Online Privacy & Security - VPN
What is a Virtual Private Network? How does it work? Let's discuss a few VPN options for your regular browsing needs
Recently I was discussing with friends the tools I use to improve online privacy and security. Today I wanted to talk to you specifically about VPNs (Virtual Private Networks).
( Photo by Sepp Rutz )
Define your objective
As a general rule, before measuring and/or comparing anything, I recommend defining our main criteria. After all, there are many different scenarios to consider!
Here, I am thinking about a regular user: they will be performing "typical online activities" and are not considered a "power user".
In this scenario, a "power user" would be an enthusiast, an online security researcher, or possibly someone with specific needs such as a journalist, a political or social activist and so on. Likewise, with "typical online activities" I am thinking about web browsing, watching video streams, chatting, purchasing items and so on. If you are a spy working for a global superpower and looking to exfiltrate some highly classified intel - then this list is unlikely to be relevant to you 🤣
Secure your connection - Why?
Firstly, let's think about how we connect to things over the Internet. Irrespective of what we are using (mobile phone, laptop, etc...) we want to safeguard the data that transits between our device and our destination. There are two main technologies involved here:
- DNS: the "phone book" of the Internet, it maps the name of the site we are visiting with the IP address used by our device to communicate with it
- Communication protocols: once our device knows who to talk to, it needs to exchange data with it in a safe way. For simplicity let's focus on HTTP, the protocol used by your browser to load a website and its resources - or by your favourite mobile app to pull the data it displays.
When these technologies are in action, they exchange messages over a heterogeneous group of networks, down to the physical cables (or wireless links) transporting electrical (or other) signals. Along the way, there might be several actors who have a chance to snoop on your data when it's not secured.
For example, by looking at the DNS requests your phone is making I can figure out which sites or services you are using. Or, by looking at the content of the HTTP exchanges, I can figure out exactly the content of the requests and responses. For sure, nowadays most web services offer secure (encrypted) communication over HTTPS which goes a long way to hide most of the details.
Some of these details are still visible, depending on the version of the protocol in use. And, incidentally, this is why some countries have disabled (or are considering disabling) the most secure implementations of these protocols.
By the way - if you want to dig into the details of HTTPS, I've already written a couple of articles on this:
What is a VPN?
Great - now you understand the basics. But how do you protect your connection from snoops?
A VPN (Virtual Private Network) is a way to create a secure, point to point, encrypted tunnel between your device and some other machine somewhere around the world. Once this has been set up, all the communication flows inside this tunnel, protected from prying eyes.
Let's look at a diagram to understand it. Imagine you are on your phone and want to load my blog:
Let's imagine your phone's IP address is 192.0.2.1. When you open the phone's browser and type www.paolotagliaferri.com, a few things happen:
- Your phone needs to know where to send the traffic for www.paolotagliaferri.com. It uses DNS to find which IP address is responsible for providing the data for my blog.
- Once it knows the address, it attempts to open a TCP connection to that address. The TCP connection is used as a base to then create a secure TLS connection (because my site supports HTTPS) and finally to exchange HTTP(S) messages (for example "give me the data for the homepage of the blog"). This is basically how you load and see the content of the page.
By default, DNS requests are sent unencrypted. This means that anyone in between your phone and the DNS server could learn, for instance, that 192.0.2.1 wants to know the address of www.paolotagliaferri.com. Once the IP is mapped to you, anyone can know that you specifically were looking at my blog at that date and time.
Similarly, the data in the HTTP (unencrypted) requests would be visible. If HTTPS is in use, depending on the version it might be possible to figure out the site that you're attempting to open (read more about SNI), or even intercept the communication and act as a "man in the middle", gaining the ability to read all the content exchanged in the requests and responses.
When a VPN is in use, the phone establishes a secure connection with the VPN provider first, and then typically all the data (DNS requests included) will flow on the encrypted tunnel. From the perspective of someone outside the tunnel (the bad red robot in the diagram), the data exchanged is all jumbled up and cannot be read.
It is important to note that the VPN works until we reach the "exit node" of the VPN provider. This is where the VPN tunnel is terminated and the original message is sent out on the network. Crucially, from the outside, it appears that this traffic is generated by the "exit node" (and not by you - when the VPN offers this service). For example, imagining the exit node has an IP of 203.0.113.5, this is where the traffic would appear to originate from. If I looked into the logs of my web server, to see where the requests are coming from, I would see them arriving from 203.0.113.5 and not 192.0.2.1.
To get a quick idea of what kind of data you are sharing when visiting a site, you can check pages such as https://ipleak.net/ or https://www.whatismyip.net/
Trust
In the previous section, we have seen how it works from a technical (high level) perspective. But there is another important aspect to consider: when we use a VPN, we are placing our trust in the VPN provider. This means that we expect them to avoid doing exactly the things that pushed us into using a VPN in the first place!
Typically, the VPN provider can see your IP, can see your DNS queries, can log the traffic and could correlate the information to reconstruct a good profile of your internet activities for marketing or other purposes.
It is therefore crucial that the provider chosen gives you strong guarantees on what use (if any) is made of the data that can be potentially collected, and that this is stated clearly in their Terms and Privacy Policies.
When choosing a VPN service it is also important to check how the encrypted tunnels are implemented in practice:
- VPN Protocol: I'd recommend looking at providers that use well-known, battle-tested options such as OpenVPN, WireGuard or IKEv2/IPsec. I'd be reluctant to use a provider that works with some obscure, "never heard before" bespoke protocol!
- Configuration: check that the cipher suites used are strong, that the key size is adequate and that the protocol configuration supports Perfect Forward Secrecy.
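As an added example of the configuration check above (not code from the original article or from any provider), this sketch audits an OpenVPN client profile for weak data ciphers, weak HMAC digests, a missing TLS floor and settings without forward secrecy. Both sample profiles are constructed, and the weak-algorithm lists are a policy assumption to adapt.

```python
# Policy assumptions for this example: 64-bit block ciphers and MD5/SHA1 are rejected.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
WEAK_DIGESTS = {"MD5", "SHA1"}

WEAK_CONF = """remote vpn.example.net 1194
cipher BF-CBC
auth SHA1
tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA
"""  # constructed sample
STRONG_CONF = """remote vpn.example.net 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
"""  # constructed sample

def parse(text):
    """Map each OpenVPN directive to its argument list, skipping comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, *args = line.split()
        opts[key] = args
    return opts

def audit(text):
    """Return (code, detail) findings for a client profile."""
    opts, findings = parse(text), []
    if "secret" in opts:  # static key mode: no TLS handshake, no forward secrecy
        findings.append(("static-key", "no forward secrecy"))
    for key in ("cipher", "data-ciphers", "ncp-ciphers"):
        for name in (opts.get(key) or [""])[0].upper().split(":"):
            if name in WEAK_CIPHERS:
                findings.append(("weak-cipher", name))
    digest = (opts.get("auth") or [""])[0].upper()
    if digest in WEAK_DIGESTS:
        findings.append(("weak-digest", digest))
    vmin = (opts.get("tls-version-min") or ["unset"])[0]
    if vmin == "unset" or tuple(int(p) for p in vmin.split(".")) < (1, 2):
        findings.append(("tls-version-min", vmin))
    for suite in (opts.get("tls-cipher") or [""])[0].upper().split(":"):
        if suite and "DHE" not in suite:  # neither DHE nor ECDHE key exchange
            findings.append(("no-pfs-suite", suite))
    return findings

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(STRONG_CONF))
```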
Let's now look at some of the VPN options that I'm familiar with.
For my needs, I am quite happy to use Cloudflare's WARP Client (as a note, Cloudflare is where I work). For it to function as a VPN, you will need to install the WARP app (which is available for most operating systems, including App Store and Play Store).
The WARP Client can work in DNS only mode or WARP mode. When using WARP mode, a secure tunnel (WireGuard) is established between your device and the closest Cloudflare data centre, and all the traffic (including DNS) is sent through this tunnel. There is also a paid option (WARP+) which includes traffic acceleration capabilities, offering improved performance for your navigation.
The tool is very easy to use: it essentially has just a single "ON/OFF" button. Looking into the configuration options, there is also a simple setting to include Malware and Adult Content protection (so that your device will be prevented from reaching this content).
There is an excellent article explaining the philosophy behind WARP on the Cloudflare blog. I wanted to quote this part about the privacy commitments underpinning this tool:
WARP continues all the strong privacy protections that 1.1.1.1 launched with including:
1. We don't write user-identifiable log data to disk;
2. We will never sell your browsing data or use it in any way to target you with advertising data;
3. Don’t need to provide any personal information — not your name, phone number, or email address — in order to use WARP or WARP+; and
4. We will regularly work with outside auditors to ensure we're living up to these promises.
It is important to note that this option provides security (by protecting your DNS queries, and by encrypting the traffic from your device to the Cloudflare network).
It does not hide your IP address, and it does not allow you to choose specific exit countries. If you need these features then you might consider a different VPN service.
In addition to WARP, which is always enabled on all my devices, I also keep my ProtonVPN client at hand. ProtonVPN is a Swiss-based, fully-fledged VPN service that includes a free option as well as paid options with more capabilities.
ProtonVPN can be useful when more anonymity is required, as it will hide your real IP behind the exit node IP address. It also offers geolocation options, as it operates a network in 55 countries (The free plan restricts this choice to 3 countries).
The paid features include adblocker capabilities and a "Secure Core VPN" configuration, which routes connections to high-risk jurisdictions so that they first pass through one of their Secure Core servers. These servers are located in jurisdictions with strong privacy laws (Iceland, Switzerland and Sweden) and operated directly by ProtonVPN. I have not tested this feature directly but I'd imagine it could introduce some latency due to the additional hop - would be good to hear from someone that has used it!
ProtonVPN comes with good privacy features too: no logs policy, no personal data required at registration, and their apps are open source.
AirVPN is another service I have direct experience of - having used it in the past. I would class this as a "Power User" tool. Compared to WARP and ProtonVPN, it requires some manual tinkering and configuration, but it also allows more specific configurations and it is great if you want to understand how it all works in more detail.
The (paid) service runs on the OpenVPN protocol and a subscription gives you access to their entire network (whereas with ProtonVPN it depends on the level of your subscription). In addition to classic OpenVPN configurations, it supports encapsulation modes such as OpenVPN over SSH, OpenVPN over SSL and OpenVPN over Tor.
AirVPN's mission is focused on avoiding censorship, preserving Net Neutrality and offering strong anonymity protections.
Wrap Up
I hope I gave you some useful information on why you might want to use a VPN. I also shared a few options (with varying levels of user-friendliness, features and costs) that you might consider if you decide to start using this type of service.
Do you use other VPN services? Do you have feedback on the ones I have discussed? Let me know in the comments!