CGNAT vs self-hosted VPN

Would love for people to weigh in on this: from both a security and privacy perspective, what’s preferred, “blending in” with CGNAT or using a self-hosted VPN on a cloud provider? Neither ISP nor cloud provider is the would-be adversary.

CGNAT ISP has full KYC; the only protection is EU law that prevents data retention.
Cloud provider wouldn’t have any KYC, not even a payment trail.

My thoughts are:

  • (Lawful) intercepts on ISP infrastructure are everyday stuff and easy
  • Getting intercepts to self-hosted infrastructure is possible but more effort
  • Using a public VPN like Mullvad is complete nonsense, because it’s almost guaranteed any interested parties have real-time access to network flow data of their servers.

Who is then? If you trust your ISP then this is not a problem. A VPN is useful for people who do not trust their ISP, because it allows them to choose an ISP to trust from a much larger market of ISPs than are available to them locally.

[citation needed]

Self-hosting a VPN for use like a commercial VPN is effectively useless for privacy if your threat model includes Mullvad being compromised, as you are the only user connecting to the server. Any party able to see traffic to and from your VPN server has all of your traffic with no anonymity. Same goes for CGNAT, which is only beneficial for hiding your real IP from services, but provides no benefits against an adversary able to deanonymize commercial VPN users.


Journalist with reporting that may be frowned upon by governments. To be clear, the question relates to the baseline of my personal setup, not for a sensitive work environment.

In my opinion, commercial VPN providers are honeypots. While Mullvad themselves might not be storing any logs and delivering on their promises, it’s out of their control when their upstream networks collect flow data. That’s if their upstream networks aren’t straight up giving port-mirrors to “interested parties”.

Self-hosted VPN server means traffic can be 1:1 correlated to me, that’s true, with the advantage of being able to carefully choose a provider where I believe no data is readily available without due legal process.

I would disagree that shopping for datacenter providers is practically any different than shopping for VPN providers at the end of the day, but you could do either one. My own baseline setup is a private VPN to a trusted datacenter, not a commercial VPN, so I would agree it is better than no protection here.

Self-hosting means traffic can be correlated to you by different websites, but it also means devices can be correlated to you by different local ISPs, because you will be the only one connecting to that IP from those ISP’s perspectives.

It’s just something to keep in mind if you are using a mobile device and connecting to multiple/public networks. You might be inadvertently defeating MAC randomization protections in your OS.

If your budget and server specs allow, you could consider running a Tor relay (non-exit) or bridge on that server, which could provide free cover traffic connecting to that server with virtually no risk, unless you are going to connect to it from ISPs that would IP block any Tor service.
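One way to act on the relay/bridge suggestion above, as an added example that is not part of this thread: a torrc for a non-exit Tor relay colocated with a self-hosted WireGuard server, with the bridge variant shown as commented-out alternative lines. The nickname, contact address and port numbers are placeholders, and WireGuard on UDP/51820 is an assumption; only the directives themselves are standard Tor configuration.

```text
## /etc/tor/torrc for a non-exit relay sharing a VPS with a WireGuard server.
## Added example, not from the thread. Nickname, ContactInfo and ports are
## placeholders; WireGuard listening on UDP/51820 is an assumption.

# Placeholder nickname (1-19 alphanumeric characters) and contact address.
Nickname        ExampleVpnCover
ContactInfo     relay-ops@example.org

# Tor OR connections arrive on TCP/9001, separate from the VPN's UDP/51820.
# Open TCP/9001 in the host firewall next to the WireGuard port.
ORPort          9001

# This host is a relay, not a Tor client: no local SOCKS listener.
SocksPort       0

# Never carry exit traffic; a non-exit relay only forwards encrypted hops,
# so the server IP never shows up as the source of someone else's traffic.
ExitRelay       0
ExitPolicy      reject *:*

# Cap what the relay may consume so cover traffic cannot crowd out your own
# VPN traffic or blow through a VPS bandwidth quota.
RelayBandwidthRate   2 MBytes
RelayBandwidthBurst  4 MBytes
AccountingStart      month 1 00:00
AccountingMax        500 GBytes

# ---- Bridge variant ------------------------------------------------------
# A public relay's IP is published in the Tor consensus, so any network that
# blocks Tor relay IPs (the caveat above) also blocks your VPN endpoint.
# A bridge is not listed in the public consensus. To run an obfs4 bridge
# instead, uncomment the lines below (requires the obfs4proxy package).
#BridgeRelay                1
#ServerTransportPlugin      obfs4 exec /usr/bin/obfs4proxy
#ServerTransportListenAddr  obfs4 0.0.0.0:9002
#ExtORPort                  auto
#BridgeDistribution         any
```

After restarting tor, confirm the relay works by looking for the "Self-testing indicates your ORPort is reachable from the outside" line in the Tor log. Two caveats worth keeping in mind: the cover only obscures who connects to that IP, since your own WireGuard flow to UDP/51820 is still distinguishable from the relay's TCP connections to an observer that sees ports and protocols; and the trade-off between the two modes is exposure versus cover, because a public relay attracts far more connections but lands the IP on public relay lists, while a bridge stays off those lists but is only ever contacted by the smaller set of users who receive its address.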

This is actually a brilliant suggestion, thank you.

CGNAT is garbage and will prevent you from self-hosting anything, which is the best thing you can do to take back control from the “cloud.” Fixed IP + VPN (or Tor browser) any day.