DEV Community

Cover image for VPN Service? Not as secure as they sound
Liptan Biswas
Liptan Biswas

Posted on • Edited on

VPN Service? Not as secure as they sound

I have seen people using public VPN or Virtual Private Network service thinking that it will solve all their privacy issues. By public VPN, I mean those VPN service provider which charges you some money and you download their app, tap connect and start using internet thinking that it's safe and secure. Some popular examples are ExpressVPN, NordVPN, etc.

Since I have fairly well knowledge of VPN, I always had some concerns related to using public VPN services. Personally, I have always been a fan of deploying my own VPN server using OpenVPN.

Also, the VPN was not originally made for hiding your identity or blocking websites. It is made to securely access two machines on the internet as if they were part of a private network.

So here's what it means in terms of our concerns.

Protecting your Online Privacy?

Public VPN services can only hide your IP address. Use Google services even when connected to VPN and your privacy becomes a myth. So along with using a VPN, you will also need to use incognito mode in browser. You will also need to make sure you do not login. I fail to see how can you use the internet without logging into web applications. Almost all web apps now days ask you to login in order to use their services.

Secure access of internet in public wifis like in coffee-shops etc.

Yes, VPN encrypts your traffic before sending it to the destination server. But, do we need it?

Google Chrome is now showing a not secure icon on websites that do not have SSL installed. So If a website has SSL installed, the communication is already encrypted. So, there is no need of a VPN to securely access the sites that has an SSL certificate installed.

Some might argue that what if some site does not have SSL and I want to make a purchase. One can think it's safe to add his credit card info on a website that does not have SSL after connecting to VPN. Let me tell you, it's NOT.

Let's understand how.

When you are connected to a VPN, you connect to the VPN server using something called tunneling. When you try to open a website, It does not directly send the request to the destination website, but your request gets encrypted and sent to the VPN server. Now, the VPN server decrypts the data and forwards your request to the destination server.

You see, the destination server thinks that it's the VPN server who is trying to access the website, so it logs the VPN server's IP address, not yours. Now, the server sends a response back to the VPN server. VPN Server now encrypts the response and sends it back to you. You can visualize it using the diagram below.

VPN Communication

Now, here comes the problem. You are sending your credit card to a non-SSL website through the VPN. See the image above, part 1 of the connection is encrypted, thanks to VPN. But part 2 is not. When the VPN server sends your credit card to the destination server, it's in plain text. This data may travel through a lot of routers and computers before it reaches the destination server. Anyone snooping traffic in these locations will have your card details.

So better look for SSL secured sites only. Other protocols such as SSH, SFTP(Not plain FTP) are secured as well and do not need VPN.

Bypassing Censorship

Yeah, unarguably this is the best use case of public VPNs. You just need to make sure you are connected to a server location in a country that does not have many restrictions.

Improving Performance

Hmmm! It can improve internet speed if your ISP is throttling certain websites. VPN will make sure none of the websites are throttled as your ISP will not have any idea which website you are trying to access.

But there is a cost to this. VPN definitely slows down your internet because every request has to go through the VPN server. If a lot of people are using a single VPN server, which is true for all public VPN providers, it will slow down your speed.

Now, let's talk about one serious problem. This is a deal-breaker for me.

Security Concerns when using VPN

Some basics first. There are two types of networks.

A private network, which is a home network and is considered secure. An example would your wifi router. Your laptop and mobile device, when connected to same wifi, are assigned private IP addresses from the same network. They are allowed to communicate with each other without any restrictions, unless there is a firewall in play.

Public network, which is basically the "internet". It is considered unsecured and you might want to watch out when communicating with others through the internet.

When you connect to VPN, VPN provides you a private IP address using which you connect to the VPN server. So even though you are talking to the VPN server over the public internet, data is encrypted and sent through a tunnel making it secure. So, from the perspective of your laptop, it is connected to a VPN server over private secure internet. Sounds okay. But it's not.

Other people who are also using the same shared VPN server which you are using, are also connected to the same private network. So as per your laptop's perspective, these other people are safe to talk to without any restrictions.

So, if I have an SSH server, VNC, or even Windows remote desktop access running on my laptop and it does not have a password assigned. Anyone connected to the same VPN server, hundreds in case of public VPN, can directly access my laptop, all files, literally everything. I sometimes run unsecured FTP/HTTP servers on my laptop to test something. These are also directly accessible to anyone connected to that VPN server.

There may be some network policies configured by VPN providers to stop this communication. But are you certain that they are in place? You are just blindly trusting these VPN providers.

So what should we do??

Personally, I run my own VPN server. To run your own VPN server, you need a VPS(Virtual Private Server) with an external IP. Once you have the VPS up and running, you can use https://github.com/angristan/openvpn-install for easily install and configure the OpenVPN server.

I had been running it on AWS, which provides one 1GB RAM virtual machine free for a year. I have now migrated it to the Oracle cloud. They are providing two 1GB virtual machine for free forever.

There are chances that If I do a crime using a VPN, it will be traced back to me using the IP address of the VPN server. Authorities can just ask the Oracle cloud folks, whom did you assigned this IP address at this time. But it's the same with a public VPN provider as well. Some claim to keep no logs, but again you are blindly trusting them.

Let me know what are your thoughts on this.

Top comments (2)

Collapse
 
aminulsujon profile image
Aminul Sujon • Edited

Its really nice blog, we can not secure us at all in internet browsing. But we can be safe from most of the cases by using VPN. To keep our data safe on internet we personally recommand popular VPN services paid or free.
Popular VPN list:

Popular VPN Services ExpressVPN, NordVPN, Surfshark, Musk VPN

Free VPN Download link: muskvpn.com/download/
Free VPN for mobile: play.google.com/store/apps/details...

Collapse
 
scorpil profile image
Scorpil • Edited

VPN is beneficial to avoid putting all you eggs data in the same basket. Your nosy ISP knows your name and address and is local (at least operates in the same country). VPN would know your name (even that not necessarily), and operates under the jurisdiction of another country, so you are less likely to get in trouble for whatever you are doing online.

That said, there is lots of marketing speach in VPN industry...