Who Owns, Operates, and Develops Your VPN Matters
85 comments
· September 3, 2025 · fujigawa
davepeck
Long ago, in the era of Firesheep and exploding prevalence of coffee-shop Wi-Fi, consumer VPN services were definitely valuable.
But that was long ago. Now, HTTPS is the norm. The only use cases for consumer VPNs today seem to be (1) "pretend I'm in a different geography so I can stream that show I wanted to see" and (2) "torrent with slightly greater impunity".
I live in Seattle and Mullvad VPN seems to have bought approximately all of the ad space on public transit over the past couple months. Their messaging is all about "freeing the internet" and fighting the power. It's deeply silly and, I worry, probably quite good at attracting new customers who have no need for (or understanding of) VPNs whatsoever.
elondaits
What about a malicious DNS (on a public spoofed or hacked WiFi) that forwards you to a lookalike domain? Unfortunately many times public WiFi doesn’t work with Google’s or Cloudflare’s DNS servers (I think the Deutsche Bahn’s WiFi was such a case, if I remember correctly, but I know I came across a few in the last few years while traveling). I don’t think there’s anything protecting against that when you’re using a browser.
Sometimes circumstances force one to connect to a public WiFi (e.g. airports, where WiFi is always super dodgy).
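The rogue-resolver scenario from the comment above, as an added example (not code from the thread): build an A-record query, parse the resolver's reply off the wire, and flag the hotspot's answer when it disagrees with an answer fetched through an authenticated channel such as DNS over HTTPS. Both replies are constructed here so the script runs offline; the hostnames and addresses are made up.

```python
"""Spot a hotspot resolver that answers with the wrong address for a host.

Added example, not from the thread. Both DNS replies are constructed by
hand: one plays the captive Wi-Fi resolver, the other a reference
resolver reached over an authenticated channel. Standard library only.
"""
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """RFC 1035 A-record query, recursion desired, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> dict:
    """Return txid, rcode, queried name and the IPv4 answers in a reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = _read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0xF, "name": qname, "addrs": addrs}


def build_response(query: bytes, addrs: list, ttl: int = 60) -> bytes:
    """Constructed resolver reply to `query` (test data, not a real server)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:
        rdata = bytes(int(x) for x in a.split("."))
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name -> offset 12
    return header + query[12:] + rrs


def resolver_disagrees(local_reply: bytes, reference_reply: bytes, query: bytes) -> bool:
    """True if the local answers are not a subset of the reference answers,
    or if either reply's transaction ID does not match the query (forged)."""
    qtxid = struct.unpack("!H", query[:2])[0]
    local, ref = parse_a_records(local_reply), parse_a_records(reference_reply)
    if local["txid"] != qtxid or ref["txid"] != qtxid:
        return True
    return not set(local["addrs"]) <= set(ref["addrs"])


# Constructed scenario: the hotspot resolver points the bank at an attacker host.
QUERY = build_query("bank.example")
HONEST_REPLY = build_response(QUERY, ["203.0.113.10", "203.0.113.11"])
ROGUE_REPLY = build_response(QUERY, ["198.51.100.7"])

if __name__ == "__main__":
    print("rogue resolver detected:", resolver_disagrees(ROGUE_REPLY, HONEST_REPLY, QUERY))
```

The subset check deliberately tolerates a resolver that returns fewer records than the reference (CDNs hand out different subsets per query), so a mismatch means an address the reference never vouched for. Note that even when the spoof succeeds, a TLS client will reject the attacker's host unless it can present a certificate valid for the real hostname; the lookalike-domain variant relies on the user not noticing a different name.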
jkaplowitz
Also (3) work around overbroad restrictions on public Wi-Fi, which still sometimes do things like block Reddit or HN or SSH. But I guess more typical consumers than those of us here are less likely to experience those obstacles.
ghssds
(3) The fare aggregator that sold you a ticket to visit BFE conveniently also geoblocks that very place.
john01dav
What about (3) "bypass government censorship"? UK and China are examples of where this is desirable. This is different from (1) because it's broader than just streaming shows and is about authoritarian rather than capitalist restrictions.
eviks
Apparently, weaklings censor, so fighting them doesn't rise above the silly level.
flumpcakes
I think the general discussion is conflating censorship with age restrictions. Lumping the UK with China is very disingenuous.
The UK law is stipulating adult content can only be viewed if you are provably over 18. They are putting all of that responsibility onto the websites/platforms to enforce that.
If a child goes to a shop and tries to buy a pornographic magazine and they are denied, is that censorship?
If a child tries to see an 18 film at the Cinema and is denied, is that censorship?
The fact is both of these were freely and easily done on the Internet as most websites do not verify a user's age.
I do not like the online safety act as it is, but it is not "censorship".
oldpersonintx2
[dead]
some-guy
Mine is simple: avoid my ISP complaining about torrents.
ThatMedicIsASpy
Avoid my ISPs piss poor routing and peering - especially during peak times.
thisislife2
My ISP is smarter - they just block all the torrent and streaming sites I visit, and try to push me to upgrade to a plan with many streaming platforms bundled in it. Sucks for them, because I already subscribe to a few of them but still prefer torrenting to download videos to watch them offline whenever I want, without unnecessary time limits, in the video / audio quality I want, in the medium I want (TV, computer, mobile devices etc.), with the software (player) I like, without ads and other nags.
IlikeKitties
And shitposting here in germany has become slightly more dangerous. If you use a vpn to call your local politician an idiot, you are much less likely to get into legal trouble.
NoMoreNicksLeft
Here in the United States, I don't know that I could trust the vpn to protect me from that. I remember an incident from a few years ago, some idiot at Harvard emailed in a bomb threat to get out of finals. They arrested him only a few hours later. It's possible he misused the vpn, but I suspect that they merely contacted the vpn provider, got a shortlist of people going through that endpoint, and eliminated all of them not in Boston. Didn't require any Stuxnet-type fuckery or super-secret technology. Be careful and good luck.
nostrademons
Mine are:
1) I like Canadian shows in Netflix more than American
2) People in Silicon Valley get charged more on certain travel sites than people in Detroit.
giancarlostoro
> 2) People in Silicon Valley get charged more on certain travel sites than people in Detroit.
I wonder how this compares to Florida vs Detroit... Hmmm...
2OEH8eoCRo0
Which provider? How do you forward ports?
timpera
Port forwarding is really easy with PIA's client. I had to switch to them because Mullvad doesn't offer port forwarding anymore unfortunately.
NoMoreNicksLeft
Run docker and the haugene-transmission image if you don't want your wife complaining and asking why Facebook thinks she's visiting Romania.
spikej
Most non-technical people I know that have VPNs simply have it for streaming media from platforms that geo-restrict. It's a cat and mouse game as the provider bans servers/providers.
giancarlostoro
I used to pay for IPredator because it allowed me to "port forward" without exposing my actual IP. Used to host minecraft servers for friends behind a Swedish IP. Also funnily enough, I could login to it on my college computers and bypass the college firewall.
immibis
I pay to route my traffic through a barely known intermediary to obscure its origin. It all depends on your threat model for that traffic. If the traffic itself is not sensitive (or already encrypted) but you want to obscure the origin from the destination, or the destination from your ISP, it works.
tomrod
Commercial VPNs do indeed vaguely promise to protect your data, access, etc.
For those of us that are technical but unschooled, what resources would you recommend we learn from?
busterarm
You can operate your own VPN (algovpn, openvpn, etc). There's low utility to doing so, but it's fairly straightforward these days.
Or run Tailscale (and a self-hosted DERP relay).
jonny_eh
> You can operate your own VPN
On what infra? Can you trust that one? Doesn't that solution just move the problem down one level?
martin_a
I did this for a while in combination with a PiHole setup on a small vultr.com package.
Utility in that was that the traffic of all devices was routed through a "PiHoled VPN", so very little advertisements came through...
doublerabbit
And the caveat with this is you're going to encounter every Cloudflare capture possible.
zoklet-enjoyer
I use a VPN to access crypto apps that I'm geoblocked from
NoMoreNicksLeft
I was a Suddenlink cable internet customer, and they threatened to reveal my identifying information to copyright trolls. The $4/month was cheaper than a court judgement against me or the $250/month+ it'd cost to subscribe to all the various streaming services and premium cable channels (magazine/books/music/movies is probably closer to $4000/month in retail price tags). Last week I thought to myself "what if I downloaded the entire Book-of-the-Month-Club since 1924?"
VPNs work. I never got another single nasty letter from Suddenstink.
A few months back, I sat down for a week with a free trial of an obscure webapp, downloaded all of their data and formatted it into json via the javascript console, and pirated my first webapp. Since it's not making xhr calls constantly, it's even snappier than the official one. I'm inventing new piracy methodology. Some of us are more dedicated than the rest of you.
tetris11
MullvadVPN seem to be pretty decent at the moment, but it looks like they're laying down a worldwide VPN infrastructure of sorts that other VPN companies can rent (similar to phone networks)
This makes me feel a little uneasy about their unstated long-term goals (corner the entire market), but I do think they are the most trustworthy out there right now.
timpera
I think Mullvad's market share is still pretty low compared to NordVPN, which actually cornered the market thanks to their suspiciously large advertising budget.
pydry
Of the two I'm more suspicious that NordVPN is a CIA honeypot in the style of Crypto AG.
giobox
I also think this is the scandal waiting to emerge in this space; with what we know from Snowden/CryptoAG/Encrypted message app sting operations etc it is borderline impossible for me to believe not one of the major players is owned by a State level intelligence service.
aborsy
Do people here trust their ISPs more than their VPN providers? That’s the question!
On the other hand, as far as privacy from the end point is concerned, users can be identified regardless of IP addresses. Visit fingerprint.com, you will get an identifier, then connect to a privacy VPN and change servers once in a while. The website will identify you, tell you are the same user visited last week from such location, and the number of times you visited.
Browsers (except Tor) send so much data that accurate identification is possible without IP address. And services could refuse to work if users don’t provide the required information, although that info could be randomized.
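The point above, that a site can recognise the same browser across IP changes, as an added example (not code from the thread): compute a fingerprint from browser-reported signals with the IP deliberately left out, and link visits that score above a similarity threshold even when one signal (the browser version) has drifted. The visit records and the per-signal weights are constructed for illustration; they are not any fingerprinting vendor's model.

```python
"""Link browser visits across IP changes from fingerprint signals.

Added example, not from the thread. Visit records are constructed; the
weights are illustrative stand-ins for each signal's stability and
entropy, not a real vendor's model.
"""
import hashlib
import re

WEIGHTS = {                      # assumed values
    "canvas": 0.30, "webgl_renderer": 0.20, "fonts": 0.15, "screen": 0.10,
    "user_agent": 0.10, "timezone": 0.05, "languages": 0.05, "touch": 0.05,
}


def normalize(attrs: dict) -> dict:
    """Drop parts that churn legitimately, e.g. minor browser versions."""
    out = dict(attrs)
    out["user_agent"] = re.sub(r"(\d+)\.[\d.]+", r"\1", attrs.get("user_agent", ""))
    out["fonts"] = ",".join(sorted(attrs.get("fonts", [])))
    return out


def fingerprint(attrs: dict) -> str:
    """Stable identifier: hash of the normalized signals. The IP is not used."""
    norm = normalize(attrs)
    material = "|".join(f"{k}={norm.get(k, '')}" for k in sorted(WEIGHTS))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def similarity(a: dict, b: dict) -> float:
    """Weighted share of signals that agree after normalization (0..1)."""
    na, nb = normalize(a), normalize(b)
    return sum(w for k, w in WEIGHTS.items() if na.get(k) == nb.get(k))


def link_visits(visits: list, threshold: float = 0.8) -> list:
    """Cluster visit indices that look like one browser, whatever the IP."""
    clusters = []
    for i, v in enumerate(visits):
        for c in clusters:
            if similarity(visits[c[0]], v) >= threshold:
                c.append(i)
                break
        else:
            clusters.append([i])
    return clusters


# Constructed visits. 0-2 are one laptop: direct, via a VPN exit in another
# country, and a week later after a Firefox update. 3 is someone else.
BASE = {
    "canvas": "c1a9f0", "webgl_renderer": "ANGLE (Intel, Mesa Intel(R) Xe Graphics)",
    "fonts": ["DejaVu Sans", "Noto Sans", "Liberation Mono"], "screen": "2560x1440x24",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
    "timezone": "America/Los_Angeles", "languages": "en-US,en", "touch": "no",
}
VISITS = [
    dict(BASE, ip="203.0.113.5"),
    dict(BASE, ip="198.51.100.9"),          # VPN exit; timezone still the laptop's
    dict(BASE, ip="198.51.100.42",
         user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/129.0.1"),
    {"ip": "192.0.2.77", "canvas": "9e44b2", "webgl_renderer": "Apple M2",
     "fonts": ["Helvetica", "Menlo"], "screen": "1440x900x24",
     "user_agent": "Mozilla/5.0 (Macintosh) Safari/605.1", "timezone": "Europe/Stockholm",
     "languages": "sv-SE,sv", "touch": "no"},
]

if __name__ == "__main__":
    for i, v in enumerate(VISITS):
        print(i, v["ip"], fingerprint(v))
    print("linked:", link_visits(VISITS))
```

Changing the exit server changes only the IP, which this model never looks at; the time zone, screen and renderer still come from the machine. A browser update breaks the exact hash but not the weighted match, which is why real trackers score partial agreement rather than comparing one hash.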
thisislife2
I do trust my ISP more than any foreign VPN service providers because I have the option to take my ISP to court if they violate my rights. I stopped caring about anonymity on political subjects when I realised not being anonymous made me more civil online, and more mindful of what I want to talk about. (Of course, I can think like this because I have the privilege of living in a democracy).
immibis
If you lived in a place like Germany or the UK, you could get arrested for posting online that you don't like Israel. In this case, routing your traffic through an unknown intermediary makes sense.
adiabatichottub
I'm more worried about all the sites that require my phone number under the auspices of two-factor authentication. It's probably the most trackable bit of personally-identifying information these days.
vincnetas
How realistic is the possibility that some VPN providers use clients (computers of the person who installed the VPN) to just be able to crawl (or rent crawl infra) sites and make it look like regular residential traffic? (This is speculation I heard somewhere)
Like reverse VPN :) on one side makes client look like he's accessing internet from VPN exit location, and on the other end allowing for money someone to pretend that he's a residential client.
stordoff
There are various services that do this, e.g. BrightData:
> Bright Data is the World’s Largest Residential Proxy IP Network providing companies the ability to emulate a real user in any country, city or carrier (ASN) in the world. [...] Bright Data has an SDK (software development kit) that is implemented into applications. Bright SDK provides an attractive alternative to advertisements by providing the app user with the choice to opt-in to Bright Data’s network instead. For every user that opts-in to the Bright Data network, Bright Data pays a monthly fee to the application vendor, who passes that value on to the user by not displaying ads.
I haven't heard of any of the VPN providers doing this, but it wouldn't really surprise me.
nostrademons
This isn’t VPN providers per se - most want to be able to control their own exit nodes.
There are however a fair number of commercial proxies that do exactly that, sometimes via consumer malware. I know several startup founders who have used them as a way to scrape lots of data and not get banned. Usually the interface they provide to the customer is just a normal SaaS “pay us money and give us a list of URLs and we will give you the page content”, and the interface they provide to the end user is a game or marginally useful utility, and nobody but the company realizes they’re doing something dodgy.
kube-system
There are a number of "free" VPN providers that have been documented to do this, if you search you should find some articles about it.
tashian
The notion of "zero trust" shouldn't just mean corporations not having to inherently trust users and networks. It should also mean users not having to inherently trust corporations.
VPN providers all run the same two or three VPN protocols, all with similar security guarantees and privacy limitations.
I've been playing with MASQUE relays over the last year. Apple's iCloud Private Relay is a MASQUE relay (two, actually). MASQUE can offer genuine privacy improvements via traffic separation, preventing any single party from correlating the traffic source and destination.
Some of the privacy concerns of VPN users can be mitigated with better technology. And relays are built into Apple operating systems today. I'm surprised that they aren't very widely deployed yet.
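The traffic-separation property described above, as an added example (not code from the thread, and not the MASQUE or iCloud Private Relay wire format): the client wraps the destination for the second relay inside a packet the first relay can open, so the first hop learns the client address but only the next relay, and the second hop learns the destination but only the first relay as its source. Encryption here is a toy SHA-256 keystream with pre-shared keys, a stand-in for the real per-hop TLS/QUIC connections; the names, keys and addresses are constructed.

```python
"""Two-hop relay: no single party sees both who you are and where you go.

Added example, not from the thread and not the MASQUE wire format. It
models only the separation property. The cipher is a toy XOR keystream
(no authentication, fixed nonce) used so the script runs with the
standard library; never use it for real traffic. Keys, hostnames and
addresses are constructed.
"""
import hashlib
import json


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy encryption: XOR with a hash keystream (decryption is the same op)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


unseal = seal

K_INGRESS = b"client<->ingress key (assumed)"   # only client and first hop
K_EGRESS = b"client<->egress key (assumed)"     # only client and second hop
NONCE = b"\x00" * 8   # fixed for determinism; must be unique per message in practice
INGRESS, EGRESS = "ingress.relay.example", "egress.relay.example"


def client_wrap(client_ip: str, dest: str, payload: str) -> dict:
    """Inner layer for the egress (destination + data), outer layer for the ingress."""
    inner = json.dumps({"dest": dest, "payload": payload}).encode()
    outer = json.dumps({"next_hop": EGRESS,
                        "blob": seal(K_EGRESS, NONCE, inner).hex()}).encode()
    return {"src": client_ip, "blob": seal(K_INGRESS, NONCE, outer).hex()}


def ingress_relay(packet: dict, log: list) -> dict:
    """First hop: sees the client's address and the next relay, nothing else."""
    outer = json.loads(unseal(K_INGRESS, NONCE, bytes.fromhex(packet["blob"])))
    log.append({"party": INGRESS, "saw_src": packet["src"], "saw_next": outer["next_hop"]})
    return {"src": INGRESS, "blob": outer["blob"]}       # cannot open the inner blob


def egress_relay(packet: dict, log: list):
    """Second hop: sees the destination, but the source it sees is the ingress."""
    inner = json.loads(unseal(K_EGRESS, NONCE, bytes.fromhex(packet["blob"])))
    log.append({"party": EGRESS, "saw_src": packet["src"], "saw_dest": inner["dest"]})
    return inner["dest"], inner["payload"]


def run(client_ip="203.0.113.5", dest="news.example", payload="GET / HTTP/1.1") -> dict:
    log = []
    packet = ingress_relay(client_wrap(client_ip, dest, payload), log)
    delivered = egress_relay(packet, log)
    return {"delivered": delivered, "log": log}


def no_single_party_links(log: list, client_ip: str, dest: str) -> bool:
    """True if no relay observed both the real client address and the destination."""
    return not any(e.get("saw_src") == client_ip and e.get("saw_dest") == dest for e in log)


if __name__ == "__main__":
    result = run()
    for entry in result["log"]:
        print(entry)
    print("delivered:", result["delivered"])
    print("linkable by one party:", not no_single_party_links(result["log"], "203.0.113.5", "news.example"))
```

The guarantee holds only while the two hops are run by parties that do not pool their logs, which is why the deployed design puts them under different operators; a single-operator VPN collapses both roles into one box that sees everything.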
arewethereyeta
That's why we sell only the service [1] and point our users to the default app install (WireGuard in our case). Ever since Hola VPN and the entire Brightdata/Luminati clusterf~ VPNs are a risky business for users. Most of them are proxy nodes underneath, they rent you datacenter IPs while they sell your residential internet to third parties.
mzajc
> We offer highly secure, /.../Residential /.../ Proxies.
Where do you get residential proxies? I ask because I'm always reminded of https://sponsor.ajay.app/emails/.
arewethereyeta
Our residentials are actually dedicated which are advertised as residentials by the provider. Sort of a mix where you get speed and stability as opposed to real residentials which are known to barely hold a connection sometimes. We also tried subrenting some real residentials but we will probably close that service since it brings nothing but pain due to unreliability. We're more focused now on privacy oriented services or anti censorship ones. Working atm on bringing Amnezia Wireguard up, we launched Trojan proxies earlier this year also.
timpera
Do you have a source that shows that popular VPN providers such as Mullvad or NordVPN actually sell your residential internet to third parties? That's a bold claim, but pretty scary if true.
arewethereyeta
yes, search for NordVPN vs Luminati (guys behind Hola VPN) scandal: "nordvpn luminati lawsuit patent". Basically Luminati, now known as Bright Data, reached out to NordVPN in order to utilise their users' internet as residential proxy nodes. NordVPN thought otherwise and created their own network instead (Oxylabs if I'm not mistaken). They are still in patent wars I believe.
I don't know anything bad about Mullvad! That being said I, as a small business owner in this space, will not use any of them, ever. I know it sounds like a "yeah right" because I sell the services but I know better.
rpcope1
I mean can they really even if you're using off the shelf client software like plain OpenVPN?
arewethereyeta
maybe, harder though, and they will refuse to do so because that client install is close to malware on some providers. That's why we only hand out the config and instruct the user to install the official app.
username135
I've been a Proton supporter since email. I like their product suite. I use a VPN for all the reasons listed here, but mostly for obfuscating my traffic (and torrenting).
OutOfHere
Their email UI is extremely clunky and unrefined, both on the desktop and on the app. When I delete a message in the app, it just stays there in the folder. When I empty spam in the desktop, the count doesn't update. It's like they don't use their own product.
mlhpdx
I’ve been keen to point out there is more utility in the technology underlying VPNs than the VPN functionality itself. The WireGuard handshake and transport encryption are lightweight and secure and I added support for it to my service as an option to secure data in flight. It’s getting used by developers and enterprises, not consumers.
IPSec perhaps less so since it is more complicated and open to insecure configurations (transport mode).
try_the_bass
My pet theory for a while now has been that all of the biggest VPNs are secretly run by the NSA or other equivalent nation-state organizations.
arewethereyeta
Or worse, as the article points out,
Terr_
I'd like to point out that a regime may find it worthwhile to compromise more kinds/sizes of VPNs than we might expect.
The evil regime doesn't need to have a popular evil VPN that everybody uses... it may be enough to operate (or hack) a smaller VPN which can unmask enough dissidents that their friend-groups can be found by other means.
01HNNWZ0MV43FF
That threat model for Signal worries me.
If I was the US government, I'd push Google Play to offer compromised updates of Signal silently to a few people I was interested in. Even among the highly-technical, who is going to be inspecting binaries installed on a phone regularly?
Does Signal even have reproducible builds? How do I know the code matches the binary?
I'd make my own messenger.... but I don't have the money for that at all.
I wish these risks could be split up and handled separately - Suppose I run a private dark network for me and my friends, and then the GUI for chatting over it runs in a sandbox where it can only message servers that I control, using public/private keys that I control.
Conflating a million lines of Java GUI code with "Noise is a simple and secure protocol" seems like a big attack surface.
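The "how do I know the code matches the binary" question above, as an added example (not code from the thread and not Signal's own tooling): the standard reproducible-build check for an Android app unpacks the installed APK and a locally built one and requires every entry to be byte-identical, ignoring only the signing metadata under META-INF/, which the publisher's key produces and a local build cannot. The two archives are constructed in memory so the script runs offline; a real check would read the APK pulled from the device and the one produced by the documented build.

```python
"""Compare an installed APK against a locally reproduced build.

Added example, not from the thread and not Signal's tooling. Rule applied:
all entries must match byte for byte except the publisher's signing files
under META-INF/. The APKs below are constructed in memory (an APK is a
zip archive), so no device or build environment is needed.
"""
import hashlib
import io
import zipfile

SIGNING_PREFIX = "META-INF/"


def entry_digests(apk_bytes: bytes) -> dict:
    """Map entry name -> SHA-256 of its uncompressed content, skipping META-INF/."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNING_PREFIX):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(installed: bytes, reproduced: bytes) -> dict:
    """Report entries that exist on one side only or differ in content."""
    a, b = entry_digests(installed), entry_digests(reproduced)
    return {
        "only_in_installed": sorted(set(a) - set(b)),
        "only_in_reproduced": sorted(set(b) - set(a)),
        "modified": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def matches(report: dict) -> bool:
    return not any(report.values())


def make_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


CODE = b"dex\n035" + b"A" * 64            # constructed classes.dex content
LAYOUT = b"<layout/>"

# Constructed: store build carries the vendor's signature, local build has none.
STORE_APK = make_apk({
    "classes.dex": CODE, "res/layout/chat.xml": LAYOUT,
    "META-INF/CERT.RSA": b"vendor signature blob",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
})
LOCAL_APK = make_apk({"classes.dex": CODE, "res/layout/chat.xml": LAYOUT})

# Constructed: a silently pushed build whose code differs by one byte.
TAMPERED_APK = make_apk({
    "classes.dex": CODE[:-1] + b"B", "res/layout/chat.xml": LAYOUT,
    "META-INF/CERT.RSA": b"vendor signature blob",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
})

if __name__ == "__main__":
    print("store vs local:", compare_builds(STORE_APK, LOCAL_APK))
    print("tampered vs local:", compare_builds(TAMPERED_APK, LOCAL_APK))
```

The check is only as good as the build it compares against: it needs a pinned toolchain so that the honest local build really is byte-identical, and it catches a targeted update only if someone with the targeted device runs it, which is the gap the comment above is pointing at.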
can16358p
I'd love to know how many people use VPNs because of "fear of being hacked" (hack covering everything non tech-savvy here).
Almost everyone I know uses VPNs only to bypass restrictions, not for fear or privacy.
CGMthrowaway
What is this list that doesnt include NordVPN and ExpressVPN?
arewethereyeta
A list made by NordVPN or ExpressVPN
akaksbsb
> ExpressVPN
You mean the one owned by an Israeli billionaire? Hopefully they don’t find a way to make your monitor remotely explode.
Commercial VPNs will go down as one of the greatest money-making schemes of the last decade. Outside of a few specific use cases their sales often rely on leveraging non-technical users' fear of what they don't fully understand.
I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".
Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."