The fact that a VPN server can send you a route for 0.0.0.0/0 always was and always will be a happy accident.
This. And the idea that these so-called 'VPN' services somehow improve your security and privacy on the internet is laughable. All they do is let you get onto the public, untrusted, internet through a different on-ramp. There is no point to them. The internet is just as untrustworthy through a VPN service as it is through any other internet connection.
Not true, at all. There are several good reasons to use VPNs to get a different on-ramp to the otherwise untrusted internet.
- Avoid ISP tracking: Your ISP should see only traffic to and from the VPN.
- Access content intended for those in other regions: Many sites and services only show certain content to people who enter the internet from specific places.
- Limit the amount of activity linked by trackers: Visiting certain sites only from different IPs/browsers will help keep logs of that traffic isolated from the logs of your other browsing.
- Allows you to connect to sites and services that cannot connect back to you once you've disconnected: A lot of people, even those with dynamic IPs, keep their address for months or years at a time. VPNs provide a great way to cycle through IPs.
VPNs don't solve every problem, but they're a powerful tool to keep in your toolbox. There are many, many very valuable uses for VPNs, some that offer privacy/security benefits and some that are just plain useful. It's wild to hear anyone say that "There is no point to them."
No it's not gonna make you an invisible unhackable ghost, but at least I don't have to worry about my ISP screwing me over.
And your "VPN in YouTube ads" surely does that
What about this?
"Under the provisions of the Investigatory Powers (IP) Act, it is now possible for the Law Enforcement Agency (LEA) community to lawfully obtain Internet Connection Records (ICR) in support of their investigations. Following the completion of some initial trial activities, work is now underway to provision a national ICR service."
https://www.digitalmarketplace.service.gov.uk/digital-outcom...
So yeah, it's kind of a big deal if it leaks. (Which is why most privacy experts, were you to tell them you were sufficiently paranoid, would have you fire up a pfSense and link it permanently to a VPN service and then run a separate brand of VPN software on whatever device, so that you have two layers going through two companies.)
I also do this type of work on the side. When it matters a device level VPN is never the correct option, because every OS leaks to some extent. They get a device where the cellular components have been disabled and it can only connect to a fixed wifi AP carried by one of their EP guys that tunnels the traffic back to a datacenter.
A VPN solves this, and does protect your privacy, so your comment is just needless hyperbole.
I trust Mullvad more than I trust Optimum.
I recommend VPN services in regions where legislation of your home country might have difficulties getting data.
Actually, they do: Neither your ISP nor the government (assuming the VPN provider is in a "hostile" jurisdiction) can intercept, analyze or modify your Internet traffic when you are using a VPN to mask your Internet access. There have been multiple instances of this in the past [1][2] and ongoing (e.g. DNS [3]), and ISP "middleboxes" have been historically the biggest impediment in rolling out new features.
Ubiquitous HTTPS has shut down a lot of that shit, but until DNS-over-HTTPS becomes actual mainstream DNS (and SSL SNI!) will still leak a lot of information to entities that have a direct financial interest in collecting, packaging and selling this data to advertisers - there is a reason why ISPs oppose any legislation that turns them into "dumb pipes" after all.
Security-wise, at least if you are using any kind of untrusted network (e.g. university campus, public hotspots) a decent VPN software that uses the OS-provided firewall to completely drop any incoming and outgoing packets except for the VPN tunnel connection is also a massive benefit.
The downside of course is that you are now forced to trust the VPN provider instead of the ISP - but at least the VPN provider market is healthy and extremely competitive, which means any sort of shady bullshit would be a virtual death sentence, unlike the ISP market where you are in many cases stuck with one or two options.
Not to forget, VPNs also provide privacy on the "other end": as many providers don't cycle through IP addresses, sometimes for months, advertising providers can track your movement across the Internet simply by collecting your origin IP. A good VPN provider regularly changes the origin IP visible to sites you access.
[1] https://www.privateinternetaccess.com/blog/comcast-still-use...
[2] https://labs.ripe.net/author/babak_farrokhi/is-your-isp-hija...
[3] https://www.csoonline.com/article/2953718/t-mobile-caught-in...
No, you're just delegating those capabilities to some completely unregulated random actors instead.
> which means any sort of shady bullshit would be a virtual death sentence
This assumes that their shady bullshit is discovered by someone. I would bet good money that the vast majority of it isn't. They could be sampling traffic and selling it to other companies without modifying it and users would never be any the wiser.
Honestly, I wish we could get past this broken narrative that VPNs are a panacea.
This is exactly the problem with VPNs: they give you a false sense of security. When your traffic goes over the public internet, you should assume everyone and their grandmother can track it. So the traffic cannot be intercepted at your ISP; that only leaves a billion other places where it can be intercepted.
> The downside of course is that you are now forced to trust the VPN provider instead of the ISP
No. The point is neither should be trusted.
There might be no point to their security and privacy, but they are still good for getting foreign-country Netflix.
To be clear, is what you're saying that it is ok for VPNs to be broken (or at least less bad) because their most popular usage isn't what they were originally intended for?
If that wasn't your point, what was?
What people expect, and what is being sold, is an encrypted tunnel that all traffic goes through, to an endpoint. That this is called "VPN" is irrelevant.
I have a GL-iNet Mango that I have set up to provide "always on WireGuard" to a computer in a datacenter I control the public IP for. I haven't tested, but I expect all data sent to and from any devices connected to that device's SSID to be tunneled via WireGuard to the computer in the DC, and therefore, to all outside observers, the DC is where my device is. Obviously the ISP can see the session, but since they have no say over the DC endpoint, they have no way of knowing what the traffic is or where it's going. It could just be me doing SSH or video streaming or backups to and from the datacenter, or I could be watching Netflix or YouTube.
In that circumstance, an iOS device shouldn't be able to leak my local network's ostensible "public IP", since the actual transport layer is outside of the iOS device's control.
With all of this being said, I don't think there's any way to guarantee that leaks are impossible without literally air-gapping your devices and forcing all traffic through something that cannot communicate with anything but the remote endpoint; that is, if the WireGuard connection fails, all pings fail, all TCP/UDP/etc. traffic times out, and so on. In this manner, probably all things sold as "secure VPN" or as a service that does that are scams. This is the issue that TFA is complaining about.
In a situation where it's life and death, I would find an open wifi access point and connect a wireless bridge device (e.g. TP-Link TL-WR802N), with an STP ethernet cable, to something similar to the GL-iNet Mango, with 100% forced WireGuard connectivity. I'd only consider this viable after doing tshark or tcpdump on the server I control log access to, to verify that my (local) MAC address and/or stuff like WebRTC or whatever are blocked/dropped.
Sorry for the length, but I didn't want to make multiple comments all over the threads.
While you could only route client traffic to an intranet endpoint and prevent access to any external services, that wouldn't be very practical in most deployments so a proxy is added on top. This type of deployment is common and has been used for decades.