I had that happen a few weeks ago, and Support would not move forward until I had Uninstalled the app, not just turned it off. What does it do when it is installed and off?
I have used PIA for some time, but having read about Kape’s business practices in the comments on Adam’s original article on VPNs I have switched to ProtonVPN. Looks like it’s a bit cheaper too!
Zscaler is kind of interesting. Let’s say you’re a company that needs to provide a VPN for employees to use when they’re at home or otherwise not in the office. This VPN will connect into the company’s network.
There are two ways to do this:
- Full tunnel: all of the traffic from the user’s computer is routed through the VPN, including traffic that isn’t for the company at all.
  For example, let’s say the user starts the company VPN, then goes to TidBITS. TidBITS isn’t on the company’s network, so the traffic needs to route user > VPN > company network > firewall (probably) > public Internet > TidBITS
- Split tunnel: the VPN sets up the routing on the user’s computer so that company IP subnets are routed through the VPN, but non-company are not tunneled into the VPN and instead go out the user’s normal network interface.

The problem with a full tunnel is that now the VPN and the company network have to handle all of the traffic. This even includes company traffic that is actually hosted in The Cloud, where it would be more efficient to just route it to the Internet.
So a split-tunnel is better. But, it has security concerns. What if the user tries to go to TidBITS but mistypes it and actually goes to a malware serving site? The user’s machine is compromised. Companies don’t like it when you connect compromised machines to their network. And due to the VPN, in effect the user’s machine is connected to the company network. So, users working away from the office can serve as a means of infiltration of malware.
Enter Zscaler. What it does is leave the split-tunnel VPN alone, but it redirects the out of tunnel traffic to Zscaler servers, where it can block access to malware sites. And do other content blocking.
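The routing difference described in the post above, as an added example that is not part of the original thread: a small longest-prefix-match model of the client's routing table under full tunnel, split tunnel, and split tunnel with out-of-tunnel traffic steered to a filtering service. The subnets, addresses and interface labels are constructed placeholders, and the "filter-proxy" hop is a simplified stand-in for a cloud filtering service, not a description of how Zscaler is implemented.

```python
import ipaddress

# Constructed placeholders: these ranges stand in for "company IP subnets".
COMPANY_SUBNETS = ["10.20.0.0/16", "192.168.50.0/24"]

def build_routes(mode):
    """Return the client's routing table as (network, next hop) pairs."""
    default = ipaddress.ip_network("0.0.0.0/0")
    company = [(ipaddress.ip_network(n), "vpn") for n in COMPANY_SUBNETS]
    if mode == "full":            # everything enters the tunnel
        return [(default, "vpn")]
    if mode == "split":           # only company subnets enter the tunnel
        return company + [(default, "local")]
    if mode == "split+filter":    # rest of the traffic goes to a filtering hop
        return company + [(default, "filter-proxy")]
    raise ValueError(f"unknown mode: {mode}")

def next_hop(routes, dest):
    """Pick the most specific matching route (longest prefix wins)."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, via) for net, via in routes if addr in net]
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def unfiltered(mode, dests):
    """Destinations reached with no company or filtering control in the path."""
    routes = build_routes(mode)
    return [d for d in dests if next_hop(routes, d) == "local"]

# Constructed sample traffic: an intranet host and two public sites
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = ["10.20.3.4", "203.0.113.10", "198.51.100.7"]

if __name__ == "__main__":
    for mode in ("full", "split", "split+filter"):
        hops = {d: next_hop(build_routes(mode), d) for d in SAMPLE}
        print(f"{mode:13} {hops}  unfiltered={unfiltered(mode, SAMPLE)}")
```

Only plain split tunnel leaves destinations that bypass every control, which is the exposure the post describes; full tunnel closes it by pushing all of the load onto the company network.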
Vivaldi now sports Proton VPN (free) right in the browser now so there you go.
It’s possible that I mentioned this in the thread asking which VPNs people use, but I think I decided to wait until this thread; so, these are how and why I use VPNs (note the plural):
- Most of my VPN use is a private Tailscale network that allows me to access computers and devices behind a double-NAT set of two routers. It’s possible that I could remove the inner router from one of those remote networks, but I prefer not to - the outer router is a gateway router/modem from the telecom company that provides our fiber-optic internet service (and telephone service - we still have a landline), and I don’t recall the gateway device ever getting firmware security patches/updates. So I have only two devices connected to the gateway - another router, which provides service to everything else on the network except one device - an LTE Verizon network extender, which provides cellular signal while we are within its service radius. Otherwise we have weak to no cellular signal, which kills the battery levels on our phones. This VPN is running all of the time. I do have a couple of “exit nodes” specified so occasionally I use this when I want to make it appear as if I am using one of my home IP addresses when I am not there, but that’s very infrequent. (For example, the few times that I use Facebook or Facebook Messenger I may do this - I don’t want Meta getting any extra location data from me if I can avoid it.) [edit - I’ll just add that the remote access app Screens 5 integrates really well with Tailscale networks - it has a dedicated sidebar page that shows all hosts on my Tailscale tailnet network.]
- I also have a ProtonVPN service, which I use for two reasons. The first is to watch the occasional Bruins hockey games - we have no TV service that provides the local NESN network that has exclusive rights to carry the games. NESN does provide a $30 monthly subscription, which I have used before, but considering the cost the service is terribly unreliable much of the time, even with 750 mbs download speeds. So ProtonVPN allows me to appear as if I am somewhere else in the US and watch games on ESPN+. (Side note: the Bruins have a ridiculous exclusive geography of all New England states, and considering that, say, Burlington VT is closer geographically to both Montreal and Ottawa, and I think parts of Rhode Island are closer to the NY Islanders than Boston, this is crazy to me. I really wish the NHL and MLB baseball would remove these restrictions, charge a little extra to watch the local team - which nearly everyone would want to do - and provide that extra subscription to the local franchise.) I chose Proton because I already had an account and because it works really well on tvOS, which I use to watch the games. But I also use Proton occasionally when traveling outside the country to appear as if I was in the US, because there are web sites that I access that will not respond to foreign IP addresses.
- Back when I used Eero Plus, they offered an included subscription to Encrypt.me, changed later to Guardian, which I used as described above while traveling - to get a US IP address to allow access to web sites that were blocking foreign IP addresses. But now I use ProtonVPN for that.
- I have a client for which I set up Tailscale so that remote users could access their internal devices and servers, and I have a Windows VM that connects to that network to allow me access when I need it.
For years, I’ve used SSH to provide remote support to friends/family/clients. While some might not consider SSH to be a VPN, it does provide a point-to-point secure tunnel to remote sites. I use PKI (public/private key pairs) to connect securely to the sshd process running in the remote router. Then the SSH port forwarding feature lets me access various servers and other hosts on the remote LAN. Old school technology perhaps, but still effective.
For some remote sites, I’ve used OpenVPN, connecting to an OpenVPN server running in the remote routers (mostly ASUS). On macOS: I use the Tunnelblick client. On iPhone/iPad, the OpenVPN Connect app. I’ve found that configuring OpenVPN can be a bit of a pain - too many options, settings, and certificates to manage. Incompatibilities between the OpenVPN client and the vintage of OpenVPN that is found on the routers. Not to mention various inscrutable error messages.
For ongoing remote support duties for friends and family, I’m now migrating to Tailscale. I’ve found AppleTV to be a useful adjunct for that. The tvOS Tailscale client provides both subnet routing capability (remotely access all the local subnets) as well as serving as an exit node. I’ve also deployed Raspberry Pis with Tailscale software at a couple of sites. Tailscale is so much easier to manage than a bunch of OpenVPN endpoints.
Finally, I occasionally use PureVPN when I want to appear to be somewhere I’m not. No complaints, but from reading some of the other comments here, it seems my “Lifetime Subscription” may be coming to an end. I was able to renew it after the 1st five years, but perhaps I’ve reached the end of that road.
So, I use TunnelBear. Sometimes I do writing research, and I’m not always crazy about having my identity noticed and logged by web sites. I got a locked-in rate on it years ago, and because the company is made up of Plucky Canadians®, they’ve honored it ever since.
What feels like an excellent fit for an average user like me is that it uses client-side apps to configure the VPN settings, and so there are apps for macOS and iOS. I’ll run into occasional issues when the OS upgrades, but that’s been happening less often lately.
It doesn’t hurt that they have one of the more captivating Web login screens. Who could resist an animation of a cartoon bear covering its eyes with its paws while a password is being typed in?
I use ProtonVPN and Mullvad, mostly Mullvad lately. I don’t use these at home or at work, but do when out and about. I have to assume the security aspect as I have no way to test it, but I find the claims of geolocating misleading. I rarely can use either to watch things in different countries, whether to watch US programs when overseas or to watch Premier League when home. I also find many sites block VPNs. I have to turn off the VPN to use Ticketmaster for example.
I use a Firewalla router at home (Gold Plus). I have the built-in WireGuard VPN configured and applied to my devices. If I’m on any network other than my SSIDs, the VPN automatically connects and all of my traffic is routed through my home network and back out through my ISP. I also have Proton VPN (part of my Proton package), and I use that on the Firewalla to provide Unbound over VPN to prevent DNS modification and encrypt the outbound DNS queries (while the content still uses the ISP connection). I will occasionally use the Proton VPN directly if I need to access something in a specific country (I work for a global organization and occasionally I need to do so).
If I didn’t already have a working solution that does what I need, or if I needed peer-to-peer connections between my devices, then I would be using Tailscale. It’s a really interesting project, but it doesn’t fit my current use case(s).
I use VPN all the time because it is the only way you can implement DNSCrypt on iOS and iPadOS (encrypted DNS protocol). Plus specific DNS servers block ads and trackers while browsing and within apps. This is good for privacy, it reduces data traffic over networks and time in displaying content.
The survey does not take into account this use case. It is different from hiding the IP address.
I have no choice: my employer – a major university health system, which is required to protect patient information – allows remote network access from Macs using F5 Access from F5 Networks.
Before F5 Access we used F5’s standalone BIG-IP Edge Client, and before that Juniper Networks’ Pulse Secure before it moved to Ivanti.
The F5 BIG-IP Edge Client used to be a pre-packaged download from the employer’s IT page. But when the university switched to F5 Access we then could only get the app from the Mac App Store. That meant it was no longer pre-configured for our VPN server, which meant the user had to follow instructions to configure it themselves.
The employer also requires that users first get added to a “VPN Client Exception List” in Active Directory, which always complicates the first connection for a new user since a support ticket will be needed.
I only use F5 Access for the short periods I connect remotely to the hospital network; then I disconnect and quit F5 Access. I don’t otherwise use any VPN for anything, as I’m not convinced that they make the Internet safer.
I use TunnelBear, too. I agree with everything you said.
I only use VPN for accessing my university’s network from home or when traveling. They use Palo Alto Global Connect.
Question for ProtonVPN current & prospective users:
With their current “Anniversary” offer, new users will pay about $72 for a two year subscription. It seems the price will then go up over 3x to $240 for two years at renewal. Will it be worth it to pay the higher rate? Do you expect the price to be lower? If not, will you switch VPNs?
I failed to see one nice feature of NordVPN mentioned: You can identify secure networks where automatically VPN will be switched off.
NordVPN indicates this by: “You are on trusted Wi-Fi.” There is also a button to switch off this feature for the respective network.
My router at home (TP-Link Deco) has a VPN built into it. I use it when I need to appear to be at home rather than traveling internationally.
Be wary of ‘lifetime’ offers, they are a marketing tactic. They work well to obtain a large number of new customers but eventually it is not sustainable. If they have too many users not paying the going rates they are losing money as the company’s operating costs will always go up.
See the same story over and over: you sign up for a lifetime offer only for it to eventually be cancelled.
Hotspot Shield
For me, it has been generally better-behaved than Nord, which I likely will not renew.
Just adding a link to my other post regarding VPN ownership and security issues, such as Crossrider / Kape Technologies buying up a number of VPN companies (and review sites) or malicious VPN extensions found spying on Chrome users in recent months.