Potential VPN options/ replacements

strypey
Joined: 05/14/2015

I'm currently located in China and my household and I need to use some kind of VPN to hop over the Great Firewall. So far, we are just paying ExpressVPN once a month, and getting reliable service seems to require using their proprietary apps (which appear to be wrappers for OpenVPN). Every time I've done a bit of reading about what other options we might have, I've ended up getting lost in the weeds. Switching to another commercial VPN provider is a bit pointless unless there is one that releases the source code of their client-side software (ideally all their software) under free licenses.

Other options that I've considered are:

* using Lantern (https://github.com/getlantern) - this only seems to work for websites (not other internet tools like IRC or torrents), and even then it was a bit hit and miss when I tested it. That was a while ago though.
* using BitMask (https://bitmask.net/) with a gratis provider like RiseUp.net - I've had a few attempts at working out how to do this but no joy so far
* using Mysterium (https://github.com/mysteriumnetwork/) - this is an experiment with building a decentralized VPN on a blockchain. Haven't tested it yet. Might be still in alpha.
* using WireGuard (https://git.zx2c4.com/?q=wireguard) - not even sure what this is yet. An experimental OpenVPN replacement?

If anyone can share any knowledge about VPN services and software, that would be much appreciated. Even just linking to relevant discussions about this on the Trisquel forums would help. I have tried searching previous threads, but couldn't find anything helpful.

GNUser
Joined: 07/17/2013

I confirm that BitMask with RiseUp used to work great in Trisquel 7 but I never got it to work properly in T8.
Might be something wrong on my end though...

Why not use Tor and I2P? Way more secure than VPN.

nadebula.1984
Joined: 05/01/2018

In order to access I2P or Tor in China, you must first jump the Great FireWall.

Because I live in China, I'm quite adapted to the highly censored network. This is why I stick to decentralized solutions such as XMPP. Because they are decentralized, they are hard to completely block.

strypey
Joined: 05/14/2015

I can confirm I was trying to use it on T8. No joy. But then I don't really know what I'm doing ;) It would be great to debug this and get it working. Did you file a bug report on Trisquel's issue tracker and/or the LEAP issue tracker for the relevant Bitmask package?

chaosmonk

Joined: 07/07/2017

I have been using Mullvad for a while. They claim not to keep logs and accept anonymous cash payments. They have servers in many different countries, and their desktop/mobile client makes it easy to switch between these servers to circumvent geoblocking. Unfortunately the latest version of the client does not work for me on Trisquel 8. I haven't gotten around to figuring out why, but in case you have trouble, this version does work.[1] Or, if you don't want to use their client at all, they provide OpenVPN configurations.[2] You can make an account anonymously and it will work for three hours, during which you can determine whether or not it works for you. You can then pay for more time if you want to keep using it.

[1] https://github.com/mullvad/mullvadvpn-app/releases/download/2018.6/MullvadVPN-2018.6_amd64.deb
[2] https://www.mullvad.net/en/guides/linux-openvpn-installation/
[3] https://www.mullvad.net/en/account/create/

GNUser
Joined: 07/17/2013

I am not familiar with the current state of the Firewall of China, but I know Tor has ways to bypass blockage of access. I am not sure if it is working now or not. Maybe ask for bridges?

As for I2P, it's decentralized and they have a new protocol that should be resistant against blockage and censorship. Try installing the newest version, you get all sorts of services (email, IRC, XMPP, etc).

As for VPNs, I don't trust them really... But yes I did open some tickets for BitMask. However they never resolved any. I don't think there is a constant development of the app.

For me Tor and I2P would be the way to go. But I am not sure how it goes in China, maybe the Firewall is winning right now?

chaosmonk

Joined: 07/07/2017

> As for VPNs, I don't trust them really...

Tor and I2P are better, but Tor is unsuitable for certain things like BitTorrent, and I2P can't access the clearnet, so there are some cases where a VPN is the best option. Some are more trustworthy than others, but of course none are completely trustworthy. However, given the choice between a VPN or nothing, the question is not whether you trust your VPN completely, but rather whether or not you trust your VPN less than your ISP and the owners of the servers you connect to.

GNUser
Joined: 07/17/2013

Well, I trust none :P
That's why I use Tor and I2P (anonymity, no trust required).
I2P can actually access the clearnet for general browsing and some other things (email and such). BitTorrent I suspect is not the main concern of people in China anyway but there is a good tracker inside I2P anyway.

I concede the point that sometimes it's better to trust a VPN than an ISP.

chaosmonk

Joined: 07/07/2017

> I2P can actually access the clearnet for general browsing and some other things (email and such).

Cool, I wasn't aware of this. Thanks.

GNUser
Joined: 07/17/2013

No prob. If you need help with I2P I could try to help. I have been using it for some time myself (though only for torrents).

GNUser
Joined: 07/17/2013

Strypey, did you find a solution by now? What exactly are you trying to access that Tor will not work for, or has China been able to block Tor lately?

strypey
Joined: 05/14/2015

GNUser:
> What exactly are you trying to access that Tor will not work for, or has China been able to block Tor lately?

I have to admit that I only tried Tor once, about a decade ago, saw how much it slowed down my web browser, and haven't used it again since. I had a similar experience with PGP. I used it for a while, realized that almost nobody I communicate with uses it, and that I couldn't read my stored emails using anything other than the desktop email client I had used to set it up, and dismissed it as impractical for my needs.

What do you suggest is the best option for using Tor on:
* a 32-bit netbook running Trisquel 8: https://www.coactivate.org/projects/disintermedia/bishop
* a couple of old mobile devices running Android 4x (not supported by LineageOS and probably not Replicant either due to MediaTek SoC)

Thanks for the info about I2P. I am interested in obscuring my use of BitTorrent here, just in case. Again, what do you suggest is the best way to use I2P on the old netbook? Links to up-to-date overview and HowTo guides would be most helpful.

Thanks also to chaosmonk for the info about Mullvad. I will look into that. Do you know if they support 32-bit systems?

chaosmonk

Joined: 07/07/2017

> I have to admit that I only tried Tor once, about a decade ago, saw how much it slowed down my web browser, and haven't used it again since.

I'm not sure what it was like a decade ago, but I'm sure it's better now, just because there are more relay nodes. It's even improved in the two years I've been using it. I think this is partly because the browser itself became faster after upgrading to a Quantum base, and maybe partly as a side effect of this.[1]

> What do you suggest is the best option for using Tor on:
> * a 32-bit netbook running Trisquel 8: https://www.coactivate.org/projects/disintermedia/bishop

If you just want to use Tor for web browsing, download the 32-bit Tor Browser executable tarball.[2] All you need to do to run it is extract it to a directory, enter that directory, and run the executable. However, if you'd like to be able to launch it from menus or from a terminal as if it were natively installed, see here.[3]

> * a couple of old mobile devices running Android 4x (not supported by LineageOS and probably not Replicant either due to MediaTek SoC)

It looks like Tor Browser is not in F-Droid yet, but has .apk packages for X86[4] and ARM[5].

If you need *all* of your traffic to go through Tor (not just web browsing), I'm not sure how to safely configure that in Trisquel. You could look into Tails or Heads. I think Tails has a blobby kernel, and if your machine is old it might have trouble running GNOME. Heads is all free-software, but I've never gotten it to work.

> I had a similar experience with PGP. I used it for a while, realized that almost nobody I communicate with uses it, and that I couldn't read my stored emails using anything other than the desktop email client I had used to set it up, and dismissed it as impractical for my needs.

You should be able to read encrypted emails across devices, as long as your devices each contain a copy of your private key. Even if you find PGP too inconvenient to use regularly, it is not a bad idea to set it up and make your public key known, so that if someone needs to contact you securely they have the option.

> Thanks also to chaosmonk for the info about Mullvad. I will look into that. Do you know if they support 32-bit systems?

Sorry, I didn't consider architecture. It looks like they only provide 64-bit binaries, and with Electron dropping 32-bit support that probably won't change in the future. :( If you're fine with OpenVPN then the client isn't really necessary, it just makes things a little easier to set up.

[1] https://support.torproject.org/tbb/tbb-2/
[2] https://www.torproject.org/dist/torbrowser/8.0.8/tor-browser-linux32-8.0.8_en-US.tar.xz
[3] https://notabug.org/chaosmonk/mozilla-tarball-install
[4] https://dist.torproject.org/torbrowser/8.5a11/tor-browser-8.5a11-android-x86-multi.apk
[5] https://dist.torproject.org/torbrowser/8.5a11/tor-browser-8.5a11-android-armv7-multi.apk

nadebula.1984
Joined: 05/01/2018

In one word, you gravely underestimated the Great FireWall.

strypey
Joined: 05/14/2015

I was looking at laptops on the ThinkPenguin and I noticed a reference to "PenguinVPN". I did a web search for that but couldn't find much. Is it this one:
https://www.penguinproxy.com/faq

I can't see any link to source code or information about software licenses on their site.

strypey
Joined: 05/14/2015

Finally found a page on the ThinkPenguin site confirming that PenguinVPN is a service they run (or resell under their brand):
https://www.thinkpenguin.com/gnu-linux/penguinvpn-subscription-1-6-and-12-month-options

This appears to be nothing to do with PenguinProxy.com.

strypey
Joined: 05/14/2015

I read the announcement of the Purism libre.one service with some excitement. Their family pack costs about the same per month as what we've been paying for ExpressVPN, and includes not only the Librem Tunnel VPN service (based on OpenVPN), but a range of datafarm replacements, including email, chat (Matrix *and* XMPP), and a fediverse account. If it works well on all our devices (GNU/Linux, MacOS, and Androids) I will be cancelling our ExpressVPN account.

andyprough
Joined: 02/12/2015

> strypey - If it works well on all our devices (GNU/Linux, MacOS, and Androids) I will be cancelling our ExpressVPN account.

Please give us a review of your experiences, I am quite interested in hearing more.

chaosmonk

Joined: 07/07/2017

> I read the announcement of the Purism libre.one service with some excitement. Their family pack costs about the same per month as what we've been paying for ExpressVPN,

Aren't they an American company? I'd look into where their servers are located before considering them as a VPN or email provider. The screenshot on this page[1] implies that they have at least one VPN server in California, but I couldn't find information about whether they'll have servers in a variety of countries like Mullvad does, or where their email servers will be located.

> and includes not only the Librem Tunnel VPN service (based on OpenVPN), but a range of datafarm replacements, including email, chat (Matrix *and* XMPP), and a fediverse account.

If you find it desirable to have many services hosted by the same organization, you might look into disroot.org.[2] In addition to email, they have XMPP servers, a Searx instance, a Diaspora instance, cloud storage via Nextcloud, Etherpad for collaborative document editing, and more. They use a donation-based model, so their services are accessible to everyone while being funded by those who can afford to pay rather than by exploiting user data. Encouragingly, it looks like they are receiving enough funding in donations that they can afford to make some donations to various free software projects.[2] They don't have a VPN service at this time, so this doesn't address your OP, but you might be interested in their other services.

[1] https://librem.one/
[2] https://disroot.org/en/#_white-bar
[3] https://disroot.org/en/blog/donating_floss

chaosmonk

Joined: 07/07/2017

Sorry, I screwed up the footnotes.

> The
> screenshot on this page[1] implies that they have at least one VPN server
> in California

> If you find it desirable to have many services hosted by the same
> organization, you might look into disroot.org.[2]

> In addition to email,
> they have XMPP servers, a Searx instance, a Diaspora instance, cloud
> storage via Nextcloud, Etherpad for collaborative document editing, and
> more.[3]

> Encouragingly, it looks like they are receiving
> enough funding in donations that they can afford to make some donations
> to various free software projects.[4]

> [1] https://librem.one/
> [2] https://disroot.org
> [3] https://disroot.org/en/#_white-bar
> [4] https://disroot.org/en/blog/donating_floss

Also,

> In addition to email,
> they have XMPP servers, a Searx instance, a Diaspora instance, cloud
> storage via Nextcloud, Etherpad for collaborative document editing, and
> more.[3]

It's not advertised at that link[3] but apparently they support Matrix
too.[5] No Mastodon instance yet, though. I'd like to see them add that
as well.

[5] https://riot.disroot.org/#/welcome

strypey
Joined: 05/14/2015

Thanks for the tip. I already have a Disroot account ;) Yes, it's an excellent service and great to hear their pay-what-you-can model is working out for them. But as you say, it's not (yet) a replacement for ExpressVPN for our needs.

I also have a RiseUp account, which I've had for more than a decade, but I've yet to get their BitMask VPN service working from inside the GF.

Purism (and Private Internet Access their VPN partner) are headquartered in the US, as is RiseUp, and like them, Purism have a warrant canary. But I'm not operating under the delusion that a VPN will magically protect my privacy. I just need it because of the country I'm in, as I said in the OP. If I'm going to give about NZ$20 a month to a company for that service, I would rather it be one that is investing significantly in free code software and more freedom-respecting hardware and services. The other hosted services that come with librem.one are a bonus.

Before any of the resident Purism knockers on this forum chime in, I'm aware of your criticisms, but let's at least try to keep this thread focused on the topic of VPN options that don't require running proprietary software (including JS) on the client-side (and ideally don't use it on the server side either).

Coming back to Disroot though ...

chaosmonk:
> apparently [Disroot] support Matrix too.

They started off running a Matrix server but decided to close it to new users late last year and switch their focus back to XMPP. The Riot web client can still be accessed at https://riot.disroot.org but only users who have logged in during the last 2 months can still log in. See:
https://disroot.org/en/blog/matrix-closure

> No Mastodon instance yet, though. I'd like to see them add that as well.

They do have a Hubzilla hub, with the federation plug-ins that make it compatible with all the other federated networks that use ActivityPub protocols (and OStatus and Diaspora), but it's still in beta.

chaosmonk

Joined: 07/07/2017

> Purism (and Private Internet Access their VPN partner) are headquartered in the US, as is RiseUp, and like them, Purism have a warrant canary.

It's not necessarily a problem that the *company* is based in the US. The location of the *server* is what determines things like whether or not they have to keep logs. Mullvad has VPN servers in a few dozen different countries. If Purism has VPN servers in safer jurisdictions than the US, then it is not such a problem that they are an American company. Same goes for their email servers.

> Before any of the resident Purism knockers on this forum chime in, I'm aware of your criticisms, but let's at least try to keep this thread focused on the topic of VPN options

I agree. Although I have expressed concerns about Purism in the past, I'm only evaluating them as a VPN and email provider here. I'd ask these same questions about any provider.

> They do have a Hubzilla hub, with the federation plug-ins that make it compatible with all the other federated networks that use ActivityPub protocols (and OStatus and Diaspora), but it's still in beta.

Good to know, thanks.

Regarding Mullvad, assuming that your X60* is one of the 64-bit models, you can now use their three-hour trial[1] with their desktop client[2] to see if it gets you past the GF. If it works, it should also work on macOS and your Android devices. To get it working with Bishop you'll need to use OpenVPN instead of the desktop client, but that shouldn't take you long to set up. I couldn't get the desktop client working on my Hyperbola system, but the OpenVPN configuration is pretty painless.[3]

* Congrats, btw. My X60 is my favorite computer I've owned. The backlight went out a few months ago, and after trying and failing to fix it I bought an X200. The X200's brighter screen is nice, but I miss the X60's more compact keyboard. I recently acquired an old X61 (can't be librebooted :( but same build as the X60) on which I'm now testing Trisquel 9, and it's such a relief to type on. Not everyone likes the trackpoint, but I think it's worth getting used to. I get annoyed by laptops that require me to remove one hand from the keyboard in order to access the mouse.

[1] https://www.mullvad.net/en/account/create/
[2] https://github.com/mullvad/mullvadvpn-app/releases/download/2018.6/MullvadVPN-2018.6_amd64.deb
[3] https://www.mullvad.net/en/guides/linux-openvpn-installation/

strypey
Joined: 05/14/2015

chaosmonk:
> The location of the *server* is what determines things like whether or not they have to keep logs.

I don't have a reference off the top of my head but I remember reading that US law had been altered to say that any US company is under US legal jurisdiction, regardless of where their servers are physically located.

> If Purism has VPN servers in safer jurisdictions than the US

Even if I'm wrong about that, what I've found with ExpressVPN is that we don't get the luxury of picking what country we want to access a server in, because only a handful of their servers are accessible from inside the GF at any given time. We just have to hope every day that we can find some that are working and quite often that includes US-based servers. I notice they tend to be the ones with better bandwidth too.

Regarding Mullvad, I've paid for librem.one so I'm going to focus on getting that working for now. If I can't get it going by the end of the month, I'll ask for a credit, and try again in a few months' time. At that point, I'll certainly consider Mullvad. Also I noticed PenguinVPN mentioned on the ThinkPenguin website. Is that their service? If so, that would be another one I'd like to support if it works for our needs.

strypey
Joined: 05/14/2015

I'm trying to figure out how to use .ovpn files to set up VPN connections in Trisquel, so I don't need to install ExpressVPN's non-free client app. I searched the forums but only found old, dead threads related to Trisquel 7 and older (with GNOME instead of Mate). Can anyone offer any tips or recommend any resources on setting up OpenVPN under a Mate DE?

Magic Banana

Joined: 07/24/2010

The instructions for Trisquel 7 probably still apply: both Trisquel 7 and Trisquel 8 have NetworkManager.

strypey
Joined: 05/14/2015

MagicBanana:
> The instructions for Trisquel 7 probably still apply

Maybe, but all the ones I've found were about how to do it using various parts of the GNOME GUI. I tried to follow them in Mate and got hopelessly lost.

strypey
Joined: 05/14/2015

I finally got connected to ExpressVPN without their non-free app, using these instructions:
https://www.jvnkmqh.com/support/vpn-setup/app-for-linux/#install

FYI here is another discussion on the topic of VPN options on this forum, not sure how I missed this:
https://trisquel.info/en/forum/vpns

chaosmonk

Joined: 07/07/2017

> > The instructions for Trisquel 7 probably still apply

> Maybe, but all the ones I've found were about how to do it using various parts of the GNOME GUI.

nm-applet and nm-connection-editor are not "parts of the GNOME GUI." They are standalone programs that work in any desktop environment (as long as the DE has a systray for nm-applet). Since MATE uses them just like GNOME 2 did (I think LXDE and XFCE do too), the DE shouldn't make a difference. What might make a difference is the fact that Flidas presumably has newer versions of nm-applet and nm-connection-editor. Can you link to the wiki page(s) that need to be updated?

strypey
Joined: 05/14/2015

chaosmonk:
> the DE shouldn't make a difference

The instructions I found were all based on using GUI tools, not issuing commands, and the way NM is configured in Mate is quite different from the GNOME-based instructions I found.

> Can you link to the wiki page(s) that need to be updated?

I couldn't find any wiki pages about this using the site search, so all I had to go on was old forum threads. I think it would be a lot easier for new users if help pages were on a separate subsite, with its own search, somewhere like help.trisquel.info.