Do You Use It? VPNs

Originally published at: Do You Use It? VPNs - TidBITS

Virtual private networks, or VPNs, promise enhanced privacy and security by routing your Internet traffic through an encrypted tunnel to a theoretically trusted remote server, ensuring that no one on your local network or between you and the destination can see inside that tunnel. VPNs are also commonly used to circumvent location-based restrictions, such as watching the BBC from outside the UK, and IP-based limits, such as those schools employ to block games and adult sites.

But what about that remote server? You have to trust that the VPN provider has your best interests at heart because it can see all your unencrypted traffic. Even with encrypted HTTPS connections, the VPN provider can still track which sites you visit, when you visit them, and how much data you transfer. You’re essentially transferring the visibility of your online activity from your Internet provider to your VPN provider.

All that is a long way of explaining why it’s a big deal that a recent report from the Tech Transparency Project identified 20 of the top 100 free VPN apps in the App Store as being owned—often surreptitiously—by Chinese companies. One of these companies, Qihoo 360, has been sanctioned by the US Department of Defense as a “Chinese military company.” It’s behind at least five free VPN apps: Turbo VPN, VPN Proxy Master, Thunder VPN, Snap VPN, and Signal Secure VPN.

If you’re using one of those apps, or one of the many others listed in the Tech Transparency Project report, now would be a good time to pick another. Or perhaps you’re unhappy with the VPN you use, or have been thinking that you should start using a VPN. This week’s Do You Use It? poll aims to determine which VPNs are most popular among the TidBITS audience.

This seemingly simple question quickly grew in complexity. Many people don’t use VPNs at all, and others use them only occasionally or to achieve a specific outcome. So our first question is: When do you use a VPN?

For those who answered something other than “Never,” the questions continue, with this next one aimed at helping those who aren’t sure what the point of a VPN is: Why do you use a VPN?

A system-level VPN protects all the traffic from your device, but there are also browser-based VPNs that are limited to traffic in Web browsers unless you install additional software to bring them up to full VPN status. Additionally, there are browser extensions that are proxies that route traffic through a different remote server without strong encryption—again, they protect only data within the browser. Depending on the desired outcome, that may be a distinction without a difference for most people. Our next question—What type of VPN do you use?—at least tries to tease out some of that distinction.

At long last, we can return to the original question, focusing on the system-level VPN services to keep things somewhat manageable. Since Discourse polls are restricted to 20 answers, I’ve chosen what seem to be the most popular VPNs with help from TidBITS Talkers. If your VPN isn’t listed, please add it in the comments, with a link. We’re also interested in hearing what you like or don’t like about the VPN service you use. So, which VPN do you use?

Now we get to make comments…

First, a note that a disadvantage of using a VPN is that it bypasses the firewall-ish protection provided by NAT in a router. For example, without a VPN my Macs do not see Windows Networking connection requests (netbiosd port 138 and smbd port 445) because I haven’t made any outgoing connections on those ports, so they’re not in my router’s NAT table. When I have a VPN up I do get these requests. Thus, it is important to be running a firewall when you use a VPN, such as the MacOS built-in firewall.

In the news this week is that VPNSecure was taken over by a new company, who then decided to cancel lifetime subscriptions. Shame!

The reason I use VPN Unlimited is because I have a lifetime subscription, but not because I chose them. I actually bought a lifetime subscription to PureVPN back in 2017 from Stack Commerce.

There was a catch, though. PureVPN didn’t sell lifetime subscriptions. So the Stack Commerce deal terms were disclosed in two places:

Subscription term is for 5 years. At the conclusion of the 5-year term, customers may renew their subscriptions completely free-of-charge by contacting support@stackcommerce.com.

Your initial subscription term is for 5 years At the conclusion of your 5-year term, please contact support@stackcommerce.com to renew for an additional 5 years completely free-of-charge!

When my five years were up I contacted Stack Commerce. The conversation went like this:

Me: I want to renew my PureVPN subscription per the terms of the deal.

Them: Sorry, PureVPN is only available in up to 5-year subscription increments. But you can get VPN Unlimited lifetime subscription for free!

Me: I’d rather renew PureVPN for another 5 years.

Them: Sorry, we were unaware of PureVPN’s business decision. How about VPN Unlimited and a $20 credit?

Me: What’s the problem? The deal was for 5-year subscription increments. You said “PureVPN is currently available up to incremental 5-year subscriptions”. So why is a 5-year incremental subscription not an option?

Them: I’ve been approved to offer you a one-time 2 year extension of PureVPN.

…at that point they had worn me down so I just accepted the lifetime subscription to VPN Unlimited.

Anyway, it does work but not as well as PureVPN.

VPN kill switches are desirable

But don’t always work on Macs…

My employer uses Fortinet’s VPN offerings (FortiClient installed on the client side). The setup is opaque enough that I’m uncertain if my employer is the VPN provider using Fortinet hardware and software, but that would be my best guess.

My VPN use is strictly for accessing my employer’s network when I’m not at a corporate site (which is almost all the time), so the software isn’t one of the poll choices. But for the curious:

• Our main corporate VPN is via Cisco AnyConnect.

• Some remote sites (not on the corporate network) have their own VPNs, based on the community edition of OpenVPN, and managed by the site’s IT team.

  Years ago, when I was working at such a remote site, I frequently used it to access the site’s local servers when out of the office.

• We also use ZScaler products to identify and block traffic that violates corporate policy. This isn’t a VPN, but it does intercept and redirect all non-local network traffic, so it’s VPN-adjacent.

But my personal systems never use VPNs. So far, I have not read a convincing reason why it would help me.

I use Tailscale to access far flung devices as if they were a single network. I can use it to have my traffic come from any of the exits in my Tailnet which optionally includes Mullvad nodes.

My previous employer deployed a Fortinet VPN via its own Fortinet routers, solely for accessing a limited number of internal systems from outside the company. It worked well, but it was important to have professional staff actively monitoring and maintaining it.

I use Private Internet Access, both on a Mac mini and my iPhone and iPad, but only 100% of the time on the mini. I also use Tailsafe for other machines on my network, which I guess is a bit like hosting my own vpn, so that I can access them easily when away from my LAN.

I have been using NetShade (Rayner Software) for many years. It is a standalone application that works primarily through browsers. I like how it works through any browser and requires no special plugins or extensions. It can work as a proxy or VPN. The number of countries where Rayner has servers is somewhat limited (mostly Europe and the USA but others exist) but its service has been exemplary.

I use Tailscale for remote access to my home network and to provide tech support to family members. I also use their Mullvad integration, which isn’t terribly good, and mostly rely on NordVPN for web browsing.

There are always weird hiccups with some web sites, like how Home Depot blocks access to their web site from IP addresses outside the US. So many online stores try to geo-locate visitors based on IP address that it can be maddening when I get redirected to the wrong site. (Amazon does this a lot, especially with affiliate links.)

I’ve wondered if Apple’s “private relay” is actually useful at all, but enabling it just seems to result in odd popup messages that tell me it was unable to connect. It’s surprising to me that they don’t offer a system-level VPN service for iCloud subscribers.

I use Cisco Secure Client for work constantly, and ProtonVPN to circumvent geoblocking when necessary. The latter mostly on my NVIDIA Shield.

LetsVPN is missing from the list

First, I am typing this on my phone as I cannot get past the Cloudflare human test using either Brave or Safari on my Mac (without a VPN). If this is just me I will investigate my settings but if others also have difficulty please fix it.
I use Proton VPN on my iPhone and MacBook when on public WiFi but it is very frustrating as I have to switch it on and off several times before I can get an Internet connection. I also use 1.1.1.1 which is not listed here. These are both free, perhaps a paid service is better.

I use Tailscale as well, mainly for having encrypted access to servers and other suystems when I’m away from home. It is easy to set up and very reliable. They offer free access for personal use.

My employer uses GlobalProtect (PaloAltoNetworks) which is what I use for my work, access, and encryption.

I use Tailscale a lot now thanks to an article on this very site. I use my own exit nodes. I have a lifetime cheap subscription to Torguard which I barely use. Tailscale pretty much solves every need for a VPN for me. I don’t really care about my exit IP address because I’m not doing anything shady, I just want to control my traffic and access my resources. Helps on restricted networks like libraries and hotels as well for general privacy and restriction bypassing. I don’t want to bother anyone’s network, I just want to get to the internet through it sometimes without them messing with my traffic.

I downloaded a VPN once, installed it, and then wondered what on earth good it was. How to use it. What was even going on. I’ve been a Tidbits subscriber since it was a Hypercard stack, yet I can’t remember ever reading one article that clearly explained the answer to these obvious questions. I can’t recall ever reading a software review of any VPN that explained the most basic principles. How did I miss it? I read it every week.

I’ve seen a disturbing trend with Apple Support over the last couple of years; in-store or remote.

When providing support for apps (Apple Music search function stopped working for a month and was fixed without a software update) or for iOS system-level issues (CarPlay random disconnects), one of the first questions I am asked is “do you have a VPN installed?”.

This has been regardless of what the actual issue has been. After answering yes, they have required the VPN to be completely uninstalled from the Mac or device before providing any support.

While this article is about VPN apps and services, I also support clients by connecting to their networks via the Apple VPN client and third-party clients and they have also required those to be removed on the Mac.

I have argued that I need them configured for work purposes and they will not proceed until all VPNs are removed or uninstalled.

I understand that many support issues may be caused by VPNs preventing connections to web sites and services. This goes against Apple’s stance on privacy and security and has caused me hours of time reconfiguring them afterwards over multiple support tickets and shouldn’t be the first thing they require on support calls and Genius Bar appointments. Especially when required for work.

I will “me too” David Shamino’s response: I use my employe’rs VPN via Cisco AnyConnect.

However, I have an advantage: I’m the sysadmin where I work. I’m the one who set up the VPN configuration. By using it constantly, I verify that it works and it’s usable. On the minus side, if something is not working, the source of the problem can be found by looking into the mirror.

I work from home. Because I require VPN to access the systems at work most of the time, I basically use it 24/7 even for personal tasks. It would just be too much of a hassle to turn it on and off; for example, if I’m editing a file at work in an extended session that lasts for days, toggling VPN would break off the editing session.

A consequence of this setup is it provides zero anonymity. If someone examined the IP address from which our VPN connections come, it points back to my workplace.

I explain all this to my users, whom I’m sure don’t remember.