I've generally considered an SSH tunnel as a poor man's VPN.
If you're going to the effort to spin up a machine, and use SSH anyway, I find it much easier to use `ssh user@server.com -D 4444`; then I can set my browser's proxy settings to use localhost:4444 as a SOCKS5 proxy.
For those apps that don't have native proxy support, I use proxychains to force them over a proxy connection.
Of course this is only useful for a single user, and for devices that can use ssh and proxies.
Just be careful with -D, as it is relatively easy to accidentally make it possible for other computers to use your computer as a proxy too. By default, GatewayPorts in the sshd config is set to 'no', which will prevent this from happening. However, you or someone else may have set this to 'yes' at some point for some purpose. To be safe even in that case, you may want to use 'ssh -D127.0.0.1:4444' instead of just '-D4444'.
I have accidentally opened an internal network to the public this way. (Nothing bad happened.)
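Added example, not code from the thread: a small shell function that audits the output of `ss -ltnp` and lists ssh client listeners (such as a `-D` SOCKS port) that are bound to something other than a loopback address, which is exactly the accidental exposure described above. The listing it runs on is a constructed sample; ssh(1) binds a `-D`/`-L` listener according to the client's `GatewayPorts` setting in ssh_config unless an explicit bind address is given.

```shell
#!/bin/sh
# Constructed sample of `ss -ltnp` output (not captured from a real host).
# Two of the ssh listeners below are reachable from other machines.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    127.0.0.1:4444       0.0.0.0:*         users:(("ssh",pid=1234,fd=5))
LISTEN 0      128    0.0.0.0:8080         0.0.0.0:*         users:(("ssh",pid=1235,fd=5))
LISTEN 0      128    [::1]:4445           [::]:*            users:(("ssh",pid=1236,fd=5))
LISTEN 0      128    *:9050               *:*               users:(("ssh",pid=1237,fd=5))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=900,fd=3))'

# exposed_forwards SS_OUTPUT
# Prints one "address:port" per listener owned by the ssh *client* that is not
# bound to a loopback address. The sshd daemon's own port (process "sshd")
# is deliberately ignored; only forwards created with -D/-L are of interest.
exposed_forwards() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" && $NF ~ /\("ssh",/ {
      addr = $4
      sub(/:[0-9]+$/, "", addr)      # drop the port, keep IPv6 brackets intact
      if (substr(addr, 1, 4) == "127." || addr == "[::1]" || addr == "localhost")
        next                         # loopback only: not reachable from outside
      print $4                       # anything else (0.0.0.0, *, [::], a NIC IP)
    }'
}

# Run against the live system only when asked to, e.g. RUN_LIVE=1 sh audit.sh
if [ -n "${RUN_LIVE:-}" ]; then
  exposed_forwards "$(ss -ltnp)"
fi
```

An empty result means every ssh forward on the host is loopback-only; a non-empty one names the listener to restart with an explicit bind address such as `-D 127.0.0.1:4444`.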
Haha, I came here to say just that. Using NAT and routing you can set up the machine initiating the client ssh connection to act as an internet gateway for the clients that have its IP set as their gateway. Did this with a Raspberry Pi before.
Easiest option in the book. The only downside I face with this is frequent captcha requests as the IP range (Hetzner/IPv6) is marked suspicious. Probably because it is flagged as a server range vs domestic.
This is what I've always done should I face some blocking or whatever - spin up the lowest tier vm on gcp in whichever region suits me, do my business, kill and bury the vm.
Agreed. You're already setting up SSH and deleting it soon so why bother setting up the IPs, adding your public key, getting the server's public key, configuring iptables, and configuring wireguard locally when you could just SSH?
Only benefit I'd see is wireguard would be easier to use on a mobile device, but the setup requires the ability to run ansible and do ssh already so... that's not really practical.
Yes! Last time I used sshuttle (bypassing content blocks in India by tunneling to a server in the US), my bandwidth dropped from 10mbps to 1mbps. Back then wireguard didn’t exist, but IPSEC could easily saturate the 10mbps link. I suspect it’s a combination of TCP-over-TCP and a horrible default buffer size that makes sshuttle unusably slow.
You don't need VPNs to bypass censorship blocks in India. Well, at least in my experience.
Apps that manipulate TCP packets locally to break fingerprinting [0] like GoodbyeDPI (Windows) [1], GreenTunnel (cross platform CLI) [2], Intra (Android) [3] have been adequate.
Pretty sure sshuttle doesn't suffer from TCP over TCP, similar to how normal SSH tunnels don't, because they operate at layer 4 and copy the bytes manually onto the multiplexed connection. Layer 2-3 tunnels are typically where you run into issues.
I assume you’re talking about tunneling TCP over DNS queries. Does that really work on airplanes? A link to the code would be appreciated.
I thought captive portals force you to use their DNS servers by grabbing all UDP packets with the DNS port (regardless of destination IP) and those servers respond with the webserver’s IP regardless of what you query.
It does TXT record lookups or equivalent. Those get resolved correctly without any interference from the captive portal. Here is something similar in technical nature to what I have used in the past (free DNS VPN apps on ios) https://github.com/JadenGeller/Burrow-Client
sshuttle's page is terrible at explaining what it does. It mentions a common problem ("I have that, yes please!") and then just says "get sshuttle" and ends there.
Is that out of favor nowadays, given new technologies like Wireguard have become mainstream? Would I be better off using this, or the Algo scripts that another commenter mentioned? (https://github.com/trailofbits/algo)
Tailscale is just great! It's so easy to use, I have it running on all my devices and servers, so I can connect to them from wherever I want, and with the "Exit Node" feature you can also select a system to route all traffic through (and switch easily between them, at least on mobile).
Tailscale still takes some rather drastic measures to make itself work magically which have occasionally broken other things.
For instance, I can't connect to a work VPN (vpnc) properly while tailscaled is running because Tailscale hijacked my resolver entirely. It does that even on resolved.
Concurring with Tailscale's ease of use, though for mobile clients I found it was more reliable to have a wireguard accessible tailscale peer rather than rely on Tailscale's app.
Thank you for pointing out Tailscale. It seems like it's exactly what I was looking for, with the free tier being completely sufficient. I set up a smart home network (zigbee2mqtt running on an OrangePi) and also an endpoint in a neighbouring country.
I use Tailscale to run pihole in the cloud on gcp as my DNS server.
Pennies a day - $0.38 in January so far. This would definitely be free-tier level stuff, but for some reason they are charging me for it and it’s not worth my time to figure out why given the low cost.
I’m not using it as an exit node (haven’t gone down the hole of traffic scanning or anything like that), but that would make it more expensive.
It is nice - I can set up all my devices for pihole and block distractions, and have Tailscale on my wife’s computer to switch on when I’m using it. She doesn’t get frustrated I’ve broken the internet when she uses it and I flip Tailscale off.
I’ve also got a desktop that I can connect into from my iPad on the road. Setting up a dev environment in a cloud platform and adding it with Tailscale would be trivial.
I followed a guide and made my own using OpenVPN on AWS Lightsail (not Digital Ocean). But once my AWS Lightsail trial was over the cost crept up and was quickly getting out of hand. I had to stop it and even delete everything since I was still being charged for a powered-off VM!
It is an interesting project and it looks good on your resume if you're just starting out in IT.
`ssh -qND localhost:8080 user@ip` sets up a SOCKS proxy at localhost:8080. In your browser connection settings (at least in Firefox) you can set it up to route your traffic through the connection. It's not as good as a proper VPN for prolonged use, but for a quick one-off, it'll do the job.
Indeed. From the title I imagined a setup that launched an EC2 machine and then shut it down after disconnection. That’s the only way to pay cents per month assuming you’re not connected to a VPN 24/7
Managing your own server at $5/month does not make sense from any perspective other than “privacy”, if you believe that.
You can get a performant 4-core arm64 VPS from Oracle for free; had no speed impediment with WireGuard on it. It's free 24/7... the affordability of arm...
It's getting to the point where anything other than a censored, throttled, traffic shaped, surveilled, overpriced, residential ISP IP is a second class citizen. It's a real bummer.
I use a router behind my router at home that runs 100% of my traffic over a VPN before it leaves the building. Any services that don't work, I simply don't use them. Someone else will take my money.
I used to use a very cheap NAT VPS as an OpenVPN server but after it got terminated I found CyberGhost. It is a lot more flexible and usable across multiple devices with the downside of not being able to open incoming ports.
Your commercial VPN provider may collect data about you (and make larger profit from it, not from your fee). I don't mean using commercial VPN is bad, just keeping this in mind.
If you're spending $5 on a VPS, aren't there actual VPN services that cost $5 or less that you don't have to manually set up and destroy?
If you're just doing it for fun (kinda like "hosting your own mail") I recommend setting up an IKEv2 IPSec VPN. It might be the hardest VPN to set up? But you learn a good deal about VPNs and networking. Most OSes ship with a native IPSec VPN implementation, and most "enterprise" VPNs are some variation of IPSec. Mobile devices, internal firewalls, internet gateways, enterprise AWS tunnels, etc. You can keep getting fancier by adding VLANs, GRE, BGP, certificates, RADIUS.
Heh, right now I use WireGuard for exposing some of my homelab servers to the internet and to work around my ISP's NAT setup. WireGuard is really pleasant to use and simple to set up!
I recall using OpenVPN a few years ago for a similar use case in my university dorm; it was comparatively way worse. The configuration parameters were unclear, some of the documentation was out of date, and even when using the faster (but less secure) methods of encryption, I found myself having a VPS that was overwhelmed and had almost 100% CPU usage (on its single core, since VPSes are generally expensive), whereas the client couldn't get much past 10 - 20 Mbps when the connection speed itself was closer to 100 Mbps.
Nowadays, for a VPN, I just use Time4VPS https://www.time4vps.com/virtual-private-network/?affid=5294 (affiliate link so I get discounts for signups; I also use them for most of my VPS hosting) because they're affordable and have more locations than I can get VPSes in those locations for comparable amounts of money. It seems like their offering is OpenVPN based, which is surprising, since it works pretty well. It makes me think that either I royally screwed up my own config back in the day (though a default config should never hit 100% CPU usage like that, which happened to me), something was wrong with the system packages, or they just have beefier servers behind it, despite many users.
While it does not yet exist as an end to end solution, BlindTLS[0] is a technique which perfectly fits the description of a "poor man's vpn". You pay the vpn provider for a tiny fraction of the traffic, and you can safely route the rest directly through your own ISP. This should work around most censorship techniques or geographic blocking. It doesn't promise privacy though.
OP mentions DigitalOcean as a compute provider. Is there much info on which compute providers will ban you for, say, P2P or BitTorrent activity? Presumably this is against the ToS for most providers.
I'm surprised no one has mentioned Outline (https://getoutline.org/), which provides full capability to set up a VPN easily on any major cloud provider with 1 click. It also provides mobile apps to use as well.
Looks like it was a cool project, but the last commit was 2 years ago. I’d suggest looking at Algo (https://github.com/trailofbits/algo), which is similar, but actively maintained.
Could this be turned into a bash script without loss of functionality? I'm not trying to denigrate the work or Ansible as a tool in more complex scenarios.
The author's use for this is to circumvent geographical jurisdictional restrictions. If that is the aim (rather than privacy), then I don't understand how a $5 (per month) VPS along with all of the config and steps required (read: non-negligible time cost) is the "poor man's" solution. Surely using any of the free forever unlimited VPNs would do the job at near zero cost?
It depends what your use case is, but if you are trying to mask your public IP, I've been using Squid Proxy [0] for decades and even have production networks using it for scraping activity in a load-balanced way.
This is the tricky part. SSH gets blocked in some LANs, so then you would have no way to spontaneously deploy your VPN server. So better deploy it ahead of time.
> Motivation: Lately due to GDPR many websites are blocking access in the EU. For me, I cannot order medicines back home via netmeds.com
Blaming GDPR for this is a bit like blaming a lead mine for getting shot. Yes, it's involved, but it's not the reason. It only seems to be certain large US websites that carte blanche refuse to serve EU visitors over GDPR, mostly those with large, tendril-filled advertising networks that have no "easy opt-out". Some sites (healthcare ones that tended to be SEO'd to the max when I searched for drug names, as well as more mainstream ones like, iirc, the Washington Post) carte blanche refuse to let you browse them without accepting unnecessary cookies; this is a direct breach of the legislation and yet they still want your traffic.
If someone won't sell you something because of GDPR -- legislation that protects your privacy, and in particular considers medical information as especially sensitive -- then you perhaps have to think rather carefully about if you wish to do business with them.
(For what it's worth, from a Danish IP, the site listed in the github repo works perfectly on my home network which admittedly contains a pihole-provided dns-level adblocking. It blocks tor and I don't have an easy way of testing it otherwise).
Well, this reminded me of the situation right here in the US. The other day I couldn't place an online order at CVS because it was repeatedly "having technical difficulties". Turns out I had to unblock half a dozen (!) advertising domains in my Pihole (incl. the ones I've never heard of) to finally place an order. I don't know how to treat it as "I have a choice whether to do business with them" ;-)
I guess the only way to protect my privacy in this case is to risk going to the physical store with other sick people atm.
> I guess the only way to protect my privacy in this case is to risk going to the physical store
Never give them your phone number. They suckered me, and it took multiple calls to a very slow call center to get the text messages to stop. And I couldn't get them to just delete it - it had to be done as a number change. So my number is now 415.555.1212.
It works way more often than you'd think, and if no one has yet made a store loyalty account with the number, you can be the first and add to the movement :). Use this trick whenever you need a loyalty card to get a store discount.
I've just compulsively been doing it any time I get anything from a store with a loyalty card, which is all of them now, and not once out of a dozen different local stores did I need to create the account--someone always already had :). This I think is a great way to protest against retail surveillance.
Oh don't get me started on that! I already gave, and regretted it ever since. There's no way to stop those messages now.
I even called them and they stopped for a while, and are now back in full force, right after my recent order.
Incidentally, I've even discovered what seems to be one of (probably many) security issues on it (one where you could see other person's order details without authentication, in this case for myself), but I'm not gonna report it because they likely don't even have a bounty program and it was likely a "feature" implemented intentionally.
I handle this pragmatically by using different VMs with assorted browsers, browser configs, and exit addresses. For the context of buying from CVS (realworld nym, heavy surveillance), I'm running NoScript and slowly enable domains until the site works. Doing this for some sites actually speeds them up considerably (eg Home Depot).
The problem is in this case, no amount of blocking will work, because the site was completely broken without those, at least for me :-) Though I can reduce the amount of divulged info for sure, but the very fact they're using them means my order details likely go to third-parties, and it's impossible to prevent that because it relies on that reporting in the chain of logic (i.e. order won't proceed until a successful response from the advertising APIs).
The only technical way around that I can think of is to implement Signal's and other's API proxies and let it return back fake info to the site. But I'm not that obsessed about this issue :-)
Another over-the-top way is to place the order directly against CVS APIs, using their cookies etc. Again, not worth spending time on..
Why not just avoid CVS and use another pharmacy (online ordering). I use valisure because they also test the medications they sell for impurities, but there are plenty of others… like even supermarket pharmacies have online ordering now with home delivery or pickup.
Some medical insurances require using CVS. One might be surprised by how shitty that is, but if so one has forgotten how shitty it is to live in a jurisdiction where medical insurance is a thing that is necessary.
If a non-EU site finds itself subject to GDPR because of Article 3(2), they need to then worry about whether or not Article 27(2) applies to excuse them from Article 27(1). If not then they have to deal with the hassle and expense of hiring a representative in the Union.
If they are indifferent to EU visitors but happen to get enough of them that 27(2) won't excuse them from 27(1), then it may be worth blocking EU visitors to try to reduce the chances that 3(2) applies. Article 3(2) is somewhat objecting, relying on whether you intended or not to offer goods or services to people in the Union so blocking is a way to make your intent clear.
IP addresses are considered to be personal data under GDPR, so a site that is doing nothing other than serving content with no advertising or targeting but that has the default Apache logging enabled could end up with an Article 27 obligation.
Just reading this comment makes me inclined to block visitors from the EU from my hobby sites. (Work is compliant; hobby/personal stuff isn’t worth the bother of even reading what Article 3(2) is.)
> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
> (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Recital 23 includes an elaboration on (a):
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
The silver lining of my aversion to collecting user data is that it aligns nicely with my beliefs about privacy and minimalism (ie. coming up with ideas for web applications that don't even need a backend).
Rule #437: don’t take legal advice from random internet dudes.
GDPR has been out for some years now and we can see the enforcement personnel do not go after companies worth under $100 million, let alone hobby sites. After all, enforcement personnel only have so much capacity, just like the FDA, USDA, BLM, and countless other agencies burdened with enforcement.
> perhaps have to think rather carefully about if you wish to do business with them
This seems to be precisely what happened--and the thinking involved invention--a way of circumventing what prevented acquiring the needed medication. (I assume that alternatives were considered, and found wanting for one reason or another).
Business and people will take the path of least resistance.
If only a small part of my traffic / business comes from the EU, yet I am going to incur huge costs and have to fundamentally change the way my business runs to comply with GDPR, guess what: the EU is getting blocked, as it makes no sense to do it.
My current company does not really collect user info, does no business at all in the EU, and is not even consumer facing in the US, but looking at our internal processes it would be almost impossible to comply with GDPR without changing MASSIVE amounts of internal processes and procedures.
And circumventing that block violates the CCFA (at least here in the US), so instead of the GDPR turning me into a criminal, users who visit my site are the ones violating the law.
On the other side of this, depending on the breadth of your data, it can be non-trivial to run pipelines to redact someone's information. It takes man hours to verify, and processing time ($$). Plus, what if they don't have that process in place? They will need to do it manually, and take up more time from someone. Plus you need to communicate with the requestee and verify their identity, as well as give them updates when they ask.
This is fine if not abused. But if a mountain of redactions came in, I could see a company just deciding it wasn't worth it to serve the EU. Not to mention the fact that there are a non-zero amount of people that will make GDPR redaction requests and hound the company down in hopes of suing them if they don't follow the law to the letter and/or can't process the redaction in time. If a company doesn't already have that process in place, it could be a momentous task to initially process.
I'm 100% for user privacy. But it can be tricky with the way the GDPR law works, so I understand why companies outside of the EU don't bother with it.
I think in CVS's case likely yes, they probably hired underpaid folks to implement their site, and now those folks are probably long gone so no one would even know how to remove all those advertising domains without which the site doesn't work.
1. Don't create surveillance files on people in the first place. It's not like the lack of privacy legislation means there are legitimate reasons to be performing surveillance. It's just that the illegitimate ones have not yet been made illegal.
2. US states should start adopting the GDPR verbatim (with no corpocratic handouts), so there is only one law to follow.
Is there a study on comparing number of people actually selecting cookies on the pop ups vs. number of users who already had Adblock? Because unless you have that info, GDPR cannot be claimed to protect any privacy. How many people who never had Adblock are selecting which cookies they want on these pop ups?
And it’s not only the US websites, the website OP mentioned is one of the three largest medicine websites in India. There is no reason for them to comply. And EU laws are incredibly confusing. Follow GDPR and respect privacy, while saving customer IP address for years when EU needs VAT.