Import more legacy blog posts
@ -40,7 +40,7 @@ collections:
|
||||
permalink: /providers/:path/
|
||||
posts:
|
||||
permalink: /blog/:year/:month/:day/:title/
|
||||
authors:
|
||||
people:
|
||||
permalink: /blog/authors/:path/
|
||||
|
||||
build:
|
||||
|
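Review bot: In the `collections:` block the key appears as both `authors:` and `people:`, and the new profile lands in `collections/_people/`, so the collection is now `people` while its permalink is still `/blog/authors/:path/`. If the mismatch is deliberate to keep existing author URLs stable, add a short comment next to the permalink saying so. Also confirm that every layout or include that reads `site.authors` has been switched to `site.people`; no template change is shown here.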
BIN
assets/img/blog/shadowsocks-outline-1.png
Normal file
After Width: | Height: | Size: 268 KiB |
BIN
assets/img/blog/shadowsocks-outline-2.png
Normal file
After Width: | Height: | Size: 245 KiB |
Before Width: | Height: | Size: 157 KiB |
Before Width: | Height: | Size: 125 KiB |
Before Width: | Height: | Size: 186 KiB |
Before Width: | Height: | Size: 9.2 KiB After Width: | Height: | Size: 9.2 KiB |
Before Width: | Height: | Size: 185 KiB After Width: | Height: | Size: 185 KiB |
Before Width: | Height: | Size: 24 KiB After Width: | Height: | Size: 24 KiB |
BIN
assets/img/people/jonah.png
Normal file
After Width: | Height: | Size: 299 KiB |
8
collections/_people/jonah.md
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
name: Jonah Aragon
|
||||
website: 'https://jonaharagon.com'
|
||||
github: jonaharagon
|
||||
twitter: jonaharagon
|
||||
image: jonah.png
|
||||
---
|
||||
I'm the founder and administrator of Privacy Guides. I'm researching privacy respecting products and services to share with the world.
|
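Review bot: The `name: Jonah Aragon` line is what the two imported posts have to match with their `author: Jonah Aragon` front matter, and a join on a display name breaks quietly on any spelling or spacing change. Consider having posts reference a stable identifier such as the file slug (`jonah`) and keeping `name:` for display only. Minor: "privacy respecting" in the bio should be hyphenated.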
@ -0,0 +1,79 @@
|
||||
---
|
||||
title: 'Self-hosting a Shadowsocks VPN with Outline'
|
||||
author: Jonah Aragon
|
||||
layout: post
|
||||
excerpt: Outline is a suite of open-source software developed for journalists to safely access their network and the internet while traveling in countries where their activities may be monitored or censored...
|
||||
---
|
||||
|
||||
**Outline** is a suite of open-source software developed for journalists to safely access their network and the internet while traveling in countries where their activities may be monitored or censored. Despite this, the Outline platform is ideal for a wide range of users, especially less technical users, and users in censored countries like China who may have little to no knowledge about how VPNs or proxies work. Outline consists of two parts, the **Outline Manager** and **Outline Clients**. The Outline Manager is a tool you can use to easily setup remote Outline Servers on your own machines with very little technical skills. The Outline Clients in turn can connect to Outline Servers you configure, to keep your traffic secured.
|
||||
|
||||
Technically, Outline is not a true VPN. Rather it uses an open-source SOCKS5 proxy called Shadowsocks which is “[designed to protect your Internet traffic](https://shadowsocks.org/en/index.html)”. The Outline client applications however make use of the VPN capabilities of your operating system to send all your traffic through your Outline Server, with no need to configure each application to use the proxy. Thus for most users and most use-cases, there’s no difference in functionality between using a normal VPN and an Outline server.
|
||||
|
||||
Shadowsocks has the benefit of being far more lightweight than OpenVPN, and it is much more optimized for mobile devices, as it does not require any keep-alive connections. It has existed since 2012 and it is widely used in China due to its censorship-resistant functionality: It is very difficult or impossible to detect and block Shadowsocks traffic automatically.
|
||||
|
||||
Please note that **like any VPN**, Outline/Shadowsocks cannot provide nearly the same degree of anonymity as projects like Tor. The primary use-case of Outline and VPNs in general is to keep your traffic hidden from malicious Internet Service Providers and nation-wide mass surveillance. It’s a great solution for protecting your data on public wifi networks, but if you want to stay hidden from attackers targeting _you_, there’s better tools for the job elsewhere.
|
||||
|
||||
Outline is developed by Jigsaw, which is a subsidiary of Alphabet Inc (Google). It is important to note that neither Jigsaw nor Google can see your internet traffic when using Outline, because you will be installing the actual Outline Server on your own machine, not Google’s. Outline is completely open source and was audited in [2017](https://s3.amazonaws.com/outline-vpn/static_downloads/ros-report.pdf) by Radically Open Security and in [2018](https://s3.amazonaws.com/outline-vpn/static_downloads/cure53-report.pdf) by Cure53, and both security firms supported Jigsaw’s security claims. For more information on the data Jigsaw is able to collect when using Outline, see their [article on data collection](https://support.getoutline.org/s/article/Data-collection).
|
||||
|
||||
### Prerequisites
|
||||
|
||||
All you will need to complete this guide is a computer running Windows, macOS, or Linux. You will also need to know some basic commands: [How to SSH](https://www.howtogeek.com/311287/how-to-connect-to-an-ssh-server-from-windows-macos-or-linux/) in to a server you purchase. We will also assume you know how to purchase and set up a Linux server with SSH access, more info in Step 2.
|
||||
|
||||
### Step 1 — Download & Install Outline Manager
|
||||
|
||||
Outline allows you to setup and configure your servers from an easy-to-use management console called Outline Manager, which can be downloaded from [getoutline.org](https://getoutline.org/en/home). It has binaries available for Windows, macOS, and Linux.
|
||||
|
||||
Simply download and install the Outline Manager application to your computer.
|
||||
|
||||
![](/assets/img/blog/shadowsocks-outline-1.png){:.img-fluid .w-75 .mx-auto .d-block}
|
||||
|
||||
Note: getoutline.org is blocked in China and likely other countries, however you can download the releases directly from [their GitHub page](https://github.com/Jigsaw-Code/outline-server/releases) as well.
|
||||
|
||||
### Step 2 — Choose a Server Provider
|
||||
|
||||
Outline has the ability to create servers on three different providers automatically: DigitalOcean, Google Cloud, and Amazon Web Services. In some situations, Google Cloud or AWS may be preferable, because they are less likely to be blocked by hostile ISPs/governments and will therefore allow you to more likely circumvent internet censorship. However, keep in mind that the server provider you choose—like any VPN provider—will have the technical ability to read your internet traffic. This is much less likely to happen when using a cloud provider versus a commercial VPN, which is why we recommend self-hosting, but it is still possible. Choose a provider you trust.
|
||||
|
||||
Additionally, keep in mind that many US-based cloud providers block all network traffic to and from [countries sanctioned by the United States](https://en.wikipedia.org/wiki/United_States_sanctions#Countries), including AWS and Google Cloud. Users in or visiting those countries may wish to find a European-based [hosting provider]({% link legacy_pages/providers/hosting.html %}) to run their Outline Server on.
|
||||
|
||||
Another factor to consider is your provider’s network and latency. Choosing a server closer to you (geographically speaking) will give you better latency, and choosing a server with good bandwidth (>1 Gbps) will minimize the performance hit when using the VPN. Both factors are important to keeping a good browsing experience, but keep in mind using _any_ VPN will always be slower than just your plain old internet connection.
|
||||
|
||||
Finally, if you want to go with DigitalOcean you can use my affiliate link to receive a $50 credit: [https://m.do.co/c/fb6730f5bb99](https://m.do.co/c/fb6730f5bb99). That’s 10 months of free VPN hosting, at $5/month/server. Don’t feel obligated to use this link, but you’ll receive free credit, and if you spend $25 with DigitalOcean after using it I will get credited, which will enable me to continue writing guides like this! DigitalOcean has a great performing network in my personal experience, and in the experience of the Outline team it works well in regard to circumventing censorship: Not many IP addresses of theirs are blocked.
|
||||
|
||||
For this guide we are not going to use an automatic provider in Outline Manager, rather we will manually configure a Linux server. We are using Debian 10. Other distros may work as well, but you may need to install Docker manually.
|
||||
|
||||
### Step 3 — Configure Your Server
|
||||
|
||||
First, we need to update our system and install `curl`. Connect to your server via SSH and enter the following commands:
|
||||
|
||||
Next open Outline Manager on your local machine and you should be given 4 options to configure a server. Select the “Set Up” button under the “Advanced, Set up Outline anywhere” option.
|
||||
|
||||
![](/assets/img/blog/shadowsocks-outline-2.png){:.img-fluid .w-100 .mx-auto .d-block}
|
||||
|
||||
Outline will give you a string to paste. More technical users can [view the script](https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh) that line runs in a browser to validate exactly what is being run and installed on your server, but we have examined the script and have seen no alarming commands.
|
||||
|
||||
Connect to your server over SSH and paste the code from above in the Outline Manager box into the Terminal. The process will take a minute or two and will ask you a couple questions. You can just press enter to accept the default configuration whenever it asks.
|
||||
|
||||
After it completes, it will give you a long line starting with `{"apiUrl"` (depending on your Terminal’s color support it will appear as green). Copy that line, and paste it in the second box back in Outline Manager. Then, click “Done”.
|
||||
|
||||
### Step 4 — Connect Your Devices
|
||||
|
||||
Download the Outline app on the device you want to connect. Outline has applications for the following operating systems:
|
||||
|
||||
- [Android](https://play.google.com/store/apps/details?id=org.outline.android.client)
|
||||
- [iOS](https://itunes.apple.com/us/app/outline-app/id1356177741)
|
||||
- [Windows](https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.exe)
|
||||
- [macOS](https://itunes.apple.com/us/app/outline-app/id1356178125)
|
||||
- [Chrome OS](https://play.google.com/store/apps/details?id=org.outline.android.client)
|
||||
- [Linux](https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.AppImage)
|
||||
|
||||
You should also be able to use any [Shadowsocks client](https://shadowsocks.org/en/download/clients.html), including alternative clients for each operating system and a client for OpenWRT routers. And like with the Manager, you can download Outline releases from [their GitHub page](https://github.com/Jigsaw-Code/outline-client/releases) as well.
|
||||
|
||||
Back in Outline Manager, select your server in the sidebar. On the far right side of “My access key” there is an icon of a laptop and phone. Click that icon, and select “Connect This Device” in the popup window. It will give you a string to copy, starting with `ss://`. Simply paste that string into the configuration of any Shadowsocks client to add your server!
|
||||
|
||||
Once you add your server, that’s it! In the Outline clients it’s just a matter of pressing “Connect”, and all your traffic will be proxied through your server! You can use this connection to keep your traffic safe when you’re on public WiFi networks, or just to keep your browsing hidden from your ISP.
|
||||
|
||||
### Conclusion
|
||||
|
||||
That should be all you need to get your very own VPN up and running! **Do not share your access key with anyone**, this is the key starting with `ss://`. If you want to grant other users access to your server, click “Add a new key” in Outline Manager and give them a new, unique key. If you share a key, anyone with knowledge of that key will be able to see all the traffic of anyone else using the key. It should go without saying, but don’t send people keys over unencrypted channels: No Facebook Messenger, no emails. Stick with [Signal, Wire, or Briar]({% link legacy_pages/software/real-time-communication.html %}) if you don’t have a secure app already.
|
||||
|
||||
With Outline, there is no need to worry about the security of your server. Everything is set to automatically update with no intervention required! Another thing to note: The port on your Outline server is randomly generated. This is so the port can’t be easily blocked by nation/ISP level censors, however, this VPN may not function on some networks that only allow access to port 80/443, or on servers that only allow traffic on certain ports. These are edge-cases, but something to keep in mind, and if they apply you may need to look for more technical options.
|
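Review bot: Step 3 ends its first sentence with "enter the following commands:" but no command block follows; the next line is already "Next open Outline Manager...". A reader is left to guess what to run as root over SSH, so restore the commands from the legacy post before publishing. The same step links the install script on the `master` branch and says "we have examined the script", but that review cannot cover later revisions of a moving branch; state the date or commit that was examined. In the conclusion, "there is no need to worry about the security of your server" claims more than the automatic updates it cites can deliver on a self-managed Debian host with SSH exposed; suggest narrowing it to the Outline software itself.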
87
collections/_posts/2019-10-30-choosing-a-vpn.md
Normal file
@ -0,0 +1,87 @@
|
||||
---
|
||||
title: Choosing a VPN
|
||||
author: Jonah Aragon
|
||||
layout: post
|
||||
excerpt: Now you know what a VPN is, here's how you choose between them...
|
||||
---
|
||||
|
||||
So [you know what a VPN is]({% link _posts/2019-10-05-understanding-vpns.md %}), but there are so many options to choose from! Well before we dive into this, let's get one thing off the bat:
|
||||
|
||||
## Avoid Free VPNs
|
||||
|
||||
Privacy-respecting VPNs can provide their service because you pay them for it. Free VPNs are **worse** than your ISP when it comes to respecting your privacy, because **selling your data is the only way they can make money**, whereas an ISP is primarily paid for by you.
|
||||
|
||||
> If you’re not paying for it, you’re the product.
|
||||
|
||||
This isn't to say all paid VPNs automatically become trustworthy, far from it. In fact many paid VPN providers have been known to or suspected to have sold their users' data or have done some otherwise shady things with it. Always completely evaluate the VPN provider you choose, rather than just take theirs or anyone else's word for it. The main takeaway here is that it is impossible to provide a service like a VPN — which requires servers, bandwidth, time, and energy to maintain — for free for thousands of users, without having some sort of other monetization model.
|
||||
|
||||
## Choosing a VPN
|
||||
|
||||
Alright, now we can get into it. The first thing we need to decide is _why_ exactly you need a VPN. Most people will fall into the following two camps:
|
||||
|
||||
### 1. Avoiding Geographical Restrictions
|
||||
|
||||
Maybe you want to watch BBC online, possibly avoid creeps at cafés, but don’t really care about your VPN logging your traffic — just like your ISP does.
|
||||
|
||||
**Therefore**: You want a VPN with servers in countries like US, UK — basically where services like Netflix work. (Tip: Netflix is continually banning VPNs, so be sure to use one that isn’t blocked. You might want to look into the [r/NetflixViaVPN](https://www.reddit.com/r/NetflixViaVPN) Subreddit for help with this one).
|
||||
|
||||
### 2. Maximizing Your Privacy Online
|
||||
|
||||
Being **Privacy** Guides, this is the big one for us. If you really care about your privacy, you'll want to look for a provider that at the very least does the following:
|
||||
|
||||
- Supports modern technologies like OpenVPN or WireGuard.
|
||||
- Accepts anonymous payments like cash, gift cards, or cryptocurrencies.
|
||||
- Provides strong, future-proof encryption for their connections.
|
||||
- And, is public about their leadership and ownership.
|
||||
|
||||
These 4 points should always be considered when you're evaluating a VPN provider. Additionally, note what jurisdiction the provider is incorporated in, and where their servers are located. This is probably the most important factor to consider, and also the most time-consuming, as privacy laws in various countries vary wildly.
|
||||
|
||||
Let me explain what these points mean exactly in more detail, so you know what to look for.
|
||||
|
||||
## Modern Technology
|
||||
|
||||
You should be able to connect to your VPN with any **OpenVPN** client. L2TP, PPTP, and IPSec are all insecure technologies that should not be used. A new technology called **WireGuard** looks very promising, but is still in active development and not recommended for use.
|
||||
|
||||
While we're looking at technology, take a look at whether your provider has their own client for you to download and connect with. These applications usually make using your VPN a lot simpler, and sometimes safer. If they do, ask the following questions:
|
||||
|
||||
- **Is this client open-source?** Having an open-source client is important because it allows you or anyone else to audit the code and see exactly what's happening. Closed source clients are essentially a black box you'd be putting all your data into, not the best idea!
|
||||
- **Does the client have a killswitch?** Not many generic OpenVPN clients come with this functionality, but many custom VPN clients will. A killswitch option allows you to completely disable your internet connection when the VPN is disconnected. This will make sure that you don't accidentally connect to the internet with your ISP's connection.
|
||||
|
||||
## Anonymous Payments
|
||||
|
||||
This one's an easy one. Take a look at how you're able to pay for your provider's subscription. Some providers will take cash in the mail as payment, a great way to pay without leaving a digital money trail. Others will allow you to pay with gift cards from major retailers like Amazon, Target, and Wal-Mart (which you can hopefully obtain anonymously with cash, replacing the mail middleman from before). Still others will accept various cryptocurrencies.
|
||||
|
||||
If not leaving a money trail is important, you'll want to make sure you aren't paying with something linked to you financially, like a credit or debit card, or PayPal. If your provider doesn't accept the payment forms above, you aren't entirely out of luck however. You can still use a prepaid debit card to pay for things as anonymously as possible. But consider: If your provider isn't dedicated to making easy, anonymous payment alternatives available to you, how focused are they on your privacy?
|
||||
|
||||
## Strong Security
|
||||
|
||||
Most providers using OpenVPN will also be using strong encryption methods, but still make sure you double-check before choosing a provider. What you'll want to look for from your provider at a minimum is:
|
||||
|
||||
- **RSA-2048 encryption.** Ideally, they should support RSA-4096 connections, for maximum security.
|
||||
- **Perfect Forward Secrecy (PFS).** This technology makes each VPN session use a different key every time, so that if an attacker manages to decrypt one of your connections, they won't also be able to see all your other data.
|
||||
|
||||
In addition, look into whether your provider has ever had their security practices audited by an independent third-party. For example, TunnelBear [publishes](https://cure53.de/summary-report_tunnelbear_2018.pdf) yearly audits of their entire service, or Mullvad, which has [published](https://cure53.de/pentest-report_mullvad_v2.pdf) a comprehensive security audit of their client applications.
|
||||
|
||||
Independent audits are important because, while ultimately the actual security of the service will come down to _trusting_ the providers, a successful security audit demonstrates that the provider at least has the _capability_ to provide you with a secure connection, instead of just taking their claims at face value.
|
||||
|
||||
## Public Trust
|
||||
|
||||
You want to remain private, but your provider shouldn't. If your provider is hiding their ownership information and their leadership from you behind some Panamanian shell company, what other business practices might they be hiding?
|
||||
|
||||
> You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data?
|
||||
|
||||
Find out where your choice is incorporated. Who owns it? What other companies have their executives worked for?
|
||||
|
||||
Frequent transparency reports are a huge plus too. They should publish information related to government requests, so you know what their responses look like. All VPN providers will need to respond to legitimate legal requests, but does your choice reject or counter as many as possible?
|
||||
|
||||
## So what next?
|
||||
|
||||
If you're currently using a commercial VPN, use this information to evaluate their business. Do they seem trustworthy?
|
||||
|
||||
At Privacy Guides we've [evaluated]({% link legacy_pages/providers/vpn.html %}) a huge number of VPN providers along similar criteria to these. In our opinion, as of October 2019, Mullvad leads the pack with respect to all these criteria, with IVPN and ProtonVPN falling just slightly behind but catching up quickly. There are still a huge number of providers out there, however. The way to find the best solution for you, is by researching providers with _your_ criteria in mind.
|
||||
|
||||
Join the discussion on our forum below, and chat with our community about any questions you have or any interesting things you discover.
|
||||
|
||||
----------
|
||||
|
||||
_Please note that we are not affiliated with or receive financial compensation from any commercial VPN providers. A lot of VPN providers engage in questionable affiliate marketing strategies which generates a lot of misinformation on VPNs in general online. At Privacy Guides we are trying to make guides and recommendations based on objective research and criteria._
|
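Review bot: Under "Modern Technology", the sentence "L2TP, PPTP, and IPSec are all insecure technologies" puts IPsec in the same class as PPTP, which is not accurate for IPsec with IKEv2; suggest limiting the claim to PPTP and naming the specific weak configurations meant. Under "Strong Security", "RSA-2048 encryption" conflates the RSA key used in the handshake with the cipher that protects the tunnel data; reword it as a minimum key size for the handshake and state the data-channel cipher requirement separately. Since the text describes WireGuard as "not recommended for use" and gives its rankings "as of October 2019", a visible note marking this as a legacy post would keep readers from treating those statements as current. Minor: "get one thing off the bat" mixes two idioms.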