Feature Request: Easy Way to Add VPN Service

I got that from this comment …

I don’t have any research, but I can refer to articles which confirm that some VPN services are not able to provide information to authorities because they don’t log. For example …

https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/

To be fair, there are also articles that demonstrate how using a VPN does not guarantee protection:

https://securitygladiators.com/fbi-purevpn/

I do not think the decision whether to rely on an ISP or VPN service is a black and white issue. However, I think the decision whether a user wants to put more trust in their ISP or a VPN service should be left up to the user.

That is a claim. I have no idea how they could prove that they are not doing this.

At the same time ISPs generally do not log such activity. Some are legally obliged to. Some log some things to sell it to advertisement companies.

I think it isn’t. I have asked for some research that would support the point for a VPN provider. The only thing you posted is against your point.

So how do you still think this is helping?

You are choosing who is spying on you. That can of course make a difference. But Peters point on tor still stands and won’t give a single party the chance to spy on all your data traffic.

Re.: “Can I ask why you are with an ISP that you do not trust at all and why that is?”
The reason is that, in the US, we don’t have choices in this regard. Most (all?) local service areas here have effectively 1 or 2 high-speed ISPs to choose from. These ISPs are mostly massive corporations that have massive influence on our governments. See this and this from the Electronic Frontier Foundation.

Re. “Why do you trust the VPN providers?”
I don’t completely, but I trust my ISP choices less. Ultimately, in my case at least, everything comes down to me trusting in what others whom I decide are reasonably trustworthy trust. This is also true with my trust in Ipfire. I understand that Ipfire is open source, but I have neither the technical ability nor the time to personally verify that Ipfire is safe. So, for me, it comes down to the same thing: trusting in what others whom I decide are reasonably trustworthy trust.

That’s why I have been using a VPN. However, because of Peter’s suggestion that I look at Tor, I’ve read about it and would very much like to configure my network to use Ipfire’s add-in support in lieu of a VPN. But, I need help. I followed the instructions here. However, I can’t confirm that devices on my local network are going through Tor. Navigating to https://check.torproject.org/ on my Windows and phone Firefox browsers, I’m told that I’m not using Tor. I have also tried setting the Windows system proxy and Firefox proxies to my Ipfire address and port 9050, to no avail. I tried using the Tor browser, and that does work, but I’m guessing it’s not going through Ipfire’s Tor add-in and in any case, I want all traffic on all our home network devices to go through it, not simply web browsers.

Thanks once again to you, Peter, and everyone at Ipfire.

But here is a big difference: you could fine someone who understands the technical aspects that you trust and them to conduct an audit for you.

With the VPN providers you can’t. People have to reverse engineer what could go on inside.

But the situation with too few ISPs to choose from is not different in most parts of the world. Unfortunately.

Hi,

The reason is that, in the US, we don’t have choices in this regard. Most (all?) local service areas here have effectively 1 or 2 high-speed ISPs to choose from.

this is funny as the situation in Germany is very much the same: Especially in rural areas, there only is Deutsche Telekom AG, which cooperates with the Federal Intelligence Service and has been providing IP address space to it - in fact, I have no reason to believe it has discontinued to do so.

I tried using the Tor browser, and that does work, but I’m guessing it’s not going through Ipfire’s Tor add-in and in any case, I want all traffic on all our home network devices to go through it, not simply web browsers.

This is true, the Tor Browser is using it’s own Tor daemon so it does not rely on your IPFire system.

Personally, I strongly recommend against

• tunneling all traffic through Tor. Most applications are not prepared for this, they might leak your public IP address, and making them using Tor is difficult and might be dangerous.
  I rather recommend creating firewall groups for devices which are really required to access the internet, and prevent anybody else from doing so. The less network traffic you emit, the smaller your attack vector becomes.
• using something else rather than the Tor Browser or solutions like Whonix if you need extra security. This includes not to re-configure any existing browser to use the Tor daemon of IPFire, as they mostly lack important privacy protections.
  Looking at Whonix, they did some pretty amazing things in order to prevent deanonymisation through your systems clock, keystrokes, and so on. Most browsers even allow accessing your MAC address (the FBI took advantage of that), which is disastrous if you aim to stay anonymous.

To keep it simple: Please use the Tor Browser, or Whonix if you are more paranoid. (You might have a look at Qubes OS then, it’s what I use, and makes dealing with Whonix more simple.) Only allow essential outgoing internet traffic, and consider enforcing all of your clients to go through the web proxy integrated into IPFire.

Setting up all of this stuff is work, but in the end, you do not need to worry about your ISPs messing around with your privacy. All they see is you are using Tor - as ~ 400,000 people in the US do - in fact, this number is believed to be much higher.

Sorry for the length of my reply. Like anything else, there are no simple answers to complex issues, and staying anonymous definitely is one.

Thanks, and best regards,
Peter Müller

I would say you can judge VPN providers by how they react when they are engaged in legal action. Like when Thepiratebay was said to use a certain VPN provider to hide its true location, the VPN provider just continued to say they have no logs and as such cannot hand over any information. They also said to the court that they do not require users to provide an email or physical address and is happy to accept Bitcoin or cash.

Hi,

I would say you can judge VPN providers by how they react when they are engaged in legal action.

but how do you know if they are engaged in legal actions in the first place? Neither VPN providers nor law enforcement agencies usually have an interested in making such cases public, so you never know how big the iceberg is beyond the surface.

[…] just continued to say they have no logs and as such cannot hand over any information.

Yes, they said so, but we will never know if they provided some information behind the scenes. As long as there is no technical guarantee they can’t, I do not believe it.

Thanks, and best regards,
Peter Müller

how do you know if they are engaged in legal actions

You read about it in the news, one example is here:

All Swedish court info is open for the public to read, and therefore you can see that OVPN never gave any info.The case is still active, so we will see if OVPN provides any info or not, but so far not.

Hi,

I am sorry, but you do not seem to understand this topic.

Nobody is going to jail for you for a couple of dollars per month. A VPN provider certainly not.

Thanks, and best regards,
Peter Müller

Have you considered that maybe it is you who, outside your geographical area, don’t really know how it works?

Those who work with the VPN service obviously do not want to end up in prison to protect their users. But if there is no saved data, there is nothing for the supplier to disclose (ISPs in Sweden must save info, but not VPN providers).

In Sweden there are no laws that state that VPN providers need to store any logs or data about their customers activity. No need to save User information, Connection logs, Usage logs etc, see How OVPN prevents any traffic logs | OVPN.com . Similar laws in Panama and British Virgin Islands. To some extent also Romania.

It is a stated fact that OVPN have not given any info, not because they want to go “to jail for you for a couple of dollars per month”, they have collaborated with the authorities, but they just simply don’t have any data to give.

Also, if we look into the logic of in secret saving logs even you don’t need it. If we assume VPN providers do their thing because they want to earn money. Then there are no reasons to say they do not save, but then secretly do so (except if one might believe in conspiracy theories). On the other hand, if they say they don’t save data, but do so in secret, they would brake GDPR rules that in Sweden gives huge penalties and possible jail time. Also lying in court about not having secret logs would give jail time and penalties. And when the information is leaked to the public about their secret logs, they lose their source of income as most customers leave them.

So hard facts from Swedish court, Swedish laws, logic and reason say that OVPN don´t need to save and don´t have any saved info, and therefore simply don´t have any info to give. I would say that is VPN provider you can trust (and there are others).

Hi all,

haven´t dig deeper into that topic (cause i do have also other concerns) since it appears on the first page of the search results → https://www.bestvpndeals.com/sweden-to-keep-vpn-logs/ (this is no promo for this company or country) , probably 2017 is a little old but the first fact that surveillance becomes more and more attractive also in Sweden → https://www.thelocal.se/20200304/what-you-need-to-know-about-swedens-new-digital-surveillance-law makes this problem even worse in my opinion and the second fact that it needed “leaks” to inform the public point out that non-transparency in that scope might be the rule and not an exception ?!

Best,

Erik

Okay, I think we should all take a step back and breathe. There is no point in calling anybody stupid here.

On the topic: Laws are different from country to country. There is again no debate on this. Nobody here will be an expert on all those different systems of law and so we might need to generalise.

Now, we do know a couple of things though:

• It can be irrelevant where the company is being registered. Laws where the customer is may apply. Simply put: If I sell something from Germany to France, I have laws in both places to comply with.
• There might be unlawful espionage on the VPN provider
• There are promises made by the VPN providers - just as any other company does that, too. We call it advertising or marketing and the truth is sometimes stretched.

This is different in various European countries and I would argue still an ongoing debate on who falls under regulation and who doesn’t.

This might be true in your case, but generally we cannot validate this which is Peter’s point here. There are reports of players who have passed data to authorities and said at the same time that they are not storing any data. In the US, they might have received a national security letter. I am sure we are all aware what those are and how they work.

Exactly. And storing those logs and selling them in raw form, or aggregated is a way to make money.

I don’t think that this is a conspiracy. It simply is a possibility that the companies do not do what they are saying (i.e. save no data), but there is no way to prove that. The company cannot prove it, and I cannot prove the opposite. However, as mentioned above, there are cases where someone has breached this promise.

To paraphrase Peter again: If the VPN provider cannot technically guarantee that they are not doing it, there is only a little bit of black ink on some white paper that is going to stop them.

This might be true in your case, but generally we cannot validate this

In Sweden we have transparency in court, all documents are open to the public (the one exception is cases involving children). OVPN also have a a transparency page where you can read more here Transparency | OVPN.com

I say it again, there are hard facts from transparency, Swedish court, Swedish laws, logic and reason. But when all proof say otherwise, still without proof I hear things like they are “storing those logs and selling them in raw form, or aggregated is a way to make money”. When we have explanations that are more probable than that, then we are talking about conspiracy theories. Like Wikipedia say

A conspiracy theory is an explanation for an event or situation that invokes a conspiracy by sinister and powerful groups, often political in motivation, when other explanations are more probable. The term has a pejorative connotation, implying that the appeal to a conspiracy is based on prejudice or insufficient evidence.
Conspiracy theories resist falsification and are reinforced by circular reasoning: both evidence against the conspiracy and an absence of evidence for it are re-interpreted as evidence of its truth, whereby the conspiracy becomes a matter of faith rather than something that can be proved or disproved.

We could say the same about any company, organization and software, there is a hidden agenda or a hidden clever code that looks like something else.

As an example, how can you prove to me that there are no hidden clever codes in IPFire that looks like something else? “Deep state” may have hidden it anywhere, maybe even in combination of files in a way that is impossible to know if you don´t know their huge multi country zero exploit organizations thousands of secret exploits (that organization also actively daily inserts new exploits in thousands of targeted open and commercial software every day). Well, we cant have that kind of proof, we must have trust. Most of us have to trust IPFire, based on the facts we can find, without being able to examining the whole source code for IPFire, drivers, kernel, installed software etc.

If we randomly download and install software, we probably will get malware. But with some research we can find software that we in the end judge trustworthy. If we randomly chose a VPN provider, we probably wont will get what we thought. But with some research we can find VPN providers that we in the end judge trustworthy.

In the end of the day we must try to make rational decisions based on the knowledge we actually have and the evidence we actually have, we must ultimately be able to choose to trust someone. And that’s something we have to be able to do ourselves, we should not let anyone else make that decision for us (what is that person’s agenda? )

Hi,

I say it again, there are hard facts from transparency, Swedish court, Swedish laws, logic and reason.

well, that does not protect you from

• the VPN provider or one of its employees being forced to cooperate
• an uplink or data centre used by the VPN provider being compromised
• future governments changing those laws
• legal actions against a VPN provider which later turn out to be illegal (but data have been provided, anyway)
• and all sorts of technical issues arising if you are using a VPN provider (MiTM, traffic correlation attacks, etc. pp.)

If you decide to use your trustwothy VPN provider of the day, go ahead and do it. The IPFire project, however, strongly recommends against this, and will not add a feature to use such VPN services in IPFire. Period.

Thanks, and best regards,
Peter Müller