need VPN on a "trusted" network ?

But later, Windscribe kept failing to re-connect after Wi-Fi went down and back up. Changed to use Strongswan app and IKEv2 protocol, instead of Windscribe's app.
Windscribe's "IKEv2 Profile Generator"
Saved credentials in my password manager.
Someone else said you can do same with "OpenVPN for Android" app. strongSwan with IKEv2 is better at reconnecting than Windscribe client was, but maybe not 100%. Go to (System) Settings / More / VPN / strongSwan VPN Client, or "...", but no way to select "always-on" or any kill-switch, probably because I'm using Android 6.
Open the strongSwan app, highlight the VPN connection and click on Edit; you'll see lots of settings. Enable the two settings "Block IPv4 traffic not destined for the VPN" and "Block IPv6 traffic not destined for the VPN".
Wiki "strongSwan VPN Client for Android 4+"

I've done some occasional speed tests using my cheapo Dell laptop, Windows 10, Firefox, Vodafone fiber internet in Spain, VPN server in Spain or France. I'd say I see a performance penalty of 0 to 20% when using the VPN.

A few sites behave badly if I use Windscribe:
Have to use a USA Windscribe server to use PayPal USA.
If I'm using Windscribe, Ryanair won't let me log in.
If I'm using a non-USA Windscribe server, TaxAct Online won't let me log in.

I was able to connect from my location in Spain, to a Windscribe server in USA, and then to a streaming web site, and stream a football (soccer) game in Spain, although the window was only 640x480, I think.

There are several ways to install Windscribe client on Windows:

There is a special setup procedure for uTorrent application: Windscribe's "uTorrent Setup Guide". But you're still protected if you don't do that.

Windscribe client can be installed in a router: see "Windscribe for Your Router" section of Windscribe's "Setup Guides". Only one Windscribe server can be listed, so if that one goes away, no internet. Windscribe firewall runs in the client OS, not the router. If connection to server drops, what happens depends on your router firmware, nothing to do with Windscribe.

If you run Windscribe in the router and nothing at all in the clients, all traffic does go over the VPN.

People online say that in iOS (Apple), the "firewall" doesn't work, because of the architecture of iOS. What functionality is lost ?

I changed my laptop to Linux Mint 19, and installed Windscribe client Beta on it. If I try to turn on Linux firewall, the two firewalls fight each other, apparently. Windscribe Support says use one or the other. Support also says:
"There is currently no way to add rules to the Windscribe Firewall unfortunately. It either blocks everything that isn't coming from the VPN IP or it allows any connections to your direct IP. On and off. The only rule that we have built-in as an option is to allow LAN traffic so you can have the Firewall on and still connect to devices on your local network."
And then they said:
"The Windscribe Firewall is the Linux Firewall. The Windscribe CLI is using IPtables. Windscribe makes a rule to block everything that isn't in the VPN tunnel. The LAN traffic rule is just there if you do need it. The Firewall will block LAN traffic as well unless you don't want it to. And yes, there are instances where you'd want the Firewall to have exceptions for certain apps or services but since the Windscribe CLI is still in beta, we don't have those whitelisting options yet."

Client log file: /var/log/windscribe/windscribe.log
Also OpenVPN log file: /var/log/windscribe/ovpn_log.txt

10/2018 Windscribe announced their servers block IPs of known sources of malware, and soon their DNS's will be doing ad-blocking. The level of filtering will be adjustable.

12/2018 Found out that Windscribe VPN is blocking a domain I need; when it blocks something, it does it by mapping to localhost. A user can't whitelist a domain; user either turns all blocking down to a lower level, or file a Support ticket asking for that one domain to be whitelisted (for everyone).

3/2019: They confirmed that their DNS's use DNSSEC to talk to other DNS's. Later someone on reddit said "DNSSEC is not required when IKEv2 is secured by SSL certificates (Let's Encrypt). It's only required when you are distributing the certificates via DNS itself."

7/2019: Found that their filter/firewall "Robert" supports redirecting (spoofing) domains. This is dangerous, if someone gets into your account.

3/2020: stopped working through Windscribe, because of some changes Windscribe made. Work-around: in Windscribe account, set "Unblock Streaming" to "off".

About using Windscribe client instead of OpenVPN client, on Linux, from someone on reddit: "The advantages for the Windscribe client are the firewall, you don't need to set up the openvpn certs (you can just pick any location), you can connect to the best location with windscribe connect best, and you can change the port/protocols easier."

Configuring Windscribe with Network Manager on Linux (guide)

1/2020: Changed my Linux Mint 19 system to stop using proprietary Windscribe client, and use strongSwan / IKEv2 / IPsec client instead.

Alternative architectures:
I think you have your choice of these stacks (from oldest to newest):

Windscribe's "IKEv2 Profile Generator"
Saved credentials in my password manager.

"The IKE protocol uses UDP packets and UDP port 500."
Open-source implementations of IKEv2 include: OpenIKEv2, Openswan, and strongSwan.
It's less feasible for a network admin to block OpenVPN (which uses HTTPS port 443), than to block IKEv2 (which uses UDP port 500).

I tried things a bit out of order, got things mixed together, hope I've sorted out things properly in the following sections:

IPsec config method:

Mostly following first half of /u/nosmokingbandit's "Using IKEv2 on Linux":
sudo windscribe stop
sudo systemctl stop openvpn
sudo systemctl disable openvpn

apt install strongswan-starter libstrongswan-extra-plugins libcharon-extra-plugins

sudo xed /etc/ipsec.conf
# and add:
conn windscribe-es      # name I picked
  dpdaction=restart     # restart if connection drops
  dpddelay=300s          # how often to send packet to do Dead Peer Detection
  keyingtries=%forever      # keep trying to connect, forever
  eap_identity=MYUSERNAME   # username from
  right=   # address from ping
  auto=start            # start at system boot; if not, set to "add"
# man ipsec.conf

sudo xed /etc/strongswan.d/charon/kernel-netlink.conf
# and after line "# mtu = 0" add:
mtu = 1300
# use "tracepath" to see how hops in a route might be changing MTU

sudo xed /etc/ipsec.secrets
# and add (with the spaces exactly in the places shown; MYUSERNAME and MYPASSWORD
# are placeholders for your IKEv2 username and password):
MYUSERNAME : EAP "MYPASSWORD"

# check that this directory is empty:
ls /etc/ipsec.d/cacerts

# then make IPsec just use the OS certificates:
rmdir /etc/ipsec.d/cacerts
ln -s /etc/ssl/certs /etc/ipsec.d/cacerts

# Edit /etc/resolvconf/resolv.conf.d/tail to contain (first line is a comment):
# following is from /etc/resolvconf/resolv.conf.d/tail
nameserver       # OpenDNS
# If you wanted to remove other lines, maybe
# edit /etc/NetworkManager/NetworkManager.conf and add "dns=none" in [main] section

sudo ipsec restart
sudo ipsec up windscribe-es     # or whatever connection name you picked
# see message "connection 'windscribe-es' established successfully"

# to switch from one connection to another, take old one down before putting new one up:
sudo ipsec down windscribe-es     # or whatever connection name you picked
sudo ipsec up windscribe-usa     # or whatever connection name you picked

cd /tmp && rm -f ip && wget -q && cat ip && rm -f ip
# or
curl --get && echo
# and you should see an address in same subnet as the "right=" address you used
# probably 89.238.178.n
# see if it's similar

# run leak tests such as and
# tests passed, for me
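The "same subnet as the right= address" check above can be scripted instead of eyeballed, which also covers the earlier "Testing to see if all traffic actually goes through the VPN" item. This is an added example written for this page, not the page's own or strongSwan's code; it assumes the VPN server hands out public addresses in the same /24 as the gateway address (as these notes observed with 89.238.178.n), and the URL of the IP-echo site is left for you to fill in, as it is in the notes.

```sh
#!/bin/sh
# Added example (not from the page): is the public address we see while the VPN
# is up inside the VPN server's subnet? Pure POSIX sh, no network needed to test.

# ip4_to_int A.B.C.D: print the address as an integer; fail on malformed input.
ip4_to_int() {
  case $1 in *[!0-9.]*|"") return 1 ;; esac
  IFS=. read -r a b c d <<EOF
$1
EOF
  for p in "$a" "$b" "$c" "$d"; do
    [ -n "$p" ] && [ "$p" -le 255 ] || return 1
  done
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP CIDR: exit 0 if IP lies inside CIDR, e.g. 89.238.178.0/24.
in_subnet() {
  net=${2%/*}
  bits=${2#*/}
  [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
  ipn=$(ip4_to_int "$1") || return 1
  netn=$(ip4_to_int "$net") || return 1
  # host bits cleared; the & keeps the mask within 32 bits on 64-bit shells
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# vpn_ip_check OBSERVED RIGHT: compare the observed public address with the /24
# of the "right=" gateway address. Exit 0 = leaving through the VPN's network;
# exit 1 = it is not (tunnel down, or traffic bypassing it).
vpn_ip_check() {
  in_subnet "$1" "${2%.*}.0/24"
}

# Usage (fill in the IP-echo URL you use and your right= address):
#   vpn_ip_check "$(curl -s <IP-echo URL>)" <right= address> && echo "VPN in use" || echo "LEAK?"
```

Running this on a timer (cron or a systemd timer) around the dpddelay window described below gives a record of exactly when the connection fell back to the ISP's address.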

# Tried unplugging from Ethernet, waiting a minute or two, plugging back in.
# Checked IP address and saw ISP's address not VPN address.
# Waited 10-15 seconds (dpddelay), checked IP address and ran leak tests again,
# all is well, system is connected to VPN again.

# But: there is a time-window where the VPN is not being used, and traffic
# still can go out.  Not sure if same would happen if you're using VPN
# and Windscribe server crashes for some reason.  How to stop this ?
# Need a "kill switch".
# Need to create another connection with "type=drop" ???
# ipsec _updown script ?
# need to install swanctl (see section below)

# from Windscribe Support: to make a "kill switch", create iptables
# rule to DROP all packets that are not UDP on 500+4500 (ports IPsec uses)
# so I created a file with (simplified) these commands:
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --match multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A INPUT -d -j ACCEPT
iptables -A INPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P OUTPUT ACCEPT   # want to change to DROP, but keep getting DNS traffic
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A OUTPUT -p udp --match multiport --dports 500,4500 -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
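The rules above, together with the "kill switch" idea from the Tin Hat article quoted earlier, can be expressed as one iptables-restore ruleset that keeps OUTPUT at DROP. What follows is an added example written for this page, not code from the page, from Windscribe Support or from strongSwan; it assumes an IKEv2/IPsec client like the one configured in this section, and the addresses 203.0.113.10 and 192.168.1.0/24 in the usage comment are constructed placeholders for the server's "right=" address and your LAN.

```sh
#!/bin/sh
# Added example (not from the page): generate a VPN kill-switch ruleset for an
# IKEv2/IPsec client in iptables-restore format. Both policies are DROP; only
# loopback, replies to connections this host opened, IKE/NAT-T and ESP to the
# VPN server, packets covered by an IPsec policy (i.e. inside the tunnel) and,
# optionally, the LAN are allowed. Nothing here touches the live firewall.

# vpn_killswitch_rules VPN_SERVER [LAN_CIDR]: print the IPv4 ruleset.
vpn_killswitch_rules() {
  vpn_server=$1
  lan_net=$2
  case $vpn_server in
    ""|*[!0-9.]*) echo "vpn_killswitch_rules: '$vpn_server' is not an IPv4 address" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host already opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE (500) and NAT-T (4500), but only to and from the VPN server
-A OUTPUT -d $vpn_server -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -s $vpn_server -p udp -m multiport --sports 500,4500 -j ACCEPT
# ESP, for when the tunnel is not UDP-encapsulated
-A OUTPUT -d $vpn_server -p esp -j ACCEPT
-A INPUT -s $vpn_server -p esp -j ACCEPT
# plaintext packets the kernel will wrap in (or has unwrapped from) IPsec
-A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
EOF
  if [ -n "$lan_net" ]; then
    cat <<EOF
# optional: local network stays reachable (printer, NAS) even with the VPN down
-A OUTPUT -d $lan_net -j ACCEPT
-A INPUT -s $lan_net -j ACCEPT
EOF
  fi
  echo COMMIT
}

# vpn_killswitch_rules6: IPv6 gets nothing but loopback, same as the page's
# "ip6tables -P INPUT DROP / OUTPUT DROP", since the tunnel carries IPv4 only.
vpn_killswitch_rules6() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Usage, as root, once the ipsec connection is set to auto=start:
#   vpn_killswitch_rules 203.0.113.10 192.168.1.0/24 | iptables-restore
#   vpn_killswitch_rules6 | ip6tables-restore
```

The "-m policy --pol ipsec" matches are what let OUTPUT stay at DROP without the DNS problem noted on the OUTPUT line above: while the tunnel is up, a query to the provider's resolver has an IPsec policy and is accepted; while the tunnel is down, it matches nothing and is dropped rather than leaving in the clear. If you keep the LAN exception, don't use your router as the resolver, or that exception becomes a DNS leak during the reconnect window.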

sudo ipsec statusall
sudo journalctl | grep Windscribe
sudo journalctl | grep charon

# There is a HUGE amount of logging in the journal by Charon and IPsec
man strongswan.conf   # see LOGGER CONFIGURATION section
sudo xed /etc/strongswan.d/charon-logging.conf
# in syslog section, add line:
    default = 0
# rebooted
# but that doesn't seem to have done much, removed it and tried:
man ipsec.conf    # parameter "charondebug"
sudo xed /etc/ipsec.conf
# and in section "config setup" add:
charondebug = dmn 1, mgr 1, ike -1, chd 0, job 0, cfg 0, knl 0, net -1, asn 0, enc -1, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0

# COULD do this, I haven't done it:  in ipsec.conf connection section:
leftfirewall=yes  # disables use of iptables once VPN is connected ?

# Wanted to make a connection to disable the VPN so I can use some site that
# won't tolerate a VPN.  Couldn't get the new connection to work.
# But (with DNS addition in /etc/resolvconf/resolv.conf.d/tail), just
# taking down the Windscribe connection (and resetting iptables) is enough;
# don't need this connection definition (which doesn't work anyway).
sudo xed /etc/ipsec.conf
# and add:
conn no-vpn      # name I picked
    rightsubnet=        # also tried %any
#    auto=route
sudo xed /etc/swanctl/swanctl.conf
# and add (braces closed here; the passthrough child lets traffic bypass IPsec):
connections {
    no-vpn {
        remote_addrs =
        children {
            passthrough-1 {
                local_ts = %any
                remote_ts = %any
                mode = pass
            }
        }
    }
}


strongSwan config method:

apt install strongswan-swanctl

# charon daemon probably is running already, but check:
sudo ps -ax | grep charon
# if not:
sudo /usr/libexec/ipsec/charon

sudo systemctl enable strongswan.service
systemctl status strongswan

# list connections
sudo swanctl -L

man swanctl
man swanctl.conf      # /etc/swanctl/swanctl.conf
man strongswan.conf   # /etc/strongswan.conf and /etc/strongswan.d/*

Main config file is /etc/strongswan.conf, but make any changes in /etc/strongswan.d/*
After any configuration change, do "systemctl restart strongswan" and "sudo ipsec restart".

"strongSwan is basically a keying daemon, which uses the Internet Key Exchange protocols (IKEv1 and IKEv2) to establish security associations (SA) between two peers." Charon is a keying daemon that implements the IKEv2 protocol for strongSwan.
"The actual IPsec traffic is not handled by strongSwan but instead by the network and IPsec stack of the operating system kernel."
Introduction to strongSwan

strongSwan through Network Manager method:

Tried installing from Mint's Software Manager ("Strongswan IPsec VPN solution metapackage" and "Strongswan-nm"), didn't work. Tried other things, no luck.

"sudo apt-get install network-manager-openvpn-gnome"
"apt install strongswan" and "apt install network-manager-strongswan" and "apt install strongswan-charon" and "apt install libcharon-extra-plugins". Click network icon in system tray, Network Settings, Network Proxy, "+", get "Add VPN" dialog, choose "strongSwan", get another "Add VPN" dialog where you specify details. If you have a username and password, set "Authentication" to "EAP". Specify username, but there's no way to specify password ? Click "Add" button. Dialog closes and back to "Network" window. Select the VPN you just created and click "On". But fails to connect, every time.

4/2020: installed Linux Ubuntu 20:

Went to Settings / Network / Wired.
Clicked "+" next to VPN.
Types offered are OpenVPN and PPTP and "Add from file".

sudo apt install strongswan network-manager-strongswan libcharon-extra-plugins
Now have another choice "IPsec/IKEv2 (strongSwan)" in there.

Tip: In Network Manager, keep connection profile names descriptive and short, so they appear well in the desktop menu. E.g. "Winds-Open-NYC" instead of "Windscribe-OpenVPN-NewYorkCity".

Create an IKEv2 connection:

Gateway address from ping
Authentication = EAP.
Username from Windscribe.
Enable "Request an inner IP address".
Enable "Enforce UDP encapsulation".
Click "Add" button.
Copy password into clipboard.
Move slider to enable VPN.
Paste password into dialog.

Password is NOT remembered once the IKEv2 connection profile is set; you have to type it in each time you connect.

Connection is unreliable for some sites.
sudo gedit /etc/strongswan.d/charon/kernel-netlink.conf
# and after line "# mtu = 0" add:
mtu = 1300
# then reboot
# that helped a bit, but still not 100%


Logged into Windscribe account and got (contains ca.crt and ta.key files) and Windscribe-*.ovpn files and username and password.
Move the ca.crt and ta.key files to somewhere permanent; Network Manager seems not to keep its own copies of them.

sudo apt-get install network-manager-vpnc   # doubt this is needed

Go to Settings / Network / Wired.
Click "+" next to VPN.
Click "Add from file".
Select the Windscribe-*.ovpn file.
See dialog; Gateway field should be populated, Authentication type = Password.
Type in username and password.
CA certificate field should be a .pem file.
Click Advanced.
Click TLS Authentication tab.
Under "Additional TLS authentication ..." should be Mode = TLS-Auth, Key-file = ta.key, Key Direction = 1, Extra certificates = ca.crt.
Click Okay.
Click Add.

Move slider to enable VPN.
In upper-right of desktop, see white rectangle "VPN" appear !
Do browser leak-tests.

After reboot, OS does not reconnect to VPN automatically.
Do "sudo nm-connection-editor" to set that.
Now after reboot, OS does not reconnect to wired ethernet automatically (!), but when you manually turn on wired ethernet, it WILL reconnect to VPN automatically.
Behavior is different for Wi-Fi ? Will connect to Wi-Fi automatically, but won't reconnect to VPN automatically ? Not sure.

Later, Windscribe sent me some configuration files, one per VPN server. They're .txt files that each have a complete Network Manager (or is it OpenVPN ?) VPN definition in them. [They're OpenVPN "unified connection profile" files, sometimes named with .ovpn extension; see OpenVPN's "Connection Profile creation".]
Do Settings / Network / VPN + / Import from file, give it one of these files, type in your username and password, done.
[nm-connection-editor will export a VPN connection to a file, but only for OpenVPN connections.]

Password is remembered once the OpenVPN connection profile is set; don't have to type it in each time.

To see connections: "nmcli". Also "nmcli general status".
To get GUI version for bug-reporting: "NetworkManager --version".
"ls /etc/NetworkManager/system-connections"

Note: Network Manager is a component: NetworkManager / issues

Same issue with all types of VPN: when boot system, wired ethernet will be off. Have to turn it on before VPN's "connect automatically" setting works.

WireGuard with Linux Ubuntu 20.04:

[Caution: later heard from someone on reddit who installed WireGuard into Mint 19 (probably 19.3) and something destroyed all his network interfaces, he had to re-install the system.]

I don't have a VPN service that supports WireGuard yet. Just curious.

sudo apt install wireguard
sudo modprobe wireguard
lsmod | grep wireguard
sudo ls /etc/wireguard

# 5/2020: I think no Network Manager GUI support yet;
# can't click "+" to create a WireGuard connection profile

nmcli connection add type wireguard ifname wg0 con-name Winds-WireG-Spain
# profile doesn't appear in Network Manager GUI
nmcli --overview connection show Winds-WireG-Spain

Thomas Haller's "WireGuard in NetworkManager"


A proxy just redirects your traffic, making it come out from a different computer with a different IP address. It doesn't add any encryption.

Proxies have most of the same drawbacks as VPNs (added point of failure, some sites may not allow, have to trust provider, etc), but the performance penalty for a proxy should be much less than that for a VPN.
"What proxy servers are and how they differ from VPNs"
Jason Fitzpatrick's "What's the Difference Between a VPN and a Proxy?"

Hide My Ass! (free proxy server)
Public CGI (Web, PHP) anonymous proxy free list
search for Firefox proxy add-ons

Router And Modem

Parts of a router/modem:
These parts may be packaged into two devices (modem and router) or one device (router/modem).

General functional block diagram (flattened from the original figure):

  WAN connection (fiber, cable, phone line)
       |
  NAT (many LAN devices share one public IP address)
       |
  Firewall (filter traffic to prevent attacks)
       |
  Router (DHCP to assign LAN addresses; map IP addresses to external/Ethernet/Wi-Fi)
       |
  LAN Ethernet ports (devices connected via Ethernet)   |   Wireless Access Point (devices connected via Wi-Fi)

Typical configurations:
Implications: From someone on reddit 7/2019:
You should have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.

If you have separate modem and router, plugging your PC directly into the modem for troubleshooting or something is a bad idea. You expose your PC directly to the internet and lose any protections implemented in the router.

Router operating systems:

OPNSense is derived from pfSense. OPNSense is more community-oriented; pfSense is more enterprise-oriented and more stability-oriented. Instructions/answers/support for pfSense mostly apply to OPNSense too.

Nick Congleton's "DD-WRT vs. Tomato vs. OpenWrt: Which Router Firmware Is the Best?"

Router features:

Features that seem unimportant to me: parental controls, dual-band, built-in anti-malware, MU-MIMO, smartphone app to control router, Quality of Service (QoS) or Wi-Fi Multimedia traffic controls, mesh networking, USB port to make a NAS. Your priorities may be different.

Heard this, not sure if it's standard terminology/functionality: a device on a VLAN can talk to any other device on same VLAN, and to internet; a device on a guest network can only talk to internet.

Turris MOX (open-source router)

Ethan Robish's "Home Network Design - Part 1"

Michael Horowitz's "Router Security"
Michael Horowitz's "Using VLANs for Network Isolation"

Sean Gallagher's "InvizBox 2 redefines what 'privacy' routers can do"

Router features you probably want to turn off:

Fixed IP address assignment on home LAN, from discussion on reddit:


A firewall lets you control what kinds of traffic flow in and out of your network.

Some types:

Wikipedia's "Firewall (computing)"
Palo Alto Network's "What Is a Firewall?"
Cisco's "What Is a Firewall?"
Chris Hoffman's "Do I Need a Firewall if I Have a Router?"

A firewall could be:

Torrent Seedbox

A Seedbox is a torrent client on a cloud/server computer. All torrents go to that server, then you FTP from that server to your computer. So if your ISP doesn't allow torrenting, or you're downloading copyrighted material, this evades those problems.

Seedbox Guide's "What is a seedbox?"

DNS (Domain Name Service)

DNS is how domain names such as "" are resolved into IP addresses such as "".

Most likely, your computer is using either Google's Public DNS ( or, or a DNS run by the ISP or VPN you are using, or is set to find a DNS automatically (which probably means: DNS run by the ISP or VPN).

To find out what DNS you are using:

A few other settings are shown by Cloudflare's "Browsing Experience Security Check".

Test both with VPN on and with VPN off. There WILL be times you need to turn the VPN off to access some site.

The DNS can see what sites (domains) you are connecting to, but not which pages or URLs or searches you are doing on those sites.

What to use:

How to set DNS for the case when VPN is off:

I'm surprised that I couldn't get ANY of this to work !!!

  1. Turn off VPN.

  2. Run to see what DNS server is being used.

  3. In router:
    1. Login to router's admin page.
    2. You may have to set "expert mode".
    3. Look for any DNS settings.
    4. My Vodafone router only has a "Secure DNS" setting. The text for this implies that it overrides DNS settings in individual devices, but I'm not sure. Turning it off did not let me specify a DNS server address. Turning it off did not make Linux use its own DNS settings. Power-cycling router didn't help.
    Tim Fisher's "How to Change DNS Servers on Most Popular Routers"

  4. Run to see what DNS server is being used.

  5. In Linux Ubuntu/Mint:
    1. Click on network icon in system tray and choose "Network Settings".
    2. Click on the network interface (Wi-Fi or Wired).
    3. Click on "gear" icon in lower-right.
    4. Click on "IPv4".
    5. In the "DNS - Server" field, put the value you want, such as "".
    6. Set the "DNS - Automatic" switch to "off".
    7. Click on "Apply".
    8. Close "Network Settings" app.
    9. Click on network icon in system tray and turn the network interface (Wi-Fi or Wired) off and then back on.
    10. Reboot.
    11. Didn't work, still using ISP's DNS.
    12. Later set DNS on other network interface, and got different results ? Have to do both same way ?
    Another try:
    1. Edit "/etc/network/interfaces" as root, add line "dns-nameservers".
    2. Run "cat /etc/resolv.conf"
    3. Reboot.
    4. Run "cat /etc/resolv.conf", now new line appears in it.
    5. Didn't work, still using ISP's DNS.
    Ended up worse than before: now, with VPN on, I'm getting a DNS leak to Removed the line from /etc/network/interfaces and rebooted, that fixed it.

    Maybe should remove "nameserver 127..." line from /etc/resolv.conf somehow ?

  6. In Windows:
    1. ???
    Mauro Huculak's "How to configure Cloudflare's DNS service on Windows 10 or your router"

  7. In Android:
    1. Turn off VPN.
    2. XSLab's "How to Change DNS Settings on Android" or Xtremerain's "How to Change DNS Settings on Android Devices (WiFi and Cellular)"
    3. Followed the "long-press on Wi-Fi network" instructions, everything fine except you really have to specify static addresses for phone (maybe and router/gateway (maybe

  8. Run to see what DNS server is being used.

  9. In Firefox:
    1. Click on hamburger icon / Preferences.
    2. Click on General.
    3. Scroll to bottom, click on Network Settings.
    4. In "Configure Proxy Access to the Internet", click on "No Proxy".
    5. Scroll to bottom, click on "Enable DNS over HTTPS", set "Use Provider" to desired value.
    6. Didn't work, now getting DNS requests from both the provider I chose AND from my ISP's DNS. One request from provider, plus N from ISP's DNS. Could be that first is for the main page and then others are for images/scripts on the page ?

  10. In Chrome / Chromium:
    1. ???

  11. Run to see what DNS server is being used.

  12. Turn VPN back on.

  13. Run to see what DNS server is being used.

If you're using a VPN or proxy or Tor to hide your normal traffic from your ISP or someone spying on your network, yet your DNS traffic is NOT going through the VPN etc, this is called a "DNS leak". A web page may be able to use JavaScript to find out your real IP address, even though you're using a VPN etc.
Wikipedia's "DNS leak"
DNS leak test
Anonymster's "VPN Free DNS Leak Test & DNS Leak Protection"
Bill Hess's "What Is a DNS Leak And How To Fix It"
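An added example of my own (not from this page or any project) covering both the Linux DNS-setting steps above and the DNS-leak question: it reports which resolver the system is really using and whether queries to each configured server leave through the VPN interface. One reason the resolv.conf and /etc/network/interfaces edits above do nothing on Ubuntu 20.04 is that /etc/resolv.conf there is a symlink to systemd-resolved's stub file listing only 127.0.0.53, so hand edits are overwritten and the real upstream servers are only visible with `resolvectl status`, while the `dns-nameservers` keyword is read only by ifupdown, which does not manage NetworkManager-controlled interfaces. The addresses 1.1.1.1, 9.9.9.9 and 10.8.0.x used in the test are constructed sample data, and `ROUTE_CMD` is my own hook for substituting the live `ip route get` lookup.

```shell
#!/bin/sh
# Added example, not from this page: show which resolver Linux really uses and
# whether queries to it are routed through the VPN.
# The NetworkManager equivalent of the "IPv4 / DNS / Automatic off" GUI steps:
#   nmcli connection modify "<con-name>" ipv4.dns "9.9.9.9" ipv4.ignore-auto-dns yes
#   nmcli connection up "<con-name>"
# (9.9.9.9 is just a sample value here.)

# classify_resolver [resolv.conf]: prints
#   stub:systemd-resolved | local:<ip> | direct:<ip>[,<ip>...] | none
classify_resolver() {
    f="${1:-/etc/resolv.conf}"
    servers=$(awk '$1 == "nameserver" { s = s (s ? "," : "") $2 } END { print s }' "$f")
    case "$servers" in
        "")           echo "none" ;;
        127.0.0.53*)  echo "stub:systemd-resolved" ;;   # real servers: resolvectl status
        127.*|::1*)   echo "local:${servers%%,*}" ;;    # local cache such as dnsmasq
        *)            echo "direct:$servers" ;;
    esac
}

# route_egress "<one line of ip route get <ip> output>": the device the packet
# leaves on, flagged as a tunnel for OpenVPN (tun*) or WireGuard (wg*).
# Caveat: policy-based IPsec (strongSwan) has no tunnel device; the route shows
# the physical interface and "ip xfrm policy" must be checked instead.
route_egress() {
    dev=$(printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    case "$dev" in
        tun*|tap*|wg*|ppp*) echo "tunnel:$dev" ;;
        "")                 echo "unknown" ;;
        *)                  echo "clear:$dev" ;;
    esac
}

# dns_leak_report [resolv.conf]: one line per configured server with its egress.
# A "clear:" line while the VPN is up is a DNS leak. Uses the live routing table
# unless ROUTE_CMD names another command.
dns_leak_report() {
    f="${1:-/etc/resolv.conf}"
    for s in $(awk '$1 == "nameserver" { print $2 }' "$f"); do
        case "$s" in
            127.*|::1) echo "$s local-stub (upstream servers: resolvectl status)"; continue ;;
        esac
        line=$(${ROUTE_CMD:-ip route get} "$s" 2>/dev/null | head -n 1)
        echo "$s $(route_egress "$line")"
    done
}
```

Run `dns_leak_report` once with the VPN off and once with it on, as the text recommends, and compare with what the browser-based leak-test sites show; the script sees the per-link configuration that those sites cannot.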

Nykolas Z's "DNS Security and Privacy - Choosing the right provider"

Some good reasons to use Google's Public DNS:
Joseph Caudle's "Why and How to Use Google's Public DNS"
Vijay Prabhu's "How to Change Your Default DNS to Google DNS for Fast Internet Speeds"

Choosing a DNS by speed:
John E Dunn and Tamlin Magee's "Best free DNS services 2019"
Remah's "How to Find the Best DNS Server"
Chris Frost's "Clearing the DNS Cache on Computers and Web Browsers"

My computer (running Windows 10) was set to "find DNS automatically", which meant it was using the DNS run by my ISP. I ran namebench several times, and results varied, but generally the DNS run by my ISP was fastest or among the fastest. So I left my computer set to "find DNS automatically".

From someone on reddit:
"some routers ignore individual device settings, so if that's the case you have to change the DNS settings on your router to whatever server you want to use"

There are various flavors of encrypted connection to DNS, it's confusing:

Test with: and Cloudflare's "Browsing Experience Security Check".

Sean Gallagher's "How to keep your ISP's nose out of your browser history with encrypted DNS"
DNSCrypt Proxy
Domain Name System Security Extensions (DNSSEC)

OpenDNS (includes blacklist of bad sites, at the DNS server)

To check what software a DNS server is running:
"sudo apt install fpdns" and then "fpdns -D YOURDOMAIN"
"dig @NAMESERVERNAME version.bind chaos txt"
"nslookup -type=txt -class=chaos version.bind NAMESERVERNAME"

MAC Address

This is an address unique to the network access card/hardware in your device.

Your MAC address doesn't get out to the Internet. Only people/devices on the same LAN as you can see your MAC address. (That sometimes includes people sharing Wi-Fi with you.) But if you're using public or store or hotel Wi-Fi, now the operator of that network knows your MAC address, and can sell that info. It can be used to track your activity across networks and sites.

In TCP/IP, your MAC address doesn't go beyond your local network (if using a router) or your ISP (if using only a modem). It would be possible for an app on your computer/phone to grab the MAC address and send it out in some custom way.

Change your MAC address:
Mac Makeup
Technitium MAC Address Changer (Windows only)
Linux Geekster's "3 Ways to change the MAC address in Linux and Unix"
OSTechNix's "How to change MAC address in Linux"
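An added example of my own (not from this page or from the tools listed above) showing what a MAC changer actually produces and how to get the same effect from NetworkManager's built-in option without extra software. The `nmcli` properties named in the comments are real NetworkManager settings; the `<con-name>` placeholder is whatever your connection profile is called.

```shell
#!/bin/sh
# Added example, not from this page. NetworkManager can randomise the address
# per connection without any add-on:
#   nmcli connection modify "<con-name>" wifi.cloned-mac-address random
#   nmcli connection modify "<con-name>" ethernet.cloned-mac-address random
# "random" gives a new address on every connect; "stable" keeps one fake address
# per profile, so a home router's DHCP reservation still works while a hotspot
# never sees the hardware address.

# random_mac: print a random MAC with the locally-administered bit set and the
# multicast bit clear, i.e. a valid unicast address that cannot collide with a
# vendor-assigned (OUI) address. This is what a MAC changer generates.
random_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 | 2) & 254 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# is_private_mac <mac>: true if syntactically valid, unicast, locally administered.
is_private_mac() {
    mac="$1"
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 1 )) -eq 0 ] && [ $(( first & 2 )) -ne 0 ]
}

# current_mac <iface>: the address the LAN currently sees for an interface
# (after any cloning), read from sysfs.
current_mac() {
    cat "/sys/class/net/$1/address"
}
```

The locally-administered bit is the one thing all three tools above have to get right: an address with it clear may collide with a real vendor device on the same LAN, and one with the multicast bit set is not usable as a station address at all. Note that a randomised address still lets the network operator link all of one session's traffic together; it only breaks linking across visits and across networks.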

Certificates in the browser

What are the security and privacy implications of these ?

Some questionable certs may appear under "Authorities": a couple from China, DigiNotar. Various CA's have been hacked from time to time. Firefox is in process of removing trust for Symantec-issued certs.

Certs that appear under "Servers" reveal a little bit about your browsing history: they may show what domains you've visited.

As far as I know, there is no downside to removing Server certificates, and removing a few Authorities is okay too (as long as you don't remove them all).

Will any of the browsers report "hey, a new certificate was installed since last time the browser was running" ? I think they should.

Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"
Pieter Arntz's "When you shouldn't trust a trusted root certificate"
Hanno Bock's "Check for bad certs from Komodia / Superfish"
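Since no browser answers the "was a new certificate installed since last time" question, here is an added example of my own (not from this page or any project) that keeps a baseline of a certificate store and reports anything added, removed or changed since. It works on any directory of certificate files such as `/etc/ssl/certs` or `/usr/local/share/ca-certificates`; for Firefox's own store, first export a listing with `certutil -L -d sql:"$HOME/.mozilla/firefox/<profile>"` (from libnss3-tools) and baseline that text the same way. The store directory and file names in the test are constructed, and file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not from this page: snapshot and diff a certificate store.

# cert_store_snapshot <dir>: "sha256  ./name" for every file, sorted by name.
# A content hash is used rather than an X.509 fingerprint so bundles and
# symlinked files are covered too; substitute
#   openssl x509 -noout -fingerprint -sha256 -in "$f"
# if you want the fingerprint that browsers display.
cert_store_snapshot() {
    dir="$1"
    ( cd "$dir" && find . -type f -o -type l | LC_ALL=C sort | while read -r f; do
          [ -f "$f" ] || continue           # skip dangling symlinks
          printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
      done )
}

# cert_store_diff <baseline-file> <dir>: prints "added <f>", "removed <f>" or
# "changed <f>" lines and returns 1 if there were any; returns 0 when clean.
cert_store_diff() {
    baseline="$1"; dir="$2"
    now=$(mktemp)
    cert_store_snapshot "$dir" > "$now"
    # join on the file name (field 2); -e fills in MISSING for unpaired lines
    changes=$(
        LC_ALL=C join -j 2 -a 1 -a 2 -e MISSING -o 0,1.1,2.1 "$baseline" "$now" |
        awk '$2 == "MISSING" { print "added " $1; next }
             $3 == "MISSING" { print "removed " $1; next }
             $2 != $3        { print "changed " $1 }'
    )
    rm -f "$now"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}
```

Take the baseline with `cert_store_snapshot /etc/ssl/certs > ~/ca-baseline.txt` right after a clean install, and run `cert_store_diff ~/ca-baseline.txt /etc/ssl/certs` from a cron job or after installing any VPN client or anti-virus product, which is exactly when the articles above say an extra root tends to appear. An "added" line after a distribution update is normal; an "added" line after installing some unrelated software is the case worth looking at.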

Location Leaks

Probably we're all familiar with IP leaking, when some outside person/app gets your real IP address and usually can determine your approximate location, and if they get help from your ISP can determine your identity.

But is there "location leaking" inside the software in our computers ? Apps can query our Wi-Fi or router or ISP to get our GPS location or at least postcode ? I assume apps all can get our real IP address, even if we're using a VPN.

And yesterday, my Linux Mint 19 system installed an update which included "freedesktop" which runs a "GeoClue" location service for applications. I don't know quite what this does and how much it knows and how to turn it off (eventually I was able to uninstall it).

Any software inside our system that gets our real location or IP address potentially could leak it, accidentally or routinely or maliciously. The information might be included in crash dumps or traces in bug reports.

How do we stop this ? What other sources of location data are there inside our systems ? How do we set them all to report "none" or some fixed value of our choosing ?

Inside Android, an app can use Google Location Services API or Network Location Provider.

Inside Linux, while running a VPN and through a router, there are four kinds of IPv4 address: I haven't found a way yet that an app on my computer can get the Router's WAN address, either with VPN on or VPN off. But with VPN off, an app could talk to a server outside and ask it "what IP address am I coming from ?".

Browser is a key point for storing/providing location data. Set preferences in each browser you use. And maybe use an add-on such as Location Guard

Inbound Traffic

From discussion on reddit 7/2019:

Normally, a router's firewall blocks all incoming traffic unless it's related to outgoing traffic. The firewall will temporarily open ports used by the outgoing traffic.

Port forwarding allows unsolicited incoming traffic to a port or range of ports through the firewall to a specific IP address in your LAN.

By opening an inbound port, you are exposing a device to unsolicited traffic from the Internet. Unless you can restrict the incoming traffic to a trusted remote address, the device may be at risk of being compromised. Open ports only when there is no option, such as gaming. Only open the necessary ports, and close them when finished. For other use cases, [carefully evaluate how much you can restrict access and what kind of authentication is being used.]


Tunneling home over an inbound VPN will give the outside client machine access to everything in your network, and apps like Hamachi work great for playing games that are only designed to work over LAN. However, inbound VPN is not suitable for services that need to be accessible by clients you don't control or clients that you don't want to have access to your whole internal network. You would not use an inbound VPN just to make a web server accessible, nor would you use an inbound VPN for most services designed to work over the Internet.


Low-security file sharing protocols like SMBv1 are only safe to use over a secure LAN and should never be exposed to the internet.


UPnP is a multi-purpose protocol. One of its functions is to enable a device to dynamically set up port forwarding on a UPnP-enabled router. This can be convenient when multiple devices (such as multiple gaming consoles) need port forwarding. The application/game must work on multiple, different ports. If it doesn't, then it's impossible for multiple consoles to work in the same network. While UPnP can be convenient, there are documented instances of security vulnerabilities associated with it.

Most people will want to set up port forwarding manually on the router or use UPnP. In most cases, it makes sense to pick one method. ... Using a combination of both will give the static rules precedence. Some people disable UPnP port forwarding entirely for security reasons, but using both doesn't create any issue. The only reason to say "I'm only using UPnP" is to avoid confusion between the static and dynamic port forwarding rules. You can use both. While it's true that UPnP is insecure by design, the convenience it offers home users is usually well worth the concerns in small networks where you manage all the devices. ... For any given application/game, you only need to use one. It's certainly possible to use static port forwarding for one application and UPnP for another.


In a home network, it's strongly recommended to have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.


Usually, you need only concern yourself with opening ports for incoming traffic. All consumer-grade routers open all ports in the outgoing direction by default, so you can generally ignore any application- or game-specific requirements to open outbound ports. You may come across some applications and games where it's not specified which direction (inbound/outbound) needs to be opened. This is really unfortunate, as you end up having to open more ports than necessary. Do be sure you open the correct protocol (UDP or TCP). If in doubt, open both.


Before you test port forwarding through your router [to a server on your LAN], make sure the application/game is running on your server. Then try connecting to it locally from another local device. ... Once you have confirmed that a local connection works, you can proceed to test port forwarding [inbound from the internet]. ...


If you run the actual application/game executable (not through a browser), maybe run it on a device that is not connected to your home network (LAN). If you have a smartphone, for example, switch from Wi-Fi to cellular Internet.
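An added example of my own (not from this page or from the reddit poster) for the "confirm the application is running and reachable locally" step above: before testing a port-forward from the Internet, it checks what the service is actually listening on. A service bound only to 127.0.0.1 is unreachable through any forward no matter how the router is configured, while one bound to 0.0.0.0 or [::] already answers every LAN device and, once forwarded, the whole Internet. It reads `ss -ltnH` (TCP) or `ss -lunH` (UDP); `LISTEN_CMD` is my own hook for substituting that command, and the listener lines in the test are constructed sample output.

```shell
#!/bin/sh
# Added example, not from this page: check how widely a local service listens
# before opening a port for it on the router.

# listener_scope <port> [tcp|udp]: prints loopback | all | addr:<ip> | none
listener_scope() {
    port="$1"; proto="${2:-tcp}"
    case "$proto" in
        tcp) cmd="${LISTEN_CMD:-ss -ltnH}" ;;
        udp) cmd="${LISTEN_CMD:-ss -lunH}" ;;
        *)   echo "unknown protocol: $proto" >&2; return 2 ;;
    esac
    # Column 4 of ss output is Local Address:Port, e.g. 0.0.0.0:22 or [::]:22.
    # When several sockets share the port, report the widest exposure.
    $cmd | awk -v p="$port" '
        {
            n = split($4, a, ":"); lp = a[n]
            addr = substr($4, 1, length($4) - length(lp) - 1)
            if (lp != p) next
            if (addr == "127.0.0.1" || addr == "[::1]") s = 1
            else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") s = 3
            else { s = 2; seen = addr }
            if (s > best) best = s
        }
        END {
            if (best == 3) print "all"
            else if (best == 2) print "addr:" seen
            else if (best == 1) print "loopback"
            else print "none"
        }'
}

# forward_ready <port> [tcp|udp]: true only when another LAN host could reach
# the service at all, which is the precondition for the local test above.
# Optional live check from a second LAN device (needs nc):  nc -vz -w 3 <lan-ip> <port>
forward_ready() {
    case "$(listener_scope "$@")" in
        all|addr:*) return 0 ;;
        *)          return 1 ;;
    esac
}
```

Read the result with the security point of the discussion above in mind: "loopback" means the forward cannot work and also that nothing on the LAN can touch the service, "addr:" means it is bound to one interface, and "all" means every device on the LAN, and after forwarding every address on the Internet, can reach it, so that is the case where restricting the source address on the router matters most.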

Tor Browser

Onion is a network, where the Tor browser talks to an entrance node, which talks to a middle node, which maybe talks to another middle node, which then talks to either an exit node (for normal internet traffic) or an onion web site.

It is possible to use Tor browser and onion and still not have privacy or anonymity. If you're the only person on your network using Tor, perhaps your activity can be correlated with the traffic coming out of the exit node. If you log in to a web site using your real info, that site will know who you are. If you use HTTP, the exit node and its ISP can see your traffic.
Aditya Tiwari's "TOR Anonymity: Things Not To Do While Using TOR"

Tor browser is based on Firefox ESR plus security fixes, and seems to track normal FF security fixes pretty closely.

If you're using Tor browser instead of a VPN, only the Tor browser's traffic is going through the Tor network; traffic from other applications and background services does not.

I say: have a VPN running 24/365, even when you're using Tor browser.

[I am talking about "Tor over VPN" or "VPN-to-Tor": connect your system to internet through a VPN, then run Tor Browser. So onion traffic goes through VPN, comes out of VPN server, then goes into onion network and does multiple hops until coming out of an exit relay or getting to an onion web site.]

How your traffic looks:

Not sure this is right (reconstructed from a layered diagram; innermost layer first; blank = encryption label not recoverable):

  Layer / hop                      Encryption   Outer src addr   Outer dest addr
  Tor Browser                      None         PC LAN           Onion entry
  VPN client                                    Router public    VPN Srv
  PC's Wi-Fi adapter                            Router public    VPN Srv
  Router's Wi-Fi adapter                        Router public    VPN Srv
  Router                                        Router public    VPN Srv
  VPN server                                    VPN Srv          Onion entry
  Onion entry server (OS TCP/IP)   None         VPN Srv          Onion web site
  Onion relay code                 None         Onion entry      Onion relay 1
  Onion relay 1                    HTTPS        Onion relay 1    Onion relay 2
  Onion relay 2                    HTTPS        Onion relay 2    Onion relay 3
  Onion relay 3                    HTTPS        Onion relay 3    Onion web site
  Onion web site

Use the VPN all the time, 24/365, don't turn it on and off. Some traffic, such as Tor/onion traffic, does not need the protection of the VPN, but is not hurt by use of the VPN. But even when you're using Tor, background services and apps may be doing network traffic, and you want all that traffic to be protected and not revealing your real IP address. And if you get in the habit of turning the VPN off and back on, at some point you will forget to turn it back on when you need it.

Some people argue that Tor IS hurt by using it through a VPN. I think their reasoning is that the VPN service is another point of risk where someone could be monitoring your traffic. It's an increase in attack surface. And a VPN company may not be bound by privacy laws as strictly as an ISP is bound (varies by country).

But is having a malicious VPN monitor your traffic any worse than having your ISP monitor it ? All a malicious VPN could see is that you're using Tor/onion. I'd rather have a VPN company know that, and my ISP not know it, than have the ISP know it. The ISP knows my real name and physical address, and the VPN doesn't. I'd rather trust my VPN than my ISP. And in either case, all I'm trusting them with is "I'm using Tor/onion". They can't see the details of the traffic. [Caveat: if you have to use VPN's proprietary client, the calculation changes.]

Some people say "a VPN can keep logs". Sure, and so could an onion entry or exit point, or my ISP. And in the VPN or ISP cases, all the logs would show is "he did Tor/onion traffic".

A more serious issue occurs if you're using a custom VPN client on your machine. That client software sees all of your traffic, and you have to trust that it's not malicious. But if you're using HTTPS from a normal browser, or using Tor Browser, the information the VPN client can see is limited. Even a totally malicious VPN client would just see what domains you're accessing (in the case of HTTPS) or that you're using Tor (in the case of Tor Browser). And you could use an open-source standard VPN client (OpenVPN).

Some people say: instead of using a VPN, just run ALL system traffic through Tor/onion. But I don't think that is encouraged by the onion network people, especially if you're doing downloads or torrenting or VoIP. And I don't think there's an official proxy, just some unofficial projects that implement that.

As far as I can tell, the Tor Project does not say using Tor with a VPN necessarily is bad. Tor Project FAQ's "Is Tor like a VPN?" says "Do not use a VPN as an anonymity solution.".

Tor Wiki's "TorPlusVPN"
Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"

So I think the bottom line is: Using a VPN adds slightly to the attack surface, doesn't add security to Tor, but gives the huge benefit of continuing to protect your non-Tor traffic while you're using Tor, and avoids forgetting to turn the VPN back on after you're finished using Tor.

I think you leak-test the Tor browser by using the same sites you use to test a clearnet browser. See "Testing your privacy and security" section of my "Computer Security and Privacy" page.

Tails is a Linux system where all internet traffic goes through the Tor network. Another is Kodachi (article). I think both are designed to be run from a USB stick, without persistence, so any changes to OS and apps etc get wiped when you shut down.

Whonix is a Linux system where all internet traffic goes through the Tor network. This is a normal boot-from-hard-disk-with-persistence system.

You could use the Tor network as a VPN:

GouveaHeitor / nipe
Edu4rdSHL / tor-router
githacktools / TorghostNG

BUT: Tor network only handles TCP traffic, not UDP; see Tor FAQ item

TorProject's "TransparentProxy"
TorProject's "TransparentProxyLeaks"
TorProject's "Isolating Proxy Concept"
TorProject's "TorifyHOWTO"

But does this mean that your Tor traffic and your other system traffic (which may reveal identity) are going through the same Tor circuit ? Would not be a good thing. Need to set up "stream isolation" to avoid problems.
Whonix Stream Isolation

Tor Browser's "Everything you wanted to know about Tor but were afraid to ask"
Andy Greenberg's "The Grand Tor: How to Go Anonymous Online"
Tor Project's "Check your Tor browser"
Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"
Matt Traudt's "About to use Tor. Any security tips?"

Onion search engines: Torch, NotEvil,
Onion directories: http://zqktlwiuavvvqqt4ybvgvi7tyo4hjl5xgfuvpdf6otjiycgwqbym2qad.onion/wiki/index.php/Main_Page

Juan Sanchez and Garth Griffin's "Who's Afraid of the Dark? Hype Versus Reality on the Dark Web"
Is a darknet site online? (but really "was valid link at some time" ?)


It's all one internet:

Everything is using the same wires/cables/satellite/radio links, the same operating systems, the same basic protocols, the same kinds of computers/servers/phones etc.

Parts of the internet:

Types of items/activities on the Darknet:

Things that do/don't work through Tor Browser 9.0.4 (1/2020):

Clearnet sites:
Some of these that worked did set off lots of captchas, and/or confirmation email to backup account, and/or emails saying login of unexpected device from unexpected country.

Onion sites:

Doing potentially illegal stuff:

DNM Buyer Bible
DNM's Buyer Bible (As of 3/22/18) (PDF)

Tor Server

On the onion network, it's especially important to have separate companies for domain registration and site hosting. Onion hosting services are more likely than clearnet services to take your site down or go out of business or just give bad service. Have backups of everything, be fully prepared to relocate.

Can you have one web site which is accessible through both clearnet and also onion (Tor) ?

If you are renting a VM and hosting the site yourself, make sure your provider allows this. If your site is on a shared hosting service, the service would have to offer onion as a feature (and I'm unaware of any mainstream service that does so).

Ablative Hosting makes same site appear on clearnet and onion:

A "Tor2Web proxy" lets people using a normal browser access an onion server. But:
Matt Traudt article

Onion domain names are limited to 16 chars (v3 increases it to 56 chars) and are assigned essentially at random; you can't specify a domain name you want.

NordVPN's "How to make a .onion site"
DeepWebSitesLinks' "Deep Web Hosting ..."
/r/onions' "Hosting a Hidden Service"
Riseup's "Best Practices for Hosting Onion Services"
Bashir Barrage's "How To Build a DarkWeb Server" (PDF)

Scan your onion site for problems:
tokyoneon's "Detect Misconfigurations in 'Anonymous' Dark Web Sites with OnionScan"

From someone on reddit 4/2019:

> How do I go about hosting a Tor site. I know how to make a clear web site using node JS ...

Unless this is just a toy project and nothing really bad will happen if you get traced, do not take the advice to run Tor on a machine, run a Web server on that same machine, and have Tor forward .onion address to that Web server.

With the naive configuration, you will be pwned if anybody puts in any real effort, so don't use that configuration if being owned is a problem and you think anybody might put in any effort.

The biggest problem with hidden services is that there are roughly 87 billion bugs, misconfigurations, and bad defaults that can show up anywhere in your Web server, framework, language, database, libraries, or whatever, and leak the server's real IP address to remote clients. Or even give remote clients the ability to run arbitrary code on the Web server, which means that you lose if it can even send any clearnet traffic at all.

You have to close all the holes you can, and then you have to assume that you'll still have missed some. That means that you can't let the server know its own real IP address. That means that you can't have the Tor process running in the same network address space as the Web server process. You shouldn't have them share a kernel, and really shouldn't even have them on the same physical hardware.

Have a look at the Whonix physical isolation configuration. I think that's unsupported and requires some skill to set up, but it's still safer than rolling your own for most people in most circumstances.

The bottom line is that this is a "full stack" endeavor. You have to think about everything from the hardware up through the application. Otherwise you will lose. If there's any part of your system that you do not completely understand, you have to deprive it of any sensitive information, and then surround it with a wall of stuff that you do understand. Otherwise you will lose.

Keep everything as simple as possible. Use as little software as possible, and choose software that's as bulletproof as possible. Don't put in any nonessential features.

Remember that many of your clients will be running with JavaScript disabled.

If it's a really hot service, assume it will be compromised anyway, so put another layer between you and it. Buy your hosting in a way that can't be traced to you, and manage it over Tor or I2P.

"Sign all your posts with PGP, so if your site gets taken down you can move to a new host, and then your readers can verify that you are who you say you are."
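The isolation requirement spelled out above (the web server host must not know its own real address and must have no path to anything except the Tor gateway) can be checked mechanically from inside the web host. The script below is an added example, not code from this page or from Whonix: it parses the text of `ip addr show` plus `ip route show` / `ip -6 route show` captured inside the VM or network namespace that runs the web server, and flags public addresses and routes that bypass the gateway. The gateway address 10.0.0.1 and both sample outputs are constructed.

```python
"""Audit the network view of a hidden-service web host (added example; not
code from the page or from Whonix). Input is the text of `ip addr show` and
`ip route show` + `ip -6 route show` captured inside the web host."""
import ipaddress
import re

# Ranges the web host may carry; anything else is a public, leakable address.
ALLOWED_LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # IPv4 loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",               # IPv6 loopback, link-local, ULA
)]
DROP_ROUTES = {"unreachable", "blackhole", "prohibit", "throw"}  # deliver nothing; harmless

def parse_addrs(ip_addr_text):
    """Yield (ifname, ip_interface) for every inet/inet6 line of `ip addr show`."""
    iface = None
    for line in ip_addr_text.splitlines():
        m = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"^\s+inet6?\s+(\S+)", line)
        if m and iface:
            yield iface, ipaddress.ip_interface(m.group(1))

def parse_routes(ip_route_text):
    """Yield {dst, via, dev} for each line of `ip route show` (v4 or v6)."""
    for line in ip_route_text.splitlines():
        parts = line.split()
        if not parts or parts[0] in DROP_ROUTES:
            continue
        route = {"dst": parts[0], "via": None, "dev": None}
        for key in ("via", "dev"):
            if key in parts:
                route[key] = parts[parts.index(key) + 1]
        yield route

def audit(ip_addr_text, ip_route_text, gateway):
    """Return [(level, message)]: FAIL = public address or a path around the
    gateway; WARN = extra surface that is not a leak by itself."""
    gw = ipaddress.ip_address(gateway)
    addrs = list(parse_addrs(ip_addr_text))
    findings = []
    for iface, a in addrs:
        if not any(a.ip in net for net in ALLOWED_LOCAL):
            findings.append(("FAIL", f"{iface} carries public address {a.ip}"))
    for r in parse_routes(ip_route_text):
        try:
            via = ipaddress.ip_address(r["via"]) if r["via"] else None
        except ValueError:
            via = None
        if r["dst"] == "default":
            if via == gw:  # outbound still ends at the gateway, which must tor-ify or drop it
                findings.append(("WARN", f"default route via gateway on {r['dev']}: outbound possible"))
            else:
                findings.append(("FAIL", f"default route via {r['via']} on {r['dev']} bypasses the gateway"))
        elif via is not None:
            if via != gw:
                findings.append(("FAIL", f"route to {r['dst']} via {r['via']} bypasses the gateway"))
        else:
            try:
                net = ipaddress.ip_network(r["dst"], strict=False)
            except ValueError:
                continue
            if gw not in net and not (net.is_link_local or net.is_loopback):
                findings.append(("WARN", f"on-link route to {r['dst']} on {r['dev']}: second segment"))
    if not any(gw in a.network for _, a in addrs):
        findings.append(("FAIL", f"no interface shares a subnet with gateway {gw}; service unreachable"))
    return findings

def is_isolated(findings):
    return not any(level == "FAIL" for level, _ in findings)

# Constructed sample: web host in its own network namespace, one veth to the
# Tor gateway (assumed 10.0.0.1), no default route: the gateway connects *in*.
ISOLATED_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: veth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.0.0.2/24 scope global veth0
"""
ISOLATED_ROUTE = "10.0.0.0/24 dev veth0 proto kernel scope link src 10.0.0.2\n"

# Constructed sample: the naive layout, public v4 + v6 addresses, default routes to the ISP.
NAIVE_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 203.0.113.20/24 scope global eth0
    inet6 2001:db8:1::20/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""
NAIVE_ROUTE = """\
default via 203.0.113.1 dev eth0 proto dhcp metric 100
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.20 metric 100
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
2001:db8:1::/64 dev eth0 proto ra metric 256
fe80::/64 dev eth0 proto kernel metric 256
"""

if __name__ == "__main__":
    for name, a, r in (("isolated", ISOLATED_ADDR, ISOLATED_ROUTE), ("naive", NAIVE_ADDR, NAIVE_ROUTE)):
        found = audit(a, r, "10.0.0.1")
        print(f"{name}: {'OK' if is_isolated(found) else 'NOT ISOLATED'}")
        for level, msg in found:
            print(f"  {level}: {msg}")
```

The IPv6 lines matter: a host whose IPv4 is locked down but that still takes a router advertisement on eth0 has a public address and a default route the web server can use. On the gateway side the counterpart is a torrc line of the form `HiddenServicePort 80 10.0.0.2:80`, so only the Tor process ever opens a connection to the web host, and the web host never needs a route out. Run the audit again after every package upgrade or network-manager change, since those are exactly what reintroduce a default route.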

Hosting services:
OneHost Cloud (about $4/month)
Impreza ($25 one-time setup fee, about $8/month, includes domain)
Kowloon (about $20/month, includes domain, must pay in BTC, must use onion mail to sign up)

micahflee / onionshare (file-sharing via hidden onion addresses)


EFF's "What Should I Know About Encryption?"
Latacora's "The PGP Problem"

Monitor the traffic in/out of your LAN. Best ways probably are custom software in your router, and a Pi-hole doing DNS filtering. From Security in Five Podcast - Episode 746: an investigation of traffic volume exceeding a data cap found that iCloud was uploading/downloading the entire collection any time one item was added, and after that was fixed almost 50% of all traffic was due to blockable scripts (ads, trackers).
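The Pi-hole side of that monitoring can be made concrete. The script below is an added example, not code from this page or from the Pi-hole project: it reads a dnsmasq-style query log (the format Pi-hole writes to /var/log/pihole.log, as assumed here; the block-reason phrases differ between versions, so several are accepted), attributes each blocked answer to the client that last asked for that name, and reports the blocked share per client and the most-blocked domains. The sample log lines are constructed.

```python
"""Rank DNS queries from a Pi-hole / dnsmasq query log by client and by blocked
domain (added example; not from the page or the Pi-hole project). The line
formats below are the dnsmasq `log-queries` style assumed for pihole.log;
the sample lines are constructed."""
import re
from collections import Counter, defaultdict

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
# Pi-hole answers a listed name with 0.0.0.0 / :: and logs why; wording varies by version.
BLOCK_RE = re.compile(
    r"(?:gravity blocked|exactly blacklisted|regex blacklisted|"
    r"/etc/pihole/(?:gravity|black)\.list) (\S+) is ")

def summarize(log_text):
    """Return totals, per-client counts and the most-blocked domains."""
    clients = defaultdict(lambda: {"queries": 0, "blocked": 0})
    blocked_domains = Counter()
    # A block line carries no client address, so attribute it to the most
    # recent query for that name (dnsmasq logs the answer right after the query).
    last_client_for = {}
    total = blocked = 0
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            _qtype, domain, client = m.groups()
            last_client_for[domain] = client
            clients[client]["queries"] += 1
            total += 1
            continue
        m = BLOCK_RE.search(line)
        if m:
            domain = m.group(1)
            blocked += 1
            blocked_domains[domain] += 1
            client = last_client_for.get(domain)
            if client is not None:
                clients[client]["blocked"] += 1
    return {
        "total": total,
        "blocked": blocked,
        "blocked_fraction": blocked / total if total else 0.0,
        "clients": dict(clients),
        "top_blocked": blocked_domains.most_common(10),
    }

# Constructed sample: one laptop (.20) and one smart TV (.31) behind the Pi-hole.
SAMPLE_LOG = """\
Jun  3 21:14:02 dnsmasq[512]: query[A] www.example.org from 192.168.1.20
Jun  3 21:14:02 dnsmasq[512]: forwarded www.example.org to 1.1.1.1
Jun  3 21:14:02 dnsmasq[512]: reply www.example.org is 93.184.216.34
Jun  3 21:14:03 dnsmasq[512]: query[A] ads.tracker-example.net from 192.168.1.20
Jun  3 21:14:03 dnsmasq[512]: gravity blocked ads.tracker-example.net is 0.0.0.0
Jun  3 21:14:05 dnsmasq[512]: query[AAAA] ads.tracker-example.net from 192.168.1.20
Jun  3 21:14:05 dnsmasq[512]: gravity blocked ads.tracker-example.net is ::
Jun  3 21:14:09 dnsmasq[512]: query[A] metrics.example-tv.com from 192.168.1.31
Jun  3 21:14:09 dnsmasq[512]: /etc/pihole/gravity.list metrics.example-tv.com is 0.0.0.0
Jun  3 21:14:10 dnsmasq[512]: query[A] updates.example-tv.com from 192.168.1.31
Jun  3 21:14:10 dnsmasq[512]: forwarded updates.example-tv.com to 1.1.1.1
Jun  3 21:14:10 dnsmasq[512]: reply updates.example-tv.com is 203.0.113.8
Jun  3 21:14:12 dnsmasq[512]: query[A] cdn.example.org from 192.168.1.20
Jun  3 21:14:12 dnsmasq[512]: cached cdn.example.org is 93.184.216.35
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['blocked']}/{s['total']} queries blocked ({s['blocked_fraction']:.0%})")
    for client, c in sorted(s["clients"].items()):
        print(f"  {client}: {c['blocked']}/{c['queries']} blocked")
    for domain, n in s["top_blocked"]:
        print(f"  blocked {n}x: {domain}")
```

The fraction this reports is a share of DNS queries, not of bytes, so it shows which devices and domains are noisy rather than who is eating the data cap; the iCloud re-upload loop in the podcast story would only show up in per-host byte counters on the router, which is why the note recommends both.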

I'm not sure how valid or useful this test is: Is BGP safe yet?
But see AAL article.
And Is Cloudflare safe yet?
These guys, whom I respect (Open Source Security Podcast - Episode 195), say Cloudflare is right to push for better BGP security.

From someone on reddit:
Hub: sends all traffic to all connected cables.

Switch: uses MAC addresses and ARP to figure out, within a local network, whom to send data to; if it can't find a destination, it sends to all.

Router: sends traffic based on IP address and network mask; it can route between different networks.

Why IPv6 still is a LONG way from "taking over" (from 2.5 Admins episode 05 6/2020):
IPv6 assumes all devices in a LAN are directly public, which is a very new paradigm.

Needs separate real firewall with zones etc.

IPv4 and IPv6 firewall/security will be completely separate; you have to do it right twice.

NAT with IPv4 works okay.

IPv6 won't replace IPv4, so IPv6 will be an addition, and thus has to be justified on its own.

Professional-level network emulation software (FOSS): GNS3

This page updated: June 2020

