There are two "directions" with "targets"

  • Outbound from your PC to public internet. Maybe called a "consumer" or "anonymizer" VPN service, or a "VPN tunnel to a proxy". Some examples are Windscribe, ProtonVPN, PIA.

  • Inbound from your PC to a LAN. Maybe called a "remote access" VPN. Your client PC may be on your home LAN, or (while you're traveling) on some other LAN across the public internet. The target LAN might be your home LAN, or work or school network.

A third type would be a corporate situation where a VPN is "bridging" two office LANs together, to let all devices access each other. Maybe called a "site to site" VPN.

Do I need a VPN?

There are several ways to protect outbound traffic

  • Systemwide VPN: encrypts all traffic and changes the IP address it comes from.

  • Systemwide forward proxy: only changes the IP address all traffic comes from.

  • Systemwide onion proxy: sends all traffic from your system out through the onion network, changing IP address. (anonsurf, nipe, TorGhost, Tallow, etc)

  • Dedicated OS with onion proxy: sends all traffic from your system out through the onion network, changing IP address. (Tails, Kodachi, Subgraph OS, Whonix)

  • Single-client VPN: (a browser extension and maybe proxy setting in the browser) encrypts browser's traffic and changes the IP address it comes from.

  • Single-client forward proxy: (a proxy setting in the app) only changes the IP address on traffic from one app.

  • Single-client onion proxy: sends one app's traffic out through the onion network. (torsocks, Torify)

  • Dedicated onion client: only that app's traffic goes out through the onion network, changing IP address. (Tor Browser)

I'm unclear on whether the "onion" alternatives force use of HTTPS (I think they don't), and at what point they understand onion URLs (where is DNS done ?).

Onion network does multiple hops, hiding originating IP address from final exit relay, and hiding destination IP address from entrance relay. VPN does everything in one company's network, so that company can see both originating and destination IP addresses.

This section is talking about the outbound VPN case.

More "choices" for outbound VPN

  • VPN client could be:

    • custom/proprietary from a commercial VPN service (such as Windscribe, ProtonVPN, PIA), or

    • green check-mark  standard/open-source built into your operating system.

  • VPN server could be:

    • green check-mark  owned by a commercial VPN service (such as Windscribe, ProtonVPN, PIA), or

    • your own VPN server in a cloud-hosted VPS. But that VPS probably will require real ID to register, may be limited to one geographical area, may use a unique IP address (your traffic not mixed with that of other users), the service could log your traffic, and the service may kill your account if they receive any DMCA complaint. IP address much less likely to be blocked than commercial VPNs. VPS could be free (e.g. T2 micro instance in AWS free tier).

  • VPN protocol settings could be:

  • DNS service could be:

    • green check-mark  provided by the commercial VPN service (such as Windscribe, ProtonVPN, PIA), or

    • your ISP's DNS, or DNS from Google or Cloudflare or somewhere else.

For critical software, I want to go: open-source, standard part of stock OS, widely used, lots of devs, simpler. So I recommend using your OS's standard client (OpenVPN, or WireGuard, or strongSwan).

And a commercial VPN service's server, and the commercial VPN service's DNS.


  • Use an outbound VPN. Leave it running 24/365. Turn it off only briefly when using some site that won't tolerate a VPN.

  • A VPN will not keep you 100% secure or private or anonymous. But it will help in certain small ways.

  • Give as little identity info as possible to your VPN provider.

  • Use HTTPS to hide traffic details from your VPN provider.

  • You never can 100% trust your VPN provider. But trusting the VPN with part of your data is better than trusting your ISP with all of it.

  • Don't use VPN's proprietary client or extension, and don't install a root certificate from VPN.

  • I like Windscribe and ProtonVPN. I'm sure others are good too.

How your traffic looks

Encryption IP address on outside
Browser Src Dest
None  v request v    ^ response ^ WebSite
 v request v    ^ response ^
PC LAN WebSite
VPN client
 v request v    ^ response ^
PC's Wi-Fi adapter
 v request v    ^ response ^
 v request v    ^ response ^
Router's Wi-Fi adapter
 v request v    ^ response ^
 v request v    ^ response ^
Router public VPN Srv
 v request v    ^ response ^
Router public VPN Srv
 v request v    ^ response ^
Router public VPN Srv
 v request v    ^ response ^
Router public VPN Srv
VPN server
 v request v    ^ response ^
VPN Srv WebSite
 v request v    ^ response ^
VPN Srv WebSite
 v request v    ^ response ^
VPN Srv WebSite
 v request v    ^ response ^
VPN Srv WebSite
Site server
 v request v    ^ response ^
VPN Srv WebSite
Server OS TCP/IP
None  v request v    ^ response ^ VPN Srv
Web server

The "LAN" and first ISP could be your home LAN and ISP, or ones used by your school or library or restaurant where you use Wi-Fi.

If instead of a browser, you use a secure-messaging application such as Wire or Signal, that adds its own additional, innermost layer of encryption.

Advantages of using an outbound VPN

  • Hide your traffic from your ISP, which will see only encrypted traffic to/from the VPN. So your ISP can't sell your data, inject ads, or throttle based on traffic type or traffic source.

  • Add an extra layer of encryption to your traffic; protects against threats on the LAN or Wi-Fi. If any of your apps or services are doing plain HTTP, this added layer of encryption is the only encryption protecting the content from your ISP and devices on the LAN.

  • By using the VPN's DNS, you get a secure tunnel to the DNS, and your ISP can't see your DNS traffic.

  • Web sites and eavesdroppers will see the IP address of the VPN server, not your home IP address.

  • Mix your traffic with hundreds or thousands of other users using the same VPN server.

  • Defeat geo-blocking, where a download or site won't work unless your IP address is in a certain country.

  • Defeat location-tracking, where a site wants to relate your IP address back to physical location.

  • Flexibility: you can turn the VPN on and off, or change VPN server, as you wish.

  • Add multiple jurisdictions/countries, if someone wants to sue or DMCA you.

  • If a site or remote ISP bans your IP address because of something you do, you can just switch to a different VPN server or a different VPN service.

  • If someone tries to DDOS you, the traffic goes to the VPN server, not your home IP address.

  • Some VPNs have additional features, such as ad-blocking and malware-site-blocking and parental controls. Putting this inside the VPN can be great in some situations, such as phones where you can designate only a VPN or an ad-blocker, but not both.

Some drawbacks of using a VPN

  • You will pay a performance penalty, the only question is how much.

  • Some VPNs may sell your data. If you use HTTPS, the data they can see is limited.

  • You may pay money for the VPN.

  • Some sites may not work or may impose a CAPTCHA if they see your traffic is coming out of a VPN. Some (e.g. PayPal) may not let you log in through a VPN unless you have two-factor authentication enabled on the account.

    How can they tell you're using a VPN ? By looking up on list of known VPN IP addresses, checking for DNS leak, maybe using WebRTC, maybe looking at MTU value, maybe seeing if port 1194 is open, maybe looking up who owns your IP address.

    See if your VPN is detected: proxycheck.io, Scamalytics

  • Some sites (such as govt or credit-reporting companies) may not work if they see your traffic coming from a foreign country.

  • Some sites (such as open game servers) may automatically ban your account if they see you using a VPN ? They just assume you must be cheating.

  • If someone else has abused a site using the same VPN server you use, the site may ban your account when they see you using same IP address as the abuser.

  • If someone else is using same site as you are, using the same VPN server you are, the site may rate-limit you when they see you using same IP address. Reddit does this.

  • If someone else is using same site as you are, using the same VPN server you are, the site may ban you when they see one IP address using two accounts.

  • Some sites (such as bank or PayPal) may trigger a security flag if they see your traffic coming from a VPN or from an unusual country.

    My bank said this:
    We do not prohibit the use of a VPN per se, but VPN use often triggers our automated high-risk login protocols which lead to temporary account restrictions.

    We strongly suggest if you choose to use a VPN that you also enable two-factor authentication on your account. An account with active two-factor authentication should be exempt from automated restrictions.
    [Someone on reddit said same is true of Capital One; if you use VPN, have to use 2FA.]
    But your VPN may always have its traffic coming from a certain country, and you may be able to specify a static IP address. So you could reduce or avoid this problem.

[To avoid the last seven issues, you may be able to add VPN exceptions or a proxy so that some sites don't go through the VPN, or set one browser or browser profile to use the VPN and another to not use it.]

  • Some networks (such as a school or library or public network) may ban/block VPN use.
    You may be able to defeat this by using OpenVPN with TCP + port 443 instead of the more common UDP + port 1194.

  • You're adding another layer, another point of failure, to your system. If the VPN or its ISP is down, you're down (until you turn off use of the VPN).

  • If you're installing the VPN's custom app on your system, you're trusting the app not to be malicious.

  • Your ISP has to obey the laws of your country; the VPN may be located in some foreign country under a different legal system. The VPN company may be less regulated than your ISP.

  • If the VPN shares IP addresses among many customers, you may suffer from the bad behavior of other users. For example, suppose user X uses address N (VPN server N) to do port-scanning, an ISP tags that address as malicious, then you connect to the VPN and start using same address N (VPN server N) ?

  • Some VPN clients could crash/fail silently. So you could browse for a while thinking you're using the VPN, when you're not. The feature where the VPN client software disables all internet access if the VPN disconnects is called a "kill switch" (sometimes "firewall", or "always on").

  • VPN might interfere with operations between devices on your LAN, such as file-transfer or remote-contol or peer-to-peer apps.

  • A quirk: when you first turn on the VPN, probably any existing connections are not disconnected. So you may assume that the connection from app X is going through the VPN, but it is not. Solution: quit all apps, turn on VPN, launch all apps again.

  • VPN might give you a false sense of security. Many of the companies providing VPNs exaggerate the benefits. You can't use a VPN and just assume you're fully protected against all threats.

Search Encrypt Blog's "The Case Against VPNs"
Dennis Schubert's "VPN - a Very Precarious Narrative"

Paraphrased from The Complete Privacy & Security Podcast episode 183:
When creating a new account, or doing a major purchase, you may not be able to use a VPN. The account may be locked or the transaction denied.

So, instead, go to a network that is not associated with you (Wi-Fi at Apple Store or a library or a cafe), turn off VPN, and do your business.

If creating a new account, maybe log in and out several times over the next few days from the same network or nearby networks. You are "training" the security algorithms to see that your IP address can vary, and your location is reasonable, and you're not using a VPN. After that, you should be able to use a VPN, picking a server that is somewhat near that location (same country at least, same city better).

How can a site tell that you're using a VPN ? The most likely way is by using a list of known VPN server IP addresses. Or maybe your time-zone setting or language doesn't match the location of your IP address. But sometimes they can tell by analyzing your packets: W I T C H ?

Suppose your VPN is super-malicious ? What's the worst they could do ?

Suppose you have registered with the VPN anonymously (not hard to do).
VPN sees your home IP address each time you connect (unavoidable).
Suppose you use the OS's standard VPN client (best practice; avoid client-side attacks).
Suppose you use the VPN's DNS (good practice).
Suppose you use HTTPS for all traffic (best practice).
Do NOT install a special "root" certificate supplied by the VPN company.

A Man in the Middle (MitM) attack usually has two steps: somehow getting into the middle, then somehow doing something with/to the traffic. But in this case the first step is done; the VPN server already is the MitM. What attacks could it do on the traffic ?
  • Decrypting traffic: They would need the web server's private key, or have a way to break public-key cryptography. Or is it possible to grab the session key by listening to the handshake at the start of the session ? That should have been encrypted by public-key cryptography as it went across the wires, I think.

  • DNS spoofing (AKA "DNS poisoning"): They could DNS-redirect you to malicious sites. You ask for "facebook.com", which would be IP address, but VPN sends you to IP address You'd have to notice the wrong domain in the address bar, or in the certificate info.

  • HTTPS spoofing / Homograph Attack: They could DNS-redirect you to malicious sites. You ask for "facebook.com", VPN sends you to "faceb00k.com" (which does have a valid certificate). No warning from browser; user has to detect this in the address bar, or in the certificate info.

  • SSL bumping: They produce a fake TLS certificate (not easy to make one that has a valid chain of trust) to make it look like you're talking to the destination site, but you're actually talking to the MitM. Browser should flag this unless you've been tricked into installing a bad root CA into your browser/system. article

  • SSL stripping: You request HTTPS to site W, but MitM says "sorry, only HTTP available", then listens as you talk HTTP to site W. Browser would show open-padlock icon or similar in address bar; user has to notice this icon.

  • SSL / TLS downgrading: You request HTTPS with TLS 1.3 to site W, but MitM says "sorry, only TLS 1.0 available", then is able to crack TLS 1.0. Browsers have started refusing old known-vulnerable versions of TLS.

IoT devices are an interesting case: there is no browser and no user. You may think a device is using HTTPS and thus secure, but if it ignores bad certificates or broken chain of trust, it could be MitM'd.

Wikipedia's "Man-in-the-middle attack"
Secret Double Octopus's "Man in the Middle Attacks"
Tomasz Andrzej Nidecki's "All about Man-in-the-Middle Attacks"

From someone on reddit:
> Couldn't an SSL decryptor be used for malicious purposes?

First let's categorize the decryptor into 1 of 2 categories:
  • Decrypting traffic coming from anywhere addressed to a specific web server.

    The decryptor needs access to a legitimate (trusted) certificate with the website's name in the "subject name" or "subject alternative name" fields. To obtain such a certificate you either steal / compromise it or prove you own the domain name in question by having access to either the website's data, the domain DNS zone or specific email addresses like admin@domain.whatever.

    Without such a certificate, the decryptor can operate with any certificate, even a self-signed one. But this will throw an error in browsers visiting the website, stating that there is a problem with the certificate. Users may have the option to continue to the website after the error or not, based on factors such as if the site is using HSTS.

  • Decrypting traffic from specific user(s) addressed to any web site.

    In this case the decryptor employs an internal CA that generates a certificate with the name of each visited site on the fly. This step doesn't need any interaction, BUT if this CA is not trusted by the client's application (typically a web browser), we will return to the error / warning mentioned above.

In both cases the decryptor must be placed in the "route" of the data. Also the number of requests must be considered as the decryptor will decrypt then re-encrypt every request / response, which requires some amount of processing power for each request, not to mention storage requirements if the intercepted data will be stored.

If a malicious actor can have the required certificate for the first case, or can make the clients trust his decryptor's internal CA for the second case, and can intercept the traffic (in both cases) to route it or make it go through his decryptor, it's done, he can decrypt the traffic and have access to the plain text.


The decryptor must intercept every request/reply, playing as a man in the middle, decrypting the traffic then re-encrypting it. Intercepting just the initial handshake does not give it the ability to decrypt all subsequent traffic, because of perfect forward secrecy (PFS) which is typically used in SSL traffic.

Any sites that deliberately do various types of MitM so you can test your browser ?

Any apps to see if you are being MitM'd right now ?
NoSnoop (Windows only)
chorn / mitm-detector (Linux only)

Testing the whole system

I suspect there is a vulnerability if your computer connects to internet automatically at startup, and your VPN client is running in the computer (not in the router). When the OS boots, various services and apps on the computer may access the internet directly before the VPN client starts up, revealing your true IP address to some sites.

How can a user be assured that not a single access using their real (ISP) public IP address is getting out of the system, to any destination except the VPN server ? At boot time, at shutdown time, if there's a bug or a crash, from any source including drivers and DNS resolvers, etc. Probably the only way is to have a second line of defense/testing in an external device (router or Pi-hole or something).

Android has flaws:
Mullvad's "Android leaks connectivity-check traffic"
Bill Toulas's "Android leaks some traffic even when 'Always-on VPN' is enabled"
PrivSec's "Android VPN Leakage with Secondary User Profiles"
I heard that GrapheneOS has a switch to expose and prevent this issue.

On iOS, some Apple apps bypass the VPN at will:
Andrew Orr's "Most Apple apps on iOS 16 bypass VPN connections"

Mathy Vanhoef's "TunnelCrack"

Some latest VPN stacks


  OpenVPN strongSwan WireGuard
User application: Browser or SSH or SFTP
or any other app or service;
may have its own use of SSL/TLS
VPN client application: OpenVPN Connect, Tunnelblick, many others strongSwan or Libreswan or Openswan Standard utilities such as ifconfig, ip-link, ip-address,
and a new utility "wg",
applied to new virtual network devices "wg0", "wg1", etc
Authentication: OpenSSL, HMAC ?
Pre-shared keys (PSKs) ?
IKE Cryptokey Routing
Pre-shared keys (PSKs)
Associates public keys with IP addresses,
and associates network device with private key and peer.
Session key-exchange: TLS
Sometimes ECDH
IKE Curve25519, Noise IK (plus optional PSK)
Transport-level Encryption: SSL/TLS
(usually AES or Blowfish)
Uses HTTPS port, so hard to block
none none
IP-level Encryption: none IPsec
(usually AES)
ChaCha20 and Poly1305
Transport protocol: UDP or TCP ESP or AH or UDP UDP
Link and physical layers: Ethernet, Wi-Fi, etc.

There are more stacks/protocols: PPTP/IPsec (old), L2TP/IPsec (slower), SoftEther, SSTP/SSL (a bit Windows-oriented).
Jason A. Donenfeld's "WireGuard: Fast, Modern, Secure VPN Tunnel"
Rob Mardisalu article
Douglas Crawford article
Teknikal's_Domain's "VPN Protocols Explained"
Douglas Crawford's "OpenVPN vs. WireGuard"
Ben Thornton's "OpenVPN vs Wireguard: Which Protocol is Better?"
Douglas Crawford's "What is IKEv2?"


From Windscribe Support about WireGuard, in 2020:
We are adding it to our service at some point, it's on the roadmap.

But there's nothing special about WireGuard. It's very barebones which requires us to basically build our own framework for it.

It's also NOT made for consumer VPNs like Windscribe, it's made for the actual definition of VPNs which is to connect a group of people on the internet to a virtual private network.

Then as a VPN provider like us, we have to completely remove that functionality because we're not trying to connect multiple people together, we just want them connecting to the server. There's tons of firewalling involved to ensure that even though a bunch of people are on the same virtual network, nobody sees anyone else. You don't want to connect to a VPN server and a bunch of people can now reach your computer as if they were on the same network as you. That's not private at all and only puts you at way more risk than not using a VPN to begin with.

From what I know, there's no special care given to the WireGuard protocol to make it more in line with the privacy and anonymity-based consumer definition of a VPN, it's still just a different way of connecting a group of people together on the same network. But since everyone keeps asking for it and other companies are now starting to implement it, we'll have to do the same in order to keep up with the most current tech. We've got a lot on our plate right now though so it'll still take some time to get it implemented into our service.

From someone on reddit:
There is no client and server in WireGuard terms. WireGuard only knows peers. Each device you have has one [Interface] block where you set the private key, tunnel address, DNS etc and then you can have multiple [Peer] entries. Each peer is its own tunnel.

From someone on reddit:
If your machine is "laptop1":
Create a private key:
wg genkey >laptop1.key
chmod 600 laptop1.key
Create a public key:
wg pubkey <laptop1.key >laptop1.pub

One can also generate a unique pre-shared key for each peer-pair.
If your machine is "laptop1" and the VPN server is "vpnsrv1":
wg genpsk >laptop1-vpnsrv1.psk

Paraphrased from Late Night Linux - Episode 99:
A "server" just has a list of peers that can connect into it; otherwise both ends are the same ?
The key-pair can be created on the machine on either end.
Create private key, from that create public key.
No choice of encryption mechanism; there is one fixed scheme.
Can choose to send all traffic out through VPN link, or just traffic for a subnet.
Server has a port open, but won't respond unless given the proper key/encryption, so harder for scanners to detect and try to pound on.

Apparently for consumer-to-internet VPN, Wireguard can only be used by one device at a time in your LAN to the same VPN server. It must be making an IP-address-to-IP-address connection ? Other protocols don't have the same limitation.

Vivek Gite's "How to import WireGuard profile using nmcli on Linux"
Jim Salter's "Importing WireGuard configs on mobile"
Chris Siebenmann's "I like WireGuard partly because it doesn't have 'sessions'"
Chris Siebenmann's "Setting up a WireGuard client with NetworkManager (using nmcli)"
Chris Siebenmann's "The WireGuard VPN challenge of provisioning clients"
Chris Siebenmann's "WireGuard is pleasantly easy to set up on smartphones (if you're experienced)"
Pro Custodibus' "WireGuard DNS Configuration for Systemd"
Pro Custodibus blog

pcWRT's "Performance comparisons of three VPN protocols on a budget router"

VPN client software

To use a VPN, you have to have some client-side software installed at some level. Could be:

  • Extension in browser (so works only for that application), or

  • A layer/device in OS networking stack on client computer (so each computer in the house has to install it), or

  • In router used by all client devices in the house.

    Some VPNs have client software that can be installed in your home router/modem. Only a few home routers support this, and maybe only pre-installed before you buy the router.

    Advantages: Nothing has to be installed on each client device, some client devices (such as game consoles, IoT) are locked down and you can't install VPN client software on them, some smartphone OS's (iOS at least) permit installing only a VPN client OR a firewall so this would allow you to have both, new devices automatically use the VPN, you administer the VPN client in only one place, you're guaranteed that even accesses by your client during boot and shutdown and install and update are handled by the VPN.

    Disadvantages: If that home router/modem is owned by your ISP, ISP may be able to see your traffic before it goes into the VPN. And if you need to disable the VPN to play a game or stream video or something, it may get disabled for all devices. Make sure you can put a list of domains into the VPN router client, so access to those sites does not use the VPN, because some sites will not tolerate a VPN. Expect complaints from other users in your house as sites break and you have to whitelist them. Sometimes one device or user may need to use a VPN server in country A while another device or user needs to appear to be in country B. You're not protected against other devices on your LAN attacking/monitoring your traffic. If you take your phone/laptop to another network, it no longer has (automatic) use of the VPN, you have to remember to switch to client software on the device. Requires a more-powerful router, and puts a load on it.

    From someone on reddit 6/2017:
    > I want to buy a used router/modem for $100
    > that would run a VPN client.

    On a $100 budget you won't be able to get a new modem and router and have a router that is decent for VPNs.

    Consumer-level routers are generally woefully underpowered for OpenVPN, so you need the best router CPU that you can get for the budget you have. An underpowered CPU in the router will severely limit your performance to all devices connected through the router while on the VPN.

    Also consider the OS of the router. Asus has done a lot of work to make the OpenVPN install process very easy on their routers, and many other vendors do not support OpenVPN out of the box and require flashing the router to DD-WRT or Tomato, which can be hit and miss with support for your router hardware and also be an older build that contains security vulnerabilities.

    DD-WRT does have the advantage of being open source, unlike AsusWRT, but it really is a sh*tshow for first-time VPN users.

    Based on your budget, i'd get a mid-range consumer-level router from your preferred brand, and connect to the VPN using a regular OpenVPN client on the devices that you want protected. This is because a typical PC (even an old one) has many times over faster CPUs for VPN usage.

    This setup would give you the protection of a VPN, with decent speeds (if your VPN provider is fast) and not break your budget.

    Router specifically built to run a VPN client: InvizBox

The client software could be:
  • Proprietary to the VPN vendor (could have more features), or
  • Built into the OS, or
  • Open-source standard (OpenVPN or WireGuard or strongSwan ?)

OpenVPN is:
  • A standard communications protocol, and
  • An open-source protocol layer (SSL/TLS, OpenSSL, usually using AES-CBC or AES-GCM) in the 7-layer stack, and
  • An application to start and manage the OpenVPN protocol layer.

WireGuard is:
  • A communications protocol, and
  • Existing network interface utilities, plus a new utility "wg".
  • Claims to be much simpler than OpenVPN/OpenSSL or *Swan/IPsec.

strongSwan is:
  • A client application.
  • Implements the IKEv1 and IKEv2 key-exchange protocols.
  • Uses IPsec.
  • Can use one of three crypto libraries (legacy [non-US] FreeS/WAN, OpenSSL, and gcrypt).

If the client piece is proprietary software from the VPN vendor, you're trusting it to a great degree: if a browser extension, it can see all of your unencrypted traffic; if an application, it can access your files. If on a smartphone, it can grab your phone number and IMEI, to uniquely identify you. Also it could install something else: Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"

From someone on reddit's /r/VPN:
+/- > On Android, should I install VPN provider's app directly, or
> should I set up OpenVPN per instructions on provider's website?

Often the custom VPN client supplied by a VPN service has nice features that make it preferable to use. The stock Android OpenVPN client is spartan. 'OpenVPN for Android' by Arne Schwabe is better. You choose based on features/convenience.

I tried OpenVPN client on Windows 10 with Windscribe VPN 4/2018:
  • Downloaded OpenVPN client installer from OpenVPN's "Community Downloads".
  • Logged in to Windscribe web site and downloaded files from OpenVPN Config Generator.
  • Installed OpenVPN and copied Windscribe ".ovpn" config file into OpenVPN config folder.
  • Ran OpenVPN client and logged in with credentials from Windscribe.
  • DNS leak test showed a DNS leak until I added a "block-outside-dns" line to the config file Windscribe gave me. (But someone says that "only works for modern Windows versions, using the Windows Filtering Platform (WFP)", which is true.)
  • No way to select a particular VPN server, but directive such as "remote es.windscribe.com 443" in the OpenVPN client config file means you will get a Windscribe server in Spain ("es").
  • I didn't install certificates supplied by Windscribe, and saw no obvious ill effects.

In Linux, in Network Manager, in configuration of OpenVPN connection, on IPv4 and IPv6 tabs, you will see "Method" pull-downs. Apparently the values in there have these meanings: "Ignore" = don't use this VPN connection for that type of traffic, "Link-local" = get local IP address but not publicly routable IP address for this connection, "Manual" = set config in boxes in the tab. So if you set "Ignore", it doesn't stop that type of traffic completely, just lets other connections handle it.

Michael Horowitz's "An introduction to six types of VPN software"
corrad1nho / qomui (Qt OpenVPN Management UI; Linux GUI client)
Hayden James's "Improving OpenVPN performance and throughput"

Who can monitor/log your activity ?

The choice is:
  • Your home ISP, if you use no VPN.
  • The VPN service, if you use a commercial VPN.
  • The cloud service, if you use your own VPN server hosted on a cloud service.
  • Your home ISP, if you use your own VPN server hosted at home.

But there are massive monitoring systems that probably can see all the traffic and try to track your "netflow": Joseph Cox's "How Data Brokers Sell Access to the Backbone of the Internet" Unclear whether they can neutralize VPNs that have lots of users.

Definitely, use your VPN's DNS server

The VPN company already knows every domain you're accessing, to no harm in using their DNS.

The major benefit of using their DNS is that the connection to DNS goes through the same encrypted tunnel to the VPN server.

Their DNS server may include ad-blocking.

Ask if their DNS server uses DNSSEC to talk to other DNS servers; it should.


  • Definitely use HTTPS on every site that supports it.
  • Use the VPN all the time, 24/365, don't turn it on and off.
  • Use the VPN's DNS server.
  • Use a generic client, not the VPN service's custom client app or extension.
  • Don't install a root certificate from the VPN company.
  • Using a VPN hides traffic from your ISP, and others on your network.
  • Using a VPN has costs, in performance and functionality and maybe money.
  • Even if the VPN is logging and selling your data, that is better than your ISP doing the same.

From /u/wilsonhlacerda on reddit:
> Which is the cheapest VPN app out there? That won't sell my info?

You never know if they will sell or not. If they will give it away or not. If they will spy on you or not. Or if they will give info when justice, government, cops, or similar demand them or not. If not the company itself, then an employee, will get your info or not.

Yegor S's "Free VPN Myths Debunked"
William Chalk's "Who's Really Behind the World's Most Popular Free VPNs?"
Jan Youngren's "Hidden VPN owners unveiled: 97 VPN products run by just 23 companies"
Osama Tahir's "What VPN services aren't telling you about data logging"
Yegor Sak's "Consolidation of the VPN industry spells trouble for the consumer"

Don't use a VPN provided by your email service or browser company or social media company. Use a VPN that is separate from all your other services, to reduce the knowledge that any one company has about your activities.

Excerpted from an FT article, on reddit 11/2018:
More than half of the world's 30 most popular smartphone apps for browsing the internet privately are owned by Chinese companies, according to a new study that raises significant privacy concerns.

Seventeen of the apps, which offer to connect users to the internet through a secure tunnel known as a "virtual private network" (VPN), were owned either by Chinese companies or companies appearing to have links to China.


But the companies operating them often had very limited privacy policies, said Simon Migliano, the head of research at Top10VPN.com, which reviews VPN services.

"We found a few apps that explicitly stated that users' internet activity was logged, which we have never seen anywhere else with VPNs. [VPN] policies usually state that they never ever log data," he said.

"We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy."


"It's pretty crazy that 60 per cent of apps we looked at didn't have a company website. Over half hosted their privacy policies on free wordpress blogs, that had ads on the page, full of typos and when you looked at them together, they had copied and pasted from each other in a sloppy way. This is far from what you'd expect from an internet company trying to protect your privacy."

Three of the apps - TurboVPN, ProxyMaster and SnapVPN - were found to have linked ownership. In their privacy policy, they noted: "Our business may require us to transfer your Personal Data to countries outside of the European Economic Area ("EEA"), including to countries such as the People's Republic of China or Singapore."

From someone on reddit:
VPN Kill Switch For Linux Using Easy Firewall Rules

If you're connected to a VPN, you need a killswitch. No, it's not as metal as it sounds. It's just a mechanism that stops your Internet connection when you're disconnected from the VPN. It protects you from inadvertently leaking sensitive information onto the Internet when the VPN connection drops.

Some VPN services provide clients with a built-in killswitch, but none are as reliable as using iptables. Since iptables is independent of your VPN service, and it's integrated into the kernel itself, it won't fail when your VPN does. Iptables is also a well-proven security technology that can and will keep your computer safe.

The Tin Hat's "The Best VPN Kill Switch For Linux Using Easy Firewall Rules"

Giving computer addresses instead of postal address

Testing to see if all traffic actually goes through the VPN

  • Do browser and DNS leak testing, with sites such as Do I Leak ? and IPleak.com.

    Test your torrent client: TorGuard, or IPMagnet.

  • Check the system routing table; the VPN device (maybe "tun0") should be first and handling most of the traffic.

    On Linux, do "ip r".

    On Windows, maybe "netstat -rn" or "route print".

  • Run a traffic dump and see if any traffic is going to any address other than your VPN's address.

    On Linux, use tcpdump. Also maybe tcpflow or netpeek ?

    On Windows, use netsh and Microsoft Message Analyzer [tool has been discontinued by MSoft]:
    1. Make sure your VPN is running.
    2. Run CMD as administrator (Start menu, search for cmd, right-click on Command Prompt, choose "Run as administrator").
    3. Run "Netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=yes traceFile=C:\Logs\NetTrace.etl".
    4. Do some network activity.
    5. Run "netsh trace stop".
    6. Run Microsoft Message Analyzer.
    7. Open the trace file (".etl" file) saved by netsh.
    8. Your VPN's address probably starts with 10 or 172 or 192. Addresses starting with 127 are okay. (Wikipedia's "IPv4") Access to an IP address starting with some other number is suspicious. Try looking up suspicious addresses on LookIP.net or Whois History (has changed to paid).
    9. To do this efficiently, add filter "!(IPv4.Address in [,,,])".
    10. Apparently only values of TCP "local" addresses matter ? "Remote" will be the outside address the VPN server is talking to, but your computer is not talking directly to that address ?

  • On Linux, monitor for IP address changes:
    ip -t monitor   # gives messages when route changes, but not very clear
    # If you're using Network Manager to take VPN down/up deliberately, add a script
    # under /etc/NetworkManager/dispatcher.d
    # But I think this will only catch deliberate user operations through Network Manager
    # Add scripts under /etc/network/if-up.d and /etc/network/if-post-down.d ?
    # A script put in /etc/network/if-down.d never gets called, for some reason.
    # Hooks into DHCP or DBUS will catch only changes in local IP address, not public IP address ?
    Made a Python program (ipwatch) that polls for changes to public IP address, but polling is an ugly solution.



  • Mostly for curiosity, see who owns the IP address you're using:
    Get IP address, maybe from WhatIsMyIPAddress.
    On Linux:
    host IPADDRESS
    nslookup IPADDRESS
    dig -x IPADDRESS

Testing performance


Down and Up speeds are in Mbps. Latency in msec.
Each test run 2 or 3 times and rounded and averaged.
Not all tests from same VPN locations and to same test locations.
Firefox browser.

My tests with Vodafone ISP with fiber 100/100 service, slow laptop, Windscribe VPN, Ubuntu GNOME 20.04, 6/2020:
Site Ethernet
Down / Up / Lat
Down / Up / Lat
Down / Up / Lat
SpeedOf.Me 100 / 85 / 55 95 / 75 / 45 45 / 60 / 40
TestMy.net 90 / 75 / 45 80 / 55 / 80 90 / 75 / 70
Fast.com 90 / 90 / 60 90 / 70 / 70 85 / 85 / 75

My tests with MasMovil ISP with fiber 100 nominal (I think 600 actual) service, fast laptop, Windscribe VPN, Fedora 34 KDE, 8/2021:
Site Ethernet
Down / Up / Lat
Down / Up / Lat
Down / Up / Lat
SpeedOf.Me 390 / 150 / 40 80 / 90 / 50 290 / 125 / 1
Speedcheck.org 515 / 130 / 70 55 / 45 / 100 260 / 130 / 80

Conclusion: use WireGuard protocol.

Alan Henry's "Why You Should Be Using a VPN (and How to Choose One)"
ClearVPN's "How Does a VPN Work to Protect Your Privacy?"
Thorin Klosowski's "The Biggest Misconceptions About VPNs"
Viktor Vecsei's "Why you don't need a VPN"
joepie91's "Don't use VPN services"
Dennis Schubert's "VPN - a Very Precarious Narrative"
Max Eddy's "The Best VPN Services for 2020"
TheBestVPN's "Best VPN Services"
Amul Kalia's "Here's How to Protect Your Privacy From Your Internet Service Provider"
ProtonVPN's "VPN Threat Model" (what a VPN can and can't protect you from)
Troy Wolverton's "No perfect way to protect privacy"
Jonas DeMuro's "7 good reasons why a VPN isn't enough"
Michael Horowitz's "VPNs"
Whonix's "Tor vs. Proxies, Proxy Chains and VPNs"
gluetun Linux client
Aaron Drapkin's "VPN Scams and How to Avoid Them"
reddit's /r/VPN
Wikipedia's "OpenVPN"

Private Internet Access (PIA) VPN

Some "VPNs" are just data-collecting operations:
Dell Cameron's "Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service"
Justin Cauchon about Verizon Safe Wi-Fi VPN

General complaint

[From /u/wombtemperature on reddit 5/2017:]

This VPN industry needs a wake-up call, ELSE a better way at helping the average joe at Starbucks. Guys. Like. Me.

I read. As such, I know the importance of a VPN. In fact, I have spent hours/days reading up on them. I have made excel spreadsheets to compare them (and looked at the ones on "that site"). I even WANT to give you my money to insure I have a good one. As such, I have tried 4 paid popular ones I won't mention as I don't want to call them out, and spent a ton of time testing them on my PC and mobile.

They all are frustratingly SLOW. Or interfere with connections.

No matter what, all I want is a FAST secure connection I don't have to think about. Yet, I can't find a VPN that doesn't bring my public and often home networks connections to a crawl. The expected "30% drop" is BS. And none automatically find me the best servers, and in fact often I can get faster servers 5000 miles away, but I have to manually select them.

I understand its complicated. But I have stuff to do. Seriously. Which is why I want to pay someone else to think about these things and give me a good product.

You all sales-pitch me the "fastest speeds" but then I watch as my connection up and down speeds drop to pathetic - and I have the spreadsheets to prove it.

To anyone listening I speak for the masses ... take my money and give me a decent, secure VPN connection.

And if I am just not "reading enough" to know how to get what I am looking for, then it highlights my point that there is a problem out there for the non-technical guys like me who just want security without massive compromise and hours of research.
From /u/Youknowimtheman on reddit:
When we talk about speed drops, you're going to lose ~9% just because of how the encapsulation and encryption works. You're also going to lose about 10ms on pings because the actual encrypting and decrypting takes time.

It is also important to manage expectations when we talk about privacy networks that are based on shared connections. We have had a rash of users on our service that are unhappy with our "slow" performance because their gigabit connection slows down to 190Mbit. They don't understand the nature of VPNs and that in order to keep their information private, their traffic has to be mixed with other users on a server, and these servers are running the same 1Gbit connection that they have. Yes, it is 20% of your line speed, but at the same time it is extremely fast for the market generally, and pretty much the limits of what you'll see on a server with proper user densities to protect your information.

If you're talking about a 30% drop on 10 Mbit that is significant. If you're getting a 30% drop on 200Mbit that's absolutely normal.

There's also other factors that play into VPN performance like distance from the server, which protocol they are using, etc.

In other words, you're always going to have some loss. If all factors are good, you can minimize that loss up to a limit in speed. More than 200 Mbit just isn't going to happen on a safe and private connection generally.

Campbell Simpson's "CSIRO: Most Mobile VPNs Aren't Secure"
Sven Taylor's "VPNs are Using Fake Server Locations"
Violet Blue's "Is your VPN lying to you?"
Sunday Yokubaitis on companies behind various VPN brands
Alfred Ng's "How Private Is My VPN?"

Host your own outbound VPN

If you want to host your own outbound-to-internet VPN, you shouldn't do it on your home network, because you'll still be using your home ISP. Instead, you need to have a different ISP for your VPN server. Which probably means hosting the VPN server in a cloud service.
Jim Salter's "How to build your own VPN if you're (rightfully) wary of commercial options"
Romain Dillet's "How I made my own VPN server in 15 minutes"

One reason to build your own outbound-to-internet VPN (maybe hosted on a cloud service): some public networks (in hotels or schools or fast-food places) may block access to the IP addresses of well-known commercial VPNs, but the IP address of your personal VPN won't be in their block-list.

I tried ProtonVPN free, starting 9/2017

Torrenting not allowed when using free version.

I don't see any slow-down, but I am in Spain and mostly using USA web sites, so my speeds probably already were slightly low.

If I'm using a VPN server in another country, and do a Google search, Google changes country to France or Latvia or wherever the VPN server is. So I get results in French or Latvian or whatever.

Each time I change to a VPN server in a new country:
  • Yahoo Mail may warn about new time zone, sends email about login from new location.
  • FB says suspicious activity, answer questions, or sends email about login from new location.
In Windows 10, if you run the VPN and then click on the Network icon in the system tray and connect to Wi-Fi, it's possible to get connected to both the VPN and the normal Wi-Fi simultaneously. To fix this, I think you have to disconnect from both, then connect to Wi-Fi, then run the VPN.

in 2022 I read: On Linux, if VPN connection goes down and quits working completely:
"nmcli connection"
"nmcli connection delete pvpn-killswitch""
"nmcli connection delete pvpn-ipv6leak-protection"

I started using Windscribe 2/2018. I'm happy with it.

If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.

If you're abusing the VPN itself, such as sending out millions of spam emails through the VPN, don't expect a VPN or proxy company and their ISP to shield you. They may report you to law enforcement, or happily cooperate with law enforcement.

Sven Taylor's "OpenVPN vs IPSec, WireGuard, L2TP, and IKEv2 (VPN Protocols)"
Sven Taylor's "WireGuard VPN: What You Need to Know" (status as of 6/2019)

Sven Taylor's "Multi-Hop VPN Services"

Control which applications use the VPN: split tunneling

Easiest way: if you're using a proprietary VPN client app that supports split tunneling, use that. But many don't support it, or support it only for certain operating systems.
All Things Secured's "What is Split Tunneling VPN?"

Wiki "strongSwan VPN Client for Android" does support split tunneling, both on basis of application and on basis of destination IP address. Define a VPN connection, highlight it, click Edit, scroll down to Split Tunneling.

Complication: Linux networking has been changing (Network Manager, systemd) over the years, so old instructions may not work any more.

One way: make a second user, run all with-VPN apps under one user and all no-VPN apps under the other user, then have different iptables rules for the two users ?
article (a bit confusing)

Another way: set default system route to no-VPN, then set some apps (those which allow custom network specifications) to use a proxy that will route to the VPN.
article1 (a bit confusing)
article2 (similar using OpenVPN)

Another way: "firejail --net=NETWORKDEVICENAME --ip=dhcp --profile=APPNAME APPNAME" and that app's traffic won't go through VPN.

Split tunneling on the basis of destination IP address, not application:
+/- In Linux Network Manager's OpenVPN profile for a VPN connection, in the IPv4 and IPv6 tabs you can set "Routes" and/or enable "Use this connection only for resources on its network" ? Not sure how to set it, and if it works.

Make iptable rules to route based on destination IP address. Maybe in PREROUTING or mangle table ?

When using strongSwan/IKEv2 or Wireguard, maybe set IPsec rules to do split tunneling ?

Avoid fraud protections that prevent you from opening an account on say Amazon:
From Michael Bazzell's podcast 2/2021:
  1. Take a generic Windows laptop or Chromebook to a public Wi-Fi such as McDonald's or Starbucks.

  2. Use Chrome browser with no privacy extensions. Don't use proxy, VPN, Tor, Firefox, Linux.

  3. For email address, don't use Proton Mail or FastMail or free service; maybe use your own custom domain. Use a generic human name but not an obvious fake such as John Doe. Use a local apartment address (valid building address, invalid apartment number), in the vicinity of the Wi-Fi you're using. Record all the details, in case they ask you to verify later.

  4. Add a very cheap digital item (song) to the shopping cart, then log out.

  5. Don't add money or payment details yet. Wait a couple of days.

  6. Go back to same Wi-Fi network, same way. See if you can log in.

  7. If you can log in, add a small-amount (maybe $10) gift card to the account. Purchase the cheap digital item you put in the shopping cart.

  8. Over the next week or two, log in a couple of times, maybe add an item to the cart. Leave a review for the item you bought.

  9. Maybe later, buy the item that's in the cart. Ship it to a local address, near the Wi-Fi and account address. Later, leave a review for the item you bought.

  10. Maybe later, after the account is "aged", you can add a Privacy.com account as payment method. Amazon gift cards are okay, Visa/Mastercard etc probably not.

New super-VPN sort of like Tor / onion network:
Safing's SPN (€10/month or €99/year)
Portmaster is the client.
Supports UDP, IPv6.

Windscribe VPN

I started using Windscribe 2/2018, still using it 5/2023.

Free license. I installed only the Windows (VPN) part, not the Firefox (ad-blocker) part.

Limited to 10 GB per month in free version, less if you don't give an email address when you sign up. And 10 GB goes faster than you'd expect. Torrenting works.

Has a "kill switch": if the VPN connection goes down, your internet connection gets severed, instead of silently becoming non-VPN. Misleadingly, Windscribe calls this "firewall".

I'm sure some privacy-guys will say don't use Windscribe because they're a Canadian company, and 2/3 of their servers are in USA or Canada.

Seems to work well, good reviews online, turns out there are discount codes you can use to get a great deal. So I paid $41 for a Lifetime Pro subscription, unlimited devices, unlimited usage.

Has a "Build Your Plan" option that lets you pay less ?

Installed it on my Android 6 phone, works okay. Apparently you're supposed to mark your home network as "untrusted", so that Windscribe automatically reconnects if connection drops and comes back ? I guess the theory is that you don't need VPN on a "trusted" network ?

But later, Windscribe kept failing to re-connect after Wi-Fi went down and back up. Changed to use strongSwan app and IKEv2 protocol, instead of Windscribe's app.
Windscribe's "IKEv2 Profile Generator"
Saved credentials in my password manager.
Someone else said you can do same with "OpenVPN for Android" app. strongSwan with IKEv2 is better at reconnecting than Windscribe client was, but maybe not 100%. Go to (System) Settings / More / VPN / strongSwan VPN Client, or "...", but no way to select "always-on" or any kill-switch, probably because I'm using Android 6.
Open strongSwan app and highlight the VPN connection and click on Edit, see lots of settings, enable two settings "Block IPv* traffic not destined for the VPN".
Wiki "strongSwan VPN Client for Android"

I've done some occasional speed tests using my cheapo Dell laptop, Windows 10, Firefox, Vodafone fiber internet in Spain, VPN server in Spain or France. I'd say I see a performance penalty of 0 to 20% when using the VPN.

A few sites behave badly if I use Windscribe:
Have to use a USA Windscribe server to use PayPal USA.
If I'm using Windscribe, Ryanair won't let me log in.
If I'm using a non-USA Windscribe server, TaxAct Online won't let me log in.

I was able to connect from my location in Spain, to a Windscribe server in USA, and then to a streaming web site, and stream a football (soccer) game in Spain, although the window was only 640x480, I think.

There are several ways to install Windscribe client on Windows


There is a special setup procedure for uTorrent application: Windscribe's "uTorrent Setup Guide". But you're still protected if you don't do that. Test your torrent client: TorGuard.

Windscribe client can be installed in a router: see "Windscribe for Your Router" section of Windscribe's "Setup Guides". Only one Windscribe server can be listed, so if that one goes away, no internet. Windscribe firewall runs in the client OS, not the router. If connection to server drops, what happens depends on your router firmware, nothing to do with Windscribe.

If you run Windscribe in the router and nothing at all in the clients, all traffic does go over the VPN.

People online say that in IOS (Apple), the "firewall" doesn't work, because of the architecture of IOS. What functionality is lost ?

I changed my laptop to Linux Mint 19, and installed Windscribe client Beta on it. If I try to turn on Linux firewall, the two firewalls fight each other, apparently. Windscribe Support says use one or the other. Support also says:
"There is currently no way to add rules to the Windscribe Firewall unfortunately. It either blocks everything that isn't coming from the VPN IP or it allows any connections to your direct IP. On and off. The only rule that we have built-in as an option is to allow LAN traffic so you can have the Firewall on and still connect to devices on your location network."
And then they said:
"The Windscribe Firewall is the Linux Firewall. The Windscribe CLI is using IPtables. Windscribe makes a rule to block everything that isn't in the VPN tunnel. The LAN traffic rule is just there if you do need it. The Firewall will block LAN traffic as well unless you don't want it to. And yes, there are instances where you'd want the Firewall to have exceptions for certain apps or services but since the Windscribe CLI is still in beta, we don't have those whitelisting options yet."

Client log file: /var/log/windscribe/windscribe.log
Also OpenVPN log file: /var/log/windscribe/ovpn_log.txt

10/2018 Windscribe announced their servers block IPs of known sources of malware, and soon their DNS's will be doing ad-blocking. The level of filtering will be adjustable.

12/2018 Found out that Windscribe VPN is blocking a domain I need; when it blocks something, it does it by mapping to localhost. A user can't whitelist a domain; user either turns all blocking down to a lower level, or file a Support ticket asking for that one domain to be whitelisted (for everyone).

3/2019: They confirmed that their DNS's use DNSSEC to talk to other DNS's. Later someone on reddit said "DNSSEC is not required when IKEv2 is secured by SSL certificates (Let's Encrypt). It's only required when you are distributing the certificates via DNS itself."

7/2019: Found that their filter/firewall "Robert" supports redirecting (spoofing) domains. This is dangerous, if someone gets into your account.

3/2020: Mega.nz stopped working through Windscribe, because of some changes Windscribe made. Work-around: in Windscribe account, set "Unblock Streaming" to "off".

About using Windscribe client instead of OpenVPN client, on Linux, from someone on reddit:
"The advantages for the Windscribe client are the firewall, you don't need to set up the openvpn certs (you can just pick any location), you can connect to the best location with windscribe connect best, and you can change the port/protocols easier."
It also has ad-blocking, tracker-blocking, more:
Unni Menon's "Web Trackers: A Field Guide"

Configuring Windscribe with Network Manager on Linux (guide)

Changed my Linux system to use strongSwan / IKEv2 / IPsec client

1/2020: Changed my Linux Mint 19 system to stop using proprietary Windscribe client, and use strongSwan / IKEv2 / IPsec client instead.

Alternative architectures:
+/- I think you have your choice of these stacks (from oldest to newest):
  • IPsec config:
    • UI (CLI): ipsec
    • Config files: /etc/ipsec.conf /etc/ipsec.secrets /etc/ipsec.d/cacerts
    • Daemons:

  • strongSwan config:
    • UI (CLI): swanctl
    • Config files: /etc/ipsec.conf /etc/ipsec.secrets /etc/ipsec.d/cacerts /etc/strongswan.conf /etc/strongswan.d/* /etc/swanctl/swanctl.conf
    • Daemons: /lib/systemd/system/strongswan.service /usr/lib/ipsec/charon

  • strongSwan through Network Manager:
    • UI: Network Settings in system tray
    • Config files: same as previous section
    • Daemons: same as previous section

Windscribe's "IKEv2 Profile Generator"
Saved credentials in my password manager.

"The IKE protocol uses UDP packets and UDP port 500."
Open-source implementations of IKEv2 include: OpenIKEv2, Openswan, and strongSwan.
It's less feasible for a network admin to block OpenVPN (which uses HTTPS port 443), than to block IKEv2 (which uses UDP port 500).

I tried things a bit out of order, got things mixed together, hope I've sorted out things properly in the following sections. [Later someone sent me this guide.]

IPsec config method:
Mostly following first half of /u/nosmokingbandit's "Using IKEv2 on Linux":

sudo windscribe stop
sudo systemctl stop openvpn
sudo systemctl disable openvpn

apt install strongswan-starter libstrongswan-extra-plugins libcharon-extra-plugins

sudo xed /etc/ipsec.conf
# and add:
conn windscribe-es      # name I picked
  dpdaction=restart     # restart if connection drops
  dpddelay=300s          # how often to send packet to do Dead Peer Detection
  keyingtries=%forever      # keep trying to connect, forever
  eap_identity=MYUSERNAME   # username from https://windscribe.com/getconfig/ikev2
  right=   # address from ping es.windscribe.com
  auto=start            # start at system boot; if not, set to "add"
# man ipsec.conf
# https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

sudo xed /etc/strongswan.d/charon/kernel-netlink.conf
# and after line "# mtu = 0" add:
mtu = 1300
# use "tracepath" to see how hops in a route might be changing MTU

sudo xed /etc/ipsec.secrets
# and add (with the spaces exactly in the places shown):

# check that this directory is empty:
ls /etc/ipsec.d/cacerts

# then make IPsec just use the OS certificates:
rmdir /etc/ipsec.d/cacerts
ln -s /etc/ssl/certs /etc/ipsec.d/cacerts

# Edit /etc/resolvconf/resolv.conf.d/tail to contain (first line is a comment):
# following is from /etc/resolvconf/resolv.conf.d/tail
nameserver       # OpenDNS
# If you wanted to remove other lines, maybe
# edit /etc/NetworkManager/NetworkManager.conf and add "dns=none" in [main] section

sudo ipsec restart
sudo ipsec up windscribe-es     # or whatever connection name you picked
# see message "connection 'windscribe-es' established successfully"

# to switch from one connection to another, take old one down before putting new one up:
sudo ipsec down windscribe-es     # or whatever connection name you picked
sudo ipsec up windscribe-usa     # or whatever connection name you picked

cd /tmp && rm -f ip && wget -q https://ipinfo.io/ip && cat ip && rm -f ip
# or
curl --get ifconfig.me && echo
# and you should see an address in same subnet as the "right=" address you used
# probably 89.238.178.n
ping es.windscribe.com
# see if it's similar

# run leak tests such as https://www.top10vpn.com/do-i-leak/ and https://ipleak.com/
# tests passed, for me

# Tried unplugging from Ethernet, waiting a minute or two, plugging back in.
# Checked IP address and saw ISP's address not VPN address.
# Waited 10-15 seconds (dpddelay), checked IP address and ran leak tests again,
# all is well, system is connected to VPN again.

# But: there is a time-window where the VPN is not being used, and traffic
# still can go out.  Not sure if same would happen if you're using VPN
# and Windscribe server crashes for some reason.  How to stop this ?
# Need a "kill switch".
# Need to create another connection with "type=drop" ???
# ipsec _updown script ?
# https://www.mail-archive.com/users@lists.strongswan.org/msg15467.html
# need to install swanctl (see section below)

# from Windscribe Support: to make a "kill switch", create iptables
# rule to DROP all packets that are not UDP on 500+4500 (ports IPsec uses)
# so I created a file with (simplified) these commands:
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --match multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A INPUT -d -j ACCEPT
iptables -A INPUT -d -j ACCEPT
iptables -A INPUT -s -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P OUTPUT ACCEPT   # want to change to DROP, but keep getting DNS traffic
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A OUTPUT -p udp --match multiport --dports 500,4500 -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP

sudo ipsec statusall
sudo journalctl | grep Windscribe
sudo journalctl | grep charon

# There is a HUGE amount of logging in the journal by Charon and IPsec
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
man strongswan.conf   # see LOGGER CONFIGURATION section
sudo xed /etc/strongswan.d/charon-logging.conf
# in syslog section, add line:
    default = 0
# rebooted
# but that doesn't seem to have done much, removed it and tried:
man ipsec.conf    # parameter "charondebug"
sudo xed /etc/ipsec.conf
# and in section "config setup" add:
charondebug = dmn 1, mgr 1, ike -1, chd 0, job 0, cfg 0, knl 0, net -1, asn 0, enc -1, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0

# COULD do this, I haven't done it:  in ipsec.conf connection section:
leftfirewall=yes  # disables use of iptables once VPN is connected ?

# Wanted to make a connection to disable the VPN so I can use some site that
# won't tolerate a VPN.  Couldn't get the new connection to work.
# But (with DNS addition in /etc/resolvconf/resolv.conf.d/tail), just
# taking down the Windscribe connection (and resetting iptables) is enough;
# don't need this connection definition (which doesn't work anyway).
sudo xed /etc/ipsec.conf
# and add:
# https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Passthrough-policy
conn no-vpn      # name I picked
    rightsubnet=        # also tried %any
#    auto=route
sud xed /etc/swanctl/swanctl.conf
# and add:
connections {
    no-vpn {
        remote_addrs =
        children {
            passthrough-1 {
                local_ts = %any
                remote_ts = %any
                mode = pass


strongSwan config method:

apt install strongswan-swanctl

# charon daemon probably is running already, but check:
sudo ps -ax | grep charon
# if not:
sudo /usr/libexec/ipsec/charon

sudo systemctl enable strongswan.service
sudo systemctl status strongswan --full --lines 1000

# list connections
sudo swanctl -L

man swanctl
man swanctl.conf      # /etc/swanctl/swanctl.conf
man strongswan.conf   # /etc/strongswan.conf and /etc/strongswan.d/*

Main config file is /etc/strongswan.conf, but make any changes in /etc/strongswan.d/*
After any configuration change, do "systemctl restart strongswan" and "sudo ipsec restart".

"strongSwan is basically a keying daemon, which uses the Internet Key Exchange protocols (IKEv1 and IKEv2) to establish security associations (SA) between two peers." Charon is a keying daemon that implements the IKEv2 protocol for strongSwan.
"The actual IPsec traffic is not handled by strongSwan but instead by the network and IPsec stack of the operating system kernel."
Introduction to strongSwan

strongSwan through Network Manager method:
Tried installing from Mint's Software Manager ("strongSwan IPsec VPN solution metapackage" and "strongSwan-nm"), didn't work. Tried other things, no luck.

"sudo apt install network-manager-openvpn-gnome"
"apt install strongswan" and "apt install network-manager-strongswan" and "apt install strongswan-charon" and "apt install libcharon-extra-plugins". Click network icon in system tray, Network Settings, Network Proxy, "+", get "Add VPN" dialog, choose "strongSwan", get another "Add VPN" dialog where you specify details. If you have a username and password, set "Authentication" to "EAP". Specify username, but there's no way to specify password ? Click "Add" button. Dialog closes and back to "Network" window. Select the VPN you just created and click "On". But fails to connect, every time.

Evgenii Frikin's "How to troubleshoot IPsec VPN misconfigurations"

4/2020: installed Linux Ubuntu 20

Went to Settings / Network / Wired.
Clicked "+" next to VPN.
Types offered are OpenVPN and PPTP and "Add from file".

sudo apt install strongswan network-manager-strongswan libcharon-extra-plugins
Now have another choice "IPsec/IKEv2 (strongSwan)" in there.

Tip: In Network Manager, keep connection profile names descriptive and short, so they appear well in the desktop menu. E.g. "Winds-Open-NYC" instead of "Windscribe-OpenVPN-NewYorkCity".

Create an IKEv2 connection:
Gateway address from ping es.windscribe.com
Authentication = EAP.
Username from Windscribe.
Enable "Request an inner IP address".
Enable "Enforce UDP encapsulation".
Click "Add" button.
Copy password into clipboard.
Move slider to enable VPN.
Paste password into dialog.

Password is NOT remembered once the IKEv2 connection profile is set; you have to type it in each time you connect.

Connection is unreliable for some sites.
sudo gedit /etc/strongswan.d/charon/kernel-netlink.conf
# and after line "# mtu = 0" add:
mtu = 1300
# then reboot
# that helped a bit, but still not 100%

Logged into Windscribe account and got openvpn_cert.zip (contains ca.crt and ta.key files) and Windscribe-*.ovpn files and username and password.
Move the ca.crt and ta.key files to somewhere permanent; Network Manager seems not to keep its own copies of them.

sudo apt install network-manager-vpnc   # doubt this is needed

Go to Settings / Network / Wired.
Click "+" next to VPN.
Click "Add from file".
Select the Windscribe-*.ovpn file.
See dialog; Gateway field should be populated, Authentication type = Password.
Type in username and password.
CA certificate field should be a .pem file.
Click Advanced.
Under General tab: enable "Randomize remote hosts".
Click TLS Authentication tab.
Under "Additional TLS authentication ..." should be Mode = TLS-Auth, Key-file = ta.key, Key Direction = 1, Extra certificates = ca.crt.
Click Okay.
Click Add.

Move slider to enable VPN.
In upper-right of desktop, see white rectangle "VPN" appear !
Do browser leak-tests.

After reboot, OS does not reconnect to VPN automatically.
Do "sudo nm-connection-editor" to set that.
Now after reboot, OS does not reconnect to wired ethernet automatically (!), but when you manually turn on wired ethernet, it WILL reconnect to VPN automatically.
Behavior is different for Wi-Fi ? Will connect to Wi-Fi automatically, but won't reconnect to VPN automatically ? Not sure.

Later, Windscribe sent me some configuration files, one per VPN server. They're .txt files that each have a complete Network Manager (or is it OpenVPN ?) VPN definition in them. [They're OpenVPN "unified connection profile" files, sometimes named with .ovpn extension; see OpenVPN's "Connection Profile creation" and Reference manual for OpenVPN 2.4.]
Do Settings / Network / VPN + / Import from file, give it one of these files, type in your username and password, done.
[nm-connection-editor will export a VPN connection to a file, but only for OpenVPN connections.]

Password is remembered once the OpenVPN connection profile is set; don't have to type it in each time.

To see connections: "nmcli". Also "nmcli general status".
To get GUI version for bug-reporting: "NetworkManager --version".
"ls /etc/NetworkManager/system-connections"

Note: Network Manager is a freedesktop.org component: NetworkManager / issues

Same issue with all types of VPN: when boot system, wired ethernet will be off. Have to turn it on before VPN's "connect automatically" setting works.

WireGuard with Linux Ubuntu GNOME 20.04

[Caution: later heard from someone on reddit who installed WireGuard into Mint 19 (probably 19.3) and something destroyed all his network interfaces, he had to re-install the system.]

I don't have a VPN service that supports WireGuard yet. Just curious.

sudo apt install wireguard
sudo modprobe wireguard
lsmod | grep wireguard
sudo ls /etc/wireguard

# 5/2020: I think no Network Manager GUI support yet;
# can't click "+" to create a WireGuard connection profile

nmcli connection add type wireguard ifname wg0 con-name Winds-WireG-Spain
# profile doesn't appear in Network Manager GUI
nmcli --overview connection show Winds-WireG-Spain

Thomas Haller's "WireGuard in NetworkManager"
psyhomb / wireguard-tools

Windscribe's "Introducing WireGuard"

WireGuard with Linux Ubuntu MATE 20.04 in 10/2020

WireGuard with Fedora 34 KDE in 8/2021

Windscribe's "WireGuard Config Generator"

WG configs from Windscribe work on my Android phone, connected either through Wi-Fi on my LAN, or through mobile data. So the configs are correct.

Couldn't get WireGuard to Windscribe to work through Network Manager in Fedora 34.

Installed Windscribe's CLI client, but it didn't work either. Then Windscribe Support said "Our CLI app [Windscribe CLI client v1.4] does not function correctly in Fedora beyond version 30 unfortunately. We are releasing a beta version soon that should rectify this situation." And also "I suggest trying one of the official Wireguard apps found here: https://www.wireguard.com/install/" And they pointed me to https://blog.windscribe.com/introducing-wireguard-76a1670700a6

"sudo dnf install wireguard-tools"
"sudo wg-quick up Winds-WG-NYC.conf"
Worked fine, and connection is very fast !
But DNS leak; https://browserleaks.com/dns shows both VPN's and ISP's DNS. Next day, leak has gone away ? But phone using same WG has a DNS leak. Restarted phone, leak went away.

Didn't use this: https://utcc.utoronto.ca/~cks/space/blog/linux/NetworkManagerWireGuardClient

WireGuard with UbuntuDDE 22.04 in 10/2022

Normal "edit connections" won't import the .conf files generated by Windscribe.
Wireguard doesn't appear as a choice in Network Manager / VPN.

sudo apt install wireguard
# rebooted, not sure if needed

nmcli connection import type wireguard file Winds-WG-Mad.conf
nmcli connection show Winds-WG-Mad | less
# works

From someone on reddit 1/2022:
There is a limitation: you can't have two client devices on same account both using Wireguard to the same Windscribe server (not same location; same server within a given location). This should be fixed soon.

GrapheneOS (Android derivative) has native support for IKEv2. Windscribe 9/2023 does support this: use same name for "IPSec identifier" and "Username".

Homo Ludditus' "Windscribe VPN: The Good, the Bad and the Ugly"


A proxy just redirects your traffic, making it come out from a different computer with a different IP address. It doesn't add any encryption.

Proxies have most of the same drawbacks as VPNs (added point of failure, some sites may not allow, have to trust provider, etc), but the performance penalty for a proxy should be much less than that for a VPN.

Privacy.net's "What proxy servers are and how they differ from VPNs"
Jason Fitzpatrick's "What's the Difference Between a VPN and a Proxy?"
Lucas Pardue and Christopher Wood's "A Primer on Proxies"
Calvin Wankhede's "Proxy vs VPN"

Hide My Ass! (free proxy server)
search for Firefox proxy add-ons

Apparently there are proxies with TLS connection (encrypted tunnel) to them. See for example Project V. Is this "encrypted connection to proxy" the same as a VPN-to-internet ? I think yes.

Router And Modem

Parts of a router/modem

  • WAN connector: connects to outside copper cable or fiber or phone line.
  • Modem: from WAN connector, converts outside signal to internal/Ethernet, sends to router.
    [Fiber modem may be called an ONT (Optical Network Terminal).]
  • Router: intelligence that converts between internal (LAN) and external (WAN) IP addresses, usually using NAT, often including a stateful firewall. Handles IP addresses, uses subnets, operates at L3 and L4 levels. Services to LAN clients: DHCP, uPNP.
  • LAN Switch: connects all the parts of the local network: LAN side of router, Ethernet ports, Wi-Fi AP. Handles MAC addresses, learns what MAC addresses are on each port, operates at L2 level, does ARP and RARP.
  • LAN Ethernet connector: wired connection to client device in home.
  • Telephone connector: wired connection to telephone in home.
  • TV connector: wired cable connection to TV in home.
  • USB connector: for a disk drive to be shared on the LAN.
  • Wi-Fi access point: wireless connection to Wi-Fi devices in home.
These parts may be packaged into two devices (modem and router) or one device (router/modem).

Weak Wi-Fi Solutions' "Why Your Wi-Fi is Slower Than Ethernet"

How routing works

Basically, two key layers, with their associated address forms:
  • IP layer (with IP addresses, which are assigned by software or by router or by authorities).

  • Link layer (with MAC addresses, which are permanent in hardware).

[Simplified, and assume a simple flat LAN, and client has single network interface:]
  1. In your computer, your browser forms an HTTP request and gives it to TCP layer, saying: "send to IP address N.N.N.N".
    [Ignore how (DNS) a web-address is looked up to find IP address.]

  2. TCP layer forms a TCP packet: TCP header followed by data (the HTTP request). The TCP header contains port numbers and flags and other info.

  3. TCP layer gives TCP packet to IP layer, saying "send to IP address N.N.N.N".

  4. IP layer forms an IP packet: IP header followed by data (the TCP packet). The IP header contains the IP addresses and other info.

  5. The IP layer does a check of destination IP address N.N.N.N:

    • If special address such as localhost (127.0.0.n), the traffic is handled internally by software.

    • If source and destination IP addresses are on the same subnet (destination is in the LAN), the IP address should be found in the ARP table, and it gives MAC address DD:DD:DD:DD:DD:DD for the destination.

    • Otherwise, the IP layer picks destination MAC address RR:RR:RR:RR:RR:RR (the router).
      [This mapping was established earlier by ARP mapping "gateway" IP address to MAC address.]

  6. IP layer gives IP packet to link layer, saying "send to MAC address" (DD:DD:DD:DD:DD:DD or RR:RR:RR:RR:RR:RR).

  7. Link layer adds its own header, forming a frame. Then frame goes across the LAN (Ethernet or Wi-Fi) from MAC address CC:CC:CC:CC:CC:CC (your computer) to destination MAC address. At other end, link layer strips off the link header.

  8. If the destination was the router:

    • The IP layer in the router does a lookup of IP address N.N.N.N in rules for IP address ranges. In simplest case, only rule is "send everything out to WAN". But there could be firewall rules, segmented LAN, etc. And DHCP table here serves as backstop for source machine's ARP table ?

    • If the destination IP address is outside your LAN (on public internet), the lookup finds that packets to IP addresses in that range should be sent to the device at MAC address II:II:II:II:II:II (the ISP's router).

    • Packet goes out (through a link layer again) through the modem to MAC address II:II:II:II:II:II.

General functional block diagram

  WAN connection
(fiber, cable, phone line)
(many LAN devices share
one public IP address)
(filter traffic to
prevent attacks)
(DHCP to assign LAN addresses;
map IP addresses to external/Ethernet/Wi-Fi)
LAN Ethernet ports   Wireless Access Point
connected via Ethernet
connected via Wi-Fi

Typical configurations

  • Modem (owned by ISP or by you) + router (owned by ISP or by you).
  • Combined modem/router (owned by ISP or by you).
  • Modem (owned by ISP) + router (owned by ISP) in "bridge" mode + router (owned by you).
  • Combined modem/router (owned by ISP) in "bridge" mode + router (owned by you).
  • You will be paying monthly rent for the pieces owned by the ISP.
  • The pieces owned by the ISP could be used by the ISP to spy on you.
  • The ISP may be slow to update firmware and software in their pieces to latest versions.
  • Likely you can't install new software on the pieces owned by the ISP.
  • Likely the ISP's standard software will not have features you could get through new software, such as VLANs, guest Wi-Fi networks, firewall, VPN, more.
From someone on reddit 7/2019:
You should have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.

If you have separate modem and router, plugging your PC directly into the modem for troubleshooting or something is a bad idea. You expose your PC directly to the internet and lose any protections implemented in the router.

If modem is separate, a typical address to admin it might be
Router admin usually is at or

Router operating systems

+/- OPNSense is derived from pfSense. OPNSense is more community-oriented; pfSense is more enterprise-oriented and more stability-oriented. Instructions/answers/support for pfSense mostly apply to OPNSense too.

From Michael Bazzell's podcast 2/2021: pfSense is fragile in that if power fails, there is likely to be filesystem damage or something and you'll have to repair or tweak it to get it to boot again. Put it on a UPS.

Nick Congleton's "DD-WRT vs. Tomato vs. OpenWrt: Which Router Firmware Is the Best?"
Cheapskate's Guide's "A Brief Review of OPNSense Router Software"

Desirable router features

  • Gigabit Ethernet (1000 Base-T), not just "Fast Ethernet" (100 Base-T).

  • Number of Ethernet LAN connectors.

  • VLANs: ability to put devices on separate VLANs where traffic does not pass between VLANs. You want this enforced in the switch/router, not just by packet-tags applied in each client device.

  • Guest networks: multiple Wi-Fi network names and passwords (and once devices log in, they're on separate LANs where traffic does not pass between LANs).

  • WPA3. Starting to become available at end of 2018.

  • IPv6. But your ISP and VPN may not support this.

  • Compatibility with / support for running a VPN client in the router.

  • Compatibility with / enough processing power and RAM to run a custom OS (DD-WRT, Tomato, pfSense, etc).

  • Firewall: ability to control traffic by MAC address, IP address, TCP/IP port number, maybe import lists of rules from elsewhere.

  • Incoming port forwarding.

Features that seem unimportant to me: parental controls, dual-band, built-in anti-malware, MU-MIMO, smartphone app to control router, Quality of Service (QoS) or Wi-Fi Multimedia traffic controls, mesh networking, USB port to make a NAS. Your priorities may be different.

Heard this, not sure if it's standard terminology/functionality: a device on a VLAN can talk to any other device on same VLAN, and to internet; a device on a guest network can only talk to internet.

Be careful about speed ratings. Some routers will tout a high Wi-Fi speed, but then the ethernet ports (including the WAN port) have much lower limits. The WAN port will be your choke point, so a low limit there is very bad.

Turris MOX (open-source router)

Ethan Robish's "Home Network Design - Part 1"

Michael Horowitz's "Router Security"
Michael Horowitz's "Using VLANs for Network Isolation"
pubudeux's "VLANs for the Homelab"
From someone on reddit:
  • Port-based VLANs: all the devices on an unmanaged switch must be in the same VLAN.
  • 802.1q VLANs: the devices can be in different VLANs, provided the devices themselves tag their own traffic. This is not commonly done.
  • MAC-based VLAN. Here, devices are assigned to a VLAN based on their MAC addresses. This is not commonly used in a home networking environment.
"Separating L2 broadcast domains. That's the whole purpose."
From someone on reddit 12/2020:
It's the firewall rules that decide which traffic goes between VLANs.

> So, in a consumer router, if I click buttons to create two VLANs,
> do the firewall rules get created automatically ?

They do, but probably to simply allow all traffic between VLANs, this is the default behavior on most consumer routers, versus pfsense/opnsense the default is to deny.

There are more benefits to a VLAN:
  • Separate subnets:
    • This is how I can keep track of who is taking up all my bandwidth, my guest network is a very different subnet then my LAN and IoT.
    • IoT is a big enough different from my LAN subnet to give me plenty of hints too.
  • DHCP leases security:
    • All devices on my LAN and IoT require me to manually as a DHCP lease or they will simply be ignored, even if you did have the Wi-Fi password.
    • This is also a PIA with apple device updates with their private Wi-Fi option, have to disable this on your network or it will randomize the mac address each time.
  • Firewall rules:
    • I allow my LAN to access all network, and i allow guest and IoT to access each other not my lan, this makes it easier for guest users to cast to my various google devices around the house.
  • Wi-Fi security:
    • I always hated having to ask for a Wi-Fi password going to someone's house, so on my guest network I do not have one, just a captive portal and a 24 hour time limit. Meanwhile my other two networks are using wpa3.
    • This is not a perk of the VLAN but I also setup 5mb down 1mb up (per user) on my guest network so they would not use up all my bandwidth. My wife and I used to throw a really big halloween party before covid so I could at a single time have 100 users on my Wi-Fi. Even what I give is generous and my pfsense box will still traffic-shape.

Sometimes a VLAN gets in the way. For example, to connect Echo/Alexa to your phone, they can't be isolated on separate VLANs.

Sean Gallagher's "InvizBox 2 redefines what 'privacy' routers can do"

Router features you probably want to turn off

  • WPS.

  • Remote management.

  • PNP.

  • Any telemetry or "phone home" features.

Fixed IP address assignment on home LAN

[From discussion on reddit:]
  • If setting address from the router, it's called a DHCP reservation (or just "reservation"). "Static" only applies if done from the client side.

  • Do all assignments in one place, centrally: the router.

  • Good idea to have reservations for all server-type devices: NAS, printers, Pi-hole, etc. This may include game consoles and IoT devices, if anything is going to initiate traffic to them.

  • Don't do client-side static assignments for devices such as phones and laptops which could be moved to another network at any time.

  • Also IPv6.

Building your own router: want x86 processor, not ARM, for better performance.


A firewall lets you control what kinds of traffic flow in and out of your network.

Some types

  • Level 3 (packet filtering): filter by IP address, port number, and protocol type (TCP, UDP, ICMP) ?

  • Level 4 (stateful filtering): filter TCP and maybe UDP by connection and session state.

  • Level 7 (application level): understand application protocols such as FTP, SMTP, Telnet, HTTP, etc.

  • WAF: Web Application Firewall (understand HTTP and associated).

Wikipedia's "Firewall (computing)"
Palo Alto Network's "What Is a Firewall?"
Cisco's "What Is a Firewall?"
Chris Hoffman's "Do I Need a Firewall if I Have a Router?"

A firewall could be


Torrent Seedbox

A Seedbox is a torrent client on a cloud/server computer. All torrents go to that server, then you FTP from that server to your computer. So if your ISP doesn't allow torrenting, or you're downloading copyrighted material, this evades those problems.

Seedbox Guide's "What is a seedbox?"

DNS (Domain Name Service)

Network admin's haiku:

  It's not DNS.
  There's no way it's DNS.
  It was DNS.

DNS is how domain names such as "google.com" are resolved into IP addresses such as "". article

Most likely, your computer is using either Google's Public DNS ( or, or a DNS run by the ISP or VPN you are using, or is set to find a DNS automatically (which probably means: DNS run by the ISP or VPN).

To find out what DNS you are using

  • Best way: a leak-test site such as Do I Leak ? will tell you what DNS server actually is being used.

  • On Linux:
    systemd-resolve --status
    nmcli dev show | grep DNS
    resolvectl status
    resolvectl query SOMEDOMAIN
    nslookup SOMEDOMAIN
    resolvectl statistics   # see DNS cache statistics
    # cache is limited to 4096 entries
    # Firefox has its own very transient DNS cache in front of this one
    cat /etc/resolv.conf
    cat /etc/nsswitch.conf
    cat /etc/nsswitch.conf | grep hosts    # DNS order of checking
    cat /etc/sysconfig/network/config      # man netconfig
    nmcli dev show tun0       # and see GATEWAY
    systemd-resolve --status  # and see "Current DNS Server" for "tun0" device
    pidof dnsmasq
    dnsmasq --test
    # LAN mDNS/DNS-SD only ?
    # AKA "Zeroconf"; "Rendezvous" or "Bonjour" protocol.
    sudo systemctl status avahi-daemon --full --lines 1000
    avahi-browse --cache --all
    man systemd.dnssd
    # Used by Windows clients:
    man llmnrd
    llmnr-query google.com    # ???
    Baeldung's "Difference Between resolve.conf, systemd-resolve, and Avahi"
    Fabien Sanglard's "mDNS Primer"
    daenney's "Getting rid of Avahi"

  • Open a command prompt and run "nslookup google.com". First address shown is your DNS's address. But an IPv4 address that starts with "10.", "127.", "172." or "192." likely is an "internal" address, meaning that something in your computer or VPN client or router is grabbing that address and mapping it to something else. See Tim Fisher's "Private IP Address".

A few other settings are shown by Cloudflare's "Browsing Experience Security Check" (ESNI/ECH).

Test both with VPN on and with VPN off. There WILL be times you need to turn the VPN off to access some site.

The DNS can see what sites (domains) you are connecting to, but not which pages or URLs or searches you are doing on those sites.

What to use

  • If/when you're using a VPN, use the VPN's DNS. That way all DNS traffic is inside the VPN's encrypted tunnel, and your ISP or eavesdroppers can't see it.

    Important: you want your system to be accessing the DNS through the VPN, not directly. If the DNS address specified in your system is something like 10.x.x.x, it's going through the VPN tunnel (good).

  • When the VPN is off:

    • Probably might as well just use your ISP's DNS, since the ISP is going to see all the IP addresses you access anyway.

      But instead you could:

    • Avoid a DNS owned by a data-collector (e.g. Google and

    • Use a DNS owned by a service that is fast and supposedly doesn't log traffic (e.g. Cloudflare and, Quad9, OpenDNS

    • Use a DNS that will block malware and/or adult sites (e.g. Cloudflare and
      Cloudflare's "Introducing for Families"

    • Use an encrypted connection to DNS to prevent your ISP from redirecting you (if ISP is malicious), or to prevent someone on your LAN (which may be public Wi-Fi) from modifying your DNS results.

How to set DNS for the case when VPN is off:
I'm surprised that I couldn't get ANY of this to work !!! Should try again after reading the articles linked below.

  1. Turn off VPN.

  2. Run Do I Leak ? to see what DNS server is being used.

  3. In router:
    1. Login to router's admin page.
    2. You may have to set "expert mode".
    3. Look for any DNS settings.
    4. My Vodafone router only has a "Secure DNS" setting. The text for this implies that it overrides DNS settings in individual devices, but I'm not sure. Turning it off did not let me specify a DNS server address. Turning it off did not make Linux use its own DNS settings. Power-cycling router didn't help.
    Tim Fisher's "How to Change DNS Servers on Most Popular Routers"
    Haidar Ali's "Using a Specific DNS for a Specific Domain in Linux"

  4. Run Do I Leak ? to see what DNS server is being used.

  5. In Linux Ubuntu/Mint:
    1. Click on network icon in system tray and choose "Network Settings".
    2. Click on the network interface (Wi-Fi or Wired).
    3. Click on "gear" icon in lower-right.
    4. Click on "IPv4".
    5. In the "DNS - Server" field, put the value you want, such as "".
    6. Set the "DNS - Automatic" switch to "off".
    7. Click on "Apply".
    8. Close "Network Settings" app.
    9. Click on network icon in system tray and turn the network interface (Wi-Fi or Wired) off and then back on.
    10. Reboot.
    11. Didn't work, still using ISP's DNS.
    12. Later set DNS on other network interface, and got different results ? Have to do both same way ?
    Another try:
    1. Edit "/etc/network/interfaces" as root, add line "dns-nameservers".
    2. Run "cat /etc/resolv.conf"
    3. Reboot.
    4. Run "cat /etc/resolv.conf", now new line appears in it.
    5. Didn't work, still using ISP's DNS. [Maybe have to edit /etc/NetworkManager/NetworkManager.conf and add "dns=none" in [main] section ?]
    Ended up worse than before: now, with VPN on, I'm getting a DNS leak to Removed the line from /etc/network/interfaces and rebooted, that fixed it.

    Maybe should remove "nameserver 127..." line from /etc/resolv.conf somehow ?

    In Linux, some apps use /etc/resolv.conf file directly. Other apps use glibc's NSS functions, which talk to systemd-resolved. "systemd-resolved is a DNS stub. In other words, it's a local, caching, recursive-only DNS server. It brings features to GNU systems that the standard DNS resolver client doesn't have, such as DNSSEC support and rich lookup policies for multi-homed systems." "systemd-resolved will manage /etc/resolv.conf in its standard configuration".

    Baeldung's "Difference Between resolve.conf, systemd-resolve, and Avahi"
    Chris Siebenmann's "Things that systemd-resolved is not for (as of systemd 251)"
    Unix Sheikh's "How to split your DNS requests when using a VPN"

  6. In Windows:
    1. ???
    Mauro Huculak's "How to configure Cloudflare's DNS service on Windows 10 or your router"

  7. In Android:
    1. Turn off VPN.
    2. XSLab's "How to Change DNS Settings on Android"
    3. Followed the "long-press on Wi-Fi network" instructions, everything fine except you really have to specific static addresses for phone (maybe and router/gateway (maybe

  8. Run Do I Leak ? to see what DNS server is being used.

  9. In Firefox:
    1. Click on hamburger icon / Preferences.
    2. Click on General.
    3. Scroll to bottom, click on Network Settings.
    4. In "Configure Proxy Access to the Internet", click on "No Proxy".
    5. Scroll to bottom, click on "Enable DNS over HTTPS", set "Use Provider" to desired value.
    6. Didn't work, now getting DNS requests from both the provider I chose AND from my ISP's DNS. One request from provider, plus N from ISP's DNS. Could be that first is for the main page and then others are for images/scripts on the page ?

  10. In Chrome / Chromium:
    1. ???

  11. Run Do I Leak ? to see what DNS server is being used.

  12. Turn VPN back on.

  13. Run Do I Leak ? to see what DNS server is being used.

DNS Leak

If you're using a VPN or proxy or Tor to hide your normal traffic from your ISP or someone spying on your network, yet your DNS traffic is NOT going through the VPN etc, this is called a "DNS leak". The DNS server is seeing both your originating IP address and the destination domain / IP address you're planning to access, even though you're using a VPN etc. The company which owns that DNS server (your ISP, or Google, or Cloudflare, etc) could sell that info. And even if you're using some other service's DNS, if the DNS traffic is not encrypted, your ISP could be reading and selling that info too.

IMO, the best thing to do is to use your VPN's DNS server, and make sure it's being accessed through the VPN tunnel. Your VPN company already knows both your originating and destination IP addresses, so you're not revealing anything extra.

"nslookup billdietrich.me" to see what DNS is being used.
On Linux, finding DNS setting may not be easy. Try "cat /etc/resolv.conf", "resolvectl status".

Test: see IP address DNS leak ?
Wikipedia's "DNS leak"
Bill Hess's "What Is a DNS Leak And How To Fix It"

LabZilla's "Your Smart TV is probably ignoring your Pi-hole"

Choosing a DNS

Nykolas Z's "DNS Security and Privacy - Choosing the right provider"
Mike Williams' "Best free and public DNS servers in 2020"

Some good reasons to use Google's Public DNS:
Joseph Caudle's "Why and How to Use Google's Public DNS"
Vijay Prabhu's "How to Change Your Default DNS to Google DNS for Fast Internet Speeds"

Choosing a DNS by speed:
Chris Titus's "How to choose DNS Server by benchmarking them"
Chris Frost's "Clearing the DNS Cache on Computers and Web Browsers"

In Linux, compare DNS speeds by creating a file such as dig-input.txt and running:

dig -f dig-input.txt | grep -E 'Query|SERVER'
Run it again to see the effect of caching.

My computer (running Windows 10) was set to "find DNS automatically", which meant it was using the DNS run by my ISP. I ran namebench several times, and results varied, but generally the DNS run by my ISP was fastest or among the fastest. So I left my computer set to "find DNS automatically".

From someone on reddit:
"some routers ignore individual device settings, so if that's the case you have to change the DNS settings on your router to whatever server you want to use"

Various flavors of encrypted connection to DNS

  • Plain DNS: connection between Browser/OS and DNS is not encrypted.

  • DNSCrypt:
    Supported by DNSCrypt-Proxy and OpenDNS clients.

  • DNS-over-TLS: new.
    Supported by Quad9 and OpenDNS clients.

  • DNS-over-HTTPS (DoH): new.
    Homer Simpson saying DOH Being tested by Mozilla/Firefox, servers provided by Cloudflare and Google.
    Supported by DNSCrypt-Proxy client.
    Catalin Cimpanu's "How to enable DNS-over-HTTPS (DoH) in Firefox"
    Martin Brinkmann's "Configure DNS Over HTTPS in Firefox"

    From someone on reddit:
    "Doing DNS requests is the task of the OS not an application, I really dislike this behavior [DOH in Firefox]. An application will not respect any rules in my hosts file and this will prevent me from having local servers with (fake) domain or blocked domains." [Instead, use a DNS proxy.]

  • Oblivious DNS-over-HTTPS (ODoH): new.
    Have an encrypted (TLS) connection to a DNS server, but run it through a proxy that hides your IP address.
    This is better than DoH only if the companies running the proxy and the DNS are different and don't share info with each other.

  • Just use a VPN, and use their DNS: then the connection to DNS doesn't matter, it's all protected by the overall VPN encryption. But make sure you ARE using their DNS through their tunnel; it should have a non-public address such as one starting with 10 or 172 or 192. And ask if their DNS is using DNSSEC to talk to other DNS servers; it should be.

Test with:
Do I Leak ?
Cloudflare's "Browsing Experience Security Check" (ESNI/ECH)
DNSSEC Resolver Test

Sean Gallagher's "How to keep your ISP's nose out of your browser history with encrypted DNS"
DNSCrypt Proxy
Domain Name System Security Extensions (DNSSEC)

Test a DNS server for vulnerabilities:
Open recursive DNS resolver test
GRC's "DNS Nameserver Spoofability Test"

OpenDNS (includes blacklist of bad sites, at the DNS server)

To check what software a DNS server is running:
"sudo apt install fpdns" and then "fpdns -D YOURDOMAIN"
"dig @NAMESERVERNAME version.bind chaos txt"
"nslookup -type=txt -class=chaos version.bind NAMESERVERNAME"

DNS filtering (ad-blocking and script-blocking):
Some VPNs provide blocking/filtering features.

Some public DNS servers provide blocking/filtering features.

AdGuard Home

Pi-hole appliance:
Connect Pi-hole device via Ethernet cable to a LAN port on your router. Assign a static IP address to it in the router's admin. It will act as DNS for any device you tell to use it as DNS.


Dedoimedo article
Scott Hanselman article
Anand article in Smart Home Beginner
LabZilla's "Your Smart TV is probably ignoring your Pi-hole"

Decent hardware would be a Raspberry Pi 4 with 2 GB RAM and a fan. When buying, check the product description very carefully: sometimes what is being sold is just the case, or just the bare board with no case/adapter/cables. Expect to pay around $100.

You can buy the hardware with Raspbian and Pi-hole pre-installed, but that will add to the cost.

There are multiple configurations with VPN:
  • No VPN anywhere:

    Client devices use Pi-hole as DNS,
    Pi-hole accesses DNS on internet (ISP, Google, etc),
    client devices access internet directly.
    [Both Pi-hole and clients are exposing your home IP address.]

  • VPN client in client device:

    • Client device accesses DNS and internet through VPN tunnel.
      No use of Pi-hole (no ad-blocking and script-blocking).
      [Only VPN company sees your home IP address.]

    • Client device uses Pi-hole as DNS,
      Pi-hole accesses DNS on internet (ISP, Google, etc),
      client devices access internet through VPN tunnel.
      [Pi-hole is exposing your home IP address.]

  • VPN client in router:

    Client devices use Pi-hole as DNS,
    Pi-hole accesses DNS through VPN,
    client devices access internet through VPN.
    [Neither Pi-hole nor clients are exposing your home IP address.]

The usual tradeoff between running in client versus running centrally:
  • VPN client in client device, do everything through VPN's tunnel:

    If you take the device to a different LAN (public Wi-Fi, AirBNB, hotel, etc), you're still protected.

    If you want to change some setting, probably you have to change it on every client device.

    Some devices (game console, smart TV) may not support running a VPN client.

  • VPN client in router, DNS in Pi-hole:

    If you take the device to a different LAN (public Wi-Fi, AirBNB, hotel, school, friend's house, etc), that device loses all protection.

    If you want to change some setting, you can change it just in one place (router or Pi-hole).

What I use at the moment:
  • On my laptop and phone: VPN with blocking/filtering, and ad-blocker in browser.

  • On my family's laptops and phones: public DNS with blocking/filtering, and ad-blocker in browser.

  • No central blocking/filtering in Pi-hole or router.

Unsolicited opinion:
With cloud services, and someday 5G wireless and IPv6, and phones/tablets/laptops being carried around everywhere, and BYOD to work, and more work-from-home, the world is becoming more decentralized and peer-to-peer and mobile.

The notion of a "secure LAN" behind a router/firewall/filter is getting weaker and weaker. The business world is moving to a "zero-trust" model, where authentication is important and there's no "trust them just because they're on the LAN" any more. Every device, every session, has to have its own protection. Smart TVs can have their own anti-virus, for example.

So VPN client and ad-blocker in the client device, and filtering in the VPN server, make more sense than central LAN filters in router or Pi-hole or firewall.

You still can use central filters, and network segmentation, but expect them to be an additional layer of defense, not the sole defense.

Julia Evans' "A tool to spy on your DNS queries: dnspeep" (Linux and Mac)
Martin Brinkmann's "Log all DNS activity on your Windows PCs with DNSLookupView"

Christine Dodrill and David Anderson's "The Sisyphean Task Of DNS Client Config on Linux"
Venam's "What Does It Take To Resolve A Hostname"

zbyszek's "systemd-resolved: introduction to split DNS"
Michael Catanzaro's "Understanding systemd-resolved, Split DNS, and VPN Configuration"

Jan Schaumann's "(All) DNS Resource Records"
Get DNS records, using DNS at "delv @ DOMAINNAME TXT"

Julia Evans' "The multiple meanings of 'nameserver' and 'DNS resolver'"

"There are two hard problems in IT: cache invalidation, naming things, and off-by-one errors."

MAC Address

This is an address unique to the network access card/hardware in your device.

Your MAC address doesn't get out to the Internet. Only people/devices on the same LAN as you can see your MAC address. (That sometimes includes people sharing Wi-Fi with you.) But if you're using public or store or hotel Wi-Fi, now the operator of that network knows your MAC address, and can sell that info. It can be used to track your activity across networks and sites.

In TCP/IP, your MAC address doesn't go beyond your local network (if using a router) or your ISP (if using only a modem). It would be possible for an app on your computer/phone to grab the MAC address and send it out in some custom way.

Change your MAC address:
Mac Makeup
Technitium MAC Address Changer (Windows only)
Linux Geekster's "3 Ways to change the MAC address in Linux and Unix"
OSTechNix's "How to change MAC address in Linux"

Location Leaks

Probably we're all familiar with IP leaking, when some outside person/app gets your real IP address and usually can determine your approximate location, and if they get help from your ISP can determine your identity.

But is there "location leaking" inside the software in our computers ? Apps can query our Wi-Fi or router or ISP to get our GPS location or at least postcode ? I assume apps all can get our real IP address, even if we're using a VPN.

And yesterday, my Linux Mint 19 system installed an update which included "freedesktop" which runs a "GeoClue" location service for applications. I don't know quite what this does and how much it knows and how to turn it off (eventually I was able to uninstall it).

Any software inside our system that gets our real location or IP address potentially could leak it, accidentally or routinely or maliciously. The information might be included in crash dumps or traces in bug reports.

How do we stop this ? What other sources of location data are there inside our systems ? How do we set them all to report "none" or some fixed value of our choosing ?

Inside Android, an app can use Google Location Services API or Network Location Provider.

Inside Linux, while running a VPN and through a router, there are four kinds of IPv4 address: I haven't found a way yet that an app on my computer can get the Router's WAN address, either with VPN on or VPN off. But with VPN off, an app could talk to a server outside and ask it "what IP address am I coming from ?".

Browser is a key point for storing/providing location data. Set preferences in each browser you use. And maybe use an add-on such as Location Guard

Michael Horowitz's "A new aspect of Google's spying"

Inbound Traffic

From discussion on reddit 7/2019:
Normally, a router's firewall blocks all incoming traffic unless it's related to outgoing traffic. The firewall will temporarily open ports used by the outgoing traffic.

Port forwarding allows unsolicited incoming traffic to a port or range of ports through the firewall to a specific IP address in your LAN.

By opening a inbound port, you are exposing a device to unsolicited traffic from the Internet. Unless you can restrict the incoming traffic to a trusted remote address, the device may be at risk of being compromised. Open ports only when there is no option, such as gaming. Only open the necessary ports, and close them when finished. For other use cases, [carefully evaluate how much you can restrict access and what kind of authentication is being used.]


Tunneling home over an inbound VPN will give the outside client machine access to everything in your network, and apps like Hamachi work great for playing games that are only designed to work over LAN. However, inbound VPN is not suitable for services that need to be accessible by clients you don't control or clients that you don't want to have access to your whole internal network. You would not use an inbound VPN just make a web server accessible, nor would you use an inbound VPN for most services designed to work over the Internet.


Low-security file sharing protocols like SMBv1 are only safe to use over a secure LAN and should never be exposed to the internet.


UPnP is a multi-purpose protocol. One of its functions is to enable a device to dynamically set up port forwarding on a UPnP-enabled router. This can be convenient when multiple devices (such as multiple gaming consoles) need port forwarding. The application/game must work on multiple, different ports. If it doesn't, then it's impossible for multiple consoles to work in the same network. While UPnP can be convenient, there are documented instances of security vulnerabilities associated with it.

Most people will want to set up port forwarding manually on the router or use UPnP. In most cases, it makes sense to pick one method. ... Using a combination of both will give the static rules precedence. Some people disable UPnP port forwarding entirely for security reasons, but using both doesn't create any issue. The only reason to say "I'm only using UPnP" is to avoid confusion between the static and dynamic port forwarding rules. You can use both. While it's true that UPnP is insecure by design, the convenience it offers home users is usually well worth the concerns in small networks where you manage all the devices. ... For any given application/game, you only need to use one. It's certainly possible to use static port forwarding for one application and UPnP for another.


In a home network, it's strongly recommended to have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.


Usually, you need only concern yourself with opening ports for incoming traffic. All consumer-grade routers open all ports in the outgoing direction by default, so you can generally ignore any application- or game-specific requirements to open outbound ports. You may come across some applications and games where it's not specified which direction (inbound/outbound) needs to be opened. This is really unfortunate, as you end up having to open more ports than necessary. Do be sure you open the correct protocol (UDP or TCP). If in doubt, open both.


Before you test port forwarding through your router [to a server on your LAN], make sure the application/game is running on your server. Then try connecting to it locally from another local device. ... Once you have confirmed that a local connection works, you can proceed to test port forwarding [inbound from the internet]. ...


If you run the actual application/game executable (not through a browser), maybe run it on a device that is not connected to your home network (LAN). If you have a smartphone, for example, switch from Wi-Fi to cellular Internet.

Tor Browser

Onion is a network, where the Tor browser (or other source) talks to an entrance node, which talks to a middle node, which then talks to either an exit node (for traffic to an ordinary internet destination) or through more nodes to an onion web site.

It is possible to use Tor browser and onion and still not have privacy or anonymity. If you're the only person on your LAN using Tor, perhaps your activity on the LAN can be correlated with the traffic coming out of the exit node. If you log in to a web site using your real info, that site will know who you are. If you use HTTP, the exit node and its ISP can see your traffic.
Aditya Tiwari's "Tor Anonymity: Things Not To Do While Using Tor"

Tor browser is based on Firefox ESR plus security fixes, and seems to track normal FF security fixes pretty closely.

Tor Project's "About Tor Browser"

If you're using Tor browser instead of a VPN, only the Tor browser's traffic is going through the onion network; traffic from other applications and background services does not.

How it works (typical cases)

  1. User runs Tor Browser.

  2. In the background, a Tor SOCKS5 proxy is launched, listening on localhost TCP port 9050 or 9051. If first time this is run, a set of guard nodes is chosen, and will be used for some months.

  3. Tor proxy establishes a circuit (picks a list of relays/nodes). Assume this consists of 3 onion relays (it can be more ?). The exit relay is chosen first, gated by settings in the torrc file, what port/protocol is needed, and how busy the relays are. Information about all nodes/relays (except bridge nodes) in the onion network is maintained by a set of 9 directory nodes.

  4. User types an address into Tor Browser.

  5. Tor Browser sends HTTP GET message to Tor SOCKS proxy.

  6. Tor SOCKS proxy sees that address is for a clearnet site:

    1. Tor proxy encrypts message with key of third relay in the circuit, then encrypts that result with key of second relay in the circuit, then encrypts that result with the key of the first relay in the circuit.

    2. Tor proxy sends triple-encrypted message to first relay in the circuit.

    3. If a Pluggable Transport and a Bridge node are being used, the PT transforms the message to look less Tor-like.

    4. First relay ("guard relay", may also be a Bridge node) decrypts outermost layer of encryption, finds address of second relay, sends contents to there.

    5. Second relay ("middle relay") decrypts outermost layer of encryption, finds address of third relay, sends contents to there.

    6. Third relay ("exit relay") decrypts outermost layer of encryption, finds address of clearnet web site, sends contents to there.

    7. Clearnet web site gets the message. Source IP address is the IP address of the exit relay.

  7. Else: Tor SOCKS proxy sees that address is for a onion site (Tor Hidden Service):

    1. When onion site was created, it chose one or more nodes as Introduction Points. Then all other nodes were told about this association: onion address to Introduction Points. Each of the onion site's circuits to the Introduction Points have guard node and middle node in them.

    2. Tor proxy chooses some node as a Rendezvous Point.

    3. Tor proxy makes a circuit (with guard node and middle node) to the Rendezvous Point, and asks it to contact the Introduction Point for Tor Hidden Service X.

    4. The Rendezvous Point asks one of the Introduction Points to contact the Tor Hidden Service X.

    5. The Tor Hidden Service creates a new 3-hop (guard, middle, exit) circuit back to the Rendezvous Point.

    6. Tor proxy encrypts message with six layers of encryption: for guard, middle, rendezvous, then exit, middle, guard to onion site.

    7. Tor proxy sends sextuple-encrypted message to first relay in the circuit.

    8. Each relay/node strips off a layer of encryption.

    9. Onion web site (Tor Hidden Service X) gets the message. Source IP address is the IP address of the guard relay chosen by the Tor Hidden Service.

Bee's "How Does Tor Really Work?"
Ross Ricky's "What is the Tor Network and How Does it Work?"
Tor Project's "How do Onion Services work?"
Computerphile's "How TOR Works" (video)

Several configurations using onion for outbound traffic

  • Tor Browser and normal OS: Only activity from Tor Browser goes through onion network; all other traffic goes out normally (and your home IP address is revealed to destination servers). ISP sees that you're using onion network, and sees the destination IP addresses on your other traffic.

    This is a bad configuration: For your non-onion traffic (from services, and apps other than Tor Browser), your ISP is seeing the destination IP addresses, and your home IP address is being revealed to the destination servers.

  • green check-mark   Tor Browser and normal OS and VPN (AKA "Tor over VPN"): All traffic (Tor and other) goes out through VPN; activity from Tor Browser then goes through onion network (after coming out of VPN server). ISP sees that you're using VPN, but can't tell anything else.

    This is a good configuration: All your traffic is protected from your ISP and the destination servers, one way or the other. And for your Tor Browser traffic, the VPN knows your ID but only sees that your destination is an onion entrance node, it doesn't know your final destination.

    VPN doesn't help or hurt the Tor traffic. VPN is there to protect the non-Tor traffic.

  • Normal OS and an onion connector (e.g. nipe or Orbot or TorGhost etc): All network traffic goes through onion network. ISP sees that you're using onion network.

    This is a somewhat-good configuration: All your traffic is protected from your ISP and the destination servers, but you're paying a performance cost by using the onion network for everything. Also you can't do UDP through onion network.

  • Custom OS and an onion connector (e.g. Tails, Kodachi, Subgraph OS, Whonix): All network traffic goes through onion network. ISP sees that you're using onion network.

    This is a somewhat-good configuration: All your traffic is protected and there may be other security and privacy features, but you're paying a performance cost and running an uncommon OS that may lack features or support. Also you can't do UDP through onion network.

  • Normal OS and a VPN and then an onion connector (AKA "VPN over Tor"): All network traffic goes through onion network, then to VPN server. ISP sees that you're using onion network.

    This is a bad configuration: You're losing any benefit from the onion routing, the VPN knows your ID and sees the final destination of your traffic.

Use a VPN 24/365, even when you're using Tor browser

[I am talking about "Tor over VPN in a normal OS", not Tails or "VPN over Tor": connect your system to internet through a VPN, then run Tor Browser. So onion traffic comes out of Tor Browser, goes through VPN, comes out of VPN server, then goes into onion network and does multiple hops until coming out of an exit relay or getting to an onion web site.]

How your traffic looks:
Not sure this is right:
Encryption IP address on outside
Tor Browser Src Dest
None  v request v    ^ response ^ Onion entry
 v request v    ^ response ^
PC LAN Onion entry
VPN client
 v request v    ^ response ^
PC's Wi-Fi adapter
 v request v    ^ response ^
 v request v    ^ response ^
Router's Wi-Fi adapter
 v request v    ^ response ^
 v request v    ^ response ^
Router public VPN Srv
 v request v    ^ response ^
Router public VPN Srv
 v request v    ^ response ^
Router public VPN Srv
 v request v    ^ response ^
Router public VPN Srv
VPN server
 v request v    ^ response ^
VPN Srv Onion entry
 v request v    ^ response ^
VPN Srv Onion entry
 v request v    ^ response ^
VPN Srv Onion entry
 v request v    ^ response ^
VPN Srv Onion entry
Onion entry server
 v request v    ^ response ^
VPN Srv Onion entry
Server OS TCP/IP
None  v request v    ^ response ^ VPN Srv Onion web site
Onion relay code
None  v request v    ^ response ^ Onion entry Onion relay 1
HTTPS ... Onion relay 1 Onion relay 2
HTTPS Onion relay 2
HTTPS ... Onion relay 2 Onion relay 3
HTTPS Onion relay 3
HTTPS  v request v    ^ response ^ Onion relay 3 Onion web site
Onion web site

Use the VPN all the time, 24/365, don't turn it on and off. Some traffic, such as Tor/onion traffic, does not need the protection of the VPN, but is not hurt by use of the VPN. But even when you're using Tor, background services and apps may be doing network traffic, and you want all that traffic to be protected and not revealing your real IP address. [I'm talking about Tor Browser in a normal OS, not Tails.] And if you get in the habit of turning the VPN off and back on, at some point you will forget to turn it back on when you need it.

Some people argue that Tor IS hurt by using it through a VPN. I think their reasoning is that the VPN service is another point of risk where someone could be monitoring your traffic. It's an increase in attack surface. And a VPN company may not be bound by privacy laws as strictly as an ISP is bound (varies by country).

But is having a malicious VPN monitor your traffic any worse than having your ISP monitor it ? All a malicious VPN could see is that you're using Tor/onion. I'd rather have a VPN company know that, and my ISP not know it, than have the ISP know it. The ISP knows my real name and physical address, and the VPN doesn't. I'd rather trust my VPN than my ISP. And in either case, all I'm trusting them with is "I'm using Tor/onion". They can't see the details of the traffic. [Caveat: if you have to use VPN's proprietary client, the calculation changes.]

Some people say "a VPN can keep logs". Sure, and so could an onion entry or exit point, or my ISP. And in the VPN or ISP cases, all the logs would show is "he did Tor/onion traffic".

A more serious issue occurs if you're using a custom VPN client on your machine. That client software sees all of your traffic, and you have to trust that it's not malicious. But if you're using HTTPS from a normal browser, or using Tor Browser, the information the VPN client can see is limited. Even a totally malicious VPN client would just see what domains you're accessing (in the case of HTTPS) or that you're using Tor (in the case of Tor Browser). And you could use an open-source standard VPN client (OpenVPN).

Some people say: instead of using a VPN, just run ALL system traffic through Tor/onion. But I don't think that is encouraged by the onion network people, especially if you're doing downloads or torrenting or VoIP. And I don't think there's an official proxy, just some unofficial projects that implement that.

As far as I can tell, the Tor Project does not say using Tor with a VPN necessarily is bad. Tor Project FAQ's "Is Tor like a VPN?" says "Do not use a VPN as an anonymity solution.".

Tor Wiki
Tor Wiki's "TorPlusVPN"
Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"

So I think the bottom line is: Using a VPN adds slightly to the attack surface, doesn't add security to Tor, but gives the huge benefit of continuing to protect your non-Tor traffic while you're using Tor, and avoids forgetting to turn the VPN back on after you're finished using Tor.

From someone on reddit 6/2022:
"WebRTC is disabled at compile time. Canvas is blocked from returning valid data unless the user has consented. Tor Browser has no list-based blocking, like uBlock Origin or any similar add-on, but on safest JS is disabled, so any JS-based tracker would be useless."

I think you leak-test the Tor browser by using the same sites you use to test a clearnet browser. See "Test browser and your computer's network configuration" section of my "Testing Your Security and Privacy" page.

How can a site tell that you're using Tor Browser or onion ? The most likely way is by using a list of known onion server IP addresses. But sometimes they can tell because Tor Browser usually uses standard settings for user-agent, display-size, JavaScript, etc.

Tails is a Linux distro where all internet traffic goes through the onion network. Another is Kodachi (article). I think both are designed to be run from a USB stick, without persistence, so any changes to OS and apps etc get wiped when you shut down.

Whonix is a Linux sub-system, run as two virtual machines, where all internet traffic from the first VM (the Workstation) goes through the second VM (the Gateway) and onto the onion network. Normal host OS traffic is not handled through the VMs or onion network.

Subgraph OS is a Linux distro where all internet traffic goes through the onion network.

From someone on reddit:
When using Tails, applications have to specifically be configured to go out through Tor. Which all of the standard applications that come on the image do. I wouldn't recommend installing other programs on Tails, unless you really really know what you are doing it is possible to leak your IP address. Meaning, you can open Unsecured browser, and see your real IP address. Even using Tails you still have to watch what you are doing, because JavaScript, or some video you download and watch etc, could leak your real IP address.

Tails is more designed for not having any physical evidence. If someone raided your house, and you were using Tails, they just have a Tails flash drive, which is the same as all the other flash drives in the world. You can have persistent storage in Tails, but that is more or less for storing files not applications.

That is the main benefit of Tails.

A Whonix instance is two different virtual machines running. The one machine you use, and the other one acts as the router and is connected to tor. Given this architecture, it is almost impossible for your real IP address to leak using Whonix. The machine you use, only talks to the Whonix gateway, which can only talk to Tor. So if you want to install other programs, they will go through Tor by default, since there is no other option. However, unlike Tails, you have physical evidence since your Whonix instance will retain data. Meaning if you installed some software on Whonix, it will be there when you reboot.

That being said though, you can just create a fresh Whonix instance whenever and delete the old one.

Whonix's "Anonymity Operating System Comparison"
Whonix's "Tor vs. Proxies, Proxy Chains and VPNs"
Shanika W.'s "VPN with Tails - The Basics You Need to Know"
Tails' "Using VeraCrypt encrypted volumes"
Tails' "Creating and using LUKS encrypted volumes"

I tried Tails 4.11 on a USB stick 9/2020

Requires a USB stick that is 8 GB or larger; will refuse to boot if it sees smaller.

Download .img file from Tails Download (for USB sticks). Run Disks utility. Attach USB stick. Select USB drive. Do "restore disk image" (not "restore partition image") of the image file onto the USB stick (device such as "/dev/sdc", not partition such as "/dev/sdc1"). Quit out of Disks. In terminal, do "sync" for good measure. USB drive should not be mounted, or visible in file manager. Unplug it from system. Power down system, plug USB stick in, power on, and boot from USB stick.

Supports persistent or non-persistent operation. If you turn on persistence, it will use remainder after image, up to 8 GB boundary, as a persisent filesystem. There are two versions of Tor Browser installed, one persistent and other not. The persistent filesystem is shown as partition type "crypt" in lsblk, so I think it's using LUKS (but not LVM).

From someone on reddit:
There is no default root password for Tails.

To use the root account, you must set the password when you boot Tails. It is not persistent.

Boot Tails.
Select "More options - Yes" or "Additional options (+)".
Enter desired administration password (twice) and hit Login or Add.
Or just use "sudo" ?

After setting an administration password, clicking on my hard disk's LVM/LUKS partitions in the file manager opened an "authentication" dialog and I was able to mount them.

Could use onion for all traffic of your normal-OS system

GouveaHeitor / nipe (on Linux)
Edu4rdSHL / tor-router (on Linux)
Anonsurf (on Linux)
TorghostNG (on Linux)
SusmithKrishnan / TorGhost (on Linux)
Orbot (on Android)
Tallow (on Windows)
Proxifier (on Windows)
Fiddler (on Windows)
Proxychains (on Windows)
Whonix Gateway

  • Some sites won't let you access through onion network.

  • Performance will be reduced.

  • You can't control what location (country) your IP address shows.

  • Onion network only handles TCP traffic, not UDP and other layer-4 protocols (SCTP, DCCP, RTP, QUIC, PPTP, DTLS ?); see Tor FAQ item and Accessing the Tor Network in ProtonVPN

TorProject's "TransparentProxy"
TorProject's "TransparentProxyLeaks"
TorProject's "Isolating Proxy Concept"
TorProject's "TorifyHOWTO"

But does this mean that your Tor traffic and your other system traffic (which may reveal identity) are going through the same Tor circuit ? Would not be a good thing. Need to set up "stream isolation" to avoid problems.
Whonix Stream Isolation

Specifying onion nodes

To control use of nodes, edit
~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc (Linux)
\Tor Browser\Browser\TorBrowser\Data\Tor\torrc (Windows)
~/Library/Application Support/TorBrowser-Data/Tor (MacOS)

To control use of nodes, edit to do something like:

ExitNodes {es},{ie},{fr} StrictNodes 1
ExcludeNodes {us},{ca}
using the country-codes you want.

Check exit node: go to https://check.torproject.org/ and click on "Relay Search" link.

If you don't want your ISP to see that you're using Tor Browser and onion network, you can use a "pluggable transport" in your Tor Browser to make the traffic look "normal": But probably no one cares.

This guy uses Tor

Tor Browser

Privacy.net's "Everything you wanted to know about Tor but were afraid to ask"
Andy Greenberg's "The Grand Tor: How to Go Anonymous Online"
Tor Project's "Check your Tor browser"
Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"
Matt Traudt's "About to use Tor. Any security tips?"

Tor / onion network content

Onion search engines:
Torch (on clearnet)
Torch (on onion)
Tor66 (on onion)
not Evil (on onion)
Ahmia (on clearnet)
Ahmia (on onion)
Excavator (on onion)

Onion directories:
dark.fail (on clearnet)
dark.fail (on onion)
Onion List (on clearnet)
Onion List (on onion)
Fresh Onion (lists newly-appeared onion sites)
Real-World Onion Sites (on clearnet)
tor.taxi (on onion)
tor.taxi (on clearnet)
Daunt (on clearnet)

Juan Sanchez and Garth Griffin's "Who's Afraid of the Dark? Hype Versus Reality on the Dark Web"
Rebecca James's "When Using the Tor Browser Becomes Illegal?"

dark.fail: Is a darknet site online? (really "was valid link at some time" ?)
TorWhois: Is a darknet site online?


From discussion on reddit 8/2020:
You will hear loads of stories about how easy it is to "stumble upon" child porn [on the darknet], but the fact is that those sites usually have names like "Preteen cuties" so you know exactly what they are, and in order to access them you have to register. So you have to make a very deliberate choice to log into them. ...

As for drugs, weapons etc, there is nothing illegal about surfing them and looking around.


You don't get arrested for accidentally viewing an illegal picture on the internet. There's no reasonably easy technical way to know that you did without having access to your computer, your ISP's logs, or [and] the server hosting that picture. And to get access to any [all] of those, LE would need a warrant ... they usually focus on the big fish that actively shared or even produced illegal material. ...

It's all one internet

Everything is using the same wires/cables/satellite/radio links, the same operating systems, the same basic protocols, the same kinds of computers/servers/phones etc.

Parts of the internet:
  • Clearnet (AKA clearweb AKA surface web): open web sites and servers that anyone can use, and search engines can access.

  • Deepnet (AKA deep web): anything behind login/authentication protection: your bank accts, Facebook acct, internal corporate networks, P2P such as email servers talking to each other, etc.

  • Darknet: special protocols and servers, only accessible through special software. Onion network (AKA dark web, onionland, .onion), P2P networks ( I2P, Freenet, ZeroNet, more), distributed networks (anoNet, Freenet, ZeroNet, IPFS, more), secure communication servers, etc.
    Alessandro Segala's "Maybe we shouldn't want a fully decentralized web"
    Teknikal's_Domain's "What Exactly Is Federation Anyway ?"

There is some confusion and overlap between "deep" and "dark". Some people say "dark" is a subset of "deep", but darknet has search engines and many sites with no login protection, so ... I think "special software" is a better definition for "dark".

Types of items/activities on the Darknet:
  • Anonymous information sharing/transmission: sites providing unpopular or illegal info, sites for sending anonymous tips to news organizations, etc.

  • Prescription drugs: buying them in violation of prescription or shipping laws, buying from cheaper countries, etc.

  • Illegal quasi-libertarian things: illegal drugs, guns, money laundering or tax evasion, etc.

  • Illegal things that even most Darknet people condemn: child porn, human trafficking, hitman.

Things that do/don't work through Tor Browser 9.0.4 (1/2020)


Clearnet sites

  • PayPal.com, with Tor on "Standard", with VPN-USA, and software TOTP 2FA: login works.
  • PayPal.es, with Tor on "Standard", with VPN-ES, and software TOTP 2FA: login works.
  • ETrade, with Tor on "Standard", with VPN-ES, and hardware TOTP 2FA: login works.
  • Yahoo Mail, with Tor on "Standard", with VPN-ES: login works.
  • GMail, with Tor on "Standard", with VPN-ES, and software TOTP 2FA: login works.
  • Migadu, with Tor on "Standard", with VPN-ES, and software TOTP 2FA: login works.
  • reddit: apparently there is no onion site, and see Using reddit with Tor.
  • Transferwise, with Tor on "Standard", with VPN-ES: login works
  • Privacy.com, with Tor on "Standard", with VPN-ES, and software TOTP 2FA: login works.
  • Amazon.es, with Tor on "Standard", with VPN-ES, and software TOTP 2FA: login works.
  • EBay.com, with Tor on "Standard", with VPN-ES: login works.
Some of these that worked did set off lots of captchas, and/or confirmation email to backup account, and/or emails saying login of unexpected device from unexpected country.

Onion sites

  • Facebook (https://facebookcorewwwi.onion/), with Tor on "Standard", with VPN-ES, and software TOTP 2FA: login works.
  • Proton Mail (https://protonirockerxow.onion/), with Tor on "Standard", with VPN-ES, and software TOTP 2FA: login works:
    1. Tor Browser's Preferences / Security and Privacy / security level can be set to "Safer", but it will be slow, especially on login. Works better if set to "Standard". Someone said that's because "Safer" turns off JIT compiler.
    2. Navigate to https://protonirockerxow.onion/login
    3. Click on circle-I (site information) icon to left of URL.
    4. Click on right-arrow (show connection details).
    5. Click on "more information" at bottom.
    6. Click on "Permissions" tab.
    7. Set "Set Cookies" to "Allow" or "Allow for Session".
    8. Set "Store Data in Persistent Storage" to "Allow".
    9. Refresh https://protonirockerxow.onion/login and log in.

Doing potentially illegal stuff

New version out as of 10/2022 ?
DNM's Buyer Bible V2 (11/2020) (PDF)
DNM Buyer Bible (2018)
DNM's Buyer Bible (3/22/18) (PDF)
Master version ? DNM's Buyer Bible (on onion)

Christopher Boyd's "Looking over your shoulder: when small mistakes have big consequences"
Hakan Geijer's "Mobile Phone Security For Activists and Agitators"

Buying stuff: It's my understanding that securing your connection is pretty easy (Tor or Tails), doing payment anonymously takes some effort (Monero through Cake Wallet ?), there's no good way to tell if supplier or market are going to cheat you, and then taking delivery is where most people get caught. Send to your real name and address, and then if authorities show up you can claim someone else must have sent it to you to cause trouble for you. Probably you can get away with this only once.

From someone on reddit:
You send the vendor your public key, and you'll copy theirs from their market profile. After you copy and import theirs into your PGP program, you'll write a message and click encrypt. It varies on the program where the encrypt button is. Then once you've encrypted it, you'll have the message starting with ===== BEGIN PGP ENCRYPTED MESSAGE. Copy that entire message with the ='s and all. Send that to them. They can read it but won't be able to reply without your public key, which you can copy and paste after the encrypted message and also put it in your profile. NEVER SHARE YOUR PRIVATE KEY with anyone, market admins included.


You won't actually need to message them if you're using a market. You will first verify you're on the correct link and not a phishing link (get your market links from tor.taxi) and then once logged in and you know what you want, click the wallet page of the market. Here you'll send your XMR to the market's wallet.

Once you've sent your XMR it will take a bit to confirm but usually within 30 minutes. Once it shows on the market as available you'll go to the vendor's page, add the product to your cart that you want, and then depending on the market there will be a cart page, or it'll just take you to the Buy Now page. Somewhere there will be a box to enter order notes, and this is where you will put your PGP-encrypted (to the vendor) address. Don't check any box that says "encrypt this?" or whatever. You're doing your encryption off-site like a smart person.

Then submit it. After that the vendor will at some point mark it accepted and shipping and it'll be on the way. Darknet is not Amazon so while some vendors might ship it the next day, some will take 2-3 days. Stay domestic (vendors in your country) until you have a lot more experience.

DO NOT FINALIZE EARLY. This means clicking the 'Finalize' button. That button should ONLY be used once the product is in your hand, no sooner (and no later - don't be a dick to the vendor). Clicking Finalize means the escrow process has ended and you're releasing the funds from the market escrow to the vendor. Especially if a vendor messages you asking to finalize for whatever reason. That's a major red flag.

Most vendors don't send tracking numbers but you can sign up for USPS Informed Delivery which will let you see any mail and packages on the way addressed to you from USPS.com. Takes a couple days to setup and verify.

Always read reviews and vendor profile pages. Feel them out. If you don't feel right about a vendor, find someone else. Don't buy from someone with less than 50 or so sales. Don't buy from a vendor with a ton of simple feedback that looks like it's written by the same people.

Tor / Onion is not invulnerable

nusenu's "How Malicious Tor Relays are Exploiting Users in 2020"
CactusVPN's "Is Tor Safe for Online Browsing?"
Kim Zetter's "WikiLeaks Was Launched With Documents Intercepted From Tor"

Many of the threats/intercepts listed in the articles were enabled by using HTTP. Always use HTTPS, in normal browser or Tor Browser, without VPN or with VPN or with Tor/onion.

How to get caught despite using Tor / onion

  • Give identifying info: if you tell a site your name and address, then do something illegal, and the police have compromised the site, or later it gets breached, you're caught.

  • Caught outside Tor/onion: if the shipment of drugs is detected by Customs or post office, police may watch the delivery address to catch whoever picks it up. Or police seize your computer for some other reason, and do forensic analysis on it. Or your payment method reveals your identity.

  • Traffic correlation: if you use Tor on school LAN to send a bomb threat about the school, police may check to see who was using Tor on the school LAN at the time of the threat. You may be the only person who was doing so.

  • Download something malicious: if you download and run an EXE or script, it doesn't matter that you were using Tor when you downloaded it. That executable can send your info, maybe including home IP address, to any server. Even usually-harmless file types such as PDF or JPEG or MPEG or Office docs have been used in attacks. At the very least, scan them for malware, and take the docs to another machine (or a VM) that has no internet access before opening them.

  • Not using Tor every time: if you do some connections insecurely, you may be caught.

  • Not keeping Tor Browser updated: occasionally security holes are found, and fixed. But if you continue to run an old vulnerable version, you may be caught.

  • Keeping evidence: it's probably good OpSec to replace your devices, or at least wipe them, periodically or after some big transaction. Or boot a transient OS such as Tails, although you'll still be using (for example) the MAC address built into your system's hardware, maybe your home LAN and router, etc.

  • Unwilling to pay the price for good OpSec: for example maybe never do anything illegal from your home LAN. It's a pain to always go out to public Wi-Fi, but if you don't pay that price, you may get caught.

  • Trusting someone, or boasting to someone: if they get mad or get pressured, you may get caught.

  • Confessing as soon as you're questioned: just because the police question you, or even arrest you, does not mean they can convict you. If you confess, you're caught.

Tor / Onion Server

Tor Project's "How do onion services work?"

On the onion network, it's especially important to have backups and be prepared to change site hosting. Onion hosting services are more likely than clearnet services to take your site down or go out of business or just give bad service.

One web site accessible through both clearnet and onion (Tor) ?

If you are renting a VPS and hosting the site yourself, make sure your provider allows this. If your site is on a shared hosting service, the service would have to offer onion as a feature (and I'm unaware of any mainstream service that does so).

Ablative Hosting makes same site appear on clearnet and onion:
  • Pay in BitCoin only.
  • Cheapest available option seems to be £6/month for 25 GB of space (there might be a cheaper 1 GB option, but that's too small for me).
  • Ablative seems to be a subsidiary/project of Brass Horn Communications.
  • If you own a clearnet domain already, you can point it to their server.
  • Same with IPv6; set DNS AAAA record to server's IPv6 address.
  • They generate a unique .onion address for each customer, they don't normally utilize an existing customer-owned address, but they could do it if necessary.
  • Files are uploaded to one place, and appear under all three addresses.
  • TLS/SSL would only be enabled for the IPv4 and IPv6 addresses, not usually for onion, but they could do it (but the EV cert is expensive).
  • Sales responded to my emailed questions within one day.
  • I can't find any reviews of Ablative online.
  • I can't find any uptime stats about Ablative online.

IncogNET ($40/year; more info)

A "Tor2Web proxy" lets people using a normal browser access an onion server. But:
Matt Traudt article

Hosting the site yourself:
Matt Traudt's "How I set up my websites with Tor and Nginx"

Shen Zhou Hong's "A Complete Guide To EOTK, The Enterprise Onion Toolkit"

Onion domain names are limited to 16 chars (v3 increases it to 56 chars) and are assigned essentially at random; you can't specify a domain name you want.

Your onion domain name is generated automatically when you set up your onion web site. No need to buy a domain name or register it with any registrar.

NordVPN's "How to make a .onion site"
DeepWebSitesLinks' "Deep Web Hosting ..."
/r/onions' "Hosting a Hidden Service"
Riseup's "Best Practices for Hosting Onion Services"
nachash's "So, you want to be a darknet drug lord ..."
Bashir Barrage's "How To Build a DarkWeb Server" (PDF)
Daniel Aleksandersen's "Promote your Onion site with the Onion-Location HTTP header" (link from clearnet site)

Scan your onion site for problems:
tokyoneon's "Detect Misconfigurations in 'Anonymous' Dark Web Sites with OnionScan"

From someone on reddit 4/2019:
> How do I go about hosting a Tor site. I know how to make a clear web site using node JS ...

Unless this is just a toy project and nothing really bad will happen if you get traced, do not take the advice to run Tor on a machine, run a Web server on that same machine, and have Tor forward .onion address to that Web server.

With the naive configuration, you will be pwned if anybody puts in any real effort, so don't use that configuration if being owned is a problem and you think anybody might put in any effort.

The biggest problem with hidden services is that there are roughly 87 billion bugs, misconfigurations, and bad defaults that can show up anywhere in your Web server, framework, language, database, libraries, or whatever, and leak the server's real IP address to remote clients. Or even give remote clients the ability to run arbitrary code on the Web server, which means that you lose if it can even send any clearnet traffic at all.

You have to close all the holes you can, and then you have to assume that you'll still have missed some. That means that you can't let the server know its own real IP address. That means that you can't have the Tor process running in the same network address space as the Web server process. You shouldn't have them share a kernel, and really shouldn't even have them on the same physical hardware.

Have a look at the Whonix physical isolation configuration. I think that's unsupported and requires some skill to set up, but it's still safer than rolling your own for most people in most circumstances.

The bottom line is that this is a "full stack" endeavor. You have to think about everything from the hardware up through the application. Otherwise you will lose. If there's any part of your system that you do not completely understand, you have to deprive it of any sensitive information, and then surround it with a wall of stuff that you do understand. Otherwise you will lose.

Keep everything as simple as possible. Use as little software as possible, and choose software that's as bulletproof as possible. Don't put in any nonessential features.

Remember that many of your clients will be running with JavaScript disabled.

If it's a really hot service, assume it will be compromised anyway, so put another layer between you and it. Buy your hosting in a way that can't be traced to you, and manage it over Tor or I2P.

"Sign all your posts with PGP, so if your site gets taken down you can move to a new host, and then your readers can verify that you are who you say you are."

Hosting services:
OneHost Cloud (about $7/month)
Impreza ($25 one-time setup fee, about $8/month, includes domain)
Kowloon (on onion) (about $20/month, includes domain, must pay in BTC, must use onion mail to sign up)

Have content hosted, without having your own domain:
Deep Web Pastebin

onionshare (file-sharing via hidden onion addresses)


Monitor the traffic in/out of your LAN. Best ways probably are custom software in your router, and a Pi-hole doing DNS filtering.

From Security in Five Podcast - Episode 746, investigation of traffic volume exceeding data cap found that iCloud was uploading/downloading the entire collection any time one thing was added, and after that was fixed almost 50% of all traffic was due to blockable scripts (ads, trackers).

From someone on reddit:
> Best way to connect two external USB-powered HD's to network?

The HDDs need power from the USB ports they connect to. This limits your options.

The quick and dirty way is using a PC and sharing the drives through SMB, as the PC has enough power to power the usb ports. But this means keeping the PC on at all times.

You can use a Raspberry Pi 4 to do it instead, but the RPi cannot supply power through its USB ports. Some people have used the USB on a Pi to power devices, but it's not stable enough and generally not recommended. And trying to power 2 HDDs simultaneously through the Pi is almost certainly going to fail, as it is a very low-powered device.

Instead you can get a separate, powered USB hub that comes with its own power supply, and then attach that hub to the RPi in order to share it on the network.

If your router has a USB port, you can also try that, but it too will have problems supplying the necessary power. You can use the powered USB hub there too, but expect this type of connection to have very modest performance. Reading from a HDD using the router's USB port is generally fine, but writing to it is slow, in the range of 40-120 Mbps or so, even if it's a USB 3.0 port.


EFF's "What Should I Know About Encryption?"
Latacora's "The PGP Problem" (and rebuttal)

I'm not sure how valid or useful this test is: Is BGP safe yet?
But see AAL article.
And Is Cloudflare safe yet?
These guys I respect Open Source Security Podcast - Episode 195 say Cloudflare is right to push for better BGP security.

From someone on reddit:
Hub: sends all traffic to all connected cables.

Switch: uses MAC addresses and ARP to figure out within a local network who to send data to, it he can't find a destination, he sends to all.

Router: sends traffic based on IP address and network mask, it can route between different networks.

Dennis Jackson's "Say (an encrypted) hello to a more private internet"


Why do many VPN setup guides advise you to disable IPv6 ?
From people on reddit 6/2017:


A lot of VPNs only handle IPv4, so on those any IPv6 traffic bypasses the VPN.

Easiest fix is to disable IPv6. Better long-term solution would be to get a VPN that properly handles IPv6.


... the main reasons are:

  • Many ISPs still do not support IPv6 to clients. Unlike retail ISPs, VPN providers tend to be global services, so this is not a small deal.

  • Less than 20% of server sites support IPv6 - google conveniently tracks these sorts of stats.

  • IPv6 has very different configuration and security characteristics than IPv4, especially in extensibility at a protocol level. It is very easy for network and stack providers, i.e. including your OS, to mess up on both fronts, leading to an insecure network potentially at multiple levels. These issues are several factors worse on mixed networks, i.e. tunnelling IPv6 through IPv4 or IPv6 and IPv4 on same networks.

  • Related to the above, IPv6 is still maturing. Even the hardware tech to support both the equivalent level of configuration and security at scale for IPv6 is not readily available or is more costly than IPv4.

  • By default IPv6 uses globally routable addresses, i.e. every client gets an address that uniquely identifies them perhaps forever for a given ISP-client combination. Any leak there would be bad news. Since many VPN providers cannot even maintain leak-free status in IPv4, IPv6 over a VPN is not something to be carelessly keen about.

  • OpenVPN, the most popular retail VPN protocol, has been slow to add IPv6 support and it is still incomplete.

That's why, if you really care about security, your first concern is finding a strong VPN provider. Something like supporting IPv6 is not on most people's priority list, including not your VPN provider, except the best-in-class ones that at least prevent leaks at the client no matter which IP protocol they use.


Most budget/end user VPNs only cover IPv4 traffic, and anything sent over IPv6 is ignored.


I have seen anecdotally IPv6 messing up network applications. On more than one occasion.

Apparently there are a number of ways of setting your IPv6 address, and this has been increased since IPv6 first came out. Addresses can be permanent/unvarying (for servers), but outbound client traffic by default uses a temporary address (IPv6 "privacy extensions") so you can't be tracked. Generally your address is the same on LAN and WAN ?

From a privacy POV, I like to disable IPv6, and have the NAT on IPv4 make all devices in my LAN use the same public IP address. Even better if my ISP uses CG-NAT and I share same public IP address with my neighbors.

To disable IPv6 system-wide in Linux:
Edit /etc/sysctl.d/99-sysctl.conf to add this:

Then reboot or do "sudo sysctl -p".
Also: Comment out any IPv6 addresses found in /etc/hosts and /etc/ntp.conf
Also: In Network Manager, do "Edit Connections", select each connection and in IPv6 tab set "Method" to "Disabled".
Also: There is a kernel parameter "ipv6.disable=1".

Test via "ping6 2001:4860:4860::8888" or "ping6 google.com" ?
Or "ping -6 2001:4860:4860::8888" or "ping -6 google.com" ?
Also test via "ip -6 address", should get no output.
"nmcli device show | grep IP6" should show just empty entries.
"sudo sysctl -a --system | grep _ipv6"
"nmcli | grep inet6" should get no output.

Jack Wallen's "How to disable IPv6 on Linux"
GoLinuxCloud's "Linux disable IPv6 properly"
Test IPv6: ip6only.me, IPv6 Systems, Ipv6 Locator

Why IPv6 still is a LONG way from "taking over" (from 2.5 Admins episode 05 6/2020):
IPv6 assumes all devices in LAN are directly public [not sure this is true; there is "link-local" vs "global"], which is a very new paradigm.

Needs separate real firewall with zones etc.

IPv4 and IPv6 firewall/security will be completely separate, have do it right twice.

NAT with IPv4 works okay.

IPv6 won't replace IPv4, so IPv6 will be an addition, and thus has to be justified on its own.

Mathew Duggan about IPv6 adoption as of 8/2023
Wikipedia's "IPv6"
Tailscale's "IPv4 vs. IPv6 FAQ"
Julia Evans' "Reasons for servers to support IPv6"
zacwest's "IPv6 in a home environment"
Thomas Claburn's "How legacy IPv6 addresses can spoil your network privacy"

My home LAN:
ISP is MasMovil (Spain).
Router is Sagemcom F@st 5657. Label gives but no IPv6 address.

Router has toggle to enable IPv6, but then none of the fields are filled in. After a while, "LAN IPv6 Address" of fe80::46ad:b1ff:fecc:7a61 appeared, derived from router's "Local Ethernet Mac address".
Router's link-local IPv6 address (gateway) should be maybe http://[fe80::1]/ ?

G-phone IPv6 address is FE80::4819:83FF:FEA5:2259, derived from Wi-Fi MAC address.
Z-phone IPv6 address is FE80::B61C:30FF:FEF8:6963, derived from Wi-Fi MAC address.
Linux laptop IPv6 address is fe80::fe93:c31a:656c:25e7

On phones, http://ipv6-test.com says IPv6 is not supported.

As far as I can tell online, MasMovil does not support IPv6.

Professional-level network emulation software (FOSS): GNS3