A Defensive Computing Checklist    by Michael Horowitz

VPNs     (Last updated: November 28, 2021)

New to VPNs? See my article An introduction to six types of VPN software from 2017. I also wrote A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers in 2016 which offers an introduction to VPNs and Tor. Seeing as this is a checklist website, what follows is a very short intro.

With a VPN, software on your computing device (computer, tablet, phone, etc.) makes a secure connection to a VPN server computer. Once this "tunnel" is established, all data entering and leaving the computing device is encrypted. Thus, nothing that sits between your computing device and the VPN server computer (a router or an ISP) can spy on you at all. Blocking spying by an ISP is especially important in the US, where ISPs are allowed to spy on their customers and sell that data. For details on this, see Internet Service Providers Collect, Sell Horrifying Amount of Sensitive Data, Government Study Concludes by Karl Bode (Oct. 2021).

That a VPN hides everything from a router is how people in China can interact with the rest of the world. It is also how students in a school can bypass restrictions and see websites that teachers try to block.

In addition, other computers connected to the same network (LAN) as your computing device are also blind to what you are doing online. For this reason, a VPN should always be used on a public Wi-Fi network.

Some people have argued that since a "secure" website (using HTTPS) prevents others from reading the content of web pages, there is little need for a VPN. However, others can still tell which websites you visited. In some cases, just the website name gives away too much information. And websites are not the only thing on the Internet. With mobile apps, for example, you cannot tell if data is being transmitted securely or not.

In addition, a VPN will change your public IP address, so you can pretend to be in a different physical location.

Picking a VPN provider is mind-bogglingly difficult. See one attempt and another and another and another and another and another. Even agreeing on the criteria to judge them by is impossible. I have my opinions on good/trustworthy VPN providers; email me for my suggestions. The big danger in picking a VPN provider that is not trustworthy is that they can spy on you, in the exact same way that an ISP can spy on you when you are not using a VPN.

There are four sections below: (1) Is the VPN working?, (2) Choosing a VPN - Features to look for, (3) Blocking Ads and Tracking while using a VPN and (4) an FYI on Location Hiding.

  IS THE VPN WORKING?

  Things to test before and after connecting to a VPN:

  Choosing a VPN - Features to look for

To the rest of the world, you judge a VPN by speed, price, logging and the number of servers. All of these criteria are wrong.

  Block Ads/Tracking While Using a VPN

As a rule, the job of blocking ads and/or trackers falls to your web browser and its extensions. But some VPNs can do this too. One advantage of VPN blocking is that it applies to the entire operating system, not just one web browser. If you connect to one of these VPNs from a router, it can block ads/tracking on any device connected to the router. The downside of any such blocking (in a browser or a VPN) is carving out exceptions to the rules.

These VPNs do blocking:

  1. IVPN calls their tracker blocking feature AntiTracker.
  2. ProtonVPN calls their ad/tracker blocking feature NetShield. It uses DNS filtering to protect you from malware, block ads and prevent website trackers from following you around the web. It is only available to paid customers.
  3. In April 2021, Mullvad added support for custom DNS server configuration on macOS, Windows, Linux and Android. This can be used with an assortment of DNS providers that block ads/trackers. In May 2021, they introduced ad blocking (How to set up ad blocking in our app). In June 2021, ad and tracker blocking was a new feature in their iOS app (How we're knocking down ads and tracking). They also offer ad blocking for free to anyone, not just their customers, via their secure DNS service (DNS over HTTPS and DNS over TLS, July 2021).
  4. At Perfect Privacy, their TrackStop feature blocks ad-tracking and phishing.
  5. The Disconnect Privacy Pro SmartVPN blocks trackers on iOS. Their Premium VPN blocks trackers on iOS, Android and macOS.
  6. Windscribe VPN offers what they call a "One-of-a-kind customizable server-side domain blocking tool" that blocks ads and trackers, and you can customize it. They call the feature R.O.B.E.R.T.
  7. The Freedome VPN from F-Secure blocks trackers on iOS, Android, Windows and macOS.
  8. The Guardian Firewall + VPN app on iOS "blocks digital trackers from secretly collecting your information." It is from the Sudo Security Group. For free, their VPN service alerts about tracking but does not block. I wrote about it in August 2019.
  9. On Android, there are three versions of the Blokada ad-blocker. The free version that blocks ads is not allowed in the Play Store. It installs a VPN, but only to block ads by intercepting DNS requests. There was a trivial version in the Play Store that also installed a VPN, but all it did was modify the DNS servers. Currently (Feb. 2020) the version in the Play Store is called Blokada Slim and it combines the older DNS changer with a fairly new, real VPN called Blokada Tunnel, which costs 5 Euros/month (roughly $5.50 in US dollars). Great feature: customized white and black lists.
  10. Coming: AdGuard VPN (Jan 2020). They are writing a new VPN protocol, which is not a good sign.
  11. Android 9, 10 and 11: There is an interesting conflict between a VPN and the Android Private DNS feature. Each wants to be in charge of the system-wide DNS. In a test of Android 10 with three VPN providers, Private DNS won out every time. This was not a DNS leak: the DNS requests went through the VPN tunnel, and the Private DNS resolver sees requests coming from the VPN server, not from the VPN client. However, in a test with Android 9, the VPN DNS won out. Beats me why. If Private DNS wins, and you use NextDNS, then any VPN can be used alongside the ad and tracker blocking from NextDNS. The best of both worlds. I tested with multiple DNS testers on my RouterSecurity.org site.
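The DNS filtering that NetShield, Blokada, NextDNS and the other blockers in this list rely on comes down to one decision per DNS query: is this name, or a parent of it, on a blocklist, and has an exception been carved out for it? The following Python script is an added example of that core logic; it is not code from any of the providers named above, and the blocklist, allowlist and query names in it are constructed. It also shows the "exceptions to the rules" downside mentioned earlier: an allowlisted host under a blocked zone wins over the block.

```python
"""DNS-based ad/tracker filtering reduced to its core: a hosts-style blocklist,
an allowlist of exceptions, and a block/allow decision per queried name.
Added example; the list contents and query names are constructed."""
from __future__ import annotations

# Constructed sample blocklist in the hosts-file layout that most public
# ad/tracker lists use: "<sink address> <domain>", with '#' comments.
SAMPLE_BLOCKLIST = """\
# constructed sample list, not a real blocklist
0.0.0.0 ads.example
0.0.0.0 tracker.example.net
127.0.0.1 telemetry.example.org   # older lists sink to 127.0.0.1 instead
"""

# Constructed exception list: the "carving out exceptions" that is the
# downside of any blocker. A login host under a blocked zone is a typical
# case where blocking breaks something the user actually needs.
SAMPLE_ALLOWLIST = ["login.ads.example"]

SINK_ADDRESS = "0.0.0.0"  # address handed back for blocked names


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Ads.Example.' == 'ads.example'."""
    return name.strip().lower().rstrip(".")


def parse_hosts_blocklist(text: str) -> set[str]:
    """Return the set of blocked domains from hosts-style text.

    The leading address is ignored; only the domain field(s) on each line
    matter. Comments and blank lines are skipped.
    """
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:  # blank, comment-only, or no domain field
            continue
        blocked.update(normalize(d) for d in parts[1:])
    return blocked


class DnsFilter:
    """Decide whether a queried name should be blocked.

    A name is blocked when it, or any parent domain, is on the blocklist,
    unless it, or a more specific parent, is on the allowlist. The walk goes
    from the full name towards the top-level domain, so the most specific
    rule wins.
    """

    def __init__(self, blocked: set[str], allowed: list[str]) -> None:
        self.blocked = {normalize(d) for d in blocked}
        self.allowed = {normalize(d) for d in allowed}

    @staticmethod
    def parent_chain(name: str) -> list[str]:
        """'a.b.example' -> ['a.b.example', 'b.example', 'example']."""
        labels = normalize(name).split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]

    def decide(self, qname: str) -> str:
        for candidate in self.parent_chain(qname):
            if candidate in self.allowed:
                return "allow"
            if candidate in self.blocked:
                return "block"
        return "allow"

    def answer(self, qname: str) -> str | None:
        """Sink address for blocked names; None means resolve normally."""
        return SINK_ADDRESS if self.decide(qname) == "block" else None

    def summarize(self, qnames: list[str]) -> dict[str, int]:
        """Count decisions over a batch of query names (e.g. a resolver log)."""
        counts = {"allow": 0, "block": 0}
        for q in qnames:
            counts[self.decide(q)] += 1
        return counts


if __name__ == "__main__":
    f = DnsFilter(parse_hosts_blocklist(SAMPLE_BLOCKLIST), SAMPLE_ALLOWLIST)
    for q in ["ads.example", "cdn.ads.example", "login.ads.example",
              "Tracker.Example.Net.", "www.example.org", "ads.example.com"]:
        print(f"{q:24} {f.decide(q)}")
```

Note that "ads.example.com" is not blocked even though "ads.example" is: matching is on whole parent domains, not on substrings, which is what keeps a blocklist from accidentally swallowing unrelated names.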

  FYI ON LOCATION HIDING

All VPNs claim to hide your physical location and/or let you appear to be somewhere else. In the old days this was sold for the anonymity it offered. Later, it was sold so that people in the US could listen to the BBC. It stems from the fact that, with a live VPN connection, all data going to/from the Internet passes through the VPN server. Your public IP address is that of the VPN server, not your home or office.

But the claim predates smartphones, spy machines that they are. A smartphone can locate itself using GPS, Wi-Fi, cell tower location and probably even Bluetooth (not sure). I have tested Wi-Fi based locating and found it extremely accurate. So, if the phone knows where you are, who is to say whether it leaks this information to the outside world. And the outside world, on a phone or a desktop computer, is not just websites. Modifying your public IP address is not the be-all and end-all that it used to be. It is still a good thing, but it may no longer be sufficient.

If hiding your location is really important, use a device without Wi-Fi or GPS or Bluetooth. On a smartphone or tablet, disable them and hope the phone operating system honors your request. On a cellphone, airplane mode should prevent it from contacting cell towers. I say "should" because I don't know how to verify this. Even if you cannot make or receive a phone call, that does not ensure that the phone is not communicating with a cell tower. After disabling Wi-Fi, GPS and Bluetooth, reboot the device to ensure that it is not still using a recently detected location.

Clearly, Ethernet is your friend here. iPhones and iPads can use Ethernet with an appropriate adapter. Likewise there are USB type A and USB type C adapters for Ethernet that can be used with any computing device with a USB port.

To put this in perspective, the strongest option is preventing the operating system from knowing where it is. If this is not possible, then you need to try to prevent the operating system from giving the location to applications and to web browsers. In the case of browsers, there are probably configuration options in both the browser and the operating system for this. For more on this, see the Location Tracking topic on the main page.

Windows 10, for example, offers OS level configuration options for Location in System Settings -> Privacy -> Location. In the resulting panel, ensure that everything is off. On a lower level, Windows users should probably disable the Windows Geolocation service (a.k.a. lfsvc). The description says that it "...monitors the current location of the system and manages geofences (a geographical location with associated events). If you turn off this service, applications will be unable to use or receive notifications for geolocation or geofences." There may be a downside to disabling this service; I have not tested this extensively, but I doubt it.
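The two Windows controls just described, the lfsvc service and the Settings -> Privacy -> Location switch, are the kind of thing that gets silently turned back on, so it is worth having a check you can re-run. The Python script below is an added example (not the page's own method) that audits both. It evaluates parsed text, so it can be exercised on any platform with constructed input, and only runs the real commands on a Windows host. Two things in it are assumptions from my own knowledge of Windows rather than from the page: the layout of "sc qc" / "sc query" output, and that the Location privacy switch is stored as the string "Allow" or "Deny" in the CapabilityAccessManager\ConsentStore\location registry key.

```python
"""Audit the Windows 10 location controls: the Geolocation service (lfsvc)
and the OS-level Settings -> Privacy -> Location switch.
Added example; evaluation works on parsed text so it runs anywhere with the
constructed sample input below, and collects live data only on Windows."""
from __future__ import annotations

import re
import subprocess
import sys

# Assumption (not from the page): registry key behind the Location privacy
# switch; its value named "Value" holds "Allow" or "Deny".
CONSENT_KEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\CapabilityAccessManager\ConsentStore\location")

# Constructed sample output of "sc qc lfsvc" and "sc query lfsvc" on a
# machine where nothing has been hardened yet.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lfsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        DISPLAY_NAME       : Geolocation Service
"""
SAMPLE_SC_QUERY = """\
SERVICE_NAME: lfsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
"""
SAMPLE_CONSENT = "Allow"  # constructed: location still allowed


def sc_field(output: str, field: str) -> str | None:
    """Extract the symbolic value of a line like 'START_TYPE : 3 DEMAND_START'."""
    m = re.search(rf"^\s*{re.escape(field)}\s*:\s*\d+\s+(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def audit_location(sc_qc: str, sc_query: str, consent_value: str | None) -> list[str]:
    """Return a list of findings; an empty list means every check passed.

    Checks: lfsvc start type is DISABLED, lfsvc is not RUNNING, and the
    OS-level Location switch is 'Deny'.
    """
    findings: list[str] = []
    start_type = sc_field(sc_qc, "START_TYPE")
    state = sc_field(sc_query, "STATE")
    if start_type != "DISABLED":
        findings.append(f"lfsvc start type is {start_type}, expected DISABLED")
    if state == "RUNNING":
        findings.append("lfsvc is running; stop it after disabling it")
    if consent_value != "Deny":
        findings.append(f"Settings -> Privacy -> Location is {consent_value!r}, expected 'Deny'")
    return findings


def collect_and_audit() -> list[str]:
    """Run the real commands on a Windows host and audit the results."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    import winreg  # Windows-only module, so imported here
    qc = subprocess.run(["sc", "qc", "lfsvc"], capture_output=True, text=True).stdout
    query = subprocess.run(["sc", "query", "lfsvc"], capture_output=True, text=True).stdout
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CONSENT_KEY) as key:
            consent, _ = winreg.QueryValueEx(key, "Value")
    except OSError:
        consent = None  # key or value absent: treated as a finding
    return audit_location(qc, query, consent)


if __name__ == "__main__":
    if sys.platform == "win32":
        results = collect_and_audit()
    else:
        results = audit_location(SAMPLE_SC_QC, SAMPLE_SC_QUERY, SAMPLE_CONSENT)
    print("\n".join(results) or "all location checks passed")
```

Run it after changing the settings and again after the next Windows update; an empty result is the state you want. Reading the registry needs no elevation, so the audit can run from a normal user account.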

As an example of browser location settings, consider the Location settings for the Chrome browser (the screen shot is from Chrome 93 on Windows). You can access the location settings directly at chrome://settings/content/location. This is where you control whether the Chrome browser is allowed to tell websites the location of the computer/phone/tablet. This assumes that the operating system and the browser already know the location. One slip-up in configuring this and a VPN can no longer hide your location from a website.

An article on this: How does my browser know my real location when I'm on a VPN? by pcwrt (January 2021).

I have yet to see any VPN provider mention that location blocking should be configured in both the operating system and the web browser that you use. That would burst their marketing bubble.

Fighting with the operating system and the browser is complicated, error prone and, even if done right, involves some trust that the software is doing what it's told. The safer approach is to ensure the operating system cannot learn its location in the first place. Ethernet is your friend.

Website by Michael Horowitz @defensivecomput
Copyright 2019 - 2021