Connection Security and Privacy
Cone of Silence


There are two "directions":

There are several ways to protect outbound traffic:
I'm unclear on whether the "onion" alternatives force use of HTTPS (I think they don't), and at what point they understand onion URLs (where is DNS done ?).

An onion network does multiple hops, so the final exit relay never sees your originating IP address and the entrance relay never sees the destination IP address. A VPN does everything in one company's network, so that one company can see both the originating and the destination IP addresses.

This section is talking about the outbound VPN case.

More "choices":
I recommend using your OS's standard client, a commercial VPN service's server, and the commercial VPN service's DNS.


How your traffic looks (outbound VPN case; Src and Dest are the addresses in the outermost IP header at that point):

Layer                         Encryption   Src             Dest
Browser                       None         PC LAN          WebSite
   v request v    ^ response ^
VPN client                    (request wrapped in VPN encryption here; response unwrapped here)
   v request v    ^ response ^
PC's Wi-Fi adapter            VPN          PC LAN          VPN Srv
   v request v    ^ response ^
Router's Wi-Fi adapter        VPN          PC LAN          VPN Srv
   v request v    ^ response ^
Router's public side (NAT)    VPN          Router public   VPN Srv
   v request v    ^ response ^
ISP(s) and internet hops      VPN          Router public   VPN Srv
   v request v    ^ response ^
VPN server                    (request unwrapped here; response wrapped here)
   v request v    ^ response ^
Internet hops and site's ISP  None         VPN Srv         WebSite
   v request v    ^ response ^
Site server                   None         VPN Srv         WebSite
   v request v    ^ response ^
Server OS TCP/IP              None         VPN Srv         WebSite
   v request v    ^ response ^
Web server

The "LAN" and first ISP could be your home LAN and ISP, or ones used by your school or library or restaurant where you use Wi-Fi.

If instead of a browser, you use a secure-messaging application such as Wire or Signal, that adds its own additional, innermost layer of encryption.

Advantages of using a VPN:

Some drawbacks of using a VPN:
[To avoid the last four issues, you may be able to add VPN exceptions or a proxy so that some sites don't go through the VPN, or set one browser or browser profile to use the VPN and another to not use it.]

Search Encrypt Blog's "The Case Against VPNs"

Paraphrased from The Complete Privacy & Security Podcast episode 183:

When creating a new account, or doing a major purchase, you may not be able to use a VPN. The account may be locked or the transaction denied.

So, instead, go to a network that is not associated with you (Wi-Fi at Apple Store or a library or a cafe), turn off VPN, and do your business.

If creating a new account, maybe log in and out several times over the next few days from the same network or nearby networks. You are "training" the security algorithms to see that your IP address can vary, and your location is reasonable, and you're not using a VPN. After that, you should be able to use a VPN, picking a server that is somewhat near that location (same country at least, same city better).

How can a site tell that you're using a VPN ? The most likely way is by using a list of known VPN server IP addresses. Or maybe your time-zone setting or language doesn't match the location of your IP address. But sometimes they can tell by analyzing your packets: WITCH?

Some latest VPN stacks, compared layer by layer (OpenVPN / strongSwan / WireGuard):

User application:
  All three: Browser or SSH or SFTP or any other app or service; may have its own use of SSL/TLS.

VPN client application:
  OpenVPN:    OpenVPN Connect, Tunnelblick, many others.
  strongSwan: strongSwan or Libreswan or Openswan.
  WireGuard:  Standard utilities such as ifconfig, ip-link, ip-address, and a new utility "wg", applied to new virtual network devices "wg0", "wg1", etc.

Authentication:
  OpenVPN:    OpenSSL, HMAC ? Pre-shared keys (PSKs) ?
  strongSwan: IKE, pre-shared keys (PSKs).
  WireGuard:  Cryptokey Routing: associates public keys with IP addresses, and associates a network device with a private key and peer.

Session key-exchange:
  OpenVPN:    TLS, sometimes ECDH.
  strongSwan: IKE.
  WireGuard:  Curve25519, Noise IK (plus optional PSK).

Transport-level encryption:
  OpenVPN:    SSL/TLS (usually AES or Blowfish); uses the HTTPS port, so hard to block.
  strongSwan: none.
  WireGuard:  none.

IP-level encryption:
  OpenVPN:    none.
  strongSwan: IPsec (usually AES).
  WireGuard:  ChaCha20 and Poly1305.

Transport protocol:
  OpenVPN:    UDP or TCP.
  strongSwan: ESP or AH or UDP.
  WireGuard:  UDP.

Link and physical layers:
  All three: Ethernet, Wi-Fi, etc.

There are more stacks: PPTP/IPsec (old), L2TP/IPsec (slower), SoftEther, SSTP/SSL (a bit Windows-oriented).
Jason A. Donenfeld's "WireGuard: Fast, Modern, Secure VPN Tunnel"
Rob Mardisalu article
Douglas Crawford article



From Windscribe Support about WireGuard, in 2020:

We are adding it to our service at some point, it's on the roadmap.

But there's nothing special about WireGuard. It's very barebones which requires us to basically build our own framework for it.

It's also NOT made for consumer VPNs like Windscribe, it's made for the actual definition of VPNs which is to connect a group of people on the internet to a virtual private network.

Then as a VPN provider like us, we have to completely remove that functionality because we're not trying to connect multiple people together, we just want them connecting to the server. There's tons of firewalling involved to ensure that even though a bunch of people are on the same virtual network, nobody sees anyone else. You don't want to connect to a VPN server and a bunch of people can now reach your computer as if they were on the same network as you. That's not private at all and only puts you at way more risk than not using a VPN to begin with.

From what I know, there's no special care given to the WireGuard protocol to make it more in line with the privacy and anonymity-based consumer definition of a VPN, it's still just a different way of connecting a group of people together on the same network. But since everyone keeps asking for it and other companies are now starting to implement it, we'll have to do the same in order to keep up with the most current tech. We've got a lot on our plate right now though so it'll still take some time to get it implemented into our service.

From someone on reddit:

There is no client and server in WireGuard terms. WireGuard only knows peers. Each device you have has one [Interface] block where you set the private key, tunnel address, DNS etc and then you can have multiple [Peer] entries. Each peer is its own tunnel.

From someone on reddit:

If your machine is "laptop1":
Create a private key:
wg genkey >laptop1.key
chmod 600 laptop1.key
Create a public key:
wg pubkey <laptop1.key >

One can also generate a unique pre-shared key for each peer-pair.
If your machine is "laptop1" and the VPN server is "vpnsrv1":
wg genpsk >laptop1-vpnsrv1.psk
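The [Interface]/[Peer] layout from the first reddit post above and the genkey/pubkey/genpsk steps from the second, carried through as an added example that is not from the original page or from either poster. It renders the two config files for the "laptop1" and "vpnsrv1" pair. The key strings are constructed placeholders standing in for the output of wg genkey, wg pubkey and wg genpsk; the tunnel addresses (10.9.0.0/24), the endpoint name vpnsrv1.example, port 51820 and the assumption that the server also runs the DNS resolver are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page or from the reddit posts it quotes.
# Builds the two WireGuard config files for the "laptop1" <-> "vpnsrv1" pair.
# Key strings below are CONSTRUCTED placeholders; real ones come from
#   wg genkey >laptop1.key ; wg pubkey <laptop1.key ; wg genpsk
# and a private key file must stay mode 600.

LAPTOP1_PRIV='PLACEHOLDER-laptop1-private-key-from-wg-genkey='
LAPTOP1_PUB='PLACEHOLDER-laptop1-public-key-from-wg-pubkey='
VPNSRV1_PRIV='PLACEHOLDER-vpnsrv1-private-key-from-wg-genkey='
VPNSRV1_PUB='PLACEHOLDER-vpnsrv1-public-key-from-wg-pubkey='
PAIR_PSK='PLACEHOLDER-laptop1-vpnsrv1-psk-from-wg-genpsk='

# wg_interface PRIVATE_KEY ADDRESS [LISTEN_PORT] [DNS]
# One [Interface] block per device: its own private key and tunnel address.
wg_interface() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n' "$1" "$2"
    if [ -n "${3:-}" ]; then printf 'ListenPort = %s\n' "$3"; fi
    if [ -n "${4:-}" ]; then printf 'DNS = %s\n' "$4"; fi
    printf '\n'
}

# wg_peer PUBLIC_KEY PSK ALLOWED_IPS [ENDPOINT]
# One [Peer] block per tunnel.  AllowedIPs is WireGuard's cryptokey routing:
# packets for those destinations are sent to this key, and packets decrypted
# with this key are accepted only if their source address is inside AllowedIPs.
wg_peer() {
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s\n' "$1" "$2" "$3"
    if [ -n "${4:-}" ]; then
        # only the client knows where the server is; keepalive holds NAT mappings open
        printf 'Endpoint = %s\nPersistentKeepalive = 25\n' "$4"
    fi
    printf '\n'
}

# laptop side: route everything (IPv4 and IPv6) through vpnsrv1, use the VPN's DNS
# (assumption: the server at 10.9.0.1 runs the resolver)
laptop1_conf() {
    wg_interface "$LAPTOP1_PRIV" 10.9.0.2/32 '' 10.9.0.1
    wg_peer "$VPNSRV1_PUB" "$PAIR_PSK" '0.0.0.0/0, ::/0' vpnsrv1.example:51820
}

# server side: listen on 51820; accept laptop1 only as 10.9.0.2 and nothing else,
# so a compromised laptop cannot inject packets claiming another peer's address
vpnsrv1_conf() {
    wg_interface "$VPNSRV1_PRIV" 10.9.0.1/24 51820
    wg_peer "$LAPTOP1_PUB" "$PAIR_PSK" 10.9.0.2/32
}

# Usage (as root on the laptop):
#   laptop1_conf >/etc/wireguard/wg0.conf && chmod 600 /etc/wireguard/wg0.conf
#   wg-quick up wg0
```

The one-way asymmetry is the point: the laptop's AllowedIPs says "send everything to the server", while the server's AllowedIPs for that peer is a single /32, which is what stops one peer from impersonating another even though they all share one virtual network.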

pcWRT's "Performance comparisons of three VPN protocols on a budget router"

VPN client software:

To use a VPN, you have to have some client-side software installed at some level. Could be:

The client software could be:
OpenVPN is:
WireGuard is:
strongSwan is:
If the client piece is proprietary software from the VPN vendor, you're trusting it to a great degree: it sees all of your traffic, both before it is encrypted and after. It could also install something else, such as a root certificate: Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"

From someone on reddit's /r/VPN:
> On Android, should I install VPN provider's app directly, or
> should I set up OpenVPN per instructions on provider's website?

Often the custom VPN client supplied by a VPN service has nice features that make it preferable to use. The stock Android OpenVPN client is spartan. 'OpenVPN for Android' by Arne Schwabe is better. You choose based on features/convenience.

I tried OpenVPN client on Windows 10 with Windscribe VPN 4/2018:

Michael Horowitz's "An introduction to six types of VPN software"
corrad1nho / qomui (Qt OpenVPN Management UI; Linux GUI client)

Who can monitor/log your activity ?
The choice is:

Definitely, use your VPN's DNS server:
The VPN company already knows every domain you're accessing, so there's no harm in using their DNS.

The major benefit of using their DNS is that the connection to DNS goes through the same encrypted tunnel to the VPN server.

Their DNS server may include ad-blocking.

Ask if their DNS server validates DNSSEC when it talks to other DNS servers; it should.


From /u/wilsonhlacerda on reddit:
> Which is the cheapest vpn app out there? That won't sell my info?

You never know if they will sell or not. If they will give it away or not. If they will spy on you or not. Or if they will give info when justice, government, cops, or similar demand them or not. If not the company itself, then an employee, will get your info or not.

Yegor S's "Free VPN Myths Debunked"
William Chalk's "Who's Really Behind the World's Most Popular Free VPNs?"
Jan Youngren's "Hidden VPN owners unveiled: 97 VPN products run by just 23 companies"
Osama Tahir's "What VPN services aren't telling you about data logging"

Don't use a VPN provided by your email service or browser company or social media company. Use a VPN that is separate from all your other services, to reduce the knowledge that any one company has about your activities.

Excerpted from an FT article, on reddit 11/2018:
More than half of the world's 30 most popular smartphone apps for browsing the internet privately are owned by Chinese companies, according to a new study that raises significant privacy concerns.

Seventeen of the apps, which offer to connect users to the internet through a secure tunnel known as a "virtual private network" (VPN), were owned either by Chinese companies or companies appearing to have links to China.


But the companies operating them often had very limited privacy policies, said Simon Migliano, the head of research at, which reviews VPN services.

"We found a few apps that explicitly stated that users' internet activity was logged, which we have never seen anywhere else with VPNs. [VPN] policies usually state that they never ever log data," he said.

"We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy."


"It's pretty crazy that 60 per cent of apps we looked at didn't have a company website. Over half hosted their privacy policies on free wordpress blogs, that had ads on the page, full of typos and when you looked at them together, they had copied and pasted from each other in a sloppy way. This is far from what you'd expect from an internet company trying to protect your privacy."

Three of the apps - TurboVPN, ProxyMaster and SnapVPN - were found to have linked ownership. In their privacy policy, they noted: "Our business may require us to transfer your Personal Data to countries outside of the European Economic Area ("EEA"), including to countries such as the People's Republic of China or Singapore."

From someone on reddit:

VPN Kill Switch For Linux Using Easy Firewall Rules

If you're connected to a VPN, you need a killswitch. No, it's not as metal as it sounds. It's just a mechanism that stops your Internet connection when you're disconnected from the VPN. It protects you from inadvertently leaking sensitive information onto the Internet when the VPN connection drops.

Some VPN services provide clients with a built-in killswitch, but none are as reliable as using iptables. Since iptables is independent of your VPN service, and it's integrated into the kernel itself, it won't fail when your VPN does. Iptables is also a well-proven security technology that can and will keep your computer safe.

The Tin Hat's "The Best VPN Kill Switch For Linux Using Easy Firewall Rules"

Testing to see if all traffic actually goes through the VPN:

Testing performance:


Down and Up speeds are in Mbps. Latency in msec.
Each test run twice and rounded and averaged.
Not all tests from same VPN locations and to same test locations.
Firefox browser. Vodafone ISP with fiber 100/100 service.

My tests with Windscribe on Ubuntu GNOME 20.04 6/2020 (Down / Up / Lat; first column is Ethernet with no VPN, the remaining columns are VPN connections, whose column headings were not preserved):
Site         Ethernet         VPN connections
SpeedOf.Me   100 / 85 / 55    95 / 75 / 45   45 / 60 / 40   90 / 75 / 45   80 / 55 / 80   90 / 75 / 70   90 / 90 / 60   90 / 70 / 70   85 / 85 / 75

Alan Henry's "Why You Should Be Using a VPN (and How to Choose One)"
Thorin Klosowski's "The Biggest Misconceptions About VPNs"
Viktor Vecsei's "Why you don't need a VPN"
joepie91's "Don't use VPN services"
Dennis Schubert's "VPN - a Very Precarious Narrative"
Max Eddy's "The Best VPN Services for 2020"
TheBestVPN's "Best VPN Services"
Amul Kalia's "Here's How to Protect Your Privacy From Your Internet Service Provider"
ProtonVPN's "VPN Threat Model" (what a VPN can and can't protect you from)
Troy Wolverton's "No perfect way to protect privacy"
Jonas DeMuro's "7 good reasons why a VPN isn't enough"
VPN Scam's "How to Avoid VPN Scams in 2017-2018"
reddit's /r/VPN
Wikipedia's "OpenVPN"

Private Internet Access (PIA) VPN

Some "VPNs" are just data-collecting operations:
Dell Cameron's "Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service"
Justin Cauchon about Verizon Safe Wi-Fi VPN

General complaint, from /u/wombtemperature on reddit 5/2017:

This VPN industry needs a wake-up call, ELSE a better way at helping the average joe at Starbucks. Guys. Like. Me.

I read. As such, I know the importance of a VPN. In fact, I have spent hours/days reading up on them. I have made excel spreadsheets to compare them (and looked at the ones on "that site"). I even WANT to give you my money to ensure I have a good one. As such, I have tried 4 paid popular ones I won't mention as I don't want to call them out, and spent a ton of time testing them on my PC and mobile.

They all are frustratingly SLOW. Or interfere with connections.

No matter what, all I want is a FAST secure connection I don't have to think about. Yet, I can't find a VPN that doesn't bring my public and often home networks connections to a crawl. The expected "30% drop" is BS. And none automatically find me the best servers, and in fact often I can get faster servers 5000 miles away, but I have to manually select them.

I understand it's complicated. But I have stuff to do. Seriously. Which is why I want to pay someone else to think about these things and give me a good product.

You all sales-pitch me the "fastest speeds" but then I watch as my connection up and down speeds drop to pathetic - and I have the spreadsheets to prove it.

To anyone listening I speak for the masses ... take my money and give me a decent, secure VPN connection.

And if I am just not "reading enough" to know how to get what I am looking for, then it highlights my point that there is a problem out there for the non-technical guys like me who just want security without massive compromise and hours of research.
From /u/Youknowimtheman on reddit:

When we talk about speed drops, you're going to lose ~9% just because of how the encapsulation and encryption works. You're also going to lose about 10ms on pings because the actual encrypting and decrypting takes time.

It is also important to manage expectations when we talk about privacy networks that are based on shared connections. We have had a rash of users on our service that are unhappy with our "slow" performance because their gigabit connection slows down to 190Mbit. They don't understand the nature of VPNs and that in order to keep their information private, their traffic has to be mixed with other users on a server, and these servers are running the same 1Gbit connection that they have. Yes, it is 20% of your line speed, but at the same time it is extremely fast for the market generally, and pretty much the limits of what you'll see on a server with proper user densities to protect your information.

If you're talking about a 30% drop on 10 Mbit that is significant. If you're getting a 30% drop on 200Mbit that's absolutely normal.

There's also other factors that play into VPN performance like distance from the server, which protocol they are using, etc.

In other words, you're always going to have some loss. If all factors are good, you can minimize that loss up to a limit in speed. More than 200 Mbit just isn't going to happen on a safe and private connection generally.

IPv6, from someone on reddit 6/2017:

> why do many VPN setup guides advise you to disable IPv6 ?

A lot of VPNs only handle IPv4, so on those any IPv6 traffic bypasses the VPN.

Easiest fix is to disable IPv6. Better long-term solution would be to get a VPN that properly handles IPv6.


... the main reasons are:

That's why, if you really care about security, your first concern is finding a strong VPN provider. Something like supporting IPv6 is not on most people's priority list, including your VPN provider's, except for the best-in-class ones that at least prevent leaks at the client no matter which IP protocol they use.


Most budget/end user VPNs only cover IPv4 traffic, and anything sent over IPv6 is ignored.


I have anecdotally seen IPv6 mess up network applications, on more than one occasion.

Apparently there are a number of ways of setting your IPv6 address, and this has been increased since IPv6 first came out. Addresses can be permanent/unvarying (for servers), but outbound client traffic by default uses a temporary address (IPv6 "privacy extensions") so you can't be tracked. Generally your address is the same on LAN and WAN ?

Campbell Simpson's "CSIRO: Most Mobile VPNs Aren't Secure"
Sven Taylor's "VPNs are Using Fake Server Locations"
Violet Blue's "Is your VPN lying to you?"
Sunday Yokubaitis on companies behind various VPN brands

If you want to host your own outbound-to-internet VPN, you shouldn't do it on your home network, because you'll still be using your home ISP. Instead, you need to have a different ISP for your VPN server. Which probably means hosting the VPN server in a cloud service.
Jim Salter's "How to build your own VPN if you're (rightfully) wary of commercial options"
Romain Dillet's "How I made my own VPN server in 15 minutes"

One reason to build your own outbound-to-internet VPN (maybe hosted on a cloud service): some public networks (in hotels or schools or fast-food places) may block access to the IP addresses of well-known commercial VPNs, but the IP address of your personal VPN won't be in their block-list.

I tried ProtonVPN free, starting 9/2017:
Torrenting not allowed when using free version.

I don't see any slow-down, but I am in Spain and mostly using USA web sites, so my speeds probably already were slightly low.

If I'm using a VPN server in another country, and do a Google search, Google changes country to France or Latvia or wherever the VPN server is. So I get results in French or Latvian or whatever.

Each time I change to a VPN server in a new country: In Windows 10, if you run the VPN and then click on the Network icon in the system tray and connect to Wi-Fi, it's possible to get connected to both the VPN and the normal Wi-Fi simultaneously. To fix this, I think you have to disconnect from both, then connect to Wi-Fi, then run the VPN.

I started using Windscribe 2/2018.

If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.

If you're abusing the VPN itself, such as sending out millions of spam emails through the VPN, don't expect a VPN or proxy company and their ISP to shield you. They may report you to law enforcement, or happily cooperate with law enforcement.

Sven Taylor's "OpenVPN vs IPsec, WireGuard, L2TP, & IKEv2 (VPN Protocols 2019)"
Sven Taylor's "WireGuard VPN: What You Need to Know" (status as of 6/2019)

Sven Taylor's "Multi-Hop VPNs for Maximum Privacy & Security (How-To Guide)"

Control which applications use the VPN: split tunneling:
Easiest way: if you're using a proprietary VPN client app that supports split tunneling, use that. But many don't support it, or support it only for certain operating systems.

Wiki "strongSwan VPN Client for Android 4+" does support split tunneling, both on basis of application and on basis of destination IP address. Define a VPN connection, highlight it, click Edit, scroll down to Split Tunneling.

Complication: Linux networking has been changing (Network Manager, systemd) over the years, so old instructions may not work any more.

One way: make a second user, run all with-VPN apps under one user and all no-VPN apps under the other user, then have different iptables rules for the two users ?
article (a bit confusing)

Another way: set default system route to no-VPN, then set some apps (those which allow custom network specifications) to use a proxy that will route to the VPN.
article1 (a bit confusing)
article2 (similar using OpenVPN)

Split tunneling on the basis of destination IP address, not application:
In Linux Network Manager's OpenVPN profile for a VPN connection, in the IPv4 and IPv6 tabs you can set "Routes" and/or enable "Use this connection only for resources on its network" ? Not sure how to set it, and if it works.

Make iptable rules to route based on destination IP address. Maybe in PREROUTING or mangle table ?

When using strongSwan/IKEv2 or Wireguard, maybe set IPsec rules to do split tunneling ?

Windscribe VPN

I started using Windscribe 2/2018, still using it 7/2020.

Free license. I installed only the Windows (VPN) part, not the Firefox (ad-blocker) part.

Limited to 10 GB per month in free version, less if you don't give an email address when you sign up. And 10 GB goes faster than you'd expect. Torrenting works.

Has a "kill switch": if the VPN connection goes down, your internet connection gets severed, instead of silently becoming non-VPN. Misleadingly, Windscribe calls this "firewall".

I'm sure some privacy-guys will say don't use Windscribe because they're a Canadian company, and 2/3 of their servers are in USA or Canada.

Seems to work well, good reviews online, turns out there are discount codes you can use to get a great deal. So I paid $41 for a Lifetime Pro subscription, unlimited devices, unlimited usage.

Installed it on my Android 6 phone, works okay. Apparently you're supposed to mark your home network as "untrusted", so that Windscribe automatically reconnects if connection drops and comes back ? I guess the theory is that you don't need VPN on a "trusted" network ?

But later, Windscribe kept failing to re-connect after Wi-Fi went down and back up. Changed to use strongSwan app and IKEv2 protocol, instead of Windscribe's app.
Windscribe's "IKEv2 Profile Generator"
Saved credentials in my password manager.
Someone else said you can do same with "OpenVPN for Android" app. strongSwan with IKEv2 is better at reconnecting than Windscribe client was, but maybe not 100%. Go to (System) Settings / More / VPN / strongSwan VPN Client, or "...", but no way to select "always-on" or any kill-switch, probably because I'm using Android 6.
Open strongSwan app and highlight the VPN connection and click on Edit, see lots of settings, enable two settings "Block IPv* traffic not destined for the VPN".
Wiki "strongSwan VPN Client for Android 4+"

I've done some occasional speed tests using my cheapo Dell laptop, Windows 10, Firefox, Vodafone fiber internet in Spain, VPN server in Spain or France. I'd say I see a performance penalty of 0 to 20% when using the VPN.

A few sites behave badly if I use Windscribe:
Have to use a USA Windscribe server to use PayPal USA.
If I'm using Windscribe, Ryanair won't let me log in.
If I'm using a non-USA Windscribe server, TaxAct Online won't let me log in.

I was able to connect from my location in Spain, to a Windscribe server in USA, and then to a streaming web site, and stream a football (soccer) game in Spain, although the window was only 640x480, I think.

There are several ways to install Windscribe client on Windows:

There is a special setup procedure for uTorrent application: Windscribe's "uTorrent Setup Guide". But you're still protected if you don't do that.

Windscribe client can be installed in a router: see "Windscribe for Your Router" section of Windscribe's "Setup Guides". Only one Windscribe server can be listed, so if that one goes away, no internet. Windscribe firewall runs in the client OS, not the router. If connection to server drops, what happens depends on your router firmware, nothing to do with Windscribe.

If you run Windscribe in the router and nothing at all in the clients, all traffic does go over the VPN.

People online say that in iOS (Apple), the "firewall" doesn't work, because of the architecture of iOS. What functionality is lost ?

I changed my laptop to Linux Mint 19, and installed Windscribe client Beta on it. If I try to turn on Linux firewall, the two firewalls fight each other, apparently. Windscribe Support says use one or the other. Support also says:
"There is currently no way to add rules to the Windscribe Firewall unfortunately. It either blocks everything that isn't coming from the VPN IP or it allows any connections to your direct IP. On and off. The only rule that we have built-in as an option is to allow LAN traffic so you can have the Firewall on and still connect to devices on your location network."
And then they said:
"The Windscribe Firewall is the Linux Firewall. The Windscribe CLI is using IPtables. Windscribe makes a rule to block everything that isn't in the VPN tunnel. The LAN traffic rule is just there if you do need it. The Firewall will block LAN traffic as well unless you don't want it to. And yes, there are instances where you'd want the Firewall to have exceptions for certain apps or services but since the Windscribe CLI is still in beta, we don't have those whitelisting options yet."

Client log file: /var/log/windscribe/windscribe.log
Also OpenVPN log file: /var/log/windscribe/ovpn_log.txt

10/2018 Windscribe announced their servers block IPs of known sources of malware, and soon their DNS's will be doing ad-blocking. The level of filtering will be adjustable.

12/2018 Found out that Windscribe VPN is blocking a domain I need; when it blocks something, it does it by mapping the domain to localhost. A user can't whitelist a domain; the user either turns all blocking down to a lower level, or files a Support ticket asking for that one domain to be whitelisted (for everyone).

3/2019: They confirmed that their DNS's use DNSSEC to talk to other DNS's. Later someone on reddit said "DNSSEC is not required when IKEv2 is secured by SSL certificates (Let's Encrypt). It's only required when you are distributing the certificates via DNS itself."

7/2019: Found that their filter/firewall "Robert" supports redirecting (spoofing) domains. This is dangerous, if someone gets into your account.

3/2020: stopped working through Windscribe, because of some changes Windscribe made. Work-around: in Windscribe account, set "Unblock Streaming" to "off".

About using Windscribe client instead of OpenVPN client, on Linux, from someone on reddit: "The advantages for the Windscribe client are the firewall, you don't need to set up the openvpn certs (you can just pick any location), you can connect to the best location with windscribe connect best, and you can change the port/protocols easier."

Configuring Windscribe with Network Manager on Linux (guide)

1/2020: Changed my Linux Mint 19 system to stop using proprietary Windscribe client, and use strongSwan / IKEv2 / IPsec client instead.

Alternative architectures:
I think you have your choice of these stacks (from oldest to newest):

Windscribe's "IKEv2 Profile Generator"
Saved credentials in my password manager.

"The IKE protocol uses UDP packets and UDP port 500."
Open-source implementations of IKEv2 include: OpenIKEv2, Openswan, and strongSwan.
It's less feasible for a network admin to block OpenVPN (which uses HTTPS port 443) than to block IKEv2 (which uses UDP port 500).

I tried things a bit out of order, got things mixed together, hope I've sorted out things properly in the following sections:

IPsec config method:

Mostly following first half of /u/nosmokingbandit's "Using IKEv2 on Linux":
sudo windscribe stop
sudo systemctl stop openvpn
sudo systemctl disable openvpn

sudo apt install strongswan-starter libstrongswan-extra-plugins libcharon-extra-plugins

sudo xed /etc/ipsec.conf
# and add:
conn windscribe-es      # name I picked
  dpdaction=restart     # restart if connection drops
  dpddelay=300s          # how often to send packet to do Dead Peer Detection
  keyingtries=%forever      # keep trying to connect, forever
  eap_identity=MYUSERNAME   # username from
  right=   # address from ping
  auto=start            # start at system boot; if not, set to "add"
# man ipsec.conf

sudo xed /etc/strongswan.d/charon/kernel-netlink.conf
# and after line "# mtu = 0" add:
mtu = 1300
# use "tracepath" to see how hops in a route might be changing MTU

sudo xed /etc/ipsec.secrets
# and add (with the spaces exactly in the places shown):

# check that this directory is empty:
ls /etc/ipsec.d/cacerts

# then make IPsec just use the OS certificates:
rmdir /etc/ipsec.d/cacerts
ln -s /etc/ssl/certs /etc/ipsec.d/cacerts

# Edit /etc/resolvconf/resolv.conf.d/tail to contain (first line is a comment):
# following is from /etc/resolvconf/resolv.conf.d/tail
nameserver       # OpenDNS
# If you wanted to remove other lines, maybe
# edit /etc/NetworkManager/NetworkManager.conf and add "dns=none" in [main] section

sudo ipsec restart
sudo ipsec up windscribe-es     # or whatever connection name you picked
# see message "connection 'windscribe-es' established successfully"

# to switch from one connection to another, take old one down before putting new one up:
sudo ipsec down windscribe-es     # or whatever connection name you picked
sudo ipsec up windscribe-usa     # or whatever connection name you picked

cd /tmp && rm -f ip && wget -q && cat ip && rm -f ip
# or
curl --get && echo
# and you should see an address in same subnet as the "right=" address you used
# probably 89.238.178.n
# see if it's similar

# run leak tests such as and
# tests passed, for me

# Tried unplugging from Ethernet, waiting a minute or two, plugging back in.
# Checked IP address and saw ISP's address not VPN address.
# Waited 10-15 seconds (dpddelay), checked IP address and ran leak tests again,
# all is well, system is connected to VPN again.

# But: there is a time-window where the VPN is not being used, and traffic
# still can go out.  Not sure if same would happen if you're using VPN
# and Windscribe server crashes for some reason.  How to stop this ?
# Need a "kill switch".
# Need to create another connection with "type=drop" ???
# ipsec _updown script ?
# need to install swanctl (see section below)

# from Windscribe Support: to make a "kill switch", create iptables
# rule to DROP all packets that are not UDP on 500+4500 (ports IPsec uses)
# so I created a file with (simplified) these commands:
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --match multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A INPUT -d -j ACCEPT
iptables -A INPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P OUTPUT ACCEPT   # want to change to DROP, but keep getting DNS traffic
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A OUTPUT -p udp --match multiport --dports 500,4500 -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
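The kill switch described in the Tin Hat post earlier and the iptables rules Windscribe Support suggested above, carried through as an added example that is not from the original page, from Windscribe or from the Tin Hat. It generates the rule set rather than applying it, so it can be read and checked first. Assumptions of the example: the policy-based IPsec setup the ipsec.conf above uses (so outbound packets that will be encrypted are matched with iptables' "-m policy --pol ipsec" rather than by address), the server address 203.0.113.10 as a placeholder for the "right=" value, and an optional LAN subnet. Because the in-tunnel traffic is matched by IPsec policy, the OUTPUT policy can be DROP: a DNS query to the VPN's resolver goes through the tunnel and matches, while a query to the ISP's resolver does not match and is dropped instead of leaking, which was the reason OUTPUT had to stay ACCEPT above.

```shell
#!/bin/sh
# Added example, not from the original page or from Windscribe Support.
# Renders an IPsec/IKEv2 "kill switch" rule set: default-deny in both directions,
# allow only IKE/NAT-T to the one VPN server, and allow traffic that the kernel
# will carry inside the IPsec tunnel.  Nothing is applied until you pipe the
# output into a root shell.

# render_killswitch SERVER_IP [LAN_SUBNET]
#   SERVER_IP  : the "right=" address of your ipsec.conf connection
#   LAN_SUBNET : optional, e.g. 192.168.1.0/24, to keep printers/NAS reachable
#                (this is a deliberate hole; omit it on networks you don't trust)
render_killswitch() {
    srv=$1
    lan=${2:-}
    cat <<EOF
# default deny; flush rules first so the set is reproducible
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback and replies to already-accepted flows
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE (500) and NAT-T ESP-in-UDP (4500) only to/from the VPN server itself,
# not to any host that happens to use those ports
iptables -A OUTPUT -d $srv -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -s $srv -p udp -m multiport --sports 500,4500 -j ACCEPT
# packets the kernel will encrypt into the tunnel pass OUTPUT once in clear,
# before encapsulation; match them by IPsec policy instead of by address.
# DNS to the VPN's resolver matches here; DNS to the ISP's resolver does not,
# so it is dropped rather than leaking while the tunnel is down.
iptables -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
EOF
    if [ -n "$lan" ]; then
        cat <<EOF
# optional LAN exception (traffic to the local subnet bypasses the tunnel)
iptables -A OUTPUT -d $lan -j ACCEPT
iptables -A INPUT -s $lan -j ACCEPT
EOF
    fi
    cat <<EOF
# there is no IPv6 tunnel here, so drop all IPv6 rather than let it bypass the VPN
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

# apply_killswitch SERVER_IP [LAN_SUBNET]: needs root; run it from a local console,
# not over SSH, because the default-deny policy will cut a remote session.
apply_killswitch() {
    render_killswitch "$@" | sh
}

# Constructed placeholder values (203.0.113.0/24 is reserved for documentation):
#   render_killswitch 203.0.113.10 192.168.1.0/24
```

To check that the switch really closes, bring the tunnel down with "sudo ipsec down windscribe-es" and confirm that the IP-address check and DNS lookups above now fail instead of showing the ISP's address.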

sudo ipsec statusall
sudo journalctl | grep Windscribe
sudo journalctl | grep charon

# There is a HUGE amount of logging in the journal by Charon and IPsec
man strongswan.conf   # see LOGGER CONFIGURATION section
sudo xed /etc/strongswan.d/charon-logging.conf
# in syslog section, add line:
    default = 0
# rebooted
# but that doesn't seem to have done much, removed it and tried:
man ipsec.conf    # parameter "charondebug"
sudo xed /etc/ipsec.conf
# and in section "config setup" add:
charondebug = dmn 1, mgr 1, ike -1, chd 0, job 0, cfg 0, knl 0, net -1, asn 0, enc -1, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0

# COULD do this, I haven't done it:  in ipsec.conf connection section:
leftfirewall=yes  # disables use of iptables once VPN is connected ?

# Wanted to make a connection to disable the VPN so I can use some site that
# won't tolerate a VPN.  Couldn't get the new connection to work.
# But (with DNS addition in /etc/resolvconf/resolv.conf.d/tail), just
# taking down the Windscribe connection (and resetting iptables) is enough;
# don't need this connection definition (which doesn't work anyway).
sudo xed /etc/ipsec.conf
# and add:
conn no-vpn      # name I picked
    rightsubnet=        # also tried %any
#    auto=route
sudo xed /etc/swanctl/swanctl.conf
# and add:
connections {
    no-vpn {
        remote_addrs =
        children {
            passthrough-1 {
                local_ts = %any
                remote_ts = %any
                mode = pass
            }
        }
    }
}


strongSwan config method:

apt install strongswan-swanctl

# charon daemon probably is running already, but check:
sudo ps -ax | grep charon
# if not:
sudo /usr/libexec/ipsec/charon

sudo systemctl enable strongswan.service
systemctl status strongswan

# list connections
sudo swanctl -L

man swanctl
man swanctl.conf      # /etc/swanctl/swanctl.conf
man strongswan.conf   # /etc/strongswan.conf and /etc/strongswan.d/*

Main config file is /etc/strongswan.conf, but make any changes in /etc/strongswan.d/*
After any configuration change, do "systemctl restart strongswan" and "sudo ipsec restart".

"strongSwan is basically a keying daemon, which uses the Internet Key Exchange protocols (IKEv1 and IKEv2) to establish security associations (SA) between two peers." Charon is a keying daemon that implements the IKEv2 protocol for strongSwan.
"The actual IPsec traffic is not handled by strongSwan but instead by the network and IPsec stack of the operating system kernel."
Introduction to strongSwan

strongSwan through Network Manager method:

Tried installing from Mint's Software Manager ("strongSwan IPsec VPN solution metapackage" and "strongSwan-nm"), didn't work. Tried other things, no luck.

"sudo apt-get install network-manager-openvpn-gnome"
"apt install strongswan" and "apt install network-manager-strongswan" and "apt install strongswan-charon" and "apt install libcharon-extra-plugins". Click network icon in system tray, Network Settings, Network Proxy, "+", get "Add VPN" dialog, choose "strongSwan", get another "Add VPN" dialog where you specify details. If you have a username and password, set "Authentication" to "EAP". Specify username, but there's no way to specify password ? Click "Add" button. Dialog closes and back to "Network" window. Select the VPN you just created and click "On". But fails to connect, every time.

4/2020: installed Linux Ubuntu 20:

Went to Settings / Network / Wired.
Clicked "+" next to VPN.
Types offered are OpenVPN and PPTP and "Add from file".

sudo apt install strongswan network-manager-strongswan libcharon-extra-plugins
Now have another choice "IPsec/IKEv2 (strongSwan)" in there.

Tip: In Network Manager, keep connection profile names descriptive and short, so they appear well in the desktop menu. E.g. "Winds-Open-NYC" instead of "Windscribe-OpenVPN-NewYorkCity".

Create an IKEv2 connection:

Gateway address: the IP address that ping reports for the server hostname.
Authentication = EAP.
Username from Windscribe.
Enable "Request an inner IP address".
Enable "Enforce UDP encapsulation".
Click "Add" button.
Copy password into clipboard.
Move slider to enable VPN.
Paste password into dialog.

Password is NOT remembered once the IKEv2 connection profile is set; you have to type it in each time you connect.

Connection is unreliable for some sites.
sudo gedit /etc/strongswan.d/charon/kernel-netlink.conf
# and after line "# mtu = 0" add:
mtu = 1300
# then reboot
# that helped a bit, but still not 100%


Logged into Windscribe account and got (contains ca.crt and ta.key files) and Windscribe-*.ovpn files and username and password.
Move the ca.crt and ta.key files to somewhere permanent; Network Manager seems not to keep its own copies of them.

sudo apt-get install network-manager-vpnc   # doubt this is needed

Go to Settings / Network / Wired.
Click "+" next to VPN.
Click "Add from file".
Select the Windscribe-*.ovpn file.
See dialog; Gateway field should be populated, Authentication type = Password.
Type in username and password.
CA certificate field should be a .pem file.
Click Advanced.
Under General tab: enable "Randomize remote hosts".
Click TLS Authentication tab.
Under "Additional TLS authentication ..." should be Mode = TLS-Auth, Key-file = ta.key, Key Direction = 1, Extra certificates = ca.crt.
Click Okay.
Click Add.

Move slider to enable VPN.
In upper-right of desktop, see white rectangle "VPN" appear !
Do browser leak-tests.

After reboot, OS does not reconnect to VPN automatically.
Do "sudo nm-connection-editor" to set that.
Now after reboot, OS does not reconnect to wired ethernet automatically (!), but when you manually turn on wired ethernet, it WILL reconnect to VPN automatically.
Behavior is different for Wi-Fi ? Will connect to Wi-Fi automatically, but won't reconnect to VPN automatically ? Not sure.

Later, Windscribe sent me some configuration files, one per VPN server. They're .txt files that each have a complete Network Manager (or is it OpenVPN ?) VPN definition in them. [They're OpenVPN "unified connection profile" files, sometimes named with .ovpn extension; see OpenVPN's "Connection Profile creation".]
Do Settings / Network / VPN + / Import from file, give it one of these files, type in your username and password, done.
[nm-connection-editor will export a VPN connection to a file, but only for OpenVPN connections.]

Password is remembered once the OpenVPN connection profile is set; don't have to type it in each time.

To see connections: "nmcli". Also "nmcli general status".
To get GUI version for bug-reporting: "NetworkManager --version".
"ls /etc/NetworkManager/system-connections"

Note: Network Manager is a component: NetworkManager / issues

Same issue with all types of VPN: when boot system, wired ethernet will be off. Have to turn it on before VPN's "connect automatically" setting works.

WireGuard with Linux Ubuntu 20.04:

[Caution: later heard from someone on reddit who installed WireGuard into Mint 19 (probably 19.3) and something destroyed all his network interfaces, he had to re-install the system.]

I don't have a VPN service that supports WireGuard yet. Just curious.

sudo apt install wireguard
sudo modprobe wireguard
lsmod | grep wireguard
sudo ls /etc/wireguard

# 5/2020: I think no Network Manager GUI support yet;
# can't click "+" to create a WireGuard connection profile

nmcli connection add type wireguard ifname wg0 con-name Winds-WireG-Spain
# profile doesn't appear in Network Manager GUI
nmcli --overview connection show Winds-WireG-Spain

Thomas Haller's "WireGuard in NetworkManager"
psyhomb / wireguard-tools

Windscribe's "Introducing WireGuard"


A proxy just redirects your traffic, making it come out from a different computer with a different IP address. It doesn't add any encryption.

Proxies have most of the same drawbacks as VPNs (added point of failure, some sites may not allow, have to trust provider, etc), but the performance penalty for a proxy should be much less than that for a VPN.
's "What proxy servers are and how they differ from VPNs"
Jason Fitzpatrick's "What's the Difference Between a VPN and a Proxy?"

Hide My Ass! (free proxy server)
search for Firefox proxy add-ons

Router And Modem

Parts of a router/modem:
These parts may be packaged into two devices (modem and router) or one device (router/modem).

How routing works:

Basically, two key layers, with their associated address forms:
[Simplified, and assume a simple flat LAN, and client has single network interface:]
  1. In your computer, your browser forms an HTTP request and gives it to TCP layer, saying: "send to IP address N.N.N.N".
    [Ignore how (DNS) a web-address is looked up to find IP address.]

  2. TCP layer forms a TCP packet: TCP header followed by data (the HTTP request). The TCP header contains port numbers and flags and other info.

  3. TCP layer gives TCP packet to IP layer, saying "send to IP address N.N.N.N".

  4. IP layer forms an IP packet: IP header followed by data (the TCP packet). The IP header contains the IP addresses and other info.

  5. The IP layer does a check of destination IP address N.N.N.N:

    • If special address such as localhost (127.0.0.n), the traffic is handled internally by software.

    • If source and destination IP addresses are on the same subnet (destination is in the LAN), the IP address should be found in the ARP table, and it gives MAC address DD:DD:DD:DD:DD:DD for the destination.

    • Otherwise, the IP layer picks destination MAC address RR:RR:RR:RR:RR:RR (the router).
      [This mapping was established earlier by ARP mapping "gateway" IP address to MAC address.]

  6. IP layer gives IP packet to link layer, saying "send to MAC address" (DD:DD:DD:DD:DD:DD or RR:RR:RR:RR:RR:RR).

  7. Link layer adds its own header. Then packet goes across the LAN (Ethernet or Wi-Fi) from MAC address CC:CC:CC:CC:CC:CC (your computer) to destination MAC address. At other end, link layer strips off the link header.

  8. If the destination was the router:

    • The IP layer in the router does a lookup of IP address N.N.N.N in rules for IP address ranges. In simplest case, only rule is "send everything out to WAN". But there could be firewall rules, segmented LAN, etc. And DHCP table here serves as backstop for source machine's ARP table ?

    • If the destination IP address is outside your LAN (on public internet), the lookup finds that packets to IP addresses in that range should be sent to the device at MAC address II:II:II:II:II:II (the ISP's router).

    • Packet goes out (through a link layer again) through the modem to MAC address II:II:II:II:II:II.
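Step 5 above is a decision the IP layer makes on every packet. As an added example (not from the page), here is that decision in POSIX sh for IPv4: loopback is handled locally, a destination inside the local prefix is sent straight to its own MAC (learned via ARP), and anything else goes to the gateway's MAC. The addresses in the comments are constructed from the documentation and private ranges.

```shell
#!/bin/sh
# Added example: the next-hop decision of step 5, for IPv4.

# Dotted-quad -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Netmask (as an integer) for a prefix length 0..32.
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Succeeds when $1 and $2 are in the same /$3 network.
same_subnet() {
    m=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# next_hop DEST SRC PREFIX GATEWAY prints where the IP layer sends the packet:
#   "local"        loopback (127.0.0.0/8), handled in software
#   "direct DEST"  same subnet: ARP for DEST's MAC and send it on the LAN
#   "gateway GW"   anywhere else: send to the router's MAC (ARP for GW)
next_hop() {
    dst="$1"; src="$2"; plen="$3"; gw="$4"
    if same_subnet "$dst" 127.0.0.0 8; then
        echo "local"
    elif same_subnet "$dst" "$src" "$plen"; then
        echo "direct $dst"
    else
        echo "gateway $gw"
    fi
}

# e.g. next_hop 203.0.113.5 192.168.1.10 24 192.168.1.1  -> gateway 192.168.1.1
```

Note that the decision uses only the local prefix length and the gateway from DHCP; the router repeats the same kind of lookup against its own table (step 8), which is why a wrong netmask on the client shows up as "can reach the router but nothing beyond it".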

General functional block diagram:

  [Block diagram flattened by extraction; the boxes' captions, top to bottom:]
  • WAN connection (fiber, cable, phone line)
  • (many LAN devices share one public IP address)
  • (filter traffic to prevent attacks)
  • (DHCP to assign LAN addresses; map IP addresses to external/Ethernet/Wi-Fi)
  • LAN Ethernet ports (devices connected via Ethernet)   Wireless Access Point (devices connected via Wi-Fi)

Typical configurations:
Implications: From someone on reddit 7/2019:
You should have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.

If you have separate modem and router, plugging your PC directly into the modem for troubleshooting or something is a bad idea. You expose your PC directly to the internet and lose any protections implemented in the router.

Router operating systems:
OPNSense is derived from pfSense. OPNSense is more community-oriented; pfSense is more enterprise-oriented and more stability-oriented. Instructions/answers/support for pfSense mostly apply to OPNSense too.

Nick Congleton's "DD-WRT vs. Tomato vs. OpenWrt: Which Router Firmware Is the Best?"

Desirable router features:

Features that seem unimportant to me: parental controls, dual-band, built-in anti-malware, MU-MIMO, smartphone app to control router, Quality of Service (QoS) or Wi-Fi Multimedia traffic controls, mesh networking, USB port to make a NAS. Your priorities may be different.

Heard this, not sure if it's standard terminology/functionality: a device on a VLAN can talk to any other device on same VLAN, and to internet; a device on a guest network can only talk to internet.

Turris MOX (open-source router)

Ethan Robish's "Home Network Design - Part 1"

Michael Horowitz's "Router Security"
Michael Horowitz's "Using VLANs for Network Isolation"

Sean Gallagher's "InvizBox 2 redefines what 'privacy' routers can do"

Router features you probably want to turn off:

Fixed IP address assignment on home LAN, from discussion on reddit:


A firewall lets you control what kinds of traffic flow in and out of your network.

Some types:

Wikipedia's "Firewall (computing)"
Palo Alto Network's "What Is a Firewall?"
Cisco's "What Is a Firewall?"
Chris Hoffman's "Do I Need a Firewall if I Have a Router?"

A firewall could be:

Torrent Seedbox

A Seedbox is a torrent client on a cloud/server computer. All torrents go to that server, then you FTP from that server to your computer. So if your ISP doesn't allow torrenting, or you're downloading copyrighted material, this evades those problems.

Seedbox Guide's "What is a seedbox?"

DNS (Domain Name Service)

DNS is how domain names such as "" are resolved into IP addresses such as "".

Most likely, your computer is using either Google's Public DNS ( or, or a DNS run by the ISP or VPN you are using, or is set to find a DNS automatically (which probably means: DNS run by the ISP or VPN).

To find out what DNS you are using:

A few other settings are shown by Cloudflare's "Browsing Experience Security Check".

Test both with VPN on and with VPN off. There WILL be times you need to turn the VPN off to access some site.

The DNS can see what sites (domains) you are connecting to, but not which pages or URLs or searches you are doing on those sites.

What to use:

How to set DNS for the case when VPN is off:

I'm surprised that I couldn't get ANY of this to work !!!

  1. Turn off VPN.

  2. Run to see what DNS server is being used.

  3. In router:
    1. Login to router's admin page.
    2. You may have to set "expert mode".
    3. Look for any DNS settings.
    4. My Vodafone router only has a "Secure DNS" setting. The text for this implies that it overrides DNS settings in individual devices, but I'm not sure. Turning it off did not let me specify a DNS server address. Turning it off did not make Linux use its own DNS settings. Power-cycling router didn't help.
    Tim Fisher's "How to Change DNS Servers on Most Popular Routers"

  4. Run to see what DNS server is being used.

  5. In Linux Ubuntu/Mint:
    1. Click on network icon in system tray and choose "Network Settings".
    2. Click on the network interface (Wi-Fi or Wired).
    3. Click on "gear" icon in lower-right.
    4. Click on "IPv4".
    5. In the "DNS - Server" field, put the value you want, such as "".
    6. Set the "DNS - Automatic" switch to "off".
    7. Click on "Apply".
    8. Close "Network Settings" app.
    9. Click on network icon in system tray and turn the network interface (Wi-Fi or Wired) off and then back on.
    10. Reboot.
    11. Didn't work, still using ISP's DNS.
    12. Later set DNS on other network interface, and got different results ? Have to do both same way ?
    Another try:
    1. Edit "/etc/network/interfaces" as root, add line "dns-nameservers".
    2. Run "cat /etc/resolv.conf"
    3. Reboot.
    4. Run "cat /etc/resolv.conf", now new line appears in it.
    5. Didn't work, still using ISP's DNS.
    Ended up worse than before: now, with VPN on, I'm getting a DNS leak to Removed the line from /etc/network/interfaces and rebooted, that fixed it.

    Maybe should remove "nameserver 127..." line from /etc/resolv.conf somehow ?

  6. In Windows:
    1. ???
    Mauro Huculak's "How to configure Cloudflare's DNS service on Windows 10 or your router"

  7. In Android:
    1. Turn off VPN.
    2. XSLab's "How to Change DNS Settings on Android" or Xtremerain's "How to Change DNS Settings on Android Devices (WiFi and Cellular)"
    3. Followed the "long-press on Wi-Fi network" instructions, everything fine except you really have to specify static addresses for phone (maybe and router/gateway (maybe

  8. Run to see what DNS server is being used.

  9. In Firefox:
    1. Click on hamburger icon / Preferences.
    2. Click on General.
    3. Scroll to bottom, click on Network Settings.
    4. In "Configure Proxy Access to the Internet", click on "No Proxy".
    5. Scroll to bottom, click on "Enable DNS over HTTPS", set "Use Provider" to desired value.
    6. Didn't work, now getting DNS requests from both the provider I chose AND from my ISP's DNS. One request from provider, plus N from ISP's DNS. Could be that first is for the main page and then others are for images/scripts on the page ?

  10. In Chrome / Chromium:
    1. ???

  11. Run to see what DNS server is being used.

  12. Turn VPN back on.

  13. Run to see what DNS server is being used.
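Much of the confusion in the steps above comes from /etc/resolv.conf naming a local stub resolver rather than the server that actually answers queries. The following is an added example, not the page's own code: it reads the nameservers from a resolv.conf-style file, flags loopback stubs, and, for a stub, lists the upstream servers from "resolvectl status" output. Assumptions: an Ubuntu 18.04+/Mint 19-era system running systemd-resolved (whose stub is 127.0.0.53; older releases spell the command "systemd-resolve --status"); both samples below are constructed, not captured from a real machine, and the resolvectl layout is approximated from memory.

```shell
#!/bin/sh
# Added example: which DNS server does this Linux box really use?

# Constructed sample of /etc/resolv.conf on a systemd-resolved system.
SAMPLE_RESOLV_CONF='nameserver 127.0.0.53
options edns0
search lan'

# Constructed (approximate) sample of "resolvectl status" output.
SAMPLE_RESOLVECTL='Global
       LLMNR setting: no
Link 2 (enp3s0)
      Current Scopes: DNS
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1
                      1.1.1.1'

# Addresses on "nameserver" lines of a resolv.conf-style file ($1).
resolvconf_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeeds for a loopback stub (systemd-resolved 127.0.0.53, dnsmasq 127.0.1.1).
# A stub forwards queries, so it is not the server that sees them.
is_loopback_stub() {
    case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

# Parse "resolvectl status" text on stdin; print "<link> <server>" per upstream,
# including servers on the indented continuation lines after "DNS Servers:".
resolvectl_upstreams() {
    awk '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); in_list = 0; next }
        /^Global/          { link = "global"; in_list = 0; next }
        /DNS Servers:/     { sub(/.*DNS Servers:[ \t]*/, "")
                             for (i = 1; i <= NF; i++) print link, $i
                             in_list = 1; next }
        in_list && /^[ \t]+[0-9A-Fa-f.:]+[ \t]*$/ { print link, $1; next }
        { in_list = 0 }'
}

# For each resolv.conf nameserver ($1), say whether it is a real upstream or a
# stub; for a stub, list what it forwards to, from a saved resolvectl dump ($2).
effective_dns() {
    resolv="$1"; status="$2"
    resolvconf_nameservers "$resolv" | while read -r ns; do
        if is_loopback_stub "$ns"; then
            echo "stub $ns forwards to:"
            if [ -n "$status" ]; then
                resolvectl_upstreams < "$status" | sed 's/^/    /'
            fi
        else
            echo "upstream $ns"
        fi
    done
}

# On a live system:
#   resolvectl status > /tmp/rs.txt && effective_dns /etc/resolv.conf /tmp/rs.txt
```

This is why editing /etc/resolv.conf or adding "dns-nameservers" lines as tried above has little effect on such a system: the file is generated, the only entry is the stub, and the upstream list lives in systemd-resolved's per-link configuration (fed by NetworkManager), which is what a DNS leak test sees.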

If you're using a VPN or proxy or Tor to hide your normal traffic from your ISP or someone spying on your network, yet your DNS traffic is NOT going through the VPN etc, this is called a "DNS leak". A web page may be able to use JavaScript to find out your real IP address, even though you're using a VPN etc.
Wikipedia's "DNS leak"
DNS leak test
Anonymster's "VPN Free DNS Leak Test & DNS Leak Protection"
Bill Hess's "What Is a DNS Leak And How To Fix It"

Nykolas Z's "DNS Security and Privacy - Choosing the right provider"
Mike Williams' "Best free and public DNS servers in 2020"

Some good reasons to use Google's Public DNS:
Joseph Caudle's "Why and How to Use Google's Public DNS"
Vijay Prabhu's "How to Change Your Default DNS to Google DNS for Fast Internet Speeds"

Choosing a DNS by speed:
Remah's "How to Find the Best DNS Server"
Chris Titus's "How to choose DNS Server by benchmarking them"
Chris Frost's "Clearing the DNS Cache on Computers and Web Browsers"

My computer (running Windows 10) was set to "find DNS automatically", which meant it was using the DNS run by my ISP. I ran namebench several times, and results varied, but generally the DNS run by my ISP was fastest or among the fastest. So I left my computer set to "find DNS automatically".

From someone on reddit:
"some routers ignore individual device settings, so if that's the case you have to change the DNS settings on your router to whatever server you want to use"

There are various flavors of encrypted connection to DNS, it's confusing:

Test with: and Cloudflare's "Browsing Experience Security Check".

Sean Gallagher's "How to keep your ISP's nose out of your browser history with encrypted DNS"
DNSCrypt Proxy
Domain Name System Security Extensions (DNSSEC)

OpenDNS (includes blacklist of bad sites, at the DNS server)

To check what software a DNS server is running:
"sudo apt install fpdns" and then "fpdns -D YOURDOMAIN"
"dig @NAMESERVERNAME version.bind chaos txt"
"nslookup -type=txt -class=chaos version.bind NAMESERVERNAME"

MAC Address

This is an address unique to the network access card/hardware in your device.

Your MAC address doesn't get out to the Internet. Only people/devices on the same LAN as you can see your MAC address. (That sometimes includes people sharing Wi-Fi with you.) But if you're using public or store or hotel Wi-Fi, now the operator of that network knows your MAC address, and can sell that info. It can be used to track your activity across networks and sites.

In TCP/IP, your MAC address doesn't go beyond your local network (if using a router) or your ISP (if using only a modem). It would be possible for an app on your computer/phone to grab the MAC address and send it out in some custom way.

Change your MAC address:
Mac Makeup
Technitium MAC Address Changer (Windows only)
Linux Geekster's "3 Ways to change the MAC address in Linux and Unix"
OSTechNix's "How to change MAC address in Linux"

Certificates in the browser

What are the security and privacy implications of these ?

Some questionable certs may appear under "Authorities": a couple from China, DigiNotar. Various CA's have been hacked from time to time. Firefox is in process of removing trust for Symantec-issued certs.

Certs that appear under "Servers" reveal a little bit about your browsing history: they may show what domains you've visited.

As far as I know, there is no downside to removing Server certificates, and removing a few Authorities is okay too (as long as you don't remove them all).

Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"
Pieter Arntz's "When you shouldn't trust a trusted root certificate"
Hanno Bock's "Check for bad certs from Komodia / Superfish"

Will any of the browsers report "hey, a new certificate was installed since last time the browser was running" ? I think they should.

Will any of the browsers report "hey, one of your personal certificates is about to expire" ? I think they should. I can't find any Firefox or Chrome extension that does this.

As far as I can tell, Firefox and Chrome give no API for an extension to access installed certificates.

Can browser use certs installed into central OS store ?
Apparently Chrome and Edge can, and Firefox on Windows and MacOS can be configured to do so.
Mozilla's "Expanding Client Certificates in Firefox 75"

Where are certs stored ?
ls /etc/ipsec.d/cacerts
ls /usr/share/ca-certificates
ls /usr/share/ca-certificates/mozilla
ls /etc/pki
ls -l /usr/local/share/ca-certificates
ls -l ~/.mozilla/firefox/*.default-release/cert*
locate .pem   # finds files everywhere
sudo ls -l /etc/ssl/private   # key files

# Symlinks to cert files in other dirs.
# Updated by running "update-ca-certificates".
ls /etc/ssl/certs

# To get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' </etc/ssl/certs/ca-certificates.crt

# List all certs in system and display issuer and expiration date:
locate .pem | grep "\.pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}

# man openssl-x509
# check for certs expired or due to expire in next month (30*24*60*60 == 2592000 seconds)
for f in /etc/ssl/certs/*.pem; do
	# -checkend exits non-zero if the cert will have expired by then
	if ! openssl x509 -checkend 2592000 -noout -in "$f" >/dev/null; then
		openssl x509 -issuer -enddate -noout -in "$f"
	fi
done
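The loop above checks one certificate per file, but the system bundle /etc/ssl/certs/ca-certificates.crt holds many certificates in one file, and the awk trick earlier only prints subjects. As an added example (not the page's own code), the script below splits a bundle into its certificates and reports each one that is already expired or expires within N days, using only sh, awk and openssl. Paths and the day count are placeholders.

```shell
#!/bin/sh
# Added example: expiry report for every certificate in a PEM bundle.

# Split a PEM bundle ($1) into one file per certificate inside directory $2.
# Prints the number of certificates found.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$1"
}

# One-line description of a certificate file: "<notAfter> | <subject>".
cert_summary() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    printf '%s | %s\n' "$end" "$subj"
}

# Report certificates in bundle $1 that expire within $2 days (default 30).
# Output lines: "EXPIRED <notAfter> | <subject>" or "EXPIRING <notAfter> | <subject>".
# A summary "checked=N flagged=M" goes to stderr.
check_bundle_expiry() {
    bundle="$1"; days="${2:-30}"
    horizon=$((days * 86400))
    work=$(mktemp -d) || return 2
    total=$(split_pem_bundle "$bundle" "$work")
    flagged=0
    for cert in "$work"/cert-*.pem; do
        [ -e "$cert" ] || continue
        # -checkend N fails when the cert will have expired N seconds from now.
        if ! openssl x509 -checkend "$horizon" -noout -in "$cert" >/dev/null 2>&1; then
            # -checkend 0 still succeeds for a cert that is valid right now.
            if openssl x509 -checkend 0 -noout -in "$cert" >/dev/null 2>&1; then
                state=EXPIRING
            else
                state=EXPIRED
            fi
            printf '%s %s\n' "$state" "$(cert_summary "$cert")"
            flagged=$((flagged + 1))
        fi
    done
    rm -rf "$work"
    printf 'checked=%s flagged=%s\n' "$total" "$flagged" >&2
}

# e.g. check_bundle_expiry /etc/ssl/certs/ca-certificates.crt 30
```

An expired root in the system bundle is worth knowing about on a client, not only on a server: the failure shows up as unexplained TLS errors for every site chaining to that root, and the fix is the distribution's ca-certificates update, not a manual edit of the bundle.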

# Snap version of sqlitebrowser fails, don't use it.
sudo apt install sqlitebrowser
sqlitebrowser --help

sqlitebrowser --read-only --table nssPublic ~/.mozilla/firefox/*.default-release/cert9.db
# Personal certs are listed among the others.
# The interesting data is in a blob in column a11, I think.
# But I think this is a cache; not all certs are listed.

# man openssl-pkcs12
locate .p12 .pfx
openssl pkcs12 -in CERTNAME.p12 -out TMP.pem -nodes -clcerts
openssl x509 -issuer -enddate -checkend 2592000 -noout -in TMP.pem
rm TMP.pem

# A .pfx file has both public and private PKCS12 keys, can contain multiple certs, can be password-protected.
# A .p12 file has both public and private PKCS12 keys, can contain multiple certs, can be password-protected.
# .pfx is predecessor of .p12
# A .key file has both public and private PKCS8 keys, in either DER binary or PEM ASCII format.
# A .cer file has only public key, in either DER binary or PEM ASCII format.
# A .crt file has only public key, in either DER binary or PEM ASCII format.
# A .der file has only public key, in DER binary format.
# A .pem file has only public key, in Base-64 and with a header and footer added.
# A .ca-bundle file has only public key, what format ?
# A .pvk file has only private key.

Location Leaks

Probably we're all familiar with IP leaking, when some outside person/app gets your real IP address and usually can determine your approximate location, and if they get help from your ISP can determine your identity.

But is there "location leaking" inside the software in our computers ? Apps can query our Wi-Fi or router or ISP to get our GPS location or at least postcode ? I assume apps all can get our real IP address, even if we're using a VPN.

And yesterday, my Linux Mint 19 system installed an update which included "freedesktop" which runs a "GeoClue" location service for applications. I don't know quite what this does and how much it knows and how to turn it off (eventually I was able to uninstall it).

Any software inside our system that gets our real location or IP address potentially could leak it, accidentally or routinely or maliciously. The information might be included in crash dumps or traces in bug reports.

How do we stop this ? What other sources of location data are there inside our systems ? How do we set them all to report "none" or some fixed value of our choosing ?

Inside Android, an app can use Google Location Services API or Network Location Provider.

Inside Linux, while running a VPN and through a router, there are four kinds of IPv4 address: I haven't found a way yet that an app on my computer can get the Router's WAN address, either with VPN on or VPN off. But with VPN off, an app could talk to a server outside and ask it "what IP address am I coming from ?".

Browser is a key point for storing/providing location data. Set preferences in each browser you use. And maybe use an add-on such as Location Guard.

Inbound Traffic

From discussion on reddit 7/2019:

Normally, a router's firewall blocks all incoming traffic unless it's related to outgoing traffic. The firewall will temporarily open ports used by the outgoing traffic.

Port forwarding allows unsolicited incoming traffic to a port or range of ports through the firewall to a specific IP address in your LAN.

By opening an inbound port, you are exposing a device to unsolicited traffic from the Internet. Unless you can restrict the incoming traffic to a trusted remote address, the device may be at risk of being compromised. Open ports only when there is no option, such as gaming. Only open the necessary ports, and close them when finished. For other use cases, [carefully evaluate how much you can restrict access and what kind of authentication is being used.]


Tunneling home over an inbound VPN will give the outside client machine access to everything in your network, and apps like Hamachi work great for playing games that are only designed to work over LAN. However, inbound VPN is not suitable for services that need to be accessible by clients you don't control or clients that you don't want to have access to your whole internal network. You would not use an inbound VPN just to make a web server accessible, nor would you use an inbound VPN for most services designed to work over the Internet.


Low-security file sharing protocols like SMBv1 are only safe to use over a secure LAN and should never be exposed to the internet.


UPnP is a multi-purpose protocol. One of its functions is to enable a device to dynamically set up port forwarding on a UPnP-enabled router. This can be convenient when multiple devices (such as multiple gaming consoles) need port forwarding. The application/game must work on multiple, different ports. If it doesn't, then it's impossible for multiple consoles to work in the same network. While UPnP can be convenient, there are documented instances of security vulnerabilities associated with it.

Most people will want to set up port forwarding manually on the router or use UPnP. In most cases, it makes sense to pick one method. ... Using a combination of both will give the static rules precedence. Some people disable UPnP port forwarding entirely for security reasons, but using both doesn't create any issue. The only reason to say "I'm only using UPnP" is to avoid confusion between the static and dynamic port forwarding rules. You can use both. While it's true that UPnP is insecure by design, the convenience it offers home users is usually well worth the concerns in small networks where you manage all the devices. ... For any given application/game, you only need to use one. It's certainly possible to use static port forwarding for one application and UPnP for another.


In a home network, it's strongly recommended to have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.


Usually, you need only concern yourself with opening ports for incoming traffic. All consumer-grade routers open all ports in the outgoing direction by default, so you can generally ignore any application- or game-specific requirements to open outbound ports. You may come across some applications and games where it's not specified which direction (inbound/outbound) needs to be opened. This is really unfortunate, as you end up having to open more ports than necessary. Do be sure you open the correct protocol (UDP or TCP). If in doubt, open both.


Before you test port forwarding through your router [to a server on your LAN], make sure the application/game is running on your server. Then try connecting to it locally from another local device. ... Once you have confirmed that a local connection works, you can proceed to test port forwarding [inbound from the internet]. ...


If you run the actual application/game executable (not through a browser), maybe run it on a device that is not connected to your home network (LAN). If you have a smartphone, for example, switch from Wi-Fi to cellular Internet.

Tor Browser

Onion is a network, where the Tor browser talks to an entrance node, which talks to a middle node, which maybe talks to another middle node, which then talks to either an exit node (for normal internet traffic) or an onion web site.

It is possible to use Tor browser and onion and still not have privacy or anonymity. If you're the only person on your network using Tor, perhaps your activity can be correlated with the traffic coming out of the exit node. If you log in to a web site using your real info, that site will know who you are. If you use HTTP, the exit node and its ISP can see your traffic.
Aditya Tiwari's "Tor Anonymity: Things Not To Do While Using Tor"

Tor browser is based on Firefox ESR plus security fixes, and seems to track normal FF security fixes pretty closely.

If you're using Tor browser instead of a VPN, only the Tor browser's traffic is going through the onion network; traffic from other applications and background services does not.

People get confused because there are several configurations using onion for outbound traffic:

I say: have a VPN running 24/365, even when you're using Tor browser.

[I am talking about "Tor over VPN in a normal OS", not Tails or "VPN over Tor": connect your system to internet through a VPN, then run Tor Browser. So onion traffic comes out of Tor Browser, goes through VPN, comes out of VPN server, then goes into onion network and does multiple hops until coming out of an exit relay or getting to an onion web site.]

How your traffic looks:

Not sure this is right:
[Layered diagram flattened by extraction. Columns were: Encryption | IP address on outside (Src, Dest). Request goes down through the layers, response comes back up.]
Tor Browser:          None;  PC LAN -> Onion entry
VPN client:           PC's Wi-Fi adapter; Router's Wi-Fi adapter; Router public -> VPN Srv
VPN server:           VPN Srv -> Onion entry
Onion entry server:   VPN Srv -> Onion entry
Server OS TCP/IP:     None;  VPN Srv -> Onion web site
Onion relay code:     None;  Onion entry -> Onion relay 1
                      HTTPS; Onion relay 1 -> Onion relay 2
                      HTTPS; Onion relay 2 -> Onion relay 3
                      HTTPS; Onion relay 3 -> Onion web site
Onion web site

Use the VPN all the time, 24/365, don't turn it on and off. Some traffic, such as Tor/onion traffic, does not need the protection of the VPN, but is not hurt by use of the VPN. But even when you're using Tor, background services and apps may be doing network traffic, and you want all that traffic to be protected and not revealing your real IP address. [I'm talking about Tor Browser in a normal OS, not Tails.] And if you get in the habit of turning the VPN off and back on, at some point you will forget to turn it back on when you need it.

Some people argue that Tor IS hurt by using it through a VPN. I think their reasoning is that the VPN service is another point of risk where someone could be monitoring your traffic. It's an increase in attack surface. And a VPN company may not be bound by privacy laws as strictly as an ISP is bound (varies by country).

But is having a malicious VPN monitor your traffic any worse than having your ISP monitor it ? All a malicious VPN could see is that you're using Tor/onion. I'd rather have the VPN company know that and my ISP not know it, than the other way around. The ISP knows my real name and physical address, and the VPN doesn't. I'd rather trust my VPN than my ISP. And in either case, all I'm trusting them with is "I'm using Tor/onion". They can't see the details of the traffic. [Caveat: if you have to use the VPN's proprietary client, the calculation changes.]

Some people say "a VPN can keep logs". Sure, and so could an onion entry or exit point, or my ISP. And in the VPN or ISP cases, all the logs would show is "he did Tor/onion traffic".

A more serious issue occurs if you're using a custom VPN client on your machine. That client software sees all of your traffic, and you have to trust that it's not malicious. But if you're using HTTPS from a normal browser, or using Tor Browser, the information the VPN client can see is limited. Even a totally malicious VPN client would just see what domains you're accessing (in the case of HTTPS) or that you're using Tor (in the case of Tor Browser). And you could use an open-source standard VPN client (OpenVPN).

Some people say: instead of using a VPN, just run ALL system traffic through Tor/onion. But I don't think that is encouraged by the onion network people, especially if you're doing downloads or torrenting or VoIP. And I don't think there's an official proxy, just some unofficial projects that implement that.

As far as I can tell, the Tor Project does not say that using Tor with a VPN is necessarily bad. The Tor Project FAQ's "Is Tor like a VPN?" says "Do not use a VPN as an anonymity solution."

Tor Wiki
Tor Wiki's "TorPlusVPN"
Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"

So I think the bottom line is: Using a VPN adds slightly to the attack surface, doesn't add security to Tor, but gives the huge benefit of continuing to protect your non-Tor traffic while you're using Tor, and avoids forgetting to turn the VPN back on after you're finished using Tor.

I think you leak-test the Tor browser by using the same sites you use to test a clearnet browser. See "Testing your privacy and security" section of my "Computer Security and Privacy" page.

How can a site tell that you're using Tor Browser or onion ? The most likely way is by using a list of known onion server IP addresses. But sometimes they can tell because Tor Browser usually uses standard settings for user-agent, display-size, JavaScript, etc.
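To show the "list of known exit IPs" method from the site operator's side, here is an added example (not from the page or the Tor Project): it parses an exit list in the TorDNSEL format published at check.torproject.org/exit-addresses and classifies client IPs from it. The relays, fingerprints, IPs and log lines below are constructed, not real.

```python
"""Tell whether a client IP is a recently-seen Tor exit, using a TorDNSEL-style
exit list (the format of check.torproject.org/exit-addresses). Added example;
every relay, fingerprint and IP below is constructed, not a real relay."""
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed exit list: one record per exit relay, each with the addresses
# that relay was seen exiting from and when it was last seen doing so.
SAMPLE_EXIT_LIST = """\
ExitNode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Published 2020-09-01 10:00:00
LastStatus 2020-09-01 11:00:00
ExitAddress 203.0.113.10 2020-09-01 11:05:00
ExitAddress 203.0.113.11 2020-08-20 09:00:00
ExitNode BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Published 2020-09-01 10:30:00
LastStatus 2020-09-01 11:00:00
ExitAddress 198.51.100.7 2020-09-01 11:02:00
"""

# Reference time for the demo (constructed; a real check would use the current UTC time).
NOW = datetime(2020, 9, 1, 12, 0, 0)

def parse_exit_list(text):
    """Return {exit_ip: (relay_fingerprint, last_seen)} for every ExitAddress line."""
    exits = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint is not None:
            ip = str(ip_address(parts[1]))                  # normalise the address text
            seen = datetime.strptime(parts[2] + " " + parts[3], "%Y-%m-%d %H:%M:%S")
            exits[ip] = (fingerprint, seen)
    return exits

def classify_client(client_ip, exits, now, max_age=timedelta(hours=24)):
    """'tor-exit' if the IP was seen exiting within max_age of now, 'stale-exit'
    if it is listed but older than that, 'not-listed' otherwise."""
    entry = exits.get(str(ip_address(client_ip)))
    if entry is None:
        return "not-listed"
    _fingerprint, seen = entry
    return "tor-exit" if now - seen <= max_age else "stale-exit"

def tag_log_lines(log_lines, exits, now):
    """For web-server log lines whose first field is the client IP, return
    [(ip, verdict)] so a site can see which visits arrived via a Tor exit."""
    return [(line.split()[0], classify_client(line.split()[0], exits, now))
            for line in log_lines if line.strip()]

if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    # Constructed access-log lines (client IP first, as in the Apache/nginx combined format)
    log = ['203.0.113.10 - - [01/Sep/2020:11:30:00 +0000] "GET / HTTP/1.1" 200 512',
           '192.0.2.5 - - [01/Sep/2020:11:31:00 +0000] "GET /login HTTP/1.1" 200 900']
    for ip, verdict in tag_log_lines(log, exits, NOW):
        print(ip, verdict)
```

A stale entry is reported separately because exit lists only record when an address was last seen; an address not seen for days may have been reassigned.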

Tails (on Wikipedia) is a Linux system where all internet traffic goes through the onion network. Another is Kodachi (article). I think both are designed to be run from a USB stick, without persistence, so any changes to OS and apps etc get wiped when you shut down.

Whonix is a Linux system, usually run as virtual machines, where all internet traffic goes through the onion network.

Subgraph OS is a Linux system where all internet traffic goes through the onion network.

From someone on reddit:

When using Tails, applications have to specifically be configured to go out through Tor, which all of the standard applications that come on the image do. I wouldn't recommend installing other programs on Tails unless you really, really know what you are doing; it is possible to leak your IP address. Meaning, you can open the Unsafe Browser and see your real IP address. Even using Tails you still have to watch what you are doing, because JavaScript, or some video you download and watch etc, could leak your real IP address.

Tails is more designed for not having any physical evidence. If someone raided your house, and you were using Tails, they just have a Tails flash drive, which is the same as all the other flash drives in the world. You can have persistent storage in Tails, but that is more or less for storing files not applications.

That is the main benefit of Tails.

A Whonix instance is two different virtual machines running: the one machine you use, and the other one, which acts as the router and is connected to Tor. Given this architecture, it is almost impossible for your real IP address to leak using Whonix. The machine you use only talks to the Whonix gateway, which can only talk to Tor. So if you want to install other programs, they will go through Tor by default, since there is no other option. However, unlike Tails, you have physical evidence since your Whonix instance will retain data. Meaning if you installed some software on Whonix, it will be there when you reboot.

That being said though, you can just create a fresh Whonix instance whenever and delete the old one.

Whonix's "Anonymity Operating System Comparison"
Shanika W.'s "VPN with Tails - The Basics You Need to Know"

I tried Tails 4.1 on a USB stick 9/2020:

Says it requires a 16 GB USB stick.

Supports persistent or non-persistent operation. If you turn on persistence, it will use the space remaining after the image, up to the 8 GB boundary, as a persistent filesystem. There are two versions of Tor Browser installed, one persistent and the other not.

Couldn't figure out how to mount my LVM/LUKS hard disk partitions under Tails, not that doing so is a good idea. Clicking on the partitions in the file manager opened an "authentication" dialog, but neither of my passwords worked.
Maybe (from article1, article2):
# sudo in Tails only works if you set an administration password on the Welcome Screen at boot
apt list --installed 2>/dev/null | grep '^lvm2/'
# if not installed:
sudo apt install lvm2

lsmod | grep dm_crypt
# if not loaded:
sudo modprobe dm-crypt

# the LUKS-encrypted partition contains an LVM physical volume

# open the LUKS container (prompts for the passphrase)
sudo cryptsetup luksOpen /dev/sda6 ROOT
stat /dev/mapper/ROOT
sudo mkdir -p /mnt/ROOT

sudo mount /dev/mapper/ROOT /mnt/ROOT/
# expected to fail with "mount: unknown filesystem type 'LVM2_member'",
# because the container holds LVM metadata, not a filesystem

# activate the LVM inside it
sudo vgscan                  # find the volume group(s) on the opened container
sudo vgchange -ay VGNAME     # activate all logical volumes in that group
sudo lvdisplay
sudo lvs
ls -l /dev/VGNAME/           # suppose it has logical volumes home, root, swap

sudo mkdir -vp /mnt/VGNAME/{root,home}   # create mount points
sudo mount /dev/VGNAME/home /mnt/VGNAME/home
sudo mount /dev/VGNAME/root /mnt/VGNAME/root
df -T | grep -i VGNAME

You could use onion network to handle all traffic of your normal-OS system:

GouveaHeitor / nipe (on Linux)
Edu4rdSHL / tor-router (on Linux)
Anonsurf (on Linux)
githacktools / TorghostNG (on Linux)
SusmithKrishnan / TorGhost (on Linux)
Orbot (on Android)
Proxifier (on Windows)
Fiddler (on Windows)
Proxychains (on Windows)

BUT: onion network only handles TCP traffic, not UDP and other layer-4 protocols (SCTP, DCCP, RTP, QUIC, PPTP ?); see Tor FAQ item and Accessing the Tor Network in ProtonVPN

TorProject's "TransparentProxy"
TorProject's "TransparentProxyLeaks"
TorProject's "Isolating Proxy Concept"
TorProject's "TorifyHOWTO"

But does this mean that your Tor traffic and your other system traffic (which may reveal your identity) are going through the same Tor circuit ? That would not be a good thing. You need to set up "stream isolation" to avoid the problem.
Whonix Stream Isolation

If you don't want your ISP to see that you're using Tor Browser and onion network, you can use a "pluggable transport" in your Tor Browser to make the traffic look "normal": Tor: Pluggable Transports

Tor Browser's "Everything you wanted to know about Tor but were afraid to ask"
Andy Greenberg's "The Grand Tor: How to Go Anonymous Online"
Tor Project's "Check your Tor browser"
Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"
Matt Traudt's "About to use Tor. Any security tips?"

Onion search engines:
Torch (on clearnet)
Torch (on onion)
Tor66 (on onion)
not Evil (on onion)
Ahmia (on clearnet)
Ahmia (on onion)

Onion directories:
The Hidden Wiki (on onion) (on clearnet) (on onion)
Onion List (on clearnet)
Onion List (on onion)
Fresh Onion (lists newly-appeared onion sites)

Juan Sanchez and Garth Griffin's "Who's Afraid of the Dark? Hype Versus Reality on the Dark Web" Is a darknet site online? (but really "was valid link at some time" ?)


From discussion on reddit 8/2020:

You will hear loads of stories about how easy it is to "stumble upon" child porn [on the darknet], but the fact is that those sites usually have names like "Preteen cuties" so you know exactly what they are, and in order to access them you have to register. So you have to make a very deliberate choice to log into them. ...

As for drugs, weapons etc, there is nothing illegal about surfing them and looking around.


You don't get arrested for accidentally viewing an illegal picture on the internet. There's no reasonably easy technical way to know that you did without having access to your computer, your ISP's logs, or [and] the server hosting that picture. And to get access to any [all] of those, LE would need a warrant ... they usually focus on the big fish that actively shared or even produced illegal material. ...

It's all one internet:

Everything is using the same wires/cables/satellite/radio links, the same operating systems, the same basic protocols, the same kinds of computers/servers/phones etc.

Parts of the internet:
There is some confusion and overlap between "deep" and "dark". Some people say "dark" is a subset of "deep", but darknet has search engines and many sites with no login protection, so ... I think "special software" is a better definition for "dark".

Types of items/activities on the Darknet:

Things that do/don't work through Tor Browser 9.0.4 (1/2020):

Clearnet sites:
Some of the sites that worked did set off lots of captchas, and/or confirmation emails to a backup account, and/or emails warning of a login from an unexpected device in an unexpected country.

Onion sites:

Doing potentially illegal stuff:

DNM Buyer Bible
DNM's Buyer Bible (As of 3/22/18) (PDF)

Tor / Onion is not invulnerable:

nusenu's "How Malicious Tor Relays are Exploiting Users in 2020"

Always specify HTTPS in the URL in Tor Browser.

Tor / Onion Server

On the onion network, it's especially important to have backups and be prepared to change site hosting. Onion hosting services are more likely than clearnet services to take your site down or go out of business or just give bad service.

Can you have one web site which is accessible through both clearnet and also onion (Tor) ?

If you are renting a VPS and hosting the site yourself, make sure your provider allows this. If your site is on a shared hosting service, the service would have to offer onion as a feature (and I'm unaware of any mainstream service that does so).

Ablative Hosting makes same site appear on clearnet and onion:

A "Tor2Web proxy" lets people using a normal browser access an onion server. But:
Matt Traudt article

Onion domain names are limited to 16 chars (v3 increases that to 56 chars) and are assigned essentially at random; you can't choose the domain name you want.

Your onion domain name is generated automatically when you set up your onion web site. No need to buy a domain name or register it with any registrar.

NordVPN's "How to make a .onion site"
DeepWebSitesLinks' "Deep Web Hosting ..."
/r/onions' "Hosting a Hidden Service"
Riseup's "Best Practices for Hosting Onion Services"
Bashir Barrage's "How To Build a DarkWeb Server" (PDF)
Daniel Aleksandersen's "Promote your Onion site with the Onion-Location HTTP header" (link from clearnet site)
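Two of the points above, why v3 onion names are 56 random-looking characters you cannot choose, and what a usable Onion-Location header value looks like, as an added example that is not the page's or the Tor Project's code. It follows the v3 address layout in the Tor rend-spec (base32 of the ed25519 key, a 2-byte SHA3-256 checksum and a version byte of 3) and the Onion-Location rule that Tor Browser only honours the header on an HTTPS page and only when it points at an http(s) URL with a .onion host; the key bytes used are constructed.

```python
"""Validate .onion names and Onion-Location header values.
Added example (not from the page or the Tor Project). v3 layout per rend-spec:
name = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion",
CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 3."""
import base64
import hashlib
import re
from urllib.parse import urlsplit

VERSION = b"\x03"
V2_LABEL = re.compile(r"^[a-z2-7]{16}$")      # v2: base32 of a truncated SHA-1, no checksum

def _checksum(pubkey):
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def onion_v3_from_pubkey(pubkey):
    """Derive the 56-character v3 name from a 32-byte ed25519 public key.
    The name is the key itself, which is why you cannot pick the name you want."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION        # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def onion_version(host):
    """3 for a checksum-valid v3 name, 2 for a well-formed v2 name, None otherwise."""
    host = host.lower()
    if not host.endswith(".onion"):
        return None
    label = host[:-len(".onion")]
    if V2_LABEL.match(label):
        return 2
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:                               # bad base32 characters
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != _checksum(pubkey):
        return None
    return 3

def onion_location_ok(page_url, header_value):
    """Would Tor Browser act on this Onion-Location header? Only if the clearnet
    page itself is HTTPS and the value is an http(s) URL with a valid .onion host."""
    if urlsplit(page_url).scheme != "https":
        return False
    target = urlsplit(header_value)
    if target.scheme not in ("http", "https") or not target.hostname:
        return False
    return onion_version(target.hostname) is not None

if __name__ == "__main__":
    demo_key = bytes(range(32))                      # constructed, not a real service key
    name = onion_v3_from_pubkey(demo_key)
    print(name, onion_version(name))
    print(onion_location_ok("https://example.com/", "http://" + name + "/"))
```

Because the version byte is 3, every valid v3 name ends in the base32 character "d"; a name that does not is a typo or a fake.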

Scan your onion site for problems:
tokyoneon's "Detect Misconfigurations in 'Anonymous' Dark Web Sites with OnionScan"

From someone on reddit 4/2019:

> How do I go about hosting a Tor site. I know how to make a clear web site using node JS ...

Unless this is just a toy project and nothing really bad will happen if you get traced, do not take the advice to run Tor on a machine, run a Web server on that same machine, and have Tor forward .onion address to that Web server.

With the naive configuration, you will be pwned if anybody puts in any real effort, so don't use that configuration if being owned is a problem and you think anybody might put in any effort.

The biggest problem with hidden services is that there are roughly 87 billion bugs, misconfigurations, and bad defaults that can show up anywhere in your Web server, framework, language, database, libraries, or whatever, and leak the server's real IP address to remote clients. Or even give remote clients the ability to run arbitrary code on the Web server, which means that you lose if it can even send any clearnet traffic at all.

You have to close all the holes you can, and then you have to assume that you'll still have missed some. That means that you can't let the server know its own real IP address. That means that you can't have the Tor process running in the same network address space as the Web server process. You shouldn't have them share a kernel, and really shouldn't even have them on the same physical hardware.

Have a look at the Whonix physical isolation configuration. I think that's unsupported and requires some skill to set up, but it's still safer than rolling your own for most people in most circumstances.

The bottom line is that this is a "full stack" endeavor. You have to think about everything from the hardware up through the application. Otherwise you will lose. If there's any part of your system that you do not completely understand, you have to deprive it of any sensitive information, and then surround it with a wall of stuff that you do understand. Otherwise you will lose.

Keep everything as simple as possible. Use as little software as possible, and choose software that's as bulletproof as possible. Don't put in any nonessential features.

Remember that many of your clients will be running with JavaScript disabled.

If it's a really hot service, assume it will be compromised anyway, so put another layer between you and it. Buy your hosting in a way that can't be traced to you, and manage it over Tor or I2P.

"Sign all your posts with PGP, so if your site gets taken down you can move to a new host, and then your readers can verify that you are who you say you are."

Hosting services:
OneHost Cloud (about $4/month)
Impreza ($25 one-time setup fee, about $8/month, includes domain)
Kowloon (on onion) (about $20/month, includes domain, must pay in BTC, must use onion mail to sign up)

Have content hosted, without having your own domain:
Deep Web Pastebin

micahflee / onionshare (file-sharing via hidden onion addresses)


Monitor the traffic in/out of your LAN. The best ways probably are custom software in your router, and a Pi-hole doing DNS filtering. From Security in Five Podcast - Episode 746: an investigation of traffic volume exceeding a data cap found that iCloud was uploading/downloading the entire collection any time one item was added, and after that was fixed almost 50% of all traffic was due to blockable scripts (ads, trackers).

From someone on reddit:
> Best way to connect two external USB-powered HD's to network?

The HDDs need power from the USB ports they connect to. This limits your options.

The quick and dirty way is using a PC and sharing the drives through SMB, as the PC has enough power to power the USB ports. But this means keeping the PC on at all times.

You can use a Raspberry Pi 4 to do it instead, but the RPi cannot supply power through its USB ports. Some people have used the USB on a Pi to power devices, but it's not stable enough and generally not recommended. And trying to power 2 HDDs simultaneously through the Pi is almost certainly going to fail, as it is a very low-powered device.

Instead you can get a separate, powered USB hub that comes with its own power supply, and then attach that hub to the RPi in order to share it on the network.

If your router has a USB port, you can also try that, but it too will have problems supplying the necessary power. You can use the powered USB hub there too, but expect this type of connection to have very modest performance. Reading from a HDD using the router's USB port is generally fine, but writing to it is slow, in the range of 40-120 Mbps or so, even if it's a USB 3.0 port.


EFF's "What Should I Know About Encryption?"
Latacora's "The PGP Problem"

I'm not sure how valid or useful this test is: Is BGP safe yet?
But see AAL article.
And Is Cloudflare safe yet?
These guys, whom I respect (Open Source Security Podcast - Episode 195), say Cloudflare is right to push for better BGP security.

From someone on reddit:
Hub: sends all traffic to all connected cables.

Switch: uses MAC addresses and ARP to figure out within a local network who to send data to; if it can't find a destination, it sends to all.

Router: sends traffic based on IP address and network mask, it can route between different networks.

Why IPv6 still is a LONG way from "taking over" (from 2.5 Admins episode 05 6/2020):
IPv6 assumes all devices in LAN are directly public, which is a very new paradigm.

Needs separate real firewall with zones etc.

IPv4 and IPv6 firewall/security will be completely separate, so you have to do it right twice.

NAT with IPv4 works okay.

IPv6 won't replace IPv4, so IPv6 will be an addition, and thus has to be justified on its own.

Professional-level network emulation software (FOSS): GNS3

This page updated: September 2020
