privacyguides/privacyguides.org
1
0
Fork 0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-07-02 01:32:41 +00:00
Code Issues Activity

update: Add criteria to VPN Services page and update other sections (#2788)

Browse Source 
Updates include:
- Obfuscation info, ProtonVPN IPv6 and added missing download links
- added a few criteria

Testing:
- Proton has IPv6 support on Linux but it didn't work for me
- Requirements for FDE/ram servers make sense to prevent logging by malicious employees.
- Mullvad/IVPN are ram-only while Proton has FDE.
- Requirements for the jurisdiction is to prevent cases like RiseupVPN (https://riseup.net/en/about-us/press/canary-statement).

Co-authored-by: redoomed1 <161974310+redoomed1@users.noreply.github.com>
Co-authored-by: fria <138676274+friadev@users.noreply.github.com>
Signed-off-by: Daniel Gray <dngray@privacyguides.org>
This commit is contained in:
Triple T
2024-11-10 08:32:10 +00:00
committed by Daniel Gray
parent 3573915166
commit 1c30ca8cbc
6 changed files with 37 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
docs/vpn.md
View File

@ -32,7 +32,7 @@ Our recommended providers use encryption, support WireGuard & OpenVPN, and have
| Provider | Countries | WireGuard | Port Forwarding | IPv6 | Anonymous Payments
|---|---|---|---|---|---
| [Proton](#proton-vpn) | 112+ | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Partial Support | :material-alert-outline:{ .pg-orange } | Cash
| [Proton](#proton-vpn) | 112+ | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } Partial Support | :material-information-outline:{ .pg-blue } Limited Support | Cash
| [IVPN](#ivpn) | 37+ | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } | :material-information-outline:{ .pg-blue } Outgoing Only | Monero, Cash
| [Mullvad](#mullvad) | 45+ | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero, Cash
@ -56,6 +56,7 @@ Our recommended providers use encryption, support WireGuard & OpenVPN, and have
- [:simple-appstore: App Store](https://apps.apple.com/app/id1437005085)
- [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
- [:fontawesome-brands-windows: Windows](https://protonvpn.com/download-windows)
- [:simple-apple: macOS](https://protonvpn.com/download-macos)
- [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup)
</details>
@ -89,9 +90,9 @@ Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://wiregua
Proton VPN [recommends](https://protonvpn.com/blog/wireguard) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols) for the protocol is not present in their Linux app.
#### :material-alert-outline:{ .pg-orange } No IPv6 Support
#### :material-alert-outline:{ .pg-orange } Limited IPv6 Support
Proton VPN's servers are only compatible with IPv4. The Proton VPN applications will block all outgoing IPv6 traffic, so you don't have to worry about your IPv6 address being leaked, but you will not be able to connect to any IPv6-only sites, and you will not be able to connect to Proton VPN from an IPv6-only network.
Proton [now supports IPv6](https://protonvpn.com/support/prevent-ipv6-vpn-leaks) in their browser extension but only 80% of their servers are IPv6-compatible. On other platforms, the Proton VPN client will block all outgoing IPv6 traffic, so you don't have to worry about your IPv6 address being leaked, but you will not be able to connect to any IPv6-only sites, nor will you be able to connect to Proton VPN from an IPv6-only network.
#### :material-information-outline:{ .pg-info } Remote Port Forwarding
@ -179,7 +180,7 @@ IVPN previously supported port forwarding, but removed the option in [June 2023]
#### :material-check:{ .pg-green } Anti-Censorship
IVPN has obfuscation modes using the [v2ray](https://v2ray.com/en/index.html) project which helps in situations where VPN protocols like OpenVPN or Wireguard are blocked. Currently this feature is only available on Desktop and [iOS](https://ivpn.net/knowledgebase/ios/v2ray). It has two modes where it can use [VMess](https://guide.v2fly.org/en_US/basics/vmess.html) over QUIC or TCP connections. QUIC is a modern protocol with better congestion control and therefore may be faster with reduced latency. The TCP mode makes your data appear as regular HTTP traffic.
IVPN has obfuscation modes using [v2ray](https://v2ray.com/en/index.html) which helps in situations where VPN protocols like OpenVPN or Wireguard are blocked. Currently this feature is only available on Desktop and [iOS](https://ivpn.net/knowledgebase/ios/v2ray). It has two modes where it can use [VMess](https://guide.v2fly.org/en_US/basics/vmess.html) over QUIC or TCP connections. QUIC is a modern protocol with better congestion control and therefore may be faster with reduced latency. The TCP mode makes your data appear as regular HTTP traffic.
#### :material-check:{ .pg-green } Mobile Clients
@ -195,7 +196,7 @@ IVPN clients support two factor authentication. IVPN also provides "[AntiTracker
![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right }
**Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since 2009. Mullvad is based in Sweden and does not offer a free trial.
**Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since 2009. Mullvad is based in Sweden and offers a 30-day money-back guarantee for payment methods that allow it.
[:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary }
[:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" }
@ -244,7 +245,7 @@ Mullvad provides the source code for their desktop and mobile clients in their [
#### :material-check:{ .pg-green } Accepts Cash and Monero
Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. Prepaid cards with redeem codes are also available. Mullvad also accepts Swish and bank wire transfers.
Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. Prepaid cards with redeem codes are also available. Mullvad also accepts Swish and bank wire transfers, as well as a few European payment systems.
#### :material-check:{ .pg-green } WireGuard Support
@ -262,7 +263,12 @@ Mullvad previously supported port forwarding, but removed the option in [May 202
#### :material-check:{ .pg-green } Anti-Censorship
Mullvad has obfuscation an mode using [Shadowsocks with v2ray](https://mullvad.net/en/help/shadowsocks-with-v2ray) which may be useful in situations where VPN protocols like OpenVPN or Wireguard are blocked.
Mullvad offers several features to help bypass censorship and access the internet freely:
- **Obfuscation modes**: Mullvad has two built-in obfuscation modes: "UDP-over-TCP" and ["Wireguard over Shadowsocks"](https://mullvad.net/en/blog/introducing-shadowsocks-obfuscation-for-wireguard). These modes disguise your VPN traffic as regular web traffic, making it harder for censors to detect and block. Supposedly, China has to use a [new method to disrupt Shadowsocks-routed traffic](https://gfw.report/publications/usenixsecurity23/en).
- **Advanced obfuscation with Shadowsocks and v2ray**: For more advanced users, Mullvad provides a guide on how to use the [Shadowsocks with v2ray](https://mullvad.net/en/help/shadowsocks-with-v2ray) plugin with Mullvad clients. This setup provides an additional layer of obfuscation and encryption.
- **Custom server IPs**: To counter IP-blocking, you can request custom server IPs from Mullvad's support team. Once you receive the custom IPs, you can input the text file in the "Server IP override" settings, which will override the chosen server IP addresses with ones that aren't known to the censor.
- **Bridges and proxies**: Mullvad also allows you to use bridges or proxies to reach their API (needed for authentication), which can help bypass censorship attempts that block access to the API itself.
#### :material-check:{ .pg-green } Mobile Clients
@ -270,7 +276,7 @@ Mullvad has published [App Store](https://apps.apple.com/app/id1488466513) and [
#### :material-information-outline:{ .pg-blue } Additional Notes
Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers). They use [ShadowSocks](https://shadowsocks.org) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22).
Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers). They also provide the option to enable Defense Against AI-guided Traffic Analysis ([DAITA](https://mullvad.net/en/blog/daita-defense-against-ai-guided-traffic-analysis)) in their apps. DAITA protects against the threat of advanced traffic analysis which can be used to connect patterns in VPN traffic with specific websites.
## Criteria
@ -293,14 +299,15 @@ We require all our recommended VPN providers to provide OpenVPN configuration fi
- Killswitch built in to clients.
- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing.
- Censorship resistance features designed to bypass firewalls without DPI.
**Best Case:**
- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
- Easy-to-use VPN clients
- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
- [IPv6](https://en.wikipedia.org/wiki/IPv6) support. We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble).
- Obfuscation technology which pads data packets with random data to circumvent internet censorship.
- Obfuscation technology which camouflages the true nature of internet traffic, designed to circumvent advanced internet censorship methods like DPI.
### Privacy
@ -325,13 +332,16 @@ A VPN is pointless if it can't even provide adequate security. We require all ou
- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
- Forward Secrecy.
- Published security audits from a reputable third-party firm.
- VPN servers that use full-disk encryption or are RAM-only.
**Best Case:**
- Strongest Encryption: RSA-4096.
- Optional quantum-resistant encryption.
- Forward Secrecy.
- Comprehensive published security audits from a reputable third-party firm.
- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
- RAM-only VPN servers.
### Trust
@ -340,6 +350,7 @@ You wouldn't trust your finances to someone with a fake identity, so why trust t
**Minimum to Qualify:**
- Public-facing leadership or ownership.
- Company based in a jurisdiction where it cannot be forced to do secret logging.
**Best Case:**
@ -371,4 +382,4 @@ Responsible marketing that is both educational and useful to the consumer could
### Additional Functionality
While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include content blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include content blocking functionality, warrant canaries, excellent customer support, the number of allowed simultaneous connections, etc.