Hii guys,

A lot of YouTubers these days seem to advertise VPN services like NordVPN, TunnelBear, ExpressVPN etc. etc; And even on Facebook, Mastodon etc. I see the occasional "What VPN do you recommend?" post come by.
Additionally, when I say that I don't use commercial VPN garbage, people that aren't in IT (or are shit at it) tend to look at me all surprised.
In this post, I'll be going over what a VPN is, what it does and why I don't use commercial VPNs.

Let's get started!

What is a VPN?

A VPN or "Virtual Private Network" provides an encrypted connection to a server elsewhere.
It was originally designed for businesses so that they could allow access to services on their LAN (or "Intranet") without having to completely expose them on the WAN (commonly known as the "Internet"), this is known as a "remote-access VPN"

Additionally, it allowed businesses to also let servers across different physical locations to each access the LAN of another location, again, without exposing it on the WAN, this is known as "site-to-site VPN".
This offers a cheap, yet secure alternative to renting a line directly between two sites.


Remember that I said "encrypted", this is a very important part of a VPN connection.
Back in the day, using encryption on servers themselves in the form of HTTPS or SMTPS was expensive because you had to buy certificates for this, as such, encryption of these services wasn't too common either.
By encrypting your data before sending it out, it makes it more difficult for a malicious person to sniff out your data, so, it was ideal to keep data secure without paying a lot to do so.
Again, ideal for remote work, especially when using hotspots, which don't have encryption either (you wouldn't want the login details for your company accounts just spilling out right?).
VPN was a cheap way to have your employees connect from outside securely.

There are a few standards used for making a VPN connection:
- PPTP (old, very well-supported, insecure)
- L2TP/IPsec (Secure-ish but can be troublesome with firewalls and is inefficient)
- IKEv2 (not very common)
- SSTP (Shit support outside Windows)
- OpenVPN (Open-Source, very common)
- Wireguard (Open-Source, experimental)
In this post, I won't go into the details about the specific standards, just avoid PPTP and use OpenVPN were possible.

In more modern times, a VPN is often used by "regular people" as a proxy server in order to hide your traffic from your ISP and hide your IP from the service you're trying to access.

Why I use a VPN

I also use a VPN, which runs at home, for exactly the same reason VPN was designed, allowing remote access to my LAN without having to expose everything.
Eg. When I'm on the road but need a file from my NAS, I connect to my VPN and just do it that way instead of exposing my NAS to the internet.
That's it really...
- Need to connect to the SSH of my server? VPN.
- Need to access files on my NAS? VPN.
- Need to administer my Minecraft server? VPN.

Why I don't use a commercial VPN

As I've already said, a VPN is often used by regular people as a proxy server as opposed to using it for remote access.
Commercial VPNs are a big part in this.
Their marketing often promises the following things:
- Protecting you from hackers.
- Securing your data with "military grade" encryption.
- Privacy.
- Bypassing censorship.
However, there are some problems with these claims.
Let's break each of them down, shall we?

A commercial VPN does not help much against hackers.
Remember, we live in 2021 (at the time of writing), we have awesome initiatives like Let's Encrypt which allows websites to have HTTPS for free.
This means when you visit a website, your data is already encrypted.
When you visit my website, for example, your traffic to and from my website is encrypted using TLS1.3 and the AES-128-GCM encryption protocol.
My OpenVPN server, for example, uses this very same encryption and so do most other VPN providers.


This means that your data is already secure from hackers during the transport.
As such, a VPN wouldn't add anything at all.
Most of the time when an account can get hacked, it means something else went wrong like:
- The website itself may have been vulnerable.
- You used a weak/compromised password.
- You didn't use 2FA.
- You simply forgot to log-out elsewhere.
In none of these cases, a VPN would even remotely help you.
And if a site your visiting doesn't use HTTPS in 2021, then you should start considering whether you want to be on that site to begin with.

"Military grade" encryption also doesn't mean too much, it is simply a marketing term.
Most of the commercial VPN providers don't even provide this to begin with.
The NSA has approved AES-256 to be the first publicly available and open cipher approved by the NSA to protect information classified as "top secret".
However, most commercial VPNs only use AES-128.
The difference between AES-256 and AES-128 are some minor details like how much rounds data goes through the encryption before being sent out and the size of the key used.
But fret not, AES-128 is, at this moment, a very strong cipher that is actually also used for a lot of communication within agencies like the NSA.
If it's good enough for the NSA, it's good enough for us right?

For privacy, a VPN also doesn't do much.
Think about it, what do you do before you turn on your VPN?
- Do you use a hardened OS like TailsOS?
- Do you clear all cookies in your browser?
- What sites do you visit?
- If your OS leaking data elsewhere?
There is so much more to privacy than just swapping your IP.
Facebook and Google, for example, have plenty of cookies in your browser that can be used to track you anyhow.
The only way it helps for privacy is because it makes it difficult for your ISP to see where you are going.
However, there are other ways for them to find this one out, eg. if you still use their DNS.
As such, a VPN for the sake of "privacy" won't help here.

The only reason one can realistically use a commercial VPN is to bypass something like GeoIP blocks (eg. to access the American KetFlix if you're from Europe), but that is where it ends.
For bypassing censorship, depending on what you do, you might be better off using TOR or I2P.

So basically, 3 out of the 4 "reasons" to use a commercial VPN are just bogus meant to empty your pockets.
- If you want security: make sure you keep your accounts secure (use unique passwords that are hard to guess).
- If you want "military grade" encryption: Don't worry about it, you are very likely already using more than adequate encryption.
- If you want privacy: Use TailsOS and don't use it for shit like Facebook or Google.
- If you want to bypass GeoIP blocks: Sure, use a VPN.
- If you want to bypass censorship: Use TOR or I2P.
To put it frankly, if you use a commercial VPN, think about why are you using it.

Anyhow, that is it for this one.
I hope you learned a thing or two about VPNs and why commercial VPNs just suck and that you are off better just ignoring them (unless you want to get around GeoIP blocks)
As always, feel free to join me on my subreddit.

Cheers.