As someone who runs most of my Internet traffic through VPNs, it has been interesting to watch roll-your-own VPN efforts start to gain traction.
Google recently released its open source Outline VPN which is designed to help news organizations easily set up VPNs. Although the product originates from Google, it is designed to allow end users to set up a VPN on their own servers so there aren’t concerns about Google logging or snooping on the traffic. And since the software is open source and from Google, it will likely receive a good amount of scrutiny that will likely discover and flaws.
The one caveat, however, is that unlike most commercial VPNs out there, Outline is using the Shadowsocks protocol rather than something like OpenVPN. Techcrunch does a good job of summarizing the advantages and disadvantages of this approach,
And yet, a socks5 proxy looks like normal internet traffic. Shadowsocks is taking advantage of that and combining the advantage of a proxy with traffic encryption. It’s supposed to work great in China for instance.
But you can’t guarantee that all internet traffic goes through a proxy server — it depends on each app. A proxy adds a level of granularity that can be convenient but also a security issue. For instance, the Outline client doesn’t redirect all your Windows traffic to the Outline server right now.
So Outline can be the perfect tool if you want to access censored websites with your web browser. But you won’t disappear from the network with an Outline connection.
Another popular roll-your-own VPN service is Algo. Like Outline, Algo is designed to make it easy set up a VPN on cloud-based servers that the end user(s) have control over. What separates Algo from something like Outline is that Algo allows users to spin up a VPN on, say, AWS or Digital Cloud, use it for an hour or so, and then delete it and create another VPN.
We wanted Algo to be easy to set up. That way, you start it when you need it, and tear it down before anyone can figure out the service you’re routing your traffic through.
Both of these are interesting, but supporters of both have tended to a lot of pointless rhetoric about the supposed inherent problems with commercial VPNs or traditional solutions such as OpenVPN.
But that really misses the point–all of these have their uses depending on what your threat model is.
Algo and Outline are good for preserving confidentiality–making certain that third parties can’t intercept and read the plaintext of your Internet communications–but they are not designed to preserve anonymity.
Something like a commercial VPN is frequently designed to preserve anonymity but at the risk that Internet communications could be intercepted by a bad actor at the VPN (or someone who has penetrated the VPN’s servers).
Which tradeoff is best for you largely depends on who it is you are trying to keep your communications a secret from. My experience has been, for example, that commercial VPNs are very good at preserving the anonymity of my BitTorrent traffic. My main concern is preventing the local network node from monitoring my traffic and preserving anonymity at the exit node, so commercial VPNs are ideal.
If I were a journalist communicating with a human rights activist in a dictatorship, I would probably choose different tradeoffs. But it is extremely important that users conceptualize who it is they’re trying to prevent eavesdropping on their conversation in order to choose the most appropriate solution for ensuring that.