anagogistis 6 hours ago

Hi, I'm the author of the blog post and just wanted to say thanks for the discussion.

I agree that relying solely on desktop VPN clients (especially closed-source ones) is risky... The network namespaces approach is new to me, but it looks like a solid way to isolate traffic and avoid these kinds of leaks entirely. Thanks for the suggestions.

pshirshov 6 hours ago

I don't know any single VPN provider apart from Mullvad with proper v6 implementation.

  • prism56 17 minutes ago

    Pretty sure I've had IPv6 on Proton. How do I check if it's "proper"?

  • Dagger2 18 minutes ago

    Even Mullvad give out ULA addresses. You can hardly call that a proper implementation :(

  • sitzkrieg 4 hours ago

    Mullvad is the only normie VPN worth using. Worth every penny.

  • lxgr 5 hours ago

    Do you know if it's supported using OS-native VPN client implementations as well (i.e. WireGuard, IKEv2, or maybe OpenVPN), or only using their official client?

    • aryan14 4 hours ago

      You could run WireGuard through the CLI directly instead of jumping through the Mullvad app itself.

    • sva_ 5 hours ago

      You can download the WireGuard/OpenVPN config files all at once in their web interface.

      • lxgr 5 hours ago

        I've seen that, but I just wasn't sure if that also works for IPv6.

        According to their own docs, it seems to work for at least OpenVPN:

        > Those not using the Mullvad client program can just add the directive "tun-ipv6" to their OpenVPN configuration file.

        • sva_ 5 hours ago

          Yas. When you download the config files you can choose between IPv4 and IPv6.

  • patrakov 5 hours ago

    SwissVPN provides a /64.

    • seany 4 hours ago

      Do they allow inbound ports?

      • patrakov 3 hours ago

        Yes, all inbound ports are open.

  • ramon156 6 hours ago

    Solid dev + OSS ecosystem + Flat rates

    I'm satisfied!

    • ffsm8 5 hours ago

      $5/month vs e.g. $2/month with a long-running sub with e.g. PIA (Chinese owners) though... I wish Mullvad provided long-running subs with better prices than what they currently provide.

      • bitxbitxbitcoin 5 hours ago

        Would love a source for Chinese owners of PIA. Last I knew, it was Israeli owners.

        -source, former employee.

        • c420 5 hours ago

          You are correct: "Kape Technologies is a United Kingdom-based cybersecurity software company. Kape owns VPN services and cybersecurity tools, including CyberGhost, Private Internet Access (PIA), ZenMate, ExpressVPN, and Intego."

          https://en.m.wikipedia.org/wiki/Teddy_Sagi#Kape_Technologies

          • ffsm8 4 hours ago

            Yes, I misremembered. It was bought by Israelis after all. I don't think my point is affected by this however.

            And I feel quite illiterate right now. I somehow managed to misread both your comments twice

      • baobun 5 hours ago

        "sub" as in subsidized by your data eh?

      • joecool1029 4 hours ago

        Buy a year voucher off Amazon, comes to $4.75/mo. Or be lucky like me and buy the 6 month for $29 from them and receive a 12 month voucher instead when they grab the wrong one.
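The Mullvad sub-thread above turns on whether a downloaded WireGuard config routes IPv6 into the tunnel at all. As an added example (not code from the blog post or from Mullvad), this checks the AllowedIPs and Address fields of a wg-quick config for exactly that; the config text and keys are constructed placeholders.

```python
"""Flag IPv6 leak exposure in a wg-quick style WireGuard client config (added
example; config text and keys are constructed placeholders). wg-quick routes
only the AllowedIPs prefixes into the tunnel, so covering 0.0.0.0/0 but not
::/0 lets a dual-stack host send IPv6 traffic to the ISP directly."""
import ipaddress

def parse_wg_config(text):
    """Return ([Interface] Address entries, [Peer] AllowedIPs networks)."""
    addresses, allowed, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")           # split on first '=' only
        values = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key.strip().lower() == "address":
            addresses += [ipaddress.ip_interface(v) for v in values]
        elif section == "peer" and key.strip().lower() == "allowedips":
            allowed += [ipaddress.ip_network(v, strict=False) for v in values]
    return addresses, allowed

def routes_all(nets, version):
    """True if the prefixes of one IP version merge into a single /0."""
    same = [n for n in nets if n.version == version]
    merged = list(ipaddress.collapse_addresses(same)) if same else []
    return len(merged) == 1 and merged[0].prefixlen == 0

def assess(text):
    """Return finding codes; an empty list means a full dual-stack tunnel."""
    addresses, allowed = parse_wg_config(text)
    v4, v6 = routes_all(allowed, 4), routes_all(allowed, 6)
    findings = []
    if v4 and not v6:
        findings.append("IPV6_LEAK")        # IPv6 bypasses the tunnel
    if v6 and not any(a.version == 6 for a in addresses):
        findings.append("IPV6_NO_ADDRESS")  # routed in, but no v6 source address
    if not v4 and not v6:
        findings.append("SPLIT_TUNNEL")     # not a full-tunnel config at all
    return findings

LEAKY = """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32
[Peer]
PublicKey = PLACEHOLDER_SERVER_KEY
AllowedIPs = 0.0.0.0/0
"""
# Same peer with a tunnel IPv6 address and split /1 routes for both families.
DUAL = LEAKY.replace("10.64.0.2/32", "10.64.0.2/32, fc00:bbbb::2/128").replace(
    "0.0.0.0/0", "0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1")
```

`assess(LEAKY)` reports `IPV6_LEAK` while `assess(DUAL)` returns an empty list; the split /1 prefixes are merged before the check so overlapping or duplicated prefixes are not mistaken for a default route.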

dongcarl 3 hours ago

If you can't see your VPN's source code, you can almost safely assume that they're broken in some way.

  • ses1984 2 hours ago

    If you can see it you can also almost safely assume it’s broken in some way.

  • rasengan 2 hours ago

    > If you can't see your VPN's source code, you can almost safely assume that they're broken in some way.

    This is definitely true insofar as you had better be able to see client code. That said, since you cannot see what the server is running, even if they release their code, you will still end up with a trust actor or two (VPN operator or sometimes multiple VPN operators in double-hop cases).

    That's exactly the reason we introduced deterministic and verifiable VPN technology on https://VP.NET which allows you to actually see the code the VPN servers are running. Instead of trust in a non-deterministic human actor you can now trust deterministic and verifiable code.

    It is the end of privacy theater!

    [1] I am a co-founder of VP.NET

the8472 9 hours ago

network namespaces provide a clean host/vpn split.

https://blog.thea.codes/nordvpn-wireguard-namespaces/

  • webstrand 5 hours ago

    I just built the same thing using `systemd-nspawn --directory=/ -b`. The nice part about using nspawn is that you have access to all of the normal network configuration tools like systemd-networkd to configure the devices and networks, rather than using a python script. It also provides a nice place for running services inside of the container, since process management is also included.

AAAAaccountAAAA 3 hours ago

I have no idea why it seems to be so hard for VPN providers to get IPv6 right. The technology has been here for ages. Also, unlike physical ISPs, VPN providers have no other way to differentiate from each other but getting this sort of thing right, so one could expect them to be motivated, but no.

Denatonium 6 hours ago

For the love of God, don't use PureVPN! They have been proven in court to log traffic, despite claiming not to.[1]

[1] https://cyberinsider.com/vpn-logs-lies/

  • patrakov 5 hours ago

    They are one of the few VPN providers that give out public IPv4 addresses, and you can even get a static one. So, if you are using them for having a public IP, not for privacy, please continue doing so.

    • joecool1029 4 hours ago

      There are better options for that. One of them: https://njal.la/ (this service was formerly known as IPredator and run by former piratebay/piratebyran people)

    • lxgr 5 hours ago

      Interesting, do you know if they actually assign them to the VPN interface (rather than just passing through inbound connections to a public IP to the private IP of the VPN interface)?

      That could come in handy for hosting things behind double NAT.

      • patrakov 5 hours ago

        They assign it directly to the interface, and letting others connect to stuff behind CGNAT is indeed my use case.

        Two other VPNs working for this purpose are OVPN (+1 for them using WireGuard, but their Singapore node is slow) and SwissVPN (limited to only 30 Mbps by contract, but they do provide these contracted 30 Mbps).

rasengan 8 hours ago

Separately, PureVPN is one of the providers you can’t trust [1].

[1] https://www.makeuseof.com/worst-vpns-you-shouldnt-trust/

  • lxgr 7 hours ago

    I'm not surprised, given that I received 140% cashback(!) on their 2 year plan a while ago. Unless the hope is that most users forget to cancel before it renews, I'm assuming that I'm paying with my personal information.

    It still does the trick for accessing bank and other websites from abroad (that somehow consider a VPN IP more trustworthy than a residential ISP in a Western European country, but that's a different story), but I wouldn't use it for anything sensitive.

    I also definitely wouldn't run their client locally, and their WireGuard configurations are annoyingly only valid for 15 minutes after creation. (Weirdly, there doesn't seem to be any limitation on IKEv2.)

    • greyb 5 hours ago

      There are many VPNs on TopCashback offering 100%+ cashback. I assumed most of them were trying to build up user numbers in order to sell or get acquired, since I can't logically understand why a VPN would pay so much for an affiliate bonus.

    • Sophira 7 hours ago

      Given what you said about not using it for anything sensitive, I'm assuming you're not actually logging into your bank... right?

      • lxgr 7 hours ago

        Everything is TLS-encrypted anyway these days, so the primary concern is metadata privacy.

        When it comes to that, I trust VPN providers about as much as ISPs (i.e. absolutely not).

        • rasengan 6 hours ago

          VP.NET doesn't require any trust at all [1][2].

          [1] https://vp.net/l/en-US/blog/Don%27t-Trust-Verify

          [2] I work for VP.NET and can answer any questions regarding the technology as well!

          • lxgr 6 hours ago

            Interesting! But "no trust required" is a strong statement; don't I need to trust at least Intel? :)

            • rasengan 4 hours ago

              You do need to trust Intel as it relates to deterministic and verifiable SGX hardware. SGX has had issues, but these are fixed pretty quickly [1]. Creating the isolated layer like SGX gives you verification of what is running on VP.NET's servers though, and the code is available to review and compile yourself so you can verify it is the same [2].

              From a defense in depth standpoint, the more layered and isolated securities, the better.

              [1] https://sgx.fail

              [2] https://github.com/vpdotnet/vpnetd-sgx

IlikeKitties 9 hours ago

I strongly suggest that you use something like Network Namespaces through Vopono[0] or Gluetun[1] if you use a commercial VPN for "privacy" or "security" aka torrenting and shitposting. Relying on these clients is always a gamble, and if your software (browser, torrent client, etc.) cannot know your public IP, only the internal IP of the VPN, you are also safe against some exploits and misconfigurations a desktop client won't protect you against.

[0] https://github.com/jamesmcm/vopono

[1] https://github.com/qdm12/gluetun

  • Varelion 8 hours ago

    Wouldn't blocking IPv6 and using a kill-switch prevent leaking?

    • Denatonium 6 hours ago

      In the case of PureVPN, the only way of preventing leaks is by switching to a different provider. There is definitive proof that they keep logs despite their claims to the contrary. I have linked to a federal criminal complaint where the FBI requested logs after the offense and was given them by PureVPN. The relevant portion is on page 22.

      https://www.justice.gov/archives/opa/press-release/file/1001...

    • fulafel 6 hours ago

      Block IPv4 as well and you're pretty solid.

    • IlikeKitties 8 hours ago

      No, not in all cases. Imagine your browser gets 0-dayed and just sends all IPs it sees to an endpoint.

  • nikanj 8 hours ago

    I strongly suggest you disable ipv6, as nothing will break by disabling it but many things break with it enabled.

    • lxgr 7 hours ago

      That's not true anymore.

      IPv6 allows for more direct connections for services like VoIP or Tailscale, since UDP hole punching between two firewalled public IPv6 addresses usually just works, but doesn't between two clients both behind a "port-restricted cone" or "symmetric" NAT.

      As a result, connections have to be relayed, which increases latency and is just outright infeasible for some non-profit services that don't have a budget for relaying everyone's traffic.

      Anecdotally, I've also heard that you can get better routing via IPv6 on IPv4-via-NAT-only providers these days, as the provider's CG-NAT might be topologically farther away than the IPv6 server you're connecting to.

    • indigo945 8 hours ago

      Alternatively, disable ipv4. The same statement holds true.

      • ZiiS 8 hours ago

        Unfortunately this is not true; loads of cool techy stuff (Sentry, GitHub, etc.) still doesn't work properly on IPv6, and less techy stuff really didn't care at all.

      • ta1243 8 hours ago

        Lots of things will break if you disable IPv4, including my work-provided Zscaler Windows laptop (and not break in the good way where it fails open when you block traffic to Zscaler nodes on your router).

        Very little will break if you disable ipv6

        • denkmoon 6 hours ago

          Enterprise malware not doing v6 properly hardly counts, it’s a good day for them when they don’t just bsod your entire network.

        • mrweasel 5 hours ago

          A lot of stuff breaks when you run Zscaler.

          • ta1243 3 hours ago

            Absolutely, yet it's a requirement for many people.

    • mrweasel 5 hours ago

      That's not really true anymore. I've used a connection with both IPv4 and 6 for the past two years. There have been a number of times where my stuff magically works while others have issues, because my traffic is mostly over IPv6. Not once have I had an issue because my setup is dual-stacked.

      • patrakov 5 hours ago

        This is still true for ISPs that don't monitor their IPv6 connectivity. I was forced to disable IPv6 recently because of this: https://www.reddit.com/r/ipv6/comments/1nf3ytq/how_do_i_comp...

        And before you say "change the ISP": Globe is the only one that does not refuse to provide services to foreigners and does not lock you up into a 24-month non-cancellable contract, which is longer than any available non-resident visa.

        • mrweasel 4 hours ago

          That's not really an IPv6 issue, but an ISP issue. My old ISP didn't monitor anything and relied on customers to call them up and explain that their connection was down. Sometimes customers had to tell them that their connection to entire towns was down, because they didn't know.

          I'm fairly fortunate that my ISP not only offers IPv6, but also knows how to run their network. Denmark has plenty of ISPs that don't provide IPv6, don't know how to run a network, or in many cases both.

jmyeet 4 hours ago

I'm surprised at how negative HN as a whole is on VPNs. The argument seems to go that VPNs don't really give you much privacy. I disagree. I don't think they give absolute privacy but there are benefits.

As soon as you use a service in another country, it greatly complicates anyone trying to pierce that veil. A US shield can be pierced by John Doe warrants, FISA warrants, pen registers and so on. Some of these options are open to average citizens who may want to dox you or simply report your activity to government agencies, which is more relevant now than it has been in many years.

We've seen several websites pop up to dox people who don't show sufficient deference to Charlie Kirk's murder. We have an administration who now seeks to deport people, deny entry to visa holders and deny visas to people who criticize Israel.

For so many people in the US, citizens and otherwise, an extra level of privacy has become essentially mandatory.

The US ISP market is dominated by regional monopolies where you have no other option. ISPs monitor your traffic, not only to sell your data to data brokers but to decide if you're doing anything "inappropriate" like using a file-sharing service. How long before that extends to the content of your speech?

I'm glad people are doing things like exposing IPv6 leaks (as in this post) and other weaknesses. Some here will take this as further evidence that VPNs are of little or no value. I don't. I want to know who the good providers are.

  • ashleyn 3 hours ago

    As surveillance of social media ramps up, either by the government or by angry mobs, they're rapidly growing to be essential to use any unencrypted platform.

  • bongodongobob 3 hours ago

    It's because the primary function of VPNs isn't privacy, it's to connect to a remote network and treat it as your LAN. Any privacy or security stuff is completely orthogonal.

varispeed 3 hours ago

I encountered this with a different VPN provider. Probably many more have this issue.

xkcd1963 6 hours ago

What about NordVPN and ExpressVPN, are those somewhat trustworthy?

  • mrweasel 6 hours ago

    Given their need to advertise with pretty much any YouTube channel willing to take their money, I'd be inclined to question the quality of the likes of NordVPN and SurfShark.

  • baobun 5 hours ago

    It boggles me how one can see them as anything but sus after tops 30 minutes of looking into it. You get that all those "top 5 vpn" sites and youtube recs are sponsored, right?

  • AzzyHN 4 hours ago

    Trustworthy enough to shitpost behind? Sure.

    Trustworthy to break some actual laws behind? Absolutely not.

  • jmyeet 4 hours ago

    I wouldn't trust either, for different reasons.

    Both of them really advertise too much (IMHO) to be trusted. They rely on introductory pricing and hoping people don't realize and get billed at a much higher rate, a model I personally hate.

    But ExpressVPN has an additional reason: ties between it, its founder and Israel. There's a BDS argument against right there but additionally, there are accusations that ExpressVPN traffic is or can be monitored by Israeli intelligence.

    That last one is a risk of many VPNs, which is why you have to be careful about who the owners are and where the company is incorporated. I personally prefer VPNs that are located in more privacy-focused jurisdictions (eg Iceland, Switzerland).

    Mullvad is a popular option on HN. I'm also relatively positive on PrivadoVPN (located in Switzerland). Some Redditors question the quality of the service. So far it's been fine for me.