Pidsec

VPN Analysis: The Use Cases of VPNs and Fixing Mistaken Notions


There is a plethora of views among technical commentators offering differing ideas about VPNs: whether they are reliable, the extent of their privacy or lack thereof, and some technical aspects of the service. Very few of them are reputable and spot-on; most VPN commentary is pure propaganda, mainly for profit motives. There are a few selective and reputable commentaries that are pretty spot-on, whether one acquires them from solid channels like Mental Outlaw, The Private Guy, Intel Techniques, and possibly even Techlore. What this post aims to do is offer a consolidated overview of the entire field and properly categorize the use cases for VPNs, so that you have a holistic and accurate view of them.

All VPN Usage Can Be Reduced to Two Main Use Cases

There are plenty of reasons, most of them valid, i.e. not criminally oriented, that justify using a VPN. Hell, even the state-sponsored conception of 'criminal activity' becomes increasingly flawed as an ever-expanding panoptic global surveillance structure is constructed under the noses of an unwitting public with a cavalier attitude. What I mean is that common, normal activities can enter the category of criminal activity, creating an ever-increasing need for people to protect themselves from the tyrannical injustices of a system enabling this at a global level against the herd it believes itself to be managing.

Anyway, putting the geopolitical reality aside, beyond the typical 'use a VPN at the coffee shop' argument, the more versatile use cases for VPNs range from corporate logins, where a VPN is typically used to create a secure tunnel from outside access points into the internal LAN for employees. The structure is similar for schools, medical facilities, and other brick-and-mortar work environments. Other use cases include getting around platform-specific geolocation restrictions, whether on Netflix, Hulu, or other web apps, which generally restrict or provide certain content purely based on the country of jurisdiction. This would be the "streaming" use case.

However, all of these reasons are what I would classify as the "Corporate Tier" use case for the legitimate use of a VPN. The second category I would classify VPN use under is what I call the operational security tier for internet users. In short, privacy and security, referred to here simply as OPSEC. OPSEC aims to pseudonymize, anonymize, obfuscate, or spoof your identity, your location, or both, from any snooping by unwanted parties the user might have in mind. This is done in order to maintain the integrity of one's own operational security.

Keep in mind that this is not to say that the corporate usage of VPNs does not have OPSEC in mind whatsoever, or vice versa; however, these two categories serve as a major dichotomy that will affect a user's choice of VPN and why.

In the technical corporate-tier use case for VPNs, one should keep in mind that such VPNs are not strong, or, I should say, should not be used in the realm of OPSEC. Most VPNs are virtually owned by a handful of corporate companies, most likely themselves owned by intelligence agencies of the Anglo-Israeli-American establishment. Even the CEOs of these companies come straight out of Israeli intelligence. One would have to be naive to believe that their entrance into the 'private sector' has no bearing on, or connection to, their continuing ties to those agencies, even if a particular agency's internal infrastructure may consider them 'inactive'. I am going to disregard most of the VPNs that get aired and shilled across virtually 98% of all VPN review sites, all of which are contrived reviews, co-opted by being bought off by the parent companies of these VPN providers. Those that I mention by name will be mentioned due to experience and to help offer an analysis in order to determine the condition of that VPN.

Before I get into the analysis, it is my personal opinion that it is best for each individual internet user to actually have multiple VPN choices. One choice from the corporate tier and one choice from the OPSEC tier is good; I personally prefer three: one on the corporate tier and two on the OPSEC tier. Having multiple strengthens your hand in several ways. Relying only on a single VPN reduces the integrity of maintaining good OPSEC dramatically, especially if that single option is a VPN more suited to the corporate use case. Before providing commentary on the two types of VPN, it is best to lay out the flaws that both share. Another thing to keep in mind is the size of the landscape: the corporate tier has dozens, if not hundreds, of providers, while the OPSEC side has literally a single handful. The only good thing about this is that it is easy to identify the OPSEC-tiered VPNs.

Universal Flaws

  1. All VPN providers are simply a replacement for your ISP (internet service provider). What is essentially happening is that instead of routing your traffic through your ISP, you are redirecting that traffic to a VPN provider.

  2. Another flaw is that all VPNs are grounded in, and subject to, the system of laws that governs them. What this should mean to the end user is that in order for a VPN to "remain" active, it MUST comply with the laws of the land in which it operates. So there is a case to be made for the locality in which a VPN company resides. However, one SHOULD NOT rely on the mere legal jurisdiction of the VPN, as that is a corollary and not exactly fundamental. What is fundamental is that when any and all VPNs DO comply with local law enforcement, how much the VPN has handicapped and hamstrung its own ability to supply LE with incriminating data is of UTMOST importance. The less data there is, and the more obfuscated it is, the much better that VPN is for the sake of OPSEC. The more de-anonymized data it holds, and the less obfuscated it is, the more that VPN will naturally slide towards the corporate-tier use case rather than fitting into the OPSEC tier.

  3. Another constant in the VPN market is that it is a "for profit" model. Due to the nature of servers and bandwidth, it can only exist as a business for profit and thus CANNOT be free. A VPN that is free means you are the product. So end users cannot expect a service to operate free of charge in such a market.

The Corporate Tier

You could technically lump all VPNs into this category of VPN usage by default. In fact, it is best to make this your default view of any VPN and then make an exception when there is good reason to; I will provide the exceptions in the next category. The traditional norm for this format of VPN traffic is that it should NOT be used for OPSEC reasons. You should assume that VPNs under this category do not do what they say. Most of them say "no logs" when in fact they do keep logs. The only misdirection these VPNs can provide is masking your true location from non-state actors like corporations, individual hackers, websites, etc.

Most of the systemic structure of corporate VPN traffic is that most of them default to a KYC program. So they all use a traditional identifier like an email or phone number. Pretty much all of them opt for traditional funding mechanisms tied to the KYC banking system: credit cards, bank cards, PayPal, etc. Although some exceptional platforms in this category do accept cryptocurrency payment, it is usually Bitcoin or some other surveillance digital currency. It is for these reasons alone that these VPN providers are placed in this category of VPN traffic rather than being depended upon for OPSEC purposes.

I would categorize NordVPN as the top provider of this category of VPNs. I only categorize it as the top of this class because it misses the mark for an entry-level position in the OPSEC tier. It has some good security, and has recently opted to accept cryptocurrency like Bitcoin, ETH, and I believe XRP; however, it still has a corporate use case tied to it. And the choice of crypto isn't all that OPSEC-friendly: the only truly private way to fulfil an OPSEC use of NordVPN is to pay in Bitcoin, and only through a non-KYC platform from which that Bitcoin originates. If the Bitcoin was acquired through a KYC-based platform, then there is an identity tied to it, and hence anonymity remains unfulfilled. Adjacent to this, AFTER selecting your private non-KYC Bitcoin stream to pay Nord, create an alias email in order to use a non-identifying email as a way of establishing an account. If creating a NordVPN account is done in this way, then maybe you have a chance at pretty decent OPSEC. And the last requirement is to do all of this on a public Wi-Fi network so that your actual home location is not used in creating that account.

Anyway, Nord is one of the few providers proven not to keep logs, but I feel their ethos as a company could betray that depending on the political climate. Mind you, as of right now, all security audits to date show they don't log, so I have no actual data to back up my suspicion; it is just a hunch on my end. Hence I only use this for my corporate strategy. But within the corporate tier, NordVPN is probably the strongest in OPSEC compared to the rest of the VPN providers in that tier. They also like to use propagandized gimmicks, like being based offshore in Panama where they are supposedly not subject to governmental scrutiny. Yet this is an advertising ploy which offers only nominal security; it would not prevent an ambitiously motivated adversary from pressuring Panama to extract that information from their servers. Typically, that would be a state actor.

Moreover, another major universal trait of this tier of VPNs is their monumental affiliate promotional programs, which even offer affiliates a variety of ad-tracking features for temporary periods in exchange for bringing in new paying subscriptions.

What simply makes Nord better is mainly the operational aspect of their infrastructure. They have 5,500 servers across more countries than most other providers. Their speeds are reliable and fast. They are able to circumvent blocking from Netflix, Google, etc. So I would definitely vouch for Nord for these reasons only, and because it does offer a decent standard of security; but again, I would not add it to the OPSEC tier, and my reasoning for this conclusion is explained further below.

Nord in relation to PIA

PIA (Private Internet Access) was once regarded as a strong platform for an OPSEC use case, even highly recommended by Michael Bazzell of Intel Techniques, and to some degree it still holds a bit of that pedigree, mind you, a bit. However, after it was taken over by a parent company and made some changes to its infrastructure, I don't wish to place PIA in the OPSEC tier; they lost that status when they were bought out. So I place PIA in the corporate tier, where it rivals Nord, but I would say Nord overpowers it in both OPSEC and, more importantly, speed and global reach.

Now, for those of you reading this and thinking I am somehow shilling Nord, here is where I digress from that sentiment. It would not surprise me if the core security devs of Nord were exposed as Israeli intelligence who created the most undetectable spyware system unknown to man to date, where they logged everything and were undetectable by any audit, internal or independent, using some form of scripting, language, or protocol not yet known to exist that allowed them to track everything while remaining undetected; and all of a sudden this somehow leaked to the public, possibly with some degree of the company mercing people to prevent that leakage, and somehow one got away, a Snowden-like individual, and it then gets exposed. I don't doubt that this can be a reality, which is why I would not place NordVPN in the OPSEC tier; it simply remains under a corporate-tier use case.

Now, for the people forming a logical argument against this by saying 'Well, if that is your suspicion, can't this be true and applicable to the VPNs you classify within the OPSEC tier?', I would respond 'yes it can'. However, in this climate we also analyze the actions of companies, which help contextualize what a company can do, or more importantly, what it is LIKELY or UNLIKELY to do. So when commenting on the VPNs I place in the OPSEC tier, I do so only because their historical actions, i.e. their track record, indicate that the suspicions stated above are currently UNLIKELY to emanate from them. If, in the future, they display a course of action that tilts that UNLIKELY behavior into a LIKELY behavioral pattern, then I will adjust my view accordingly. After all, we can only judge reality based on the actions people take.

There is more criticism of Nord that really makes it sus. Nord merged with Surfshark to create a parent company called Cyberspace. Hence it is a Lithuanian company, registered in Panama, and owned by a Dutch corporation. As you can see, the advertising gimmick of being based in Panama is in vogue with setting up a tax-free offshore haven in Panama. So what is technically a tax-free gimmick on their end is turned around by the Perception Management Industry, i.e. marketing and advertising, as a win for users: Nord allegedly won't be bound by government demands to cough up user data, since Panama is not part of the 5, 9, or 14 Eyes countries. Furthermore, the next major problem is Nord's expansion, fueled by their drive for business and profits. To the unsuspecting and naive person there is nothing wrong with business expansion. That is true, except it does not hold in absolute terms in the VPN market. You see, Nord is also in the password management industry, the cloud storage industry, and now the network access industry, where businesses can build their IT infrastructure with Nord. All of these reasons are why Nord should be regarded as a business enterprise solution and placed in the corporate tier. How is this bad for VPNs? Well, it is bad business for a VPN provider to collect user IP data and log traffic. However, it is technically sound to collect that data for cloud storage and the rest of their suite of products. There is another company within the OPSEC tier that has a multi-layer business model like this as well, but I will get into how they differ. That company is ProtonVPN.

The OPSEC Tier

Quite frankly, there are literally about five, or fewer than five, VPN providers that make the list. A few years ago, "That Privacy Guy" created a spreadsheet with a grading system that ranked VPNs, with embedded rules on how to curate and rate a VPN. That spreadsheet can still be accessed here:

https://docs.google.com/spreadsheets/d/1L72gHJ5bTq0Djljz0P-NCAaURrXwsR1MsLpVmAt3bwg/edit#gid=0

I'm sure a portion of the data is outdated or defunct, but it does provide a handy judgment system for determining the nature of a VPN.

NordVPN gets all green except for a red flag on ethics. That is pretty much where I stand, but I add an additional caveat that, due to those ethics, it may be a compromise to OPSEC, which is why I de-list Nord from the OPSEC tier into the mere corporate tier.

iVPN gets all green but two yellow (amber alert) flags, one on its jurisdiction and one on pricing. Mullvad gets all green minus a yellow flag due to its location. The chart is decent in that it gives you a grade for each aspect of a VPN provider so that the user can determine whether that particular field is important to them or not, as for some users certain fields may not be all that relevant. For example, a yellow or red flag for pricing might affect some users but be disregarded by others. Green means easy on price and flexible on payment options, and lower flags denote pricier price tags and fewer payment options.

Windscribe gets all green minus a red flag due to its location, which is Canada and hence part of the Five Eyes, as well as a yellow flag for ethics. However, the Windscribe blog has done considerable work in recent years to devalue VPNs for OPSEC and to critique itself, which to me may possibly elevate that yellow flag back to green in my own estimation.

So quite literally, if I were to choose a "top five" of the best VPNs for OPSEC purposes, my number 1 pick would be iVPN, with Mullvad coming in at an extremely close 2nd. These two are the top VPNs for OPSEC purposes in my estimation.

The second pair of rivals, vying for the 3rd and 4th positions, would be ProtonVPN and Windscribe. I would place more reliance on these two than on something like Nord, since the ethics of these two are primarily focused on privacy, whereas Nord, although it advocates privacy, seems more focused on the market; hence another reason why I place it in the corporate tier, as they seem to be motivated solely and purely by business. Again, each of these has its own particular set of flaws, and the end user has to determine which particular subject those flaws fall under and then make their own judgment as to what is more useful for their OPSEC, since there is really no one-size-fits-all standard in the realm of OPSEC.

Now, it is hard for me to place either one in the 3rd position and slot the other under it, although my gut feeling is to place Windscribe 3rd and ProtonVPN in the number 4 spot. ProtonVPN is actually a product initiated by what was originally Protonmail. And now they have built up a suite of products similar to Nord. HOWEVER, the two differ tremendously, which is why I don't hold Proton to the same standard as Nord. Yes, they have motivation for increased business growth. Yet they differ dramatically. Nord is purely driven by business and profit, and is much more easily detected as marketing to sell a bag of false assumptions to the user. Proton does not, or at least not to that extent. Moreover, Proton had its humble beginnings offering a private email solution, and began expanding its horizons with other network products. So it was built from the ground up with enhancing the end user's OPSEC in mind, and more importantly, their focus seems to be userland in userspace. In other words, their target and focus is the common individual market, not business enterprise.

Yes, Proton did come under fire from the privacy community last year for supplying a user's IP to Swiss authorities, in response to a French request which the Swiss authorities used to force Proton to cough it up. This incident left a sour taste for many in the FOSS and privacy communities, including myself. However, one has to look objectively at what happened and the context. The first thing folk must understand is that a legitimate company that wishes to operate in business, and remain in business, must comply with the laws of the jurisdiction it resides in. This is a universal constant; there is no escaping this law; it is essentially akin to the law of gravity. This is actually why the best solution to this problem is email aliasing, and NOT aliasing by the actual provider, but an independent email solution, for example SimpleLogin. SimpleLogin is an aliasing solution that essentially creates a proxy email address between your primary email account and the sender or recipient of your email. In other words, that alias is the proxy between you and the person you are communicating with.

In recent history, though, SimpleLogin joined forces with Protonmail, and through their collaborative efforts created an experience where members of SimpleLogin can easily be de facto absorbed into Protonmail. I would say that, for the sake of OPSEC, it is better to avoid merging. The thing about OPSEC is that it has a relationship with centralization and decentralization. To put it in layman's terms, the more of your eggs that are in a single basket, the further the extent of any damage and compromise to your own security, likely leaving you vulnerable to an attack of some kind. The fewer eggs in a single basket, the greater the mitigation in blunting the damage of any kind of attack against one's own operational security.

iVPN and Mullvad In Relation to ProtonVPN

In comparison, ProtonVPN has many more servers globally than either of these has on its own. That might increase network speed. Where Proton may be better than Mullvad and iVPN is in unblocking access to big-name streaming sites. Another aspect is circumventing Google CAPTCHAs: Mullvad and iVPN fail to register and refresh Google CAPTCHAs. Although in recent times, post-2023, these failures seem to be reduced, they are still there. While I haven't tried it with Proton, the typical circumvention of streaming sites blocking VPNs runs in tandem with this, and ProtonVPN may be able to get around it and allow the user to fully complete the Google CAPTCHA and proceed to log into the website they are signing into, whereas iVPN would not.

In order to get some kind of non-identity onto ProtonVPN, you have to start a free account, preferably with an alias email, and then upgrade to paid, opting to pay with Bitcoin, and again doing so from a non-KYC platform to send your BTC. This maneuver may deter most nominal snooping attacks, but may not deter a state-sponsored targeted attack. The only way to ensure such an attack is unsuccessful is to ensure that all routes by which Bitcoin arrived in the address used to pay ProtonVPN are also anonymized, or that several transactions occurred between the initial source address and the final address; the addresses prior to the final address should be non-KYC accounts, AND without using a mixer, as this may risk the coins becoming tainted, which destroys Bitcoin fungibility. At any single point where an identifier is side-loaded onto the chain linked to your address, chain analysis tools will be able to give an attacker a lead to find the identity behind that Bitcoin address.

This is where Mullvad and iVPN reign supreme over ProtonVPN, since they accept Monero payments and allow for purely anonymized account setups, two really based features that truly leave the competition in the dust. As for setting up ProtonVPN anonymously, it can be done. The best way is to use a Linux OS with QEMU/KVM virtualization, and download and deploy Whonix from the developer website, choosing the KVM edition, as the Whonix devs themselves confirm that the most secure of their deployments, even over VirtualBox, is the KVM deployment. Whonix comes with two virtual machines: the gateway and the user-end OS. Use the gateway and connect another Linux VM of your choice to the Whonix internal network inside virt-manager. Thus your Linux distro of choice will be connected to the Tor network system-wide and not just isolated within the Tor Browser. For a guide on how to set this up, see: Torify Kali VM Network Traffic via Virtualbox & Virt-Manager | The Cryptologist.

The Proton website can be accessed through Tor, so there is no problem in setting up Proton while connected through Tor. As for an email account, I would opt to deploy an alias email used as a proxy, like SimpleLogin for example. Or you could use MySudo or some other email you'd prefer, like Tutanota. Do not use identifying names for the email; simply type "kjcbiugvbas" or some randomized generation like this. Obviously you'd want a super awesome password; any password generator can do this, but the best password manager to use would be KeePassXC. Once you've created your free account, you can then click upgrade, select a plan, choose a payment method, and then select Bitcoin. As long as the rules outlined above for Bitcoin transactions are observed, you should be fairly decent with good OPSEC, even to the point that your OPSEC fully deters state attackers, or at the very least makes it extremely difficult for dedicated attackers to target you.

Again, the trade-off between the two is that ProtonVPN will be able, in most cases if not all, to stream popular sites like YouTube, post to Instagram, and sign in to sites that use Google CAPTCHAs, whereas iVPN won't be able to. I've tried Mullvad, and it is able to get on YouTube and Netflix and post on Instagram; I haven't tried logging in to a site using a Google CAPTCHA.

A Note on Login and Streaming sites

I've performed the actions above only to provide intel for the development of this article. However, with regards to OPSEC rules of online engagement, whichever VPN you choose to use as your primary OPSEC-tiered VPN provider, the key principle to keep in mind is to ensure that you DO NOT log in to a site. If you wish to spoof your location so that a site cannot identify your real location, this is where having a secondary VPN comes in handy. So I would personally use ProtonVPN to log into sites that I don't want to have my actual location, but if I want to completely disable any possibility of an identity being tied to any action performed online, I'd use something like iVPN and/or Mullvad. Just keep in mind that you WON'T be able to peruse YouTube while on iVPN. Now, this rule comes in handy ONLY if you have used personal "accurate" credentials, or what I call real-world credentials, about yourself. As for myself personally, I have never used any accurate real-world data of myself as credentials for anything online: fake names, fake dates of birth, burner cell numbers with no identifying tie to your real identity, or, if you can get away with it, VoIP numbers. So if you abide by these rules as a fundamental principle, there won't be as much damage control needed if you merely logged into a site that asks only for an email and password and has no other real-world identifying information. If it also asks for a cell number and you've tied your real-world number to it, then this will damage your OPSEC. Understand "out of sight, out of mind". If you use absolutely no identifying data about yourself with an OPSEC-tiered VPN provider, then there should be no worries. Treat your OPSEC-tiered VPN like a Tor connection. The moment you've logged into something like Facebook on a Tor connection is the very second you've completely destroyed your OPSEC, especially if you've used real-world identifying data of yourself as your profile on any such site.

Hardware/Software Solutions

A thing to keep in mind is hardware and software. With software, whether on a desktop operating environment or, even more vulnerable, a phone, it is possible to lose your VPN connection, and data leakage can happen. This is where grounding it, or creating extra layers, comes in handy.

So for grounding, it is best to deploy your VPN at the router level. A pfSense, OpenWrt, or OPNsense router firewall of some kind will give you much more granular control over any possible vulnerability like connection drops. Mobile devices are extremely vulnerable to this attack, and yes, it is an attack enabled by the cell manufacturers, especially with Android, with iPhone right under them. To circumvent this attack, having your device connect through such a router will ensure this attack is nullified.

As for creating extra layers: this comes in if you don't have the hardware capabilities, in which case the software capabilities should be observed. You could deploy a VPN server virtually using a virtual machine manager, and have another operating system installed as a VM that is NOT connected directly through the host NIC but rerouted through the VPN machine. Thus, if your VPN VM drops its connection, the internet connection will simply cease and cut off on its own. The main threat here is that if the VPN is deployed at the device level and it drops its connection for whatever reason, as it sometimes does, the network hardware and the underlying OS will simply keep you connected even though your VPN connection has dropped, which is a bad thing. Now, these applications do offer kill switches, but I find it best to use the kill switch as a secondary backup, and to simply harden your own security using the steps outlined above.
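The connection-drop leak this section describes can be checked from the routing table, which is what a software-level kill switch has to decide on. The following Python is an added example, not code from this post or from any VPN or firewall vendor; it assumes a Linux host whose tunnel interface is named tun0 or wg0 and whose VPN routes live in the main routing table (a WireGuard setup using fwmark policy routing would also need the `ip rule` tables), and every route listing in it is a constructed sample.

```python
"""Routing-table check for the "tunnel dropped but the OS keeps you online" leak.

Parses `ip route show` output (Linux main table) and decides whether all
internet-bound traffic is still steered through the VPN interface. Fails closed:
if the tunnel does not clearly win, the verdict is "block". Assumed interface
names (tun0/wg0) and all sample tables below are constructed for this example.
"""
import re
import subprocess
from dataclasses import dataclass, field

# One line of `ip route show`, e.g.
#   default via 192.168.1.1 dev wlan0 proto dhcp metric 600
#   0.0.0.0/1 via 10.8.0.1 dev tun0
_ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)
DEFAULT_DSTS = {"default", "0.0.0.0/0"}
# OpenVPN's "redirect-gateway def1" installs these two halves instead of replacing "default".
HALF_DSTS = {"0.0.0.0/1", "128.0.0.0/1"}


@dataclass
class Verdict:
    tunnel_wins: bool                                     # tunnel carries internet-bound traffic?
    leaking_devices: list = field(default_factory=list)   # interfaces that would carry it instead

    @property
    def action(self):
        return "allow" if self.tunnel_wins else "block"


def parse_routes(text):
    """Return one dict {dst, gw, dev, metric} per parseable route line (missing metric -> 0)."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if m:
            routes.append({"dst": m.group("dst"), "gw": m.group("gw"),
                           "dev": m.group("dev"), "metric": int(m.group("metric") or 0)})
    return routes


def check_tunnel(route_text, tunnel_ifaces=("tun0", "wg0")):
    routes = parse_routes(route_text)

    def is_tun(r):
        return r["dev"] in tunnel_ifaces

    defaults = [r for r in routes if r["dst"] in DEFAULT_DSTS]
    physical = sorted({r["dev"] for r in defaults if not is_tun(r)})

    # Case 1: split default via the tunnel. The /1 routes are more specific than
    # "default", so the physical default route underneath never carries traffic.
    halves = {r["dst"] for r in routes if r["dst"] in HALF_DSTS and is_tun(r)}
    if halves == HALF_DSTS:
        return Verdict(True)

    # Case 2: a plain default via the tunnel only wins if its metric is strictly
    # lower than every physical default route; a tie is treated as a leak.
    tunnel_metrics = [r["metric"] for r in defaults if is_tun(r)]
    if not tunnel_metrics:
        return Verdict(False, physical)   # tunnel route gone: the NIC carries everything
    best = min(tunnel_metrics)
    leaks = sorted({r["dev"] for r in defaults if not is_tun(r) and r["metric"] <= best})
    return Verdict(not leaks, leaks)


# Constructed sample route tables (not captured from any real host).
SAMPLE_OPENVPN_UP = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""
SAMPLE_TUNNEL_DOWN = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
SAMPLE_WG_GOOD_METRIC = """
default dev wg0 scope link metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
SAMPLE_WG_BAD_METRIC = """
default dev wg0 scope link metric 700
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

if __name__ == "__main__":
    # Live check on a Linux host; elsewhere, walk the constructed samples instead.
    try:
        live = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout
        print("live:", check_tunnel(live))
    except (OSError, subprocess.CalledProcessError):
        for name, sample in [("openvpn-up", SAMPLE_OPENVPN_UP), ("tunnel-down", SAMPLE_TUNNEL_DOWN),
                             ("wg-good", SAMPLE_WG_GOOD_METRIC), ("wg-bad", SAMPLE_WG_BAD_METRIC)]:
            print(name, check_tunnel(sample))
```

A "block" verdict is the moment a firewall-level kill switch (router or VM-based, as above) should already be dropping traffic; the check only makes the state visible.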

Conclusion

As the reader can see from all the material above, the topic of VPN usage is quite convoluted, which validates the age-old adage "The devil's in the details".

You will notice that there are different reasons for using a VPN, and the primary reason the user has in mind will then dictate which provider to use.

Secondly, while each human being has their own set of circumstances that determine the nature of their threat model, I believe universally that all end users have a simple base-minimum threat model in which each user NEEDS, not 'is recommended', but NEEDS, at minimum two VPN providers: one on the OPSEC tier and one on the corporate tier, with the OPSEC-tiered one reserved for purely anonymous, non-identifying traffic. I do, however, recommend two on the OPSEC tier. I would recommend either iVPN or Mullvad as the primary OPSEC-tiered VPN and either ProtonVPN or Windscribe as the secondary one, preferably ProtonVPN.

Why recommend two? Well, firstly, a key principle of OPSEC is redundancy. However, there is more to it than simple redundancy. I would say use the secondary OPSEC-tiered VPN for your primary mobile device, and consider that one more vulnerable, and use your primary OPSEC-tiered provider for your desktop environment of choice. Linux or BSD would be the best solution over macOS or Windows. Why? The reason is that mobile phones are much more vulnerable to your OPSEC. Here is why:

Thus, in these ways alone, your mobile device is much more vulnerable to attack than any desktop environment.

#anonymity #opsec #privacy #vpn