On VPNs

They’re everywhere…

If you’ve been on the internet for the last few years, you’ve surely seen an ad for at least one of the many “VPN” services advertising themselves online, be it because you forgot to enable your ad-blocker or because the ad was a baked-in YouTube sponsorship. Although there are many, all advertise the exact same things: privacy, security, and circumventing georestrictions. But how true is it? And what’s a VPN anyway?

Back to the basics

Networks are complicated, but for the purpose of this article we can break it down into the local/private network (LAN), and the internet (everything else). The Local Area Network (LAN) is the immediate network, the one you connect to directly, such as the local network of your home, school, or office. It’s where you connect to your wireless printer, or a NAS, or a friend’s computer or games console for a LAN party. Because LAN is generally pretty small and simple, some programs are made to work seamlessly with it, and some programs may even only work over LAN. A LAN is also sometimes referred to as a private network as it requires you to be physically there, can’t just connect to it from across the country or even the same city… Or can you?

As networks and computers evolved, it became clear that sometimes people just need to be able to interact with computers that are not in the same physical network as if they were. Be it to play a LAN-only game with that friend who lives across the country, or to access your workplace network remotely as a sysadmin. So people thought, “what if we mapped a virtual network that made devices appear as if they’re in the same private network even tho they’re not, a Virtual Private Network”.

So yes, if ever you’ve used something like Hamachi to play games with your friends, then congrats, you’ve used a VPN.

“But wait”, I hear you asking, “that sounds nothing like what’s advertised by NordVPN/ExpressVPN/AtlasVPN/etc”.

Indeed, the core functionality of those services is quite different from that of a textbook VPN, being more akin to a proxy, but using protocols originally created for VPNs such as OpenVPN or Wireguard. This definitely creates some confusion when it comes to grouping different networking tools, but usually you’ll hear people refer to this class of routing as a “VPN Proxy”, and that’s the term I’ll use for the rest of this article.

Okay, but what about the claims in the ads?

There are three main claims in ads for practically all VPN proxies:

  • Privacy
  • Security
  • Circumventing Georestrictions

So let’s get over all three, shall we?

Circumventing Georestrictions

Generally, this one’s the most truthful. VPN proxies most often route your connection trough their servers which may or may not be in the same country as you. Most of those services allow you to choose which country you want to appear to be in, and so your connection is routed trough a data center in that country. Anyone you connect to trough a VPN proxy won’t be able to see your real IP from your real location, instead seeing the data center’s IP from whatever country it’s in, and thus they’ll serve whatever is available in that country. Note that some services may ban the use of VPN proxies and might block connections from IPs known to belong to them. More rarely they might also ban accounts making use of such services, but this is less common.

Privacy and Security?

And now we get into the reason so many people are pissed off by the advertising. The privacy and security points usually go hand in hand, so instead I’ll go over the more technical parts about them: hiding your IP address and encrypting the connection.

Hiding your IP Address

Above I said that anyone you connect to trough a VPN proxy will see its public IP address as opposed to yours. This fact is often times used to make outlandish claims regarding privacy and security to scare less technically savvy people into subscribing to a VPN proxy.

IP addresses are used to identify computers on the network and help route traffic to the correct correspondent. Kinda like a phone number or a physical street address. But how granular is that identity? Some will say it can be used to know your exact location down to your house, but that’s rarely the case. More commonly, the address will point to a data center owned by your ISP that manages all traffic for a region. The size of that region varies from ISP to ISP, but generally is no smaller than a few counties. The ISP itself has more granular information in order to know exactly where to physically send the internet traffic, but that information is almost never made public (government authorities can still request that information, legally only trough a warrant, but on occasion they might also request it without one, the joys of the modern world!)

But why does it point to a data center and not your exact house? Well, the reasons are many. There’s pretty much no well-meaning use for making it publicly known what IP belongs to what house, but there are a number of malicious uses such as doxxing or swatting as learning someone’s IP address is relatively easy (just go in the same game of GTA: Online with them and the IP address is there for the taking).

Another reason is more technical: between trying to avoid the aforementioned malicious acts, and the existence of mobile devices which physically move all the time but still need an active internet connection, IP addresses are often times reassigned. Keeping track of what IP address everyone has within that data center’s region has to be done anyway, but updating the public information to reflect who has what IP address at any given moment is just a pain in the ass, so they’re simply not made public to begin with.

So how does this tie in with the VPN proxy advertising? Well, most of them advertise hiding your IP address as some sort of killer privacy feature, when in reality your IP address doesn’t convey that much information to begin with, and can be changed anyway by rebooting your router or phone. The only case in which hiding your IP can be vital is when you’re hiding from state agents, but in that case they can just coerce the VPN proxy to give away that information anyway. Many services claim to not keep any sort of logs as a preventive measure here, but that only affects historical connections, they can still be forced to let authorities know when your next connection is made and from what IP. Another issue is the money trail: you had to pay for that VPN proxy, and that money can most often be traced back to you, not your IP address, but your person.

In short: hiding your IP is barely better than snake oil.

Encrypting the connection

Once again, all VPN proxy services claim encrypting your internet traffic, and this is technically true, the connection between you and the VPN proxy is most often encrypted as required by the protocols used, but the devil is in the details.

The VPN Proxy can ensure an encrypted connection between you and them. This means that the connection is pretty much guaranteed to be much much harder to hijack between you and the VPN proxy.

But what about the rest of the connection? Once the traffic leaves the VPN proxy’s servers to be sent to whoever you’re actually trying to connect to, that encryption from earlier has to go. This means the last half of the connection has no more security than connecting directly to that server without a VPN proxy. For example, if you’re connecting to a website that uses SSL encryption, then the connection is encrypted all the way and no one can see the contents or hijack the connection in between, assuming no known vulnerabilities in the encryption used. But if there was no encryption to begin with, such as with a plain ftp or http connection that doesn’t use SSL? In that case, the connection is just out in the open and can be hijacked by anyone between the VPN proxy and the other end of the connection.

Now to be clear, sometimes this can still be enough. If you merely want to hide the connection from the local network because of a draconic network administrator or a public network such as the free WiFi from your local McDonald’s, then this encryption does the job. However, this isn’t how it’s advertised by any VPN proxy service that I’m aware of, all of them claim the connection is always plain text without their service, and encrypted all the way with it.

Conclusion

VPN proxies can still be useful. If all you need is to circumvent georestrictions to watch “The Office” from the other side of the ocean, hide your traffic from a draconic network administrator, or use the free WiFi at your local McDonald’s, then they can do the job, just don’t fall for untruthful advertising that claims you have no security without their service, and all the security in the world with it.

Okay, but what if I want something that gives me all the privacy and security in the world?

Okay, fine, I lied, there’s a bit more to this article.

VPN Proxies are no help against certain threats, particularly state agents, but if that’s a concern for you, either because you have reason to believe they’re targeting you, or because you simply want to go that extra mile, then there are a number of overlay networks out there with the express purpose to offer free, strong privacy and security to all who want or need it.

The Tor Project creates the software for the largest of those networks: The Onion Router (Tor). It honestly deserves its own article, but in short: it employs techniques which make it possible to be truly anonymous online. Key phrase, “makes it possible”. Tor is still no good if you use it wrong. That being said, if you want true online anonymity, it hardly gets any better than Tor.

And with that, article actually over! Hope you learned something