Virtual Private Network (VPN) Service Recommendations?

Use ipset on your virtual host.
There are at least 150 countries which you are not going to connect from, e.g. Syria. :slight_smile:
So block ingress from those countries.
And then block some more.
ipset is so efficient (hash-based iptables) that there is no throughput degradation with many, many filtered netblocks.

Thu Oct 12 21:39:30 EDT 2017
 21:39:30 up 17 days,  2:07,  5 users,  load average: 0.05, 0.07, 0.08
Linux ziva 4.4.0-96-generic #119~14.04.1-Ubuntu SMP Wed Sep 13 08:40:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

-----------------

IPTABLES summary:
    0     0 REJECT     udp   match-set block-by-ip src reject-with icmp-port-unreachable
   46  2320 REJECT     tcp   match-set block-by-ip src reject-with tcp-reset
    4  2669 REJECT     udp   match-set block-by-country src reject-with icmp-port-unreachable
 3809  195K REJECT     tcp   match-set block-by-country src reject-with tcp-reset

-----------------

Block-by-IP filter set

TOP 25 COUNTRIES in IP BLOCKS since Wed Oct 11 00:21:50 EDT 2017:
PACKETS  ORIGIN
     36  US United States
      4  NL Netherlands
      3  FR France
      1  ES Spain
      1  CA Canada
      1  BE Belgium

TOP 25 IP ADDRESSES (of 27 total) in IP BLOCKS since Wed Oct 11 00:21:50 EDT 2017:
PACKETS  IP ADDRESS       ORIGIN
     12  104.131.127.75   US United States            New Jersey, Clifton, (Digital Ocean, Inc.)
      6  107.150.58.196   US United States            Missouri, Kansas City, (DataShack, LC)
      3  64.187.217.234   US United States            California, Los Angeles, (U.S. COLO, LLC)
      2  104.131.30.247   US United States            New Jersey, Clifton, (Digital Ocean, Inc.)
      1  98.160.119.44    US United States            Oklahoma, Bixby, 74008, (Cox Communications Inc.)
      1  94.142.242.84    NL Netherlands              N/A, N/A, N/A, (Netwerkvereniging Coloclue)
      1  85.150.101.113   NL Netherlands              N/A, N/A, N/A, (Euronet Communications B.V.)
      1  78.224.195.41    FR France                   Provence-Alpes-Cote d'Azur, Peyrolles-en-provence, (Free SAS)
      1  78.212.228.175   FR France                   Aquitaine, Vieux-boucau-les-bains, 40480, (Free SAS)
      1  76.104.47.239    US United States            Virginia, Glen Allen, (Comcast Cable Communications, LLC)
      1  75.118.6.103     US United States            Ohio, Hilliard, 43026, (WideOpenWest Finance LLC)
      1  72.52.75.27      US United States            California, Fremont, 94539, (Hurricane Electric, Inc.)
      1  71.6.146.186     US United States            California, San Diego, (CariNet, Inc.)
      1  66.35.51.195     US United States            Colorado, Denver, 80216, (FORTRUST)
      1  66.180.193.219   US United States            California, Los Angeles, (Cyberverse, Inc.)
      1  65.19.167.131    US United States            California, Fremont, 94539, (Hurricane Electric, Inc.)
      1  51.15.63.229     NL Netherlands              Noord-Holland, Haarlem, 2034, (Online S.a.s.)
      1  51.15.53.83      NL Netherlands              Noord-Holland, Haarlem, 2034, (Online S.a.s.)
      1  24.4.60.180      US United States            California, San Jose, (Comcast Cable Communications, LLC)
      1  24.119.126.64    US United States            Idaho, Caldwell, 83607, (Cable One, Inc.)
      1  23.16.101.236    CA Canada                   N/A, N/A, N/A, (TELUS Communications Inc.)
      1  2.139.78.32      ES Spain                    Canarias, Puerto De (Telefonica De Espana)
      1  208.100.26.232   US United States            Illinois, Chicago, 60607, (Steadfast)
      1  192.74.226.140   US United States            California, San Jose, (PEG TECH INC)
      1  178.116.138.143  BE Belgium                  West-Vlaanderen, Wilskerke, 8431, (Telenet BVBA)

BLOCKLIST EFFECTIVENESS (50550 IPs total, 48956 IPs after deduplication, 13607 IPs after country-culling, 27 IPs blocked)
     14 block-by-ip-blocklist.txt (40226)
     11 block-by-ip-rutgers.txt (2964)
      9 block-by-ip-torproject.txt (3768)
      7 block-by-ip-tordanlist.txt (753)
      3 block-by-ip-emergingthreats.txt (1381)
      3 block-by-ip-badips.txt (3260)

-----------------

Block-by-Country filter set

TOP 50 COUNTRIES (of 150 configured) in COUNTRY BLOCKS since Sat Oct  7 10:06:24 EDT 2017:
PACKETS  ORIGIN
    707  CN China
    648  UA Ukraine
    384  RU Russian Federation
    224  MX Mexico
    189  TT Trinidad and Tobago
    150  BG Bulgaria
    140  CL Chile
    118  ZA South Africa
    118  VN Vietnam
     95  US United States
     89  ID Indonesia
     75  HR Croatia
     72  PL Poland
     72  JP Japan
     70  PH Philippines
     68  BR Brazil
     58  AR Argentina
     57  RS Serbia
     43  MD Moldova, Republic of
     39  TN Tunisia
     32  TW Taiwan
     31  IN India
     31  CR Costa Rica
     24  KR Korea, Republic of
     24  HK Hong Kong
     24  DO Dominican Republic
     23  NL Netherlands
     23  HU Hungary
     23  DZ Algeria
     14  TH Thailand
     14  IR Iran, Islamic Republic of
     13  MY Malaysia
     12  LV Latvia
     12  CZ Czech Republic
     11  AZ Azerbaijan
      9  KW Kuwait
      8  SC Seychelles
      7  SG Singapore
      7  PE Peru
      7  IQ Iraq
      7  EC Ecuador
      5  JO Jordan
      4  IL Israel
      3  TR Turkey
      3  NG Nigeria
      3  KZ Kazakhstan
      3  EG Egypt
      3  BD Bangladesh
      2  UY Uruguay
      2  QA Qatar

TOP 50 CIDRs (of 347 total) in COUNTRY BLOCKS since Sat Oct  7 10:06:24 EDT 2017:
PACKETS  CIDR             ORIGIN
    251  60.160.0.0/11    CN China                    Yunnan, Kunming, N/A, (No.31,Jin-rong Street)
    189  46.0.0.0/16      RU Russian Federation       Samara, Samara, 404146, (JSC ER-Telecom Holding)
    189  190.58.0.0/15    TT Trinidad and Tobago      N/A, N/A, N/A, (Telecommunication Services of Trinidad and Tobago)
    144  213.169.32.0/19  BG Bulgaria                 N/A, N/A, N/A, (Mobiltel Ead)
    140  37.115.0.0/16    UA Ukraine                  Dnipropetrovs'ka Oblast', Dnepropetrovsk, (Kyivstar PJSC)
    127  187.128.0.0/11   MX Mexico                   N/A, N/A, N/A, (Address not found)
    123  77.91.128.0/18   UA Ukraine                  N/A, N/A, N/A, (Telesystems of Ukraine LLC)
    108  186.156.0.0/16   CL Chile                    Atacama, Copiapo, N/A, (VTR BANDA ANCHA S.A.)
     98  113.56.0.0/15    CN China                    Hubei, Wuhan, N/A, (CHINA UNICOM China169 Backbone)
     91  58.240.0.0/12    CN China                    Jiangsu, Nanjing, N/A, (CHINA UNICOM China169 Backbone)
     90  189.224.0.0/11   MX Mexico                   Nuevo Leon, Monterrey, (Uninet S.A. de C.V.)
     88  196.52.0.0/14    US United States            New Jersey, Edison, (IO Capital Princess, LLC)
     83  188.163.0.0/16   UA Ukraine                  Kyyiv, Kiev, N/A, (Kyivstar PJSC)
     72  46.118.0.0/15    UA Ukraine                  Dnipropetrovs'ka Oblast', Dneprodzerzhinsk, (Kyivstar PJSC)
     66  93.136.0.0/13    HR Croatia                  Grad Zagreb, Zagreb, (Hrvatski Telekom d.d.)
     61  195.211.216.0/21 RU Russian Federation       Saint Petersburg City, (OOO Sestroretskoe Cable Television)
     57  93.72.0.0/13     UA Ukraine                  Kyyiv, Kiev, N/A, (Volia)
     57  24.135.0.0/16    RS Serbia                   N/A, N/A, N/A, (Serbia BroadBand-Srpske Kablovske mreze d.o.o.)
     57  114.56.0.0/14    ID Indonesia                Jawa Tengah, N/A, (INDOSATM2 ASN)
     51  91.200.0.0/20    UA Ukraine                  Kyyiv, Kiev, N/A, (Orion City LLC)
     51  78.111.176.0/20  UA Ukraine                  N/A, N/A, N/A, (Intertelecom Ltd)
     51  169.0.0.0/15     ZA South Africa             Western Cape, Cape (Afrihost)
     50  188.162.0.0/16   RU Russian Federation       Novosibirsk, N/A, N/A, (PJSC MegaFon)
     39  197.0.0.0/11     TN Tunisia                  Tunis, Kram, N/A, (TOPNET)
     38  196.250.216.0/21 ZA South Africa             not found (Neotel Pty Ltd)
     36  178.136.0.0/15   UA Ukraine                  Kyyiv, Kiev, N/A, (Private Joint-stock Company farlep-invest)
     35  180.76.0.0/14    CN China                    Beijing, Beijing, N/A, (Beijing Baidu Netcom Science and Technology Co., Ltd.)
     33  95.65.0.0/17     MD Moldova, Republic of     Chisinau, Chisinau, N/A, (Starnet Servicii SRL)
     29  186.26.112.0/20  CR Costa Rica               N/A, N/A, N/A, (Telgua)
     27  58.192.0.0/11    CN China                    Jiangsu, Lianyungang, N/A, (China Education and Research Network Center)
     27  157.104.0.0/13   JP Japan                    N/A, N/A, N/A, (Address not found)
     25  196.208.0.0/13   ZA South Africa             Gauteng, Johannesburg, 2000, (IS)
     25  113.160.0.0/11   VN Vietnam                  Ha Noi, Hanoi, (VNPT Corp)
     24  186.150.0.0/16   DO Dominican Republic       Distrito Nacional, Santo (TRICOM)
     24  185.13.232.0/22  PL Poland                   Podlaskie, Bialystok, 15-019, (KOBA Sp. z o.o.)
     23  185.203.240.0/21 NL Netherlands              not found (NovoServe B.V.)
     23  105.96.0.0/12    DZ Algeria                  N/A, N/A, N/A, (Telecom Algeria)
     21  103.79.140.0/22  VN Vietnam                  Ha Noi, Hanoi, (VNPT Corp)
     18  95.160.0.0/16    PL Poland                   Mazowieckie, Warsaw, 02-523, (Vectra S.A.)
     18  201.32.0.0/13    BR Brazil                   Rio de Janeiro, (Telemar Norte Leste S.A.)
     18  182.18.192.0/18  PH Philippines              Manila, Pasig City, (SKYBroadband SKYCable Corporation)
     16  114.32.0.0/12    TW Taiwan                   T'ai-pei, Taipei, N/A, (Data Communication Business Group)
     15  47.29.0.0/16     IN India                    Bihar, Nadghat, 800007, (Reliance Jio Infocomm Limited)
     15  190.44.0.0/14    CL Chile                    Araucania, Temuco, N/A, (VTR BANDA ANCHA S.A.)
     15  190.192.0.0/14   AR Argentina                Buenos Aires, Chacabuco, (Prima S.A.)
     15  181.41.192.0/19  CL Chile                    N/A, N/A, N/A, (Digital Energy Technologies Chile SpA)
     15  130.105.0.0/16   PH Philippines              N/A, Acacia, 1474, (SKYBroadband SKYCable Corporation)
     15  124.104.0.0/14   PH Philippines              Manila, Makati, 1214, (Philippine Long Distance Telephone Company)
     15  121.101.128.0/21 ID Indonesia                Jawa Tengah, Magelang, (PT SELARAS CITRA TERABIT)
     14  81.16.192.0/20   HU Hungary                  Gyor-Moson-Sopron, Sopron, 9400, (ZNET Telekom Zrt.)

-----------------

fail2ban filter set

LAST 10 IPs BLOCKS VIA FAIL2BAN (currently 5 active rules):
PACKETS  IP ADDRESS       ORIGIN                      BANTIME               REASON
      0  195.154.236.242  FR France                   2017-10-09 19:20:39   [ssh]      N/A, N/A, N/A, (Online S.a.s.)
      0  185.190.58.244   US United States            2017-10-10 01:06:14   [ssh]      New Jersey, Piscataway, (Hostkey B.v.)
      0  195.154.56.164   FR France                   2017-10-10 17:05:12   [ssh]      N/A, N/A, N/A, (Online S.a.s.)
      0  93.39.252.194    IT Italy                    2017-10-10 17:38:29   [ssh]      Lombardia, Cormano, 20032, (Fastweb)
      0  206.124.17.40    US United States            2017-10-10 21:22:14   [ssh]      Colorado, Denver, 80228, (privateI, LLC)
     21  66.223.173.179   US United States            2017-10-11 10:12:25   [ssh]      Alaska, Anchorage, 99517, (GENERAL COMMUNICATION, INC.)
      3  52.172.218.109   IN India                    2017-10-11 11:03:05   [ssh]      Maharashtra, Pune, 411001, (Microsoft Corporation)
     13  212.129.23.95    FR France                   2017-10-11 17:16:49   [ssh]      N/A, N/A, N/A, (Online S.a.s.)
      7  203.221.67.59    AU Australia                2017-10-12 00:32:04   [ssh]      New South Wales, (TPG Telecom Limited)
    108  173.212.226.28   DE Germany                  2017-10-12 18:44:30   [ssh]      N/A, N/A, N/A, (Contabo GmbH)
(*) a zero in the packets column indicates that a) the entry has recently expired or b) no packets have arrived since the filter was added.

-----------------

Name: block-by-ip
Type: hash:ip
Revision: 2
Header: family inet hashsize 8192 maxelem 65536 counters
Size in memory: 873920
References: 2
Entries: 13607

Name: block-by-country
Type: hash:net
Revision: 4
Header: family inet hashsize 16384 maxelem 65536 counters
Size in memory: 2449536
References: 2
Entries: 55983


------------------------------------------------------------------------------------------
methodology:

three packet filter stages are implemented:
1. Block-by-IP (static)
2. Block-by-Country (static)
3. fail2ban (dynamic)

1. the IP addresses in the Block-by-IP list are the union of seven different public lists of IPs,
from geographically different areas and using differing criteria for IP address inclusion.
the merged list is sorted, and duplicate IP addresses culled.
http://report.rutgers.edu/DROP/attackers
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://www.openbl.org/lists/base.txt
https://lists.blocklist.de/lists/all.txt
https://www.badips.com/get/list/any/3?age=2w
https://www.dan.me.uk/torlist/?exit
https://check.torproject.org/exit-addresses

2. the netblock addresses in the Block-by-Country list are from public IANA assignments, however
some geographic opaqueness can be expected as service providers in many instances assign portions
of IP address netblocks across national boundaries.
http://www.ipdeny.com/ipblocks/data/countries

notes:
in order to prevent double-checking of incoming packets during operation, each IP address in
the Block-by-IP list is checked against presence within a netblock in the Block-by-Country
list, and if a match is found the IP address is discarded from the Block-by-IP list.  as a
result, incoming packets are checked against the Block-by-IP list and Block-by-Country list
sequentially, and match/no-match determination is independent of order of check.  by extension,
however, the apparent effectiveness of the public lists of IPs is reduced, as a fair number
(typ. ~65%) of IP addresses are discarded by the comparison-check process.

both the Block-by-IP and Block-by-Country lists are implemented at the packet filter layer via ipset;
ipset is a tool for creating and utilizing hash data structures for extremely fast address comparison.
using ipset results in a very small number of actual iptables rules (which are linearly evaluated)
referencing ipsets (each of which are hash-evaluated).  ipsets can contain many tens of thousands of
IP addresses or CIDR netblocks with no appreciable network throughput degradation.
http://ipset.netfilter.org/index.html

example:
# iptables -L -v -n | grep set
    1   848 REJECT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set block-by-ip src reject-with icmp-port-unreachable
 1018 52696 REJECT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set block-by-ip src reject-with tcp-reset
    7   886 REJECT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set block-by-country src reject-with icmp-port-unreachable
 5402  286K REJECT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set block-by-country src reject-with tcp-reset


3. fail2ban is employed to backstop the above static filtering; fail2ban automatically introduces
new packet filter rules in response to repeated unauthorized login attempts or similar unwanted
behavior.  these filter rules expire after a user-defined period.

------------------------------------------------------------------------------------------
2 Likes
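The preprocessing described in the post above (merge the public IP lists, deduplicate, drop any IP already covered by a blocked country netblock, then load one hash:ip set, one hash:net set and four REJECT rules), written out as an added example. This is not the poster's own script: it uses Python's standard ipaddress module, constructed sample list contents in place of the downloaded files, and documentation-range addresses only; the set headers (hashsize, maxelem, counters) are copied from the ipset output shown in the post, and the file names in IP_LISTS and COUNTRY_NETS are assumptions.

```python
"""Rebuild `ipset restore` input from merged IP blocklists and country netblocks.

Added example, not code from the post it follows. Steps mirror the post's
methodology: union of several IP lists -> dedupe -> cull IPs that fall inside
a blocked country netblock -> emit text for `ipset restore` and `iptables`.
Every list below is constructed sample data standing in for the real files.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

IPv4 = ipaddress.IPv4Address
Net4 = ipaddress.IPv4Network

# Constructed sample inputs (assumed file name -> contents). Real lists carry
# comments and duplicates; the Tor exit list has extra tokens on each line.
IP_LISTS: Dict[str, str] = {
    "block-by-ip-rutgers.txt": "# attackers\n198.51.100.7\n203.0.113.9\n198.51.100.7\n",
    "block-by-ip-torproject.txt": "ExitAddress 203.0.113.9 2017-10-12 00:00:00\n192.0.2.44\n",
}
COUNTRY_NETS: Dict[str, str] = {
    "cn.zone": "203.0.113.0/24\n",
    "ru.zone": "192.0.2.128/25\n",
}


def parse_ips(text: str) -> Set[IPv4]:
    """Extract every IPv4 address token from a list; the set dedupes for free."""
    found: Set[IPv4] = set()
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        for token in line.split():
            try:
                found.add(ipaddress.IPv4Address(token))
            except ValueError:
                continue  # dates, labels, anything that is not an address
    return found


def parse_nets(text: str) -> List[Net4]:
    """Parse CIDR lines and collapse overlapping or adjacent blocks."""
    nets = [ipaddress.IPv4Network(ln.strip(), strict=False)
            for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return list(ipaddress.collapse_addresses(nets))


def merge_lists(lists: Dict[str, str]) -> Set[IPv4]:
    """Union of all IP lists (the post's 'merged, sorted, duplicates culled')."""
    merged: Set[IPv4] = set()
    for text in lists.values():
        merged |= parse_ips(text)
    return merged


def cull_by_country(ips: Set[IPv4], nets: List[Net4]) -> Tuple[Set[IPv4], Set[IPv4]]:
    """Split into (kept, culled); culled IPs are already inside a country net."""
    kept: Set[IPv4] = set()
    culled: Set[IPv4] = set()
    for ip in ips:
        (culled if any(ip in n for n in nets) else kept).add(ip)
    return kept, culled


def render_ipset_restore(ips: Set[IPv4], nets: List[Net4]) -> str:
    """Text for `ipset restore -exist`; headers match the post's ipset listing."""
    lines = ["create block-by-ip hash:ip family inet hashsize 8192 maxelem 65536 counters"]
    lines += [f"add block-by-ip {ip}" for ip in sorted(ips)]
    lines.append("create block-by-country hash:net family inet hashsize 16384 maxelem 65536 counters")
    lines += [f"add block-by-country {n}" for n in nets]
    return "\n".join(lines) + "\n"


def iptables_rules() -> List[str]:
    """Four rules, one per set and protocol, as in the post's iptables summary."""
    rules = []
    for name in ("block-by-ip", "block-by-country"):
        rules.append(f"iptables -A INPUT -p udp -m set --match-set {name} src "
                     f"-j REJECT --reject-with icmp-port-unreachable")
        rules.append(f"iptables -A INPUT -p tcp -m set --match-set {name} src "
                     f"-j REJECT --reject-with tcp-reset")
    return rules


def build() -> Tuple[Set[IPv4], Set[IPv4], List[Net4], str]:
    """Run the whole pipeline on the sample data."""
    nets: List[Net4] = []
    for text in COUNTRY_NETS.values():
        nets += parse_nets(text)
    nets = list(ipaddress.collapse_addresses(nets))
    kept, culled = cull_by_country(merge_lists(IP_LISTS), nets)
    return kept, culled, nets, render_ipset_restore(kept, nets)


if __name__ == "__main__":
    kept, culled, nets, restore = build()
    print(f"{len(kept)} IPs kept, {len(culled)} culled into country nets")
    print(restore)
    print("\n".join(iptables_rules()))
```

On the sample data the script keeps 198.51.100.7 and 192.0.2.44 and culls 203.0.113.9, which is covered by the 203.0.113.0/24 country block. The output is meant to be piped into `ipset restore -exist`; when refreshing the lists on a live host, restore into a temporary set and `ipset swap` it with the active one so the rules never reference an empty set mid-update.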

I use NordVPN. Happy with their service and speed, and their android app.

I also second that one privacy guide site. Used that when shopping around. Went back to Nord and signed up for 2 years. Look for coupons online.

1 Like

Thanks for sharing @Scrouds!

Does that still work for BBC? Have they not shut down access via all VPN UK access nodes, even of the smaller VPN providers which used to work up to about a year ago?

Haven't tried it recently.

Anyone have any views on Proton? They have offered privacy focused email service for a long time, and have started up their own vpn service along similar lines. Supposedly the paid servers are pretty good, while the free ones are slow.

This review of Proton isn't very favorable - claims they have some serious flaws

But, with so many review sites out there, there are others saying they're great…

My own hunt for the right path forward continues…

1 Like

TunnelBear

What happened?

My bank & CC sites threw "fraud alerts" while using PIA. In fact BOA won't even load when using PIA.

Yup. BBC doesn't work for about a year and neither does Netflix.

I don't recall all the details, but probably in one of his quests to take down a fraudulent organization, one of the fraudsters requested his account info (probably the IP address) from FW. I'm guessing some kind of John Doe lawsuit with some kind of legal discovery request. Apparently FW fought back and didn't release the info, but they didn't have to fight and other companies probably would have just caved in. Not sure if SIS incurred any expenses, but it was probably an unpleasant experience.

1 Like

In case this wasn't said upthread, the vast majority of VPN reviews are ads. I started my search at "That One Privacy Site", which may be a paid ad, but I can't tell who paid for it, and it seems a fair bit of work went into it.

1 Like

This thread is a couple years old. Is privateinternetaccess.com still legit? Has anyone used ExpressVPN? Any other recommendations? I will not be using it for torrents.

Last I researched a few months ago, PIA and NordVPN were top choices.

2 Likes

Express is good due to having a giant list of countries, but it's also a lot more expensive.

1 Like

I use Windscribe (purchased the lifetime subscription when it was on sale a year or two ago) and it works pretty well.

Regardless of which one you choose, make sure that there are no DNS leaks. You can confirm using one of the following two sites:

https://www.doileak.com
https://www.dnsleaktest.com

2 Likes

I'm still with Azire. I've found them very reliable, and the speed has been more than acceptable for me, but I don't do audio, video, or torrents.

Just be aware that if you need a static IP, the cost is significantly more … at least it is with Azire.

1 Like

Worth a mention: the latest Opera browser includes free unlimited VPN. Not a true VPN as it's only for the browser, but very usable as long as you stay within Opera (e.g. online banking). Also works in Opera mobile browser.

2 Likes

Some other forum discussion here with various options and commentary.

https://www.bogleheads.org/forum/viewtopic.php?p=4814188#p4814188

1 Like