VPN originally meant something quite different from the commercial consumer VPN product that Mullvad represents, and was more like the encrypted overlay network provided by Tailscale. These are coming together again in this revolution of the wheel of reinvention. I'm not using "reinvention" in any negative way here; this is good, I think.
For history, and how some people (John Gilmore[1]) thought ubiquitous interoperable VPN tech (using the IETF-standardized IPsec) could be used to end-to-end secure internet traffic generally, see e.g. this FreeS/WAN rationale from the 90s: http://web.archive.org/web/20210125023625/https://www.freesw...
Then in between then and now were the VPN dark ages, where it was mostly only used as a tech to access old-timey corporate "internal networks".
Don't forget that historically, a "half-measure" a lot of people used to get around regional blocking was "web proxies" like those linked to by proxy.org. I used to operate one as a young teen, and I will say they are a security nightmare: nothing stops a web proxy operator from sniffing all user credentials passing through them, and modifying PHPRoxy to do this is trivial.
Personally, I used to run a domain parking service (back when I was a teen in the early 00s) that used the domains as web proxies and replaced all AdSense blocks it could find in the content with my AdSense code, and did a 50/50 split between my code and the domain owner's code. Google eventually became wise to this and banned that sort of thing, but it was pretty cool while it lasted, and honestly I think it was super fair considering we didn't even add any ad blocks, just re-used the existing ones already in the content.
With practically ubiquitous HTTPS, these days proxy use is mainly a privacy risk, since for HTTPS they usually can only support transparent byte relaying anyway.
> for HTTPS, they usually can only support transparent byte relaying anyway.
On my LAN I run Squid on a Raspberry Pi, and have my personal laptop configured to use that as an HTTP and HTTPS proxy.
All TLS HTTP connections going through the Squid proxy are intercepted.
This only requires that my laptop trusts a self-signed TLS certificate that Squid uses.
Someone could easily run the same kind of thing on the internet, providing free proxy service and telling their users to trust a certificate signed by them, without properly explaining the consequences of that. And a lot of novice users would likely use that proxy service, gleefully unaware that even the “encrypted” traffic is completely visible to the proxy.
In fact, I would be extremely surprised if there aren’t a whole gazillion of services out there doing exactly that.
But in many jurisdictions running a service like that would likely be cybercrime. And even if it wasn’t illegal, it’s still not nice. So, you know, don’t go and actually create a service like that.
Not really. I do the same thing, but I do not use Squid. Learning how to operate a localhost proxy is not particularly difficult compared to, say, learning programming languages. The latter is a topic people on HN discuss ad nauseam. No one questions it when someone lists the computer languages they know and claims they can learn a new language in X minutes or a weekend or whatever.
Just because someone does not know how to do something does not mean it is difficult. It just means they did not try to learn how to do it. This is a very common comment on HN. It's quite silly.
Learning how to set up a localhost proxy on a laptop is far easier than learning a programming language. But it is not something that many people on HN want to learn, cf., e.g., programming languages.
>Just because someone does not know how to do something does not mean it is difficult. It just means they did not try to learn how to do it. This is a very common comment on HN. It's quite silly.
Honestly, what's even more common and more silly are these kinds of comments:
"blah blah blah it's easy, I did it blah blah I don't understand the problem"
Ever consider that other people are somehow different from you? Have different strengths, weaknesses and abilities? Have different needs from software? It's like, why do we even make software? You could just learn binary, duh.
Every user is different. But software developers commenting on HN like to assume one size fits all. Perhaps this makes sense if they are getting paid from advertising. If every user is doing something different instead of all looking at the same website, using the same app, watching the same video, repeating the same meme, using the same few browsers on the same few operating systems, etc., then advertisers are less interested in throwing money away on "advertising services" from so-called "tech" companies.
I'm not talking about how difficult it is to set up a proxy. I meant that getting someone else's computer to accept a rogue root CA is a big deal, so saying an attack "only" needs that to happen is misleading.
> getting someone else's computer to accept a rogue root CA is a big deal
IMO not necessarily. See this part of what I said:
> telling their users to trust a certificate signed by them, without properly explaining the consequences of that. And a lot of novice users would likely use that proxy service, gleefully unaware that even the “encrypted” traffic is completely visible to the proxy.
But in addition to that, note that where I was using the word “only” was specifically in the part of my comment where I was talking about how I set up Squid for myself using my own Raspberry Pi and my own personal computer.
Yeah, I've thought about having a CA for my home LAN services, and then have my phone and laptop trust that CA, but I'm terrified of the possibility that my CA could be compromised, and then someone could intercept my traffic to my bank or whatever.
So I just put up with clicking through the TLS cert errors every now and then.
That's a neat idea! I looked into name constraints many years ago, and at the time, no common browser or TLS library supported it; glad to see that that has changed.
With ubiquitous support, I hope that one day we'll be able to routinely get "subdomain CA certificates" issued by something like Let's Encrypt, just like it's already possible to get wildcard certificates.
Parent commenter is talking about having a sub CA that is restricted to issuing certs for a specific domain.
For example let’s say that I am hosting a website at somewhere.example.com
Today I would be able to get a Let’s Encrypt TLS cert for somewhere.example.com, and if I control the DNS for somewhere.example.com I can get a wildcard cert for *.somewhere.example.com.
But from what parent is saying, with name constraints it would be possible for Let’s Encrypt to give me a cert that would allow me to act as a CA for anything under my somewhere.example.com.
Meaning that I could for example issue a TLS cert for treehouse.internal.somewhere.example.com using the restricted CA certificate that was given to me.
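The constrained sub-CA the comment above describes, as an added example in Go (its crypto/x509 package enforces name constraints natively); this is not code from any commenter, from Let's Encrypt or from Tailscale. The zone somewhere.example.com and the in-zone host treehouse.internal.somewhere.example.com come from the comment; the out-of-zone host login.bank.example is a constructed name. It also speaks to the worry a few comments up about a compromised home CA: with the constraint marked critical, a leaf the stolen CA key signs for a bank's hostname is rejected by a client that honours name constraints, which is the check to run before trusting such a CA on your devices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const zone = "somewhere.example.com" // constructed for this example

type ca struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newConstrainedCA mints a self-signed CA whose certificate carries a critical
// nameConstraints extension: it may only vouch for zone and names under it.
func newConstrainedCA(zone string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Home CA for " + zone},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().AddDate(10, 0, 0),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{zone},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{key: key, cert: cert}, nil
}

// issueLeaf signs a server cert for host. The CA key signs any name you ask for; the protection lives in the verifier.
func issueLeaf(c *ca, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 3, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs does what a client that trusts c would do when connecting to host.
func verifyAs(c *ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// rejectedForName reports whether the verifier refused the chain because the CA
// may not vouch for the leaf's name. Go surfaces this as an "unknown authority"
// error whose hint is the constraint violation, so match on that text.
func rejectedForName(err error) bool {
	return err != nil && strings.Contains(err.Error(), "not authorized to sign for this name")
}

func main() {
	c, err := newConstrainedCA(zone)
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"treehouse.internal." + zone, "login.bank.example"} {
		leaf, err := issueLeaf(c, host)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-45s verify: %v\n", host, verifyAs(c, leaf, host))
	}
}
```

Running it prints a nil error for the treehouse host and a "not authorized to sign for this name" error for login.bank.example. Whether a given browser or TLS library honours the constraint is exactly what the comment above says has improved over the years; the check here is the one to repeat against the clients you actually use.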
A DIY CA is pretty easy to air-gap: keep it on hardware that isn't your daily driver and only has a minimal/secure OS with no network connectivity. Anything you have lying around can do it, like an outdated laptop or SBC.
Even just using a VM for the CA would likely be sufficient. Only fire it up for signing, then keep its storage encrypted. I do this on my Proxmox server.
This, to me, is worth it for local stuff. The trusted self-CA certs are better than blindly trusting an invalid cert, and some browsers require trusted certs to autofill passwords.
I used to do the same, but these days, getting TLS certificates for local services is actually not that hard anymore.
If you have local DNS, you can e.g. request a wildcard subdomain Let's Encrypt certificate and then distribute the corresponding key and certificate to your LAN hosts.
>Someone could easily run the same kind of thing on the internet, providing free proxy service and telling their users to trust a certificate signed by them, without properly explaining the consequences of that.
Somebody already did do this, except as a paid service, and had their special 'client' simulate user clicks to install the self-signed root CA cert in your OS' cert store for you.
Interesting; it would have to be a pretty invasive client to do that. Usually installing a cert is accompanied by a lot of very loud warnings on modern OSes. So the end user would have to first give this software permission to click around on their desktop for them without fully understanding the implications. Which does seem plausible.
Adding trusted certificates in Firefox directly, instead of at the OS level, is very straightforward. It requires only a few clicks and does not shout too much.
I prefer using Firefox on my laptop so I didn’t check to see what the process is like for Chrome-based browsers to add trusted certificates (or if Chrome-based browsers only use OS-level certs).
But at least with Firefox, the user doesn’t have to go fiddling with OS level stuff.
No. You put it public, get a public domain > valid cert from a trusted list of CAs that Google and Mozilla treat as trustworthy, look at 'em. There are more problematic than unproblematic.
Web proxies completely bypass any protection offered by HTTPS, as they act as a true man-in-the-middle and place requests on behalf of the user. Unlike traditional proxies, web proxies are entirely web-based and use a web interface, so literally all the data flows through the server-side code of the web proxy.
Not really. In my view, VPNs (at least the type discussed here) and proxies are complementary:
VPNs are good at encrypting/redirecting all of your device's traffic, since they're per-computer by default. They're accordingly good at preventing metadata leaks (e.g. visited sites or used apps) on untrusted networks.
Proxies are opt-in, but can accordingly be much more fine-grained. For example, Firefox supports per-domain (via various extensions) or per-tab (via the built-in "containers" feature) proxies – VPNs usually can't do that.
I am not 100% sure, but Firefox VPN is an actual VPN based on Mullvad. On the main product page[1], it says it is built with WireGuard, which is VPN software.
VPNs can, if they can be routed into via SOCKS or HTTP CONNECT gateways, for example. Generally, VPNs (L2/L3) can stoop to the level of proxies (L4), but not vice versa (at least not as cleanly).
Sure, you can bridge in either direction (using e.g. this [1] excellent WireGuard-to-SOCKS adapter), but in my view, if you have bytestream semantics, you're often better off using a bytestream-oriented proxying protocol (like SOCKS, SSH or HTTP), and vice versa.
These bridges/adapters do have their applications though: I have a home router that supports WireGuard natively, but not any of the higher-level protocols; this lets me use my per-tab approach with it.
I don't really get the value proposition of wireproxy. Especially since it seems not to be complete yet.
It is trivial to run a SOCKS proxy on one of the peers and have your browser point to that. Both Chrome and Firefox can do this on demand and for the sites you select.
I have a Docker-based proxy running on a VM. (I've tried a bunch of them. They all work fine. None of them are hugely better at the bandwidth levels available to me, around 50-70 Mbps.) The proxy is only listening on the WireGuard IP. I have my clients connect to that WireGuard peer and use the WireGuard IP as the proxy. You can't install a proxy on the remote side? It should be possible, seeing that you have to install something anyway. I am not sure about not needing root, but it should not be a requirement for a proxy server, since all it does is make HTTP requests on your behalf.
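Two points from this thread, that a proxy carrying HTTPS is really just a CONNECT byte relay (the "transparent byte relaying" remark earlier) and that the relay can be bound to the WireGuard IP alone so only tunnel peers can reach it (the comment directly above), as an added Go example; it is not code from any commenter, from Tailscale or from wireproxy. The echo listener stands in for a real destination, 127.0.0.1:0 replaces the tunnel address so the example runs offline, and 10.0.0.1:3128 in the comments is an assumed address. The log line in ServeHTTP is the entire view such a proxy has of an HTTPS session: the requested host:port and the client address.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"strings"
)

// connectProxy answers HTTP CONNECT and from then on just relays bytes. For an
// HTTPS client that is the whole job: it learns host:port and nothing inside TLS.
type connectProxy struct{}

func (connectProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodConnect {
		http.Error(w, "only CONNECT is supported", http.StatusMethodNotAllowed)
		return
	}
	log.Printf("CONNECT %s from %s", r.Host, r.RemoteAddr) // all the metadata this proxy ever sees
	upstream, err := net.Dial("tcp", r.Host)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	// net/http's HTTP/1.x ResponseWriter implements Hijacker; take the raw socket.
	client, rw, err := w.(http.Hijacker).Hijack()
	if err != nil {
		upstream.Close()
		return
	}
	rw.WriteString("HTTP/1.1 200 Connection Established\r\n\r\n")
	rw.Flush()
	go func() { io.Copy(upstream, rw); upstream.Close() }() // rw still holds bytes the client sent early
	io.Copy(client, upstream)                              // returns once upstream is closed from either side
	client.Close()
}

// startProxy binds the proxy to exactly one address. On a WireGuard peer that is
// the peer's tunnel IP (10.0.0.1:3128 is an assumed example), so nothing outside
// the tunnel can even reach the listener.
func startProxy(bindAddr string) (net.Listener, error) {
	ln, err := net.Listen("tcp", bindAddr)
	if err != nil {
		return nil, err
	}
	go http.Serve(ln, connectProxy{})
	return ln, nil
}

// startEcho stands in for the real destination and echoes whatever it receives.
func startEcho() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	return ln, nil
}

// throughTunnel plays the client: CONNECT to target via proxyAddr, send msg, return the reply.
func throughTunnel(proxyAddr, target, msg string) (string, error) {
	conn, err := net.Dial("tcp", proxyAddr)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target)
	br := bufio.NewReader(conn)
	status, err := br.ReadString('\n')
	if err != nil {
		return "", err
	}
	if !strings.Contains(status, " 200 ") {
		return "", fmt.Errorf("proxy refused: %q", strings.TrimSpace(status))
	}
	if _, err = br.ReadString('\n'); err != nil { // blank line closing the (empty) header block
		return "", err
	}
	if _, err = io.WriteString(conn, msg); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	_, err = io.ReadFull(br, buf)
	return string(buf), err
}

func main() {
	echo, err := startEcho()
	if err != nil {
		log.Fatal(err)
	}
	proxy, err := startProxy("127.0.0.1:0") // the WireGuard tunnel IP in real use
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(throughTunnel(proxy.Addr().String(), echo.Addr().String(), "hello through the tunnel"))
}
```

Point a browser at the listener as an HTTP proxy and every HTTPS site arrives as a CONNECT to port 443 followed by opaque bytes. Binding to the tunnel IP is the whole access control here; there is no authentication, which is fine only because the WireGuard handshake has already done that for every peer that can reach the address.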
Yes, "work" VPNs, site-to-site and many other topologies don't change the default route, but "privacy" VPNs like Mullvad usually do – there is no group of hosts to route traffic for other than simply "the entire internet".
That said, I'm aware of at least one that tries to support an "exempt/excluded hosts" feature, but it does this via some hack using its local DNS resolver and modifying the routing table on the fly, which does not work reliably.
Interesting! Is that actually the letter of the specification, or a common/industry-standard interpretation? I hate VPN setups like that; it often makes videoconferencing, browsing of non-corp sites etc. unnecessarily slow.
It's the letter of the specification, unfortunately:
> 3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
> DISCUSSION
> Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users. This requirement is implemented in the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.
And yep, it does indeed cause all of the problems you describe.
No, that's why you tunnel through seven proxies, each being used with different sets of credentials/encryption keys, all disposable. The last tunnel is not the main data channel, but the channel you use to coordinate command and control, and then you use a botnet to distribute pieces of your real communications.
Web proxies aren't traditional proxies. They have a web interface and issue requests on behalf of the user server-side, so all of the user's data flows through the user interface and the server side in plain text (though protected by the HTTPS of the web proxy itself). This is fine if you 100% trust the web proxy, but a malicious web proxy operator could easily look at all your data.
I used to pay a small fee for a shell account from some UK provider so I could set up a SOCKS proxy over an SSH tunnel. I suppose they could have captured my egress traffic, but I trusted them not to do that. I was just using it to watch BBC iPlayer/Channel 4 from the US anyway. :)
The first VPNs I encountered were for bridging branch offices onto the corporate network.
It was only later, when they made 'consumer' VPNs, that they became point-to-multipoint affairs for bridging a single computer onto the network. I'm not really sure how that confusion happened. In that era they were glorified SSH tunnels.
Well, they generally call the first type site-to-site VPN tunnels and the second client tunnels. Lots of different marketing from various companies makes it confusing, since it's basically all the same OSS under the hood.
What is with this tendency to want to gatekeep the term "VPN" away from consumer-oriented providers? The general term "VPN" means exactly the same thing now as it did 20 years ago.
Virtual means it doesn't correspond to a physical network interface. Private means it involves encryption, as opposed to a basic tunnel like ipip or 6in4. And they've always been network interfaces showing up on some node, regardless of whether that node might have been a vendor's proprietary black box.
Decades ago there were fewer uses/topologies, dedicated "routers" were more important, and people naively trusted infrastructure. Those are the differences that have evolved with time. Quick searches say OpenVPN was released in 2001, and tinc in 1998.
> Private means it involves encryption, as opposed to a basic tunnel like ipip or 6in4.
The common-sense meaning of "private network" was, and is, a network that is private. I had one with a bunch of my university friends - we ran our own network services that we wouldn't trust to the wider world, like we had back when we lived together and really did have our own private network.
A point-to-point line to the provider's router that then bridges you onto the public internet is a "private network" only in the most degenerate sense.
> A point-to-point line to the provider's router that then bridges you onto the public internet is a "private network" only in the most degenerate sense.
You can make an analogous argument about the traditional corporate site to site VPN, which is a point to point link between routers that bridges two non-virtual networks. By your standard, calling that a virtual network is only true in the degenerate sense.
I see your point about the possible meaning of "private", but I don't think that quibbling over the semantics is useful for much besides gatekeeping. There were plenty of corporate VPN links piping Internet-reachable IP addresses, just as there were plenty of VPN links with broken or nonexistent crypto.
> You can make an analogous argument about the traditional corporate site to site VPN, which is a point to point link between routers that bridges two non-virtual networks. By your standard, calling that a virtual network is only true in the degenerate sense.
Disagree. "The network", in the sense that my PC, and Bob's PC in the next town, and the server in our colo space, are all on "the network", is virtual, in a pretty essential sense. Even if 68 of the links in the network are physical wires and only 2 of them are virtual, their existence changes the character of the whole. In the same way that we have an "international network", that would be important to think of and treat as international, even though it only has one cross-border cable.
What is the point of just quibbling over definitions? If you were using this framing as in support of a larger idea, it would be plausible to entertain. But without that I don't really see much point, because it's just as easy to declare things the opposite of your assertion - eg the term "VPN" doesn't apply to an entire corporate network (as it would per your extension argument), rather just the virtual link part of it. Of course asserting this is similarly pointless without some larger point.
I love tailscale's technology and their contributions to the security ecosystem, but I can't help but take a contrarian angle to many of the comments here...
This feels like a bad idea, and perhaps it signals defeat in the enterprise space (where the tech would provide the most value, imo). Tailscale raised $100M last year, surely based on a theory of growth upmarket. While this partnership surely provides value to personal consumers, it feels, at best, a distraction from the larger opportunity and, at worst, counterproductive to achieving it.
I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
> I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
Okay. But it does? Our stats continue to show that making nerds happy (we're also nerds) leads to more corporate sales. (https://tailscale.com/blog/free-plan/ etc)
So if we can make something that we want ourselves and our friends and fellow nerds also like, and that also then leads to more corporate sales... why not?
Anecdata: It directly led us (Instacart) to try and then adopt Tailscale. Many of us had used it at home and were happy nerds. This gave it a huge initial leg up vs other "enterprisey" VPNs when we were in the evaluation stage.
Tailscale sold itself after that. The docs were excellent and it really is simple to use and run. I was able to do a full PoC in a day and prove that I could join all of our environments and clouds into one VPN and have DNS resolving correctly everywhere.
I appreciate the response - great blog post. I don't doubt this works for certain companies and components of the ecosystem; it worked for Dropbox (at least for a long time).
Tailscale is clearly a superior product to its competitors, and I have regularly recommended that colleagues and clients evaluate whether it fits their needs. However, unfortunately, that is frequently not enough to "win" in the crowded and bureaucratic enterprise software space.
I would love to be proved wrong here and wish you the greatest success!
Say you were a county social services department. You wish to use Tailscale to microsegment federal tax data (subject to IRS 1075 safeguards requirements) relating to your child support unit from other traffic (say Medicaid enrollment) which does not have that requirement.
I’m pretty confident that you would draw an audit finding for that reason with a pure tailscale solution. (I also think that’s bullshit.)
1075 does not appear to require that access VPNs use FIPS cryptography. Arguably, it would if you were relying exclusively on WireGuard for data protection, but it's uncommon for people to do that (we're WireGuard true believers and we do in places depend on WireGuard authentication and encryption for our security model, but it's a weird enough thing to do that we notice it when we do it).
At the time we looked at it for a client, in an audit, certain aspects would be at the discretion of the auditor. They are typically pragmatic about this stuff.
That said my original statement was too broad. It’s not an “enterprise” issue, more use case dependent in regulated scenarios.
A lot of B2C VPNs position themselves as kinda sketchy and anti-corporate.
If the cops or the MPAA come calling, we'll tell them to go to hell. Netflix blocks our servers? We'll set up new ones. Accused of torrenting? We didn't see anything, and we don't know who you are either. We're incorporated in a jurisdiction that makes us almost impossible to sue. We've got 4 employees, and not a single clothes iron between us.
B2B VPN products often have the opposite market positioning - straight-laced, trustworthy stuff. Absolutely not claiming to be difficult to sue. We've got 50+ employees, all of them wear shirts and some even wear ties. And suppliers like cloudflare are more than happy to help you MITM all your employees' https traffic, in the name of "security".
These just seem like positions in the market that are very hard to reconcile.
Cloudflare is in a somewhat interesting position. They are known for being negative about banning copyright violations or controversial content (compared to competitors), but also provide enterprise solutions.
> They are known for being negative about banning copyright violations or controversial content (compared to competitors)
They're required to do the former (and Switter) by American laws, and for the latter: they banned the Daily Stormer, 8chan after a terrorist incident, and Kiwi Farms after their members called for open violence. It's not hard to see why these three got banned, inciting violence is not covered by "free speech".
A lot of the people making purchasing decisions to acquire products like Tailscale are in security departments and have a very low opinion of Mullvad (VPN of choice for all kinds of abusive/fraud/hacking traffic).
I have a high opinion of them, one of the few VPN services I would trust not to give in even to governmental pressure. I firmly believe they would shut down their service before they compromised user privacy. That is very commendable.
Are you a CISO or otherwise have that purchasing power? I’ve found that CISO types hold opinions that are not usually met by ground floor or even middle management folks.
Why would this affect the security of someone adopting Tailscale? It's not like partnering with Mullvad makes it easier for hackers/fraudsters/etc to attack a Tailscale user. Maybe I'm an idiot, but I would assume that 'hackers/fraudsters trust it' probably means that they do a decent job of respecting privacy?
What is the VPN service you think people (people on HN, say, not YouTube) have a high opinion of?
Mozilla is rebadged Mullvad. Proton might be ok. Everything else (Nord, Avast, Express, ...) is YouTube sponsor trash, Mullvad's the gold standard afaik.
Cloudflare Warp, WindScribe, and iVPN are decent. But given the ubiquity of DoH and the roll out of HTTP3/QUIC + Encrypted Client Hello, no VPN might serve just fine, too.
>(VPN of choice for all kinds of abusive/fraud/hacking traffic).
This is a pretty bad take. With your logic anything pro-privacy like Signal/Matrix etc would also be "x of choice for abuse/fraud/hacking etc" and thus shouldn't be used.
Tailscale has many employees; adding a small patch to the WireGuard client programming and strapping in Mullvad account provisioning seems like a very small amount of effort for a pretty cool feature that also earns some recurring money from the hitherto freeloading nerd customers.
Point well taken. My comment was primarily based on two other factors:
a) the strategic signal it sends re developer resource allocation and
b) the market signal it sends, selling a security solution while partnering with a company (not a knock - I've been a mullvad customer!) that provides solutions which are frequently used to bypass compliance/regulatory controls.
I think Tailscale going after 3 wildly different market segments (hobbyists, smb/teams, enterprises) [0] is why we're likely to see more such features, not less.
It doesn't sound like that's a big distraction for Mullvad as it seems most of the actual changes are done on the Tailscale side, enabling users to use Mullvad proxied through their setup.
Partnering with similarly aligned organizations like Tailscale and Tor seems like a good way of increasing the userbase without engaging in sketchy business models like the rest of the VPN competition.
> I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
This past summer I quit my job as Engr #3 of a startup. While there, I desperately tried to convince 1+2 that we should use Tailscale instead of rolling our own VPN with WireGuard and EC2. Couldn’t do it. The product was too magical and everyone was suspicious. I use it at home and tried very hard to make the case.
This feels more like a long term investment in breaking the “mesh” basis for their product. IMO it’s part of the magic and partially a problem. I couldn’t explain the security model for the mesh (as an outsider), and according to some comments it seems like it causes battery issues on mobile devices.
They've been, over the past year, putting a significant amount of work into fixing the battery life issues. It is largely resolved for me, and it seems according to a recent article the vast majority of their users.
This also has to be a nightmare for speed. Making two separate tunnels, then browsing the internet through them? Streaming or using virtually anything other than static HTML pages would be a pain.
Mullvad servers are fast enough. On some occasions, I can only connect to Mullvad through 3 hops. Me -> Chinese VPS -> DigitalOcean VPS -> Mullvad. I can still stream YouTube just fine (1MiB/s)
Context: during government meetings in a particular region, their network policies would become more restrictive so that it’s only possible to connect to Chinese IPs. Chinese VPSs are exempt but cannot connect to Mullvad directly due to a Fortinet rule. Connections are done with a mix of Trojan-gfw, xray, and WireGuard
Mullvad has been doing a lot recently and I'm really loving it. It kinda seems like they are building a decentralized open source ecosystem through partnerships with other companies that are seeking similar things. Which really seems like the "hacker"'s dream (people liking security, not crackers). I wonder if we'll see Matrix next, or Signal? (Highly doubt Signal, but one can dream that the ecosystem is moving and speech will actually mean something.) I'd love to see a world of open source, open protocol products all working in harmony. I just never really expected to see that until we got relatively close to a post-scarcity society.
Tailscaled runs as root. Is there a way to confine it, without losing functionality?
As it connects many devices in my network, a vulnerability in Tailscale will have a significant impact (they recently had a nearly-10 CVE). That’s not the case with the standard client-server approach (clients can run userspace WireGuard).
Even though I don’t open ports with Tailscale (more precisely, I outsource them to Tailscale), I still can’t sleep well at night!
Running Tailscale without privileges is a challenge because tailscaled needs to be able to configure your network, and if you enable Tailscale SSH it also needs to be able to create sessions for configured users. For people who don't need SSH and accept this challenge + maintenance burden, it is possible: https://tailscale.com/kb/1279/security-node-hardening/
On its face, this is really cool and being a user of both tailscale and mullvad this is awesome.
My primary concern though: will this lead to potential privacy leaks? Can a government agency shakedown Tailscale now to trace your Mullvad ID/connection to your Tailscale account?
That doesn't really answer my question at all, at least not thoroughly in plain english.
The question is: if a government agency goes to tailscale and says: "we're looking for Mullvad user 912830193276163872" - does tailscale log that, can they provide it, will they provide it?
Tailscale needs to know information about your Mullvad license in order to authenticate you with the exit nodes. So it's theoretically possible for a government to ask Tailscale to correlate the data they've collected about you (like a client IP) with an authorized Mullvad license. Which, of course, they'd need to know represents your traffic from talking to Mullvad, which means you're not really placing any extra trust in Tailscale.
I would assume that Headscale could also support this functionality in the future if you trusted Mullvad but not Tailscale.
> Tailscale needs to know information about your Mullvad license in order to authenticate you with the exit nodes.
That doesn't sound strictly true.
Mullvad and Tailscale need to settle their costs between each other, and Tailscale needs to settle with you.
What Tailscale needs to know about "your" Mullvad license is that x of y devices are using a Mullvad exit node, so they can charge you for y.
What Mullvad needs to know is a high water mark usage (data transfer, throughput, connections, whatever) for Tailscale (not you) so they can charge Tailscale some carrier grade rate.
There's little reason Tailscale couldn't do an iCloud Private Relay style Apple<->Cloudflare privacy-preserving handoff.
Ah! This could have been great for me, except that Tailscale recently cut off access to Cuban nationals to their service (they have their reasons, I guess.) Still, I think that the service they're building, step by step, is fine actually.
While I don’t work for Tailscale and don’t know their specific reasons, I do know that US export controls and sanctions with respect to Cuba are quite complicated and are designed more due to historical & continuing political pressures than sensible policy.
I used to be involved in leading a US charitable nonprofit that, during the Obama years, once wanted to pay for someone to attend a technical conference in Cuba (or maybe it was to pay for a Cuban to attend a technical conference elsewhere - I forget). We did actually make it happen, but it involved consulting with lawyers, comparing the details of the situation against the applicable rules, and getting people to promise to stay within those rules.
My guess is that either Tailscale or one of the providers they depend on is cutting off Cubans as an attempt to comply with these Cuba-specific US legal obligations, or at least to reduce their risk of falling into non-compliance.
At the very least, GitHub has found ways to legally make most (not all) of their offerings available to Cubans / in Cuba despite the sanctions, except for more narrowly banned individuals and groups. So if you can obtain the open source code for Tailscale (client) and Headscale (server), you can at least use that to benefit from Tailscale’s software.
I believe Tailscale re-incorporated from a Canadian company into a US company for various compliance things being easier, but a consequence is that now they have to follow certain US obligations WRT Cuba, amongst others.
Dear US government, please open VPN access to everyone in the world. If you want citizens of an authoritarian nation to be able to escape their local firewall, then these systems need to be available. You have a history of making these products and even funding them through things like Radio Free Asia. Though for some reason you also attack these systems too and cut their legs off. Get your fucking act together. Both citizens of our own country need encryption to avoid spying by foreign nations, and citizens of authoritarian nations need encryption to avoid spying by their own governments. They'll never rise up against their governments if they can't secretly communicate. Preventing encryption in our own country means you fear this too, which is not a great thing to tell your citizens.
America's Cuba policy is a failure and continues to be a failure. Do you not think if America opened up to Cuba that wouldn't over time drastically lessen their dependency on Russia?
Cuba really doesn't have much of a choice, they have to trade with "friendly" nations of which America refuses to be.
Fun fact, when we (Canadians) go to Cuba they typically won't stamp our passports because they know it causes us issues when trying to enter the US.
You would think we'd want the contrapositive: to enrich them with global influx of capitalist market consumer demand, enough that they gain an independently self-stable economy, and stop feeling the need to rely on the support of Russia and China so much.
(Or, at least, offer subsidies to their government if they stop supporting Russian and Chinese spies with their numbers stations et al.)
This is a very naive way to look at the world. Even if theoretically they would be happy with such "self-stable economy" [they naturally won't—nothing prevents human desires to ask for more and try to build win-win friendships,] Russia and China are not sitting around; they would go and meddle with their affairs.
Mind you, I am not saying there is an existential possibility of a better policy, but the calculus would be nowhere as trivial as this.
> Russia and China are not sitting around; they would go and meddle with their affairs.
I mean, certainly, but it's like having a club on your car's steering wheel: it's not about creating perfect protection, it's about ensuring your car isn't the softest target for theft in the parking lot.
If Cuba had fewer reasons to talk to Russia and China, then Russia and China would have fewer reasons to talk to Cuba in particular, vs. other Caribbean and Central American nations. Which would, potentially, spread their resources thinner and decrease covert-ops ROI, as they'd be having to engage with several nations who only weakly want them there, instead of one nation that desperately wants them there.
(And yes, I do realize that these powers do already engage with other nations in the area, e.g. Nicaragua. But not in the same way / not for the same reasons.)
Given how badly that idea failed with China, I don’t see it happening any time soon with Cuba, a mere 90 miles from the US mainland. That proximity is a main reason why Cuba gets such special attention.
I mean, China has all the base resources to be a superpower — and has been a continent-spanning, colonizing empire many times in its past — so it's unclear what the US was expecting to happen there. (Probably something to do with short-term realpolitik "rock and a hard place" leverage.) Cuba has never and will never be a threat to the US, except insofar as they provide projection of strength for some other ally. A Cuba that sees itself as a sovereign nation would be a good thing, in the same way that ex-USSR satellites that see themselves as sovereign nations are a good thing.
Also, if you want to talk about countries that the US actually gives "special attention" to, I'd more compare/contrast to the relationship between the US and Panama.
> in the same way that ex-USSR satellites that see themselves as sovereign nations are a good thing.
Cuba would have do what those other ex-USSR satellites did and discard communism and authoritarianism in favor of democracy. Then, yes, seeing themselves as a sovereign state would be a good thing.
It doesn't even have to discard the communism. Look at Vietnam: we fought a war against them in living memory, and we invite their people to go through our military training schools now so they can see how we do things.
Yeah that's an interesting comparison, though it's mainly b/c Vietnam sees China as its main adversary and threat, along with an opportunity to steal parts of the Asian manufacturing supply chain from China. The shared enemy and shared economic interests b/t US and Vietnam are pretty strongly aligned.
But I'm not sure if such an alignment could be created between the US and Cuba while Cuba remains a communist authoritarian hereditary dictatorship, since there's no shared enemy nearby and no strong shared economic incentive. Seems like the only real alignment would be Cuba becoming a democracy.
Exactly. I do believe that certain individuals and organizations might/should be excluded from service here; however, it seems like the only technical solution to regulations enforcement is to wholesale block a whole country.
The NK state is more than capable of arranging their own VPNs.
I think the West gains a lot more by having generally available VPN access in adversary states than it loses from their ability to purchase technical services that they still will have difficulty getting access to currency to pay for and they still will have difficulty actually shipping anything to NK.
Yes? Making it easier for North Korean citizens, or even just leadership, to communicate privately with each other and with people outside makes it easier for them to negotiate or even defect, and would help de-escalation efforts.
> What might the reasons be on the "no" side?
I guess one could argue that the North Korean government doesn't have access to secure VPN systems for government use (pretty implausible IMO) and that increasing their costs is inherently worth it? Realistically most of the opposition would come from those who benefit from the status quo (e.g. arms suppliers) and don't want to see that de-escalation, and I guess the extremely risk averse who would rather keep kicking the can indefinitely and hoping the blowup doesn't come until after they're dead, than risk actually trying to help North Korea's people.
The vast majority of north koreans only have access to the nationwide intranet. Those that do have outside connection are few trusted elites who are there to do business. And no matter who you are (this also applies to foreigners in the country), your device and connection is heavily monitored by the state. Merely possessing a non-state sanctioned device as a north korean is considered a serious criminal offense. At that point the only use case of a VPN for someone with a north korean IP is for cybercrime and not dissidents.
Bad comparison. NK is a nuclear state with nuclear weapons that is constantly threatening its neighbors. Cuba flirted with the idea but they didn't really materialize any nuclear or military capabilities. This was also a long time ago.
If you're already a Mullvad customer, is there some way to integrate this into your account?
Right now, when I want to use Mullvad via my tailnet, I set the exit node to be a linux box at my house that is set to automatically send all traffic via Mullvad. That's free for me, since I already pay for Mullvad on that linux box at home.
Wouldn't it be more "efficient" networking if I could sometimes just use the mullvad app instead of tailscale > mullvad?
Either way it would be good to at least have the option to use an existing account. Maybe tailscale is taking a cut since mullvad dropped recurring sub support natively.
The root problem this all came from is that users can't really run two VPN clients at a time. It rarely works due to them fighting over the same resources in various OSes. So we need to either add Mullvad support to Tailscale's client or Tailscale support to Mullvad's client. The former is tons easier.
> Wouldn't it be more "efficient" networking if I could sometimes just use the mullvad app instead of tailscale > mullvad?
no, why do you think that's the case? presumably the mullvad client does the exact same thing as the tailscale client will do - configure a wireguard tunnel.
edit: it will be interesting to see how much effort Tailscale put into preventing dns/route leaks vs the mullvad client
Well, if you want to use Mullvad outside of Tailscale, then it does matter: https://mastodon.online/@mullvadnet/111024772652906757 Seems like you won't be able to use your Mullvad account created via Tailscale for anything outside of Tailscale...
I pay for a year at a time for ease of use since they wouldn't save payment info when using port forwarding. And now since I last bought a years worth in May they turned off port forwarding and now make me drop the next 8 months of prepaid time if I'd want to use this feature (that I've been waiting for for years).
Can someone help me understand why VPN use seems to have exploded in recent years? I mean, I'm aware of the typical use-cases of corporate devices and such, but I doubt that's the major contributor here as those use-cases have existed for decades now. What's the impetus for what seems to be massive growth over the past 3+ years?
There's a fair amount of FUD tossed around in sponsored ad reads of a lot of independent creator content these days, so much now that the colloquial use of "VPN" these days for the masses is not "allow me to gain access to a network I control from anywhere" but "help me route my traffic to a specific geolocation".
Half truths about "securing your connection" and "preventing tracking" are spouted, without the supplementary information that device and browser fingerprinting do more to identify you as a user than geolocation does. With HTTPS, traffic is already encrypted, and any DNS-over-HTTPS or TLS provider will also mask where you were headed to, leaving much of the supposed benefits to be mostly snake oil.
If, however, you want to use it to access geofenced content, or you employ an obscurity-in-depth strategy to anonymize your identity, then sure, go ham. But as to why usage has exploded by the masses, a healthy dose of paranoia and influencer marketing.
99.999% of airport wifi users don't know that their traffic is bridged. So unless WIFI-6 introduced some network segmentation features that I'm not aware of, it's still a good idea for Grandma and Grandpa Jo.
The reason it's ubiquitous on YouTube is because they are gouging the hell out of consumers. Honestly it should be provided by your ISP as a bundled service. Although then it's just Comcast gouging you instead...
Can confirm, it seems like every single YouTube channel I've watched in the past 2-3 years has had an ad for 3 or 4 VPN services. Plus, the internet is getting more segmented, when I send links to some US sites to my friends overseas they need a VPN to access it, which wasn't the case like 6-7 years ago.
there's still ISP domain level blocks (based on SNI) to contend with, even if they can't modify any content. Things such as court banned sites (pirating?), age restricted content, etc.
SNI isn't encrypted. They can see plaintext domain name of your https requests. Obviously, they can also see the IP you're connecting to. Maybe ECH will be rolled out at some point, and we can stop using SNI.
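To make the point above concrete, here is an added example (not code from anyone in this thread) that builds a constructed TLS ClientHello and then parses it the way a passive on-path observer such as an ISP or a hotspot operator would. The record layout follows the TLS 1.2/1.3 ClientHello structure; the `EXT_ECH` codepoint is the Encrypted Client Hello draft value (0xfe0d), and the ECH payload here is an opaque placeholder. A VPN does not remove this field, it only moves the observer to the VPN exit; ECH moves the real name into an encrypted extension so that only a public outer name remains visible.

```python
"""Show the plaintext server_name (SNI) a passive observer sees in a TLS ClientHello.

Added example, not code from the thread. The builder constructs a minimal
ClientHello record (not a full handshake); the parser extracts what is visible
on the wire without any keys.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D          # encrypted_client_hello draft codepoint (assumed current)


def build_client_hello(server_name: Optional[str], ech: bool = False) -> bytes:
    """Constructed ClientHello record for testing; random and payloads are dummies."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if ech:
        payload = b"\x00" * 16                                      # opaque placeholder
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    body = (
        b"\x03\x03"                                   # legacy_version TLS 1.2
        + b"\x11" * 32                                # random (constructed)
        + b"\x00"                                     # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"          # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def extract_sni(record: bytes) -> dict:
    """What a passive observer learns from one ClientHello record: {'sni', 'ech'}."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + _u16(record, 3)]
    if not handshake or handshake[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    off = 2 + 32                        # legacy_version + random
    off += 1 + body[off]                # legacy_session_id
    off += 2 + _u16(body, off)          # cipher_suites
    off += 1 + body[off]                # legacy_compression_methods
    seen = {"sni": None, "ech": False}
    if off + 2 > len(body):             # no extensions block at all
        return seen
    ext_end = off + 2 + _u16(body, off)
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", body, off)
        off += 4
        data = body[off:off + elen]
        off += elen
        if etype == EXT_SERVER_NAME:
            p = 2                       # skip ServerNameList length
            while p + 3 <= len(data):
                ntype, nlen = data[p], _u16(data, p + 1)
                if ntype == 0:          # host_name entry
                    seen["sni"] = data[p + 3:p + 3 + nlen].decode("idna")
                p += 3 + nlen
        elif etype == EXT_ECH:
            seen["ech"] = True
    return seen


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))
    print(extract_sni(build_client_hello("public.example", ech=True)))
```

With ECH present, the parser still returns a name, but it is the public outer name the client was told to use, which is exactly the property that makes SNI-based domain blocking stop working once ECH is deployed.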
The VPN market has had considerable growth year-to-year since at least 2009. It's just that in the last few years that growth has added up to big absolute numbers.
Here's how I think about customer segments:
* Those interested in online privacy
* Those interested in circumventing censorship
* Those interested in a secure network channel from their machine to "The Internet", by which I mean secure from their local ISP eavesdropping on them.
* Those interested in circumventing geographical restrictions.
Due to the nature of the Internet and how its most important protocol (IP) works, changing your IP address is a necessary, but not necessarily sufficient, step in protecting your privacy online. This fact says something about the long term relevance of VPNs, Tor, and similar technologies.
Source: I'm one of the co-founders of Mullvad VPN.
In the age of wifi the man in the middle included someone sitting in the same coffee shop as you. ISPs turning into jerks came on the heels of that. Depending on where you got your news, it might have seemed like you heard about ISPs and hackers around the same time, but from my perspective the ISPs learned how to be bad from security experts explaining how much mischief a person could get up to and deciding that sounded like a swell idea.
> ISPs turning into jerks came on the heels of that.
> ISPs learned how to be bad from security experts explaining how much mischief a person could get up to and deciding that sounded like a swell idea
Telecommunications companies have played a central role in government surveillance schemes for at least 50 years, well before the advent of WiFi. ECHELON was fairly extensively reported on in the late 90's.
> it might have seemed like you heard about ISPs and hackers around the same time
I connected to the Internet around 1993, but my interest in computer security didn't start until around 1996. I'm not sure if that qualifies.
Yeah I wasn't talking about surveillance, I was talking about adulterating internet traffic.
From the surveillance standpoint, we now have devices we take with us and leave unattended. We are all waiting for a proverbial woodpecker to destroy civilization.
VPNs of the Mullvad type (not them specifically): Mostly marketing to the ignorant, but also people in police states and people who are getting annoying letters about their torrenting.
VPNs of the Tailscale type: Mostly people who self host apps and want them to be available across their devices without opening them up to the internet, or be able to access their NAS from Starbucks.
For me, at least when it comes to Tailscale, it was Tailscale SSH and MagicDNS. I haven't had to touch `sshd` at all, and I get automatic HTTPS certificates for machines connected to my tailnet. Also, it's free.
I don't do anything sketchy online, but I use a VPN for the same reason I use HTTPS rather than HTTP, ssh rather than telnet, BTC/XMR rather than my credit card (when possible), and LUKS FDE rather than nothing. I value my privacy, and I want to fight the false perception that privacy-enhancing tools are only for shady usage by shady people.
Use a VPN for the same reason you close the stall door in a public restroom.
(I'm not necessarily agreeing with your premise that VPN usage has recently grown; I don't know that to be the case.)
Honestly my ISP is too incompetent to run anything, DNS, billing, provisioning, you name it. I know because we used to do consulting for them. I am confident that there is no way that they'd be able to monitor my traffic, they can't even tell if an entire town loses connectivity.
Incompetence finds a way when money is involved. Notice how parking violations are performed with zeal but police can not be bothered for anything else short of an armed robbery.
There're shady companies selling privacy and others like mullvad. They don't take your name on sign up and allow for paying with cash or BTC and even Monero.
Even if they'd log your IP and traffic (which they say they don't) they'd know way less about who you are than your ISP.
what does "VPN use seems to have exploded in recent years" mean? I mean, what have you observed? "VPN" means lots of different things.
VPN to company is much more popular with businesses because of WFH and Covid.
consumer VPNs to random providers that advertise on podcasts are way up because of different countries having different video streaming service catalogs and because in the US consumer ISPs are increasingly privacy- and reliability-hostile. there's also a big marketing buzz because scaring people over these things was good for signups, so consumer VPN providers chose to advertise a lot.
Tailscale on the other hand is a way to re-create an actually flatly routable Internet, for myself, but with 2023 security levels.
Mostly because geofencing is getting much more widespread for various legit reasons (security, anti spam, licensing restrictions, etc) and very annoying for end users.
"Security" is not a legitimate application of geofencing, in my view.
Any attacker can trivially use a VPN to defeat it, yet legitimate users are massively inconvenienced by it. I've had too many accounts (bank and otherwise) locked for the crime of trying to access them while traveling internationally.
Generally it's to guard against ISP spying. In the case of your personal devices that you walk around with at work, the "ISP" is "your employer". Employer IT pride themselves on being far more nosy than your run-of-the-mill ISP.
Just my 2cents that I wrote about here[0]. It boils down to:
1. Ease of use for non technical folks (my dad in the post)
2. The dangers of having an exposed ssh port (even on non standard ports)
I just don't have the time or compute to constantly tweak my security settings for a publicly exposed port, so the easiest way to solve the problem is to not have the port publicly exposed
It feels like you may have solved a problem that didn't need solving? If you fully disabled password authentication, there's nothing to tweak; you can just ignore the log spam and not block the IP addresses and ignore it and it'll be fine.
It is not fully disabled, my dad's account has a password for sftp.
It's covered more in part 1 (linked at the start of the blog post) but the repeated attempts at ssh'ing into my server actually killed sshd (which is how I found out about it).
The other problem is that this "server" is hosted on a residential connection in my computer room. This is just something I don't want to deal with and using a VPN fixes that since I do not need to deal with it, and it's easy enough for my dad to use.
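The exchange above ("fully disable password authentication" versus "one sftp account still has a password") is exactly the case where a quick look at the top of sshd_config misleads. As an added example, not code from the blog post or from OpenSSH, here is a small audit that computes the effective `PasswordAuthentication` value per user the way sshd resolves it: the first value seen for a keyword wins, and a matching `Match` block overrides the global section. The sample config is constructed to resemble the setup described; the defaults table and the glob matching via `fnmatch` are simplifications of OpenSSH behaviour.

```python
"""Which accounts can still log in with a password under a given sshd_config?

Added example, not code from the thread or from OpenSSH. Handles the global
section plus Match blocks with User, Group and Address criteria.
"""
import fnmatch
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sshd_config resembling the thread's setup: key-only auth globally,
# but a Match block that keeps a password for one sftp-only account.
SAMPLE_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

Match User dad
    PasswordAuthentication yes
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
"""

# OpenSSH defaults for the keywords this audit reports on.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

Settings = Dict[str, List[str]]
Criteria = Dict[str, List[str]]


@dataclass
class SshdConfig:
    globals: Settings = field(default_factory=dict)
    matches: List[Tuple[Criteria, Settings]] = field(default_factory=list)


def parse_sshd_config(text: str) -> SshdConfig:
    cfg = SshdConfig()
    current = cfg.globals
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            # Criteria come in pairs ("User dad Address 10.0.0.0/8"); "Match all" has none.
            crit = {args[i].lower(): args[i + 1].split(",") for i in range(0, len(args) - 1, 2)}
            current = {}
            cfg.matches.append((crit, current))
            continue
        current.setdefault(key, args)     # first occurrence wins, as in sshd
    return cfg


def _matches(crit: Criteria, user: str, group: Optional[str], address: Optional[str]) -> bool:
    if "user" in crit and not any(fnmatch.fnmatchcase(user, p) for p in crit["user"]):
        return False
    if "group" in crit and not (group and any(fnmatch.fnmatchcase(group, p) for p in crit["group"])):
        return False
    if "address" in crit:
        if address is None:
            return False
        ip = ipaddress.ip_address(address)
        if not any(ip in ipaddress.ip_network(n, strict=False) for n in crit["address"]):
            return False
    return True


def effective(cfg: SshdConfig, keyword: str, user: str,
              group: Optional[str] = None, address: Optional[str] = None) -> Optional[str]:
    """Value sshd would apply for this connection; Match blocks override globals."""
    key = keyword.lower()
    for crit, settings in cfg.matches:   # first matching block that sets it wins
        if _matches(crit, user, group, address) and key in settings:
            return settings[key][0]
    if key in cfg.globals:
        return cfg.globals[key][0]
    return DEFAULTS.get(key)


def password_logins(cfg: SshdConfig, users: List[str]) -> Dict[str, bool]:
    """Map each account to whether sshd would accept a password from it."""
    return {u: effective(cfg, "PasswordAuthentication", u) == "yes" for u in users}


if __name__ == "__main__":
    print(password_logins(parse_sshd_config(SAMPLE_CONFIG), ["alice", "dad"]))
```

Running it on the sample reports `alice: False, dad: True`, which is the honest answer to "is password auth disabled?": only for everyone except the one account the brute-forcers would need to guess, and that is the account to protect with a VPN-only listener, a strong passphrase, or a key.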
I use a VPN anytime I leave my house (although it's not a commercial "service"), because network-based telemetry is on the rise and companies that offer free WiFi as well as our telcos are basically out to get us. See https://www.wired.com/story/verizon-user-privacy-settings/ as one example.
I don't want to "opt-out" and hope companies actually follow their policies, or assume their policies are sufficient when I "opt-out". So I ensure all of my network traffic is routed through my home no matter where I'm at or which device I'm using, and then from my home I ensure all my network traffic is routed through a business-grade connection that is offered under standard contract terms that preclude the type of fuckery that every ISP in America seems to think is acceptable to do to consumers.
That's why I use a VPN, and I'm pretty sure a lot of people who use a commercial VPN service do it for very similar reasons and don't have the technical know-how or wherewithal to set something like I have up for themselves.
For VPN in the Corporate network sense, it's for easy access to your computers. You don't want to have to open ports on your router or hope that whatever world-accessible service you throw out there is secure - instead, Tailscale handles authentication, authorization (if you'd like to set up ACLs), and it handles NAT traversal without any open ports.
I think a primary reason is "more privacy" (Mainstream VPNs actually reduce privacy) closely followed by bypassing regional restrictions (like blackouts during sports games, using Pornhub in Utah or Alabama, or looking up clinics that perform abortions in Texas) followed by bypassing ISP restrictions.
For me the fact is there are really easy to use user interfaces for VPNs now. They are very performant and low latency as well, so they're practical for everyday browsing on the modern web and even for gaming and streaming.
Also, geographical blocks on content such as Netflix and BBC etc
Aside from "Privacy VPN" usage, there are other reasons to have a VPN server (including tailscaled) at home. Some home network connections don't offer a public IPv4 address. People want to avoid exposing any port to the internet.
I can't speak for everyone, but technologies like WireGuard, Tailscale, and Nebula are not merely VPN solutions. They're SDN solutions that incorporate VPN capabilities, WireGuard (and thus Tailscale... in most cases) being unique in that they're incorporated at the kernel level. Having a single overlay network for my cloud host, home servers, cell phone, and personal computers allows me to construct my own private cloud of sorts.
Mh interesting, I wrote a script a while ago to start on connection in order to have mullvad coexist with tailscale, if anyone is interested, I also have one for NVPN

  #!/usr/bin/env bash
  # Usage: ./tailscale-mullvad-mark.sh <mullvad wireguard interface>
  # Marks Tailscale control-plane, DERP and MagicDNS traffic with Mullvad's
  # WireGuard fwmark so the Mullvad kill switch lets it through. Needs root.
  set -euo pipefail
  WG_IF="${1:?usage: $0 <mullvad wireguard interface>}"
  FWMARK=$(wg show "$WG_IF" fwmark)
  DOMAINS=(login controlplane log)
  for i in $(seq 1 24); do DOMAINS+=("derp${i}-all"); done

  # Interface-wide rules only need to be inserted once, not once per resolved IP.
  iptables -I INPUT  --in-interface  tailscale0 -j MARK --set-mark "$FWMARK"
  iptables -I OUTPUT --out-interface tailscale0 -j MARK --set-mark "$FWMARK"

  # Mark traffic to/from every Tailscale coordination and DERP relay address.
  for d in "${DOMAINS[@]}"; do
    # +short may also print CNAME targets; keep only IPv4 literals
    for IP in $(dig -4 +short "${d}.tailscale.com" | grep -E '^[0-9.]+$'); do
      iptables -I INPUT  -d "$IP/32" -j MARK --set-mark "$FWMARK"
      iptables -I INPUT  -s "$IP/32" -j MARK --set-mark "$FWMARK"
      iptables -I OUTPUT -d "$IP/32" -j MARK --set-mark "$FWMARK"
    done
  done

  # Tailscale's MagicDNS resolver address.
  for chain in INPUT OUTPUT; do
    iptables -I "$chain" -d 100.100.100.100/32 -j MARK --set-mark "$FWMARK"
    iptables -I "$chain" -s 100.100.100.100/32 -j MARK --set-mark "$FWMARK"
  done
Excellent, I'm finally able to retire the NixOS module I wrote to replace Tailscale to fix this exact problem [1]. It was certainly imperfect and overengineered, but it has worked for my use cases pretty well.
I'm still not sure if I like the login situation for Tailscale (allowing only 3rd party auth) but I understand why they do it.
EDIT: Turns out I can't use it yet since you have to buy Mullvad through Tailscale. I bought a year of Mullvad in May (they can't save payment info for port forwarding) and in the 4 months since they've removed port forwarding[2] and won't let me use my remaining credit for this integration.
So it’s $5 for 5 devices? I was expecting to see an option for existing mullvad customers to enter their credentials instead of buying a new subscription but may not be the same thing
As someone that already has a subscription to a VPN service (not mullvad), I’m wondering what this would get me for end devices, vs just using my vpn provider as I’m already doing
Oohh, this is exactly why you can't. I just commented similarly, but yours made me realise - this must be an agreement between the companies, Mullvad doesn't want you to fairly easily have all devices on the same tailnet, single exit node using 1/5 keys on Mullvad. Without Tailscale, if you configured them all separately, it'd use as many keys as you had devices.
You can similarly bypass it without Tailscale, the same way you had to do it in Tailscale before this announcement, with everything egressing via a server which is the single Mullvad client. But it makes sense with the built-in solution (with probably better latency etc.) that they wouldn't want that.
I recently (just earlier this week in fact) had to spend a few days on fast-but-restricted "guest" WiFi and was struggling with this very thing: I needed to use a tailnet to access my servers for vscode remote development, but also needed a VPN since the WiFi was blocking harmless stuff like duckduckgo.com
In the end I was able to do a split-vpn config to allow VScode to bypass the VPN and leave the browser to use the VPN. Having tailscale just handle it would have been handy, and reading the docs today I found out that I could have just used a machine on my home network as the exitnode as well, which would have worked great too I expect.
Have to say though that this was the first time I had used tailscale "in anger" for any serious period of time away from my home network. It was superb and (apart from the VPN issue) just worked exactly as advertised and I was able to access all the stuff on my NATed home network as if I was in my home office. Brilliant product - thanks to all the tailscale folks ("tailers"?) on here for the product!
This tailscale press release claims you can forward nonstandard ports with this configuration. Who knows what that means or even if the copy was just approved six months ago or what.
Yeah, thanks for the suggestion; i do have an intel nuc hidden away somewhere that runs an exit node. I'm looking for the reverse basically, having my entire home network use another exit node somewhere else, to access regionally restricted content...
Why would I use Tailscale over OpenVPN, for example? OpenVPN is supported by my router OOTB and the config was incredibly straightforward. It sounds like Mullvad adds a layer of privacy into a Tailscale network if I’m understanding it correctly. But Mullvad aside, I don’t get what separates Tailscale from something like OpenVPN.
Huh. Well in my case I flipped the feature on in my Asus router, installed the OpenVPN client on my iPhone and imported the config file my router generated for me and that was it. Took like 2 minutes to do.
You cannot hide from governments. If they want you badly enough they can track you anywhere. So, don't do anything illegal and expect any VPN to protect you because paid in cash! Remember, all governments have secret national security laws to surveil all data all the time and almost all governments' (even supposed enemies) secret national security agencies cooperate if they badly want to catch someone.
You cannot hide from advertisers if you use a smartphone with apps. App developers who put ads within their app control the apps behavior completely and hence they can fingerprint your device and track you very well without using IP addresses. And within browsers, they can fingerprint you through many javascript features of the browser. Hiding your source IP does very little for your privacy.
Almost all traffic (apps and websites) is encrypted via TLS (https, for example). So, even if you are on an insecure network, unless your OS's TLS certificate store is compromised, your communications are encrypted and protected against snooping from that insecure network.
Also, even on open wifi networks, today, it is very unlikely that the wifi is running without at least WPA2 encryption. Most modern airports run secure wifi. (But they also monitor all traffic metadata for illegal activities).
So, using a VPN as an exit node is just privacy theatre. VPN exit nodes in faraway countries are useful for bypassing content censorship in your own country, but it works only if the content streaming service cooperates with you.
Remember, all ISPs are heavily regulated by governments and can be asked to mirror specific customer's traffic for analysis. I would be very surprised if they don't proactively do it for all VPN operator nodes by default.
Plenty of people have and I would rather they have to spend a Tor 0day amount of cash to do it than to do it trivially.
> You cannot hide from advertisers if you use a smartphone with apps. App developers who put ads within their app control the apps behavior completely and hence they can fingerprint your device and track you very well without using IP addresses. And within browsers, they can fingerprint you through many javascript features of the browser. Hiding your source IP does very little for your privacy.
Sure, if you have sketchy apps, but Apple has both legal enforcement and approval of apps.
> So, using a VPN as an exit node is just privacy theatre. VPN exit nodes in faraway countries are useful for bypassing content censorship in your own country, but it works only if the content streaming service cooperates with you.
...? They can't trace where your requests came from....
Are there browser plugins that can "fake" your browser fingerprint somewhat? Like, e.g., only showing OS default fonts installed, or fixing screen dimension info, etc? Or would this require forking a browser's code?
No it just requires the company wanting to do it due to a government order.
The “compromise” is coming from inside the house. Might as well claim no one knows the admin passwords because they are written in a notebook that the management keeps in their home safe.
That said, I don't know if Mullvad is good or evil, but one of the ways you can evaluate companies is to recognize when they're making sketchy, not-relevant claims to create an air of legitimacy.
This "our servers have no disks" thing is kind of marketing. It is meant to imply something that it doesn't actually demonstrate. Who cares if there are local disks? It doesn't change the threat model at all, it's mostly to convince people who don't know very much about claims which are basically impossible to prove. It's the higher-tier version of "we use military grade encryption."
Lawful Intercept on the public internet does not rely on local hard drives on any node in the network and has not since the 90s, as a specific example of how meaningless this is.
I disagree - while it does not prove they aren't doing something nefarious, I think it is easier to demonstrate that you aren't logging to network calls than it is that you are accidentally spilling something to disk.
In Sweden, physical search of the drives is a real concern. The Swedish national police attempted to search Mullvad once, but since there was no data to seize they left empty handed.
"just needed" is a simplification. Very few organizations outside the US federal 3-letter agencies have the resources to spend on volatile data recovery in practice. Even the FBI isn't going to bother unless they're confident some extremely valuable evidence is involved.
"The HotPlug's patented technology keeps power flowing to the computer while transferring the computer's power input from one A/C source (such as a wall outlet or power strip) to another (a portable UPS) and back again."
Realistically, what prevents police from just sticking in a USB device and doing a memory dump? I'm not sure I buy this story since police with a sufficiently strong warrant can always just take over a firm's premises and bring in their own forensic people until they find what they want.
no they haven't built an impregnable system, neither has anyone else in the history of the world.
they have raised the bar very fucking high, though.
normal vpn company: oh yes, Officer, here's their credit card details and a list of all IPs they've ever connected from, and DNS logs from our internal servers
mullvad: OK, I guess you have the corrupted partial contents of memory of one machine that you managed to dump after dawn raiding us with guns and using liquid nitrogen to freeze the DRAM for a cold boot attack where you now have 90 minutes before entropy claims another victim.
one company tried a lot harder and made things a lot better. dumb equivalence arguments are dumb.
It's not a position, it's a simple question. Given that I can get a lot of information out of a computer to which I have physical access with only middling forensic skills, I'm inclined to think that the police can do at least as well if they're sufficiently motivated.
Unless you automate this process to flush all memory periodically, this seems like a good way to get charged for interfering with an investigation or have your assets seized and thrown into legal limbo. Police aren't complete morons, in the real world goofing around like this has consequences.
> one of the ways you can evaluate companies is to recognize when they're making sketchy, not-relevant claims to create an air of legitimacy.
This is an excellent heuristic. Personally I like to evaluate trustworthiness in terms of integrity and competence - can I trust their values and can I trust that they know what they are doing? Words are cheap of course. Consistent action across several years is much harder to fake. It also overlaps with another heuristic I use to model and predict the behaviour of a company; a company's behaviour will converge on the shareholders' goals over time.
> This "our servers have no disks" thing is kind of marketing.
You are correct that we considered that aspect while writing the blog post, but please read the content before passing judgement. See the section titled "To recap about “no disks in use”" in particular.
On the topic of "air of legitimacy" I'll just leave these here:
* Our apps have been open-source since we launched in 2009
The blog post you commented on also talks extensively about how it was one of our first steps in making our infrastructure transparent. Here are just two things we've done as part of that project:
* "This is the first time a modern off-the-shelf server platform gains coreboot support, and it is an integral part of realizing our vision of transparent and independently auditable VPN servers." - https://mullvad.net/en/blog/2019/8/7/open-source-firmware-fu...
And finally, we've spent 2-3 years designing a transparency log with distributed trust assumptions. One of many critical parts necessary to achieve our vision of transparent server infrastructure. I'll wager that there's no transparency log with a stronger threat model than ours. https://www.sigsum.org
We're certainly not without fault, but hopefully this helps inform your opinion of Mullvad.
Best regards,
Fredrik Stromberg (co-founder of Mullvad VPN, Tillitis, Glasklar Teknik)
They practice what they preach. They recently stopped selling recurring subscriptions, and most likely threw away a big chunk of money, because there was no way to support them in an anonymous way.
they take privacy extremely seriously, by trying to reduce the amount of data they even have that can get subpoenaed (no logs, no accounts, accept payment by cash) and appear to have not yet fucked up.
So tailscale makes it super simple to create your little network, sorta like hamachi used to, but what's the point of mullvad in this equation - can someone explain it to me a little more clearly like I'm 5 (ELI5)?
Actually, you cannot use your present Mullvad account to do so. Instead, Mullvad provides an exclusive API for Tailscale as a partner account to do so, which you can only get from Tailscale if you choose their service. Mullvad only allows that data to go through its servers.
Given that Tailscale is a ridiculous company that advertises on privacy while forcing users to log in via SSO by tech giants or OIDC, which is shit for privacy, I will stick to my current original Mullvad account and keep away from this service.
In the most literal sense, they are still a "send me cash in a snail-mail envelope and we'll let you in" provider, see https://mullvad.net/en/pricing
> Can I really pay with cash?
> You bet, and please! Stay anonymous all the way. Just put your cash and payment token (randomly generated on our website) in an envelope and send it to us. We accept the following currencies: EUR, USD, GBP, SEK, DKK, NOK, CHF, CAD, AUD, NZD.
Nice! Presently maintaining this hackily myself with an exit node running in Fly.io that reaches the internet via Mullvad, I'll be glad to simplify it and maintain less.
I'm a bit confused about the payment section though - I have to pay for Mullvad via Tailscale now? Can't I just use the peer keys I've registered in my own account?
Can anyone comment on whether it's possible to use something like NextDNS in conjunction with Tailscale and Mullvad?
Edit: to clarify, I'm aware of the existing NextDNS integration with Tailscale - I was wondering if this (or other third party DNS) works specifically with these new Mullvad exit nodes...
first result on google for "tailscale nextdns" explains how to - for some reason - leak all your dns queries to some random company you don't pay money to: https://tailscale.com/kb/1218/nextdns/
Are you talking about the metadata collection by NextDNS itself? It's not some random company, and again, you can disable it pretty easily. Afaik the metadata is mainly used to classify requests per device and show some stats.
I've never used Tailscale or Mullvad, I do use a VPS and Wireguard that I configured and run. I'm wondering if people working at Tailscale or Mullvad could snoop on the traffic passing through their servers?
Can a device which is not capable of running custom software, i.e. the router my ISP gives me, but which is able to connect to WireGuard, be used to connect into an existing tailnet?
Mullvad is impressive; however, the issue with Mullvad ID persists. The proposed solution is a Zero-Knowledge Proof Authentication system. With this approach, Mullvad will retain your public key but will not possess information regarding the association of specific sessions with individual Mullvad IDs.
if you're going to go to some random thread and post about your slightly related hobbyhorse, at least provide a link to some information about whatever you're upset about.
It sounds great. But their banner is showing that my IP address is from Mumbai, whereas I’m actually in Bengaluru, India. That’s not really reassuring. Maybe it’s just Apple relay on my device that’s obfuscating my details.
edit: my bad, hit me bit late that it’s the intended behaviour.
Headscale is a FOSS replacement for Tailscale's closed source coordination server. It is compatible with Tailscale's client apps, which are FOSS for Linux and Android, and partially closed source for macOS and Windows (https://tailscale.com/opensource/).
This partnership makes me want to remove tailscale from my stack and instead use wireguard directly. Leaves a bad impression. Fighting against my instinct and telling myself I'm irrational. Tailscale is one of the first things I install on every machine. It's so good. But this partnership erodes trust, doesn't build it.
mullvad has one of the best reputations in the entire consumer vpn space. they were one of, if not the, very first businesses to accept bitcoin back in 2010 when no one knew what bitcoin was and before the word crypto existed or anyone was in it to make money. they were one of the early funders and supporters of wireguard itself before it was merged into linux (and before anyone cared about it). they are working in cooperation with firefox to run their vpn system. they require no email address or personally identifiable information at all to use them. they don't do scammy sponsorships on podcasts or youtube channels to mislead people into thinking that their service or vpns in general solve problems they don't actually solve.
and at the end of the day if you think consumer vpns are stupid you can always just not use it. i don't think that them teaming up with mullvad implies anything bad or suspect about either of them. this type of a service is something that is really important and useful to a certain subset of users, and if they were going to wind up teaming up with a consumer vpn provider this is probably the least shady and most principled one they could have done it with.
I personally think all of the VPN providers are essentially selling snake oil. In addition, I think there are better tools for the job. If you want anonymity, use Tor. If you want to bypass geo-restricted content, use Bittorrent.
From a strategy standpoint, I am not sure how this helps Tailscale at all. It changes how I view them and not in a good way.
There are not only two reasons to use a consumer VPN. It is entirely reasonable to shift trust from an opaque, investor-owned corporation that has no profit incentive or regulatory reasons to protect their customers' personal information and network footprint (in fact they have an incentive to sell as much data about their customers as possible) to a much more transparent company that does have the incentive to protect their customers' data.
Mullvad has been at the forefront of not just VPN companies, but of any company, in their transparency, focus on their technology and pushing for further improvements in protecting data, raising the bar for trust and integrity and being more open.
Consumer VPNs are not a panacea (and Mullvad does not market themselves to be one). It is unfortunate that almost every single VPN company is actually snake oil, but Mullvad is a welcome counter-example.
> If you want to bypass geo-restricted content, use Bittorrent.
I mean, if I just want to watch some geo-restricted show on a streaming service, it's a lot nicer of an experience just to use a VPN rather than having to torrent the show and run Plex or something else to provide a half-decent content browsing experience for your TV. Also, you don't have to worry about some copyright holder suing you (or more likely, extorting you) because you seeded 30s of video. Yeah, the VPN might sell your routing logs to some content company, but (1) that's unlikely and (2) is it even illegal to stream copyrighted content (pretty sure it's only illegal to provide it)?
Also out of curiosity, how adequate is Tor for bittorrenting? I would guess it constrains bandwidth pretty severely?
>Also out of curiosity, how adequate is Tor for bittorrenting? I would guess it constrains bandwidth pretty severely?
I've never done it, but it will have some problems: no UDP support (cannot connect to UDP trackers or use uTP with peers), no port forwarding (cannot connect to peers with closed ports), and some exit nodes might block outgoing activity towards the well-known ports (6881) though most peers don't use this port and instead use random ports.
> I personally think all of the VPN providers are essentially selling snake oil.
this is incorrect.
nearly all the consumer VPN providers are indeed selling snake oil, and are only useful for obscuring your traffic from ISPs snooping. they keep logs, they have lax security, they sell aggregate whatever to data brokers, they don't give a shit about stopping leaks, etc.
Mullvad isn't, though, and spent loads of effort on ensuring even they can't usefully spy on their users.
> In addition, I think there are better tools for the job. If you want anonymity, use Tor. If you want to bypass geo-restricted content, use Bittorrent.
"I want to play on multiplayer game servers in regions other than the one I live in" is a use case of VPNs that is not covered by your alternate methods.
The privacy benefits are massively oversold, I agree with you there.
[1] https://en.wikipedia.org/wiki/John_Gilmore_(activist)