With six strikes on the horizon, I'd like to make my network more secure. Need help!

ekuest (Supreme [H]ardness). Joined: Feb 23, 2009. Messages: 6,094
I've been building computers for many years, but never played with networking and security before. I am aware of proxies and VPNs but never used them before. I would like to avoid a paid subscription service like a VPN because I don't like monthly fees and I'm not entirely sure I want to send all my information through a third party. I am fine with spending money on hardware, such as a small router build, but just don't like monthly fees.

So my question is, what is the best way to effectively hide my internet activity from my ISP and other spying eyes? Proxy? VPN? Both? And what is the best way to implement this for myself? Any links to walkthroughs or in-depth articles on how to set up your own system would be appreciated. Thanks!

~ekuest
 
Any method sufficiently advanced to avoid detection by your ISP (aka your next hop) is going to add latency and will involve filtering your traffic through a third party (mostly correct; as correct as I'm going to be in this thread anyway)*.

Well, almost any method. The safest method is to stop downloading stuff you shouldn't be downloading.

* - Additionally, there is nothing saying that that third party won't give up their logs if pressed.
 
VPN by far, but it will drag your connection down and at the very least add lag to even a top plan. There is no getting around it. For decent anonymity you're going to have to shell out the dough because you're no longer just using your own bandwidth, but that of the VPN server (whomever it may be) which is the reason why it costs money to begin with.

Proxies and things like Tor were not designed for downloading much more than images/text on the Internet. People quite often abuse those methods and hurt others in the process, unless of course there is a proxy service specifically designed for mass downloads. VPNs usually don't keep logs, at least not for very long for purposes crucial to their business practice, not for selling out your information to the first person that tries to be intimidating.
 

The good VPNs keep no other user info than subscriber email and credit card info... Most keep no logs of activity for more than a day, as the log files of a commercial VPN service get to be terabytes with only timestamp and login name.

They might turn over the little info they have under subpoena, but the good ones keep no logs of real value for more than a matter of hours if that.
 
Or you could not do illegal things...JK...

VPN is definitely the way to go, finding the right one is difficult and may take you some troubleshooting/testing.
 
Ok thanks for the advice guys. So I thought I've heard people talk about building their own VPN servers or routers or something, does that make sense? It seems like in order for something like that to work, you need to have a VPN set up with a unit somewhere other than your own home, so therefore it can't be done without a third party. Is that right? If there really is no way to do this locally, what is the best paid VPN service that you guys recommend? I don't need super fast speeds as long as I can go on my regular network if I need to, say, download a 10GB Steam game or something. I just want something that can keep most of my data hidden at around 2-5MB/s.
 

Lifehacker has had write-ups on VPNs. There are several good ones. I use Private Internet Access; it costs $40 per year with lots of servers, no logs and no bandwidth limits.

I pay for 20/2 cable and I get that over my VPN with minimal impact on ping. Only sucky thing is that most wifi routers do not have the computational power to run VPN on your router for an entire network.
 

I have a Linksys E3000, and I think 15/1 internet. I'm pretty sure I will either be building a tiny PC to use as a router/firewall, or else to use as a dedicated bittorrent/sensitive browsing rig. I would just RDP into it from my laptop. $40/year isn't very bad at all actually. Do you like the service? Good features, etc?
 
You could look at getting a VPS at http://www.bahnhof.net/. I'm thinking about it, since this shit is pretty much happening in Canada too, they recently snuck a bill through where they can request info from ISPs now (like they've been doing in the states for a long time). Before that, downloading used to be legal here, which made this country awesome. Now we're just turning into the US. But enough politics...

Definitely a good idea to be more protected in this day and age. But yeah you need to decide what traffic you want to send as if you send everything it will definitely slow things down, and VPS/dedicated servers also have bandwidth limits so you want to be careful not to go over.
 

Price depends on how much throughput/bandwidth you want. Generally for uncapped usage expect $40-80/year IME right now. Go read on Lifehacker and other places.

I'm quite happy with what I've gotten so far out of PrivateInternetAccess. They're by no means the only fish in the sea though...though they are the most competitive when it comes to price and still offering all the features as of when I was shopping.

Most wifi routers simply lack the computational power to run encrypted VPN. Severely lack. I was chatting up my VPN provider via their online chat this afternoon (they were home on a Sunday which was damn convenient). Typically due to CPU constraints most wifi routers at best can only throughput 2-4 megabit via VPN. I was seeing exactly that on my 20/2 connection using my DD-WRT router for VPN tunneling and was wondering if it was a configuration thing or normal...turns out it is normal. I was seeing normal throughput for my ISP on a standalone client on the same servers on my Android and desktop.

All wifi routers, even new ones, are simply tremendously computationally underpowered when it comes to running VPN on them.

*Note you can VPN tunnel on Android, but it burns battery fairly quick. Quick even by my Note2 and its 3100mAh battery standards.

> You could look at getting a VPS at http://www.bahnhof.net/. I'm thinking about it, since this shit is pretty much happening in Canada too, they recently snuck a bill through where they can request info from ISPs now (like they've been doing in the states for a long time). Before that, downloading used to be legal here, which made this country awesome. Now we're just turning into the US. But enough politics...
>
> Definitely a good idea to be more protected in this day and age. But yeah you need to decide what traffic you want to send as if you send everything it will definitely slow things down, and VPS/dedicated servers also have bandwidth limits so you want to be careful not to go over.

Bandwidth limits or the lack thereof completely depends on the VPN service. Many of the good paid VPN services don't cap....but you're going to pay $40-80/year for no caps.

As to throughput impact, it can be minimal, this is me pretending to be in the old New York Port Authority building...only reason this isn't 20/2 is it is peak usage time for Time Warner here, ping is typical for my cable modem:

 
Go pro and setup a dedicated DMZ for a single VPN host. Block off everything except the VPN so nothing leaks. Do your stuff on the VPN host and your normal stuff in your LAN.

Personally, I use privitize.com since it's free. Just pay extreme attention when installing, check every option and every "Advanced" button you find. They want you to install some serious crapware. I strictly use it only to cloak my IP address from BitTorrent, no browsing, nothing else and it's firewalled completely except for the VPN connection itself.

For a free solution it works pretty well if you pay attention and don't install the crapware parts.

Free also means no money trail. Also you're behind NAT which means no incoming connections but also shared IP address with other users, so even more "cloaking".

Edit: Fun bit: Download links on thepiratebay.se change to "Download ... anonymously" when using this VPN, so this might suggest the TPB guys are somehow involved or endorse it.
 

Can you explain the DMZ thing like you're explaining it to a 6 year old? Can you also explain the privitize.com thing a bit more too? It sounds like all your normal browsing etc is not hidden, but everything you download with bittorrent goes through a VPN? Also how is it free? Do they just hope you'll accidentally install their junk adware? Do you have any worries about them keeping logs of any of your information and might give it up?
 
> Can you explain the DMZ thing like you're explaining it to a 6 year old?

http://en.wikipedia.org/wiki/File:DMZ_network_diagram_1_firewall.svg

In this picture, you'd have for example a virtual machine in the DMZ running the VPN stuff and a firewall blocking off everything from that VM except the VPN connection. This way you can be sure that nothing from that VM leaks your real address to the Internet. For a 6-year old, this is advanced stuff, though.

> Can you also explain the privitize.com thing a bit more too? It sounds like all your normal browsing etc is not hidden, but everything you download with bittorrent goes through a VPN?

By choice, I only do BitTorrent stuff in that VM I described above. You can do browsing, but I don't trust Privitize enough.

> Also how is it free? Do they just hope you'll accidentally install their junk adware? Do you have any worries about them keeping logs of any of your information and might give it up?

Yes, they seem to be ad-sponsored by logging people's browsing. Whether they do that with the adware only or by completely logging your traffic, I don't know. That's why I only do BT. I can't even be sure I completely evaded installing their adware. That's where all the firewalling helps, too.

The real threat these days with BitTorrent is "IP protection" companies that either 1) hop on popular torrents and record all IP addresses in the swarm so they can send demanding letters to ISPs via their lawyers or 2) put up fake torrents themselves and do the same.

So it all depends what Privitize is doing with such a letter (save for the fact that Privitize might actually be a company of the music/movie industry running a giant entrapment honeypot). With their VPN, you are behind NAT, sharing an address with other people. They would have to log IP:port on their end plus your IP address - basically they'd have to store the complete NAT table _and_ the requesting lawyer would not only have to request an IP address plus a timestamp, but also a port number.

I'm basically trusting Privitize to not store NAT tables 24/7 since that would be a huge nightmare for them. At the same time I'm not trusting them with my browsing habits.

It all boils down to evaluating your threat model and your available options very carefully. Depending on your level of expertise, this can be hard I'm afraid.
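The NAT-table point in the reply above is easier to see with a toy model. This is an added example, not code from anyone in the thread or from any VPN provider: it builds a constructed translation table for one shared exit address (RFC 5737 documentation ranges, invented login names) and shows what a log request can and cannot resolve depending on whether the requester supplies a port and whether the provider retained the table at all.

```python
"""Toy model of a shared-egress (NAT'd) VPN exit and what a log request needs.

Added example, not from the thread. Addresses, ports, names and timestamps are
constructed sample data; nothing here reflects a real provider's records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

EXIT_IP = "203.0.113.7"   # constructed: the one public address all subscribers share


@dataclass(frozen=True)
class NatEntry:
    start: datetime        # when the mapping was created
    end: datetime          # when it expired
    subscriber: str        # constructed login name on the provider's side
    inside: str            # tunnel address handed to that client
    public_port: int       # source port a remote peer (or swarm monitor) sees


# Constructed NAT table: several subscribers active at once behind EXIT_IP.
T0 = datetime(2013, 2, 24, 20, 0, 0)
NAT_TABLE = [
    NatEntry(T0, T0 + timedelta(minutes=30), "user_a", "10.8.0.2", 40001),
    NatEntry(T0, T0 + timedelta(minutes=30), "user_b", "10.8.0.3", 40002),
    NatEntry(T0 + timedelta(minutes=5), T0 + timedelta(minutes=40), "user_c", "10.8.0.4", 40003),
    NatEntry(T0 + timedelta(minutes=35), T0 + timedelta(minutes=60), "user_a", "10.8.0.2", 40004),
]


def candidates(public_ip: str, when: datetime, public_port: Optional[int] = None) -> Set[str]:
    """Subscribers whose mapping matches an observation of (ip, time[, port]).

    A swarm monitor records the exit IP, a timestamp and (if it bothers) the
    source port. IP plus time alone matches every mapping active at that
    instant; only the port narrows it to one subscriber.
    """
    if public_ip != EXIT_IP:
        return set()
    hits = set()
    for e in NAT_TABLE:
        if not (e.start <= when < e.end):
            continue
        if public_port is not None and e.public_port != public_port:
            continue
        hits.add(e.subscriber)
    return hits


def attribute(public_ip: str, when: datetime, public_port: Optional[int] = None,
              table_retained: bool = True) -> Optional[str]:
    """What a log request can yield: a unique subscriber, or None.

    table_retained=False models a provider that never stored the NAT table;
    then no amount of detail in the request recovers a name.
    """
    if not table_retained:
        return None
    found = candidates(public_ip, when, public_port)
    return next(iter(found)) if len(found) == 1 else None


if __name__ == "__main__":
    t = T0 + timedelta(minutes=10)
    print("ip+time only      ->", sorted(candidates(EXIT_IP, t)))
    print("ip+time+port 40002 ->", attribute(EXIT_IP, t, 40002))
    print("table not kept    ->", attribute(EXIT_IP, t, 40002, table_retained=False))
```

Two things follow from the model: a request that names only the exit IP and a timestamp is ambiguous across every subscriber active at that moment, and even a complete request (IP, time, port) is answerable only if the provider stored per-connection NAT state for that period. Whether a given provider does is exactly the question the reply leaves open.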
 
> Can you explain the DMZ thing like you're explaining it to a 6 year old? Can you also explain the privitize.com thing a bit more too? It sounds like all your normal browsing etc is not hidden, but everything you download with bittorrent goes through a VPN? Also how is it free? Do they just hope you'll accidentally install their junk adware? Do you have any worries about them keeping logs of any of your information and might give it up?

DMZ stands for Demilitarized Zone for the military and in computing as well.

The theory is that you route all your web traffic in your house through an in-house proxy server that is running the VPN software (and whatever other security software) on your web traffic before leaving your house or coming back into your house before/after hitting your ISP...rather than having standalone clients. Thus securing all your devices in your house and all your traffic. All your web traffic goes through it. The DMZ has everything locked down that doesn't absolutely need to be open, so spare ports etc. are not open etc etc.

In simpler terms it is the same thing in idea as using your wifi router to run VPN and be a firewall...just taken to the logical next step in supplying with adequate computing power, having a fancier name...and providing more options. Strictly speaking a router doesn't count as a DMZ, as they implement a DMZ simply through additional firewall rules...whereas a true DMZ has incoming traffic hit the DMZ computer first before reaching the firewall.


As far as Privitize, it is connected to Pirate Bay; they don't actually run it, as it is a 3rd party that runs it and TPB gets the ad revenue...last I knew you had no choice but to install adware like a search bar to install their client. In general for clearly explained services of high quality and all the desired features, expect to pay between $40-$80 or $100 USD per year. Lots of VPNs are VERY wishy-washy about what they do with the privacy of your data, and those are generally the not-well-thought-of ones...and with VPNs the entire point is privacy: if they don't explicitly state something on their website presume they do NOT have it. In our era of snake oil salesmen, everyone tries to avoid airing the not-so-pleasant facts of their service rather than being honest and upfront about it.

Some reading:

http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
-Asks the simple questions about privacy and gets simple answers...the ones with the best answers are the payware ones

http://www.vpnsp.com/reviews.html
-Lots of reviews of VPN services.
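Several replies above describe the same design: a dedicated VPN host (or VM in a DMZ) with a firewall that blocks everything except the VPN itself, so nothing on that box can leak the real address. Here is what that policy looks like written down. This is an added example, not the thread's or any vendor's code; the interface names (eth0 for the host's LAN-facing NIC, tun0 for the tunnel), the provider endpoint 203.0.113.10 udp/1194 and the resolver addresses are assumptions chosen for illustration. One rule list is rendered as an nftables ruleset and also evaluated, first match wins, against constructed sample packets, so the text and the model describe the same policy.

```python
"""Leak-proof ("VPN only") egress policy for a dedicated VPN host or VM.

Added example, not from the thread. eth0/tun0, 203.0.113.10:1194/udp and the
sample destinations are assumptions (RFC 5737 documentation addresses).
"""
from dataclasses import dataclass
from typing import Dict, Optional

VPN_SERVER = "203.0.113.10"   # assumed provider endpoint, by IP so no DNS is needed first
VPN_PORT = 1194
WAN_IF = "eth0"               # physical interface of the VPN host
TUN_IF = "tun0"               # interface the VPN client creates when the tunnel is up


@dataclass(frozen=True)
class Rule:
    oif: str                       # outgoing interface the rule applies to
    daddr: Optional[str] = None    # destination address, or any
    proto: Optional[str] = None    # "udp"/"tcp", or any
    dport: Optional[int] = None    # destination port, or any
    verdict: str = "accept"


# First match wins; the chain policy is drop, so anything unlisted is dropped.
OUTPUT_RULES = [
    Rule("lo"),                                   # loopback
    Rule(TUN_IF),                                 # anything that goes inside the tunnel
    Rule(WAN_IF, VPN_SERVER, "udp", VPN_PORT),    # the tunnel's own transport, nothing else on eth0
]


def render_nft() -> str:
    """Emit OUTPUT_RULES as an nftables ruleset (plus a minimal input chain)."""
    lines = ["table inet vpn_only {", "    chain output {",
             "        type filter hook output priority 0; policy drop;"]
    for r in OUTPUT_RULES:
        parts = [f'oifname "{r.oif}"']
        if r.daddr is not None:
            parts.append(f"ip daddr {r.daddr}")
        if r.proto is not None and r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        parts.append(r.verdict)
        lines.append("        " + " ".join(parts))
    lines += ["    }", "    chain input {",
              "        type filter hook input priority 0; policy drop;",
              '        iifname "lo" accept',
              "        ct state established,related accept",
              "    }", "}"]
    return "\n".join(lines)


@dataclass(frozen=True)
class Packet:
    oif: str
    daddr: str
    proto: str
    dport: int


def verdict(pkt: Packet) -> str:
    """Evaluate one outgoing packet against OUTPUT_RULES with first-match semantics."""
    for r in OUTPUT_RULES:
        if r.oif != pkt.oif:
            continue
        if r.daddr is not None and r.daddr != pkt.daddr:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.verdict
    return "drop"   # chain policy


# Constructed sample traffic. When the tunnel is down, tun0 is gone and the
# torrent client's packets would route out eth0; that is the leak to catch.
SAMPLE: Dict[str, Packet] = {
    "vpn handshake":                   Packet(WAN_IF, VPN_SERVER, "udp", VPN_PORT),
    "torrent peer via tunnel":         Packet(TUN_IF, "198.51.100.23", "tcp", 51413),
    "torrent peer when tunnel is down": Packet(WAN_IF, "198.51.100.23", "tcp", 51413),
    "dns to isp resolver on eth0":     Packet(WAN_IF, "192.0.2.53", "udp", 53),
    "dns via tunnel":                  Packet(TUN_IF, "10.8.0.1", "udp", 53),
}


def leak_report() -> Dict[str, str]:
    """Verdict for each sample packet; anything other than the tunnel on eth0 must be drop."""
    return {name: verdict(p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    print(render_nft())
    for name, v in leak_report().items():
        print(f"{v:6}  {name}")
```

The two cases worth checking are the last ones in the sample set: a torrent packet that tries to leave on eth0 because the tunnel dropped is refused rather than sent in the clear, and DNS to the ISP's resolver is refused on eth0 too, since lookups that bypass the tunnel reveal what you are connecting to even when the payload does not. The price of the second rule is that the VPN client has to be configured with the server's IP address (or resolve it before the ruleset is loaded), which is why the example assumes an IP rather than a hostname.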
 

So can I build a dedicated box to act as a DMZ and route all my data through it and be protected on all my computers? It seems like since the traffic is still coming in through my ISP's connection unprotected it wouldn't help at all. I could see it helping to filter out viruses and adware or something if I run my connection through a screen, but I don't understand how this would keep my activity private since the screen is after it comes from the ISP. And thanks for the links, I will start researching VPNs. I do like what you've told me about Privitize though.
 

It helps because the DMZ would handle all the VPN tunneling duties. Thus all your traffic on your LAN would be VPN'd before it left your house. VPN by definition is a good start at keeping you private; remember when VPN tunneling your data, people receiving your data do not see your actual IRL physical IP: at first glance they only see the VPN IP address which can be anywhere in the world....and most of the time, unless a court warrant or subpoena is issued no one is taking a closer look than a first glance. Google might ask for a captcha out of you, as your traffic appears anomalous, but then will not care. There are ways for people receiving your data to figure out where you actually are, if you don't plug every hole...but again, no one is going to take those unless they have sirens going off in an admin office.

Earlier in the thread I posted my Speedtest which reads me as being located in the old New York Port Authority Building....you think I'm actually physically located there? That is where the VPN tunnel server I presently use is. I can get those same results either VPNing on my immediate computer or going up the hierarchy of my LAN, VPNing on my wifi router, or VPNing on a DMZ. SpeedTest just takes a first look at the IP # on the request and presumes it is accurate. I could just as easily tunnel to another server in Canada or the European Union or China....but URLs are no longer universal (e.g. the Amazon page varies from country to country), and if I tunnel outside the US I can get shafted by copyright law and be locked out of content I use that is USA specific.

There are other steps you can take to reduce your digital footprint like Tor and Privoxy etc. Because when browsing lots of crap about who you are gets dumped into cookies and HTTP headers I believe....with a DMZ you could run Privoxy and Tor on the network traffic as well to sanitize all that stuff.

The downside of a whole-network VPN approach above all the LAN devices is that if your LAN is wireless b/g/n, people can still packet sniff your data OTA over your WiFi...whereas if each wifi computer is VPN tunneling to start with by themselves they'd have a hell of a time breaking into your traffic. It depends on how many devices you have on your LAN that you do not have direct control over whether a DMZ is worth the effort. Computers by nature love to call each other with open ports to ask how they're doing, and unless you close them, are a security nightmare. I have a thread going on down the hall in the Network forum about cheaply setting up a whole-network VPN device.
 
> Ah, Cerulean. Just who we were thinking of over in MenGay. We need you for a social experiment.

GayMen has a negative impact on my health. I'm very much liking and enjoying not having access to that forum; was a good decision.
 

So you're saying that even if I set up a DMZ, I still have to have some VPN service. It's just that the DMZ is on a VPN somewhere, and all my computers go through the DMZ and never see the dangerous outside world for themselves. That right? I may go down that route sometime in the future but for now I think it's probably not worth it. The main thing I want is to hide my bittorrent traffic, and honestly I'd rather do my online banking and shopping etc via secure https sites that I trust and have been using forever without a VPN than introduce a third party to all that traffic. So I guess what I want is probably just to set up a VPN service that I can run uTorrent and occasionally maybe some other programs through to keep myself safe from snooping RIAA and MPAA. $40/yr from Private Internet Access seems pretty reasonable for this, but I'll check out all the other options as well.

> Stop downloading Linux ISOs. Download Windows ISOs instead.

I actually downloaded my first Linux distro a week or two ago! Downloaded Mint, but I didn't use uTorrent. :/

> GayMen has a negative impact on my health. I'm very much liking and enjoying not having access to that forum; was a good decision.

o_0 haha I've never signed up for GenMay. I know I would waste even more time than I already do on this site, which is a lot.
 
Some important things to keep in mind with VPN services and Proxy services.

1. Many of them keep logs of what you are doing unless they DIRECTLY state that they do not. If they don't state either always ALWAYS assume they are keeping logs of what you are doing and don't bother using them. Make sure they state exactly how they treat your overall connection before paying for a service.

2. If you rent a monthly VPN and then connect to a VPN server in the states then you've completely gone about it the wrong way. The best way for VPNs to function is outside of the US, especially if you are concerned with true privacy. This may come off paranoid but it's actually fact: our government heavily monitors just about what every citizen is doing on the net day to day. Now the vast majority of monitoring for us is pretty minimal but IPs are logged, keywords are logged and anytime you connect to an IP in any country that the government considers to be a harbourer of any kind of unfriendly-to-the-US groups or government or military then your activity is monitored as well.

The simple truth is even with a VPN + Tor if you want real anonymity then connect to a country that isn't heavily engaged like ours. There are many that do not heavily or at all monitor their citizens and have stronger privacy laws than ours does. The Six Strikes law was forced on ISPs however and I doubt they will heavily enforce it. Many refuse anything other than sending emails and veiled threats but they will not be sacking customers to make the RIAA/MPAA happy. So keep that in mind.

3. You will take a heavy performance hit for the pleasure of real anonymity. No matter what VPN you use, once you leave the US and start connecting to a server outside and across the sea then you will probably see 20-25 percent of your normal speed without a VPN and sometimes even less than that.


I do not recommend setting up anything at home in a contained fashion. There can be outside factors that you haven't considered that could compromise your internal network, and unless you can run OpenVPN on your router, it's often more secure to run OpenVPN per computer or mobile device (that supports it), making it harder for anyone or anything interested in gaining access or proof with a slipped IP. Also I recommend against using IPsec; OpenVPN is heavily scrutinized with each release by security experts and is widely considered the most secure form of VPN.
 