Looking for VPN services that are not based in the West

I was looking at their primary domain. Neat that they intend to sunset emails on it.

Sorry, I don’t get it. Why is it weird to use Amnezia?

1 Like

I wasn’t talking about using it, but the fact about the jurisdiction of devs and the program they are developing.

They already stopped using Gmail for their email. Stop spreading FUD please.

1 Like

It is relevant if you read the article, as shown below 🙂.

All Chinese companies, public or private, are required to have a member of the CCP on staff to hand down official party edicts. In addition, many companies have an internal CCP committee that comprises part of the governance structure.

I furthermore was using China as an obvious example, but of course Western countries have similar practices.

I completely agree. My point was NOT to say “oh look, big bad china with bad practices,” since I made it clear in a post. What I’m specifically referring to from that post is:

I linked to active MX records, didn’t I?

Please stop concern trolling.

We don’t know where they have incorporated. Most likely it isn’t Russia?

Amnezia is a DPI-resistant WireGuard, though, it is reported to be blocked by a few firewall vendors now that it is popular (a game of cat-and-mouse) and (by looking at their code) it seems like Amnezia is reliant on Cloak and XRay projects instead of their own tweaked WireGuard.

I prefer (WireGuard) Proton (2nd hop, exit) hopping over Amnezia (1st hop), as Amnezia’s anti-censorship features work on firewalls I encounter. Proton also has anti censorship features but those are not baked into the protocol but rather their own app.

1 Like

Since they don’t use mullvad.net for their email but support@mullvadvpn.net, this is irrelevant. It’s their legacy email that is still on this, but it has been months since they have switched to the new self-hosted one.

2 Likes

GitHub - ProtonVPN/wireguard-go ? (Stealth is based on a customization of WireGuard)

1 Like

You might want to read how MX records work, the software deprecation process, reading the thread’s previous exchanges, and the general courtesy of assuming good faith.

2 Likes

Kind of? I don’t consider it to be a protocol modification (like Amnezia), as “Stealth” tunnels WireGuard over TCP & TLS (which is just one of their techniques).

I’ve been reading their source to bring over other generic “Stealth” (non-Proton specific) stuff I could to Rethink; and I found those generic things have long been pioneered by other projects, like Tor, Lantern, & Psiphon. Since Proton is über popular, the firewalls I hit are all capable enough to block the half-baked version of “Stealth” I ported over to Rethink. tbf, Proton does have a few more sophisticated tricks but I didn’t bother porting over as hopping over Amnezia solved my current predicament.

1 Like

i’d like to have a vpn that has destinations in embargoed countries, that way i’m more or less sure that the eye of sauron won’t see that far.

the problem is that most of those countries are dictatorships that already banned VPNs long ago

2 Likes

NordVPN is incorporated in Panama

This comment was sponsored by NordVPN

2 Likes

I understand that Mullvad has deprecated Gmail months ago, yet you claimed otherwise. I am assuming good-faith, but since you regularly criticise Mullvad, Clarification on the Swedish Covert Surveillance Act with high persistence (for what benefits?).

I don’t want to accuse you of anything, and haven’t said you lied. What you said about MX records might be true, but it doesn’t change the fact that Mullvad doesn’t use Gmail anymore.

1 Like

I am seriously questioning why we allow these kinds of posts.

Next post will be “Looking for messenger services not based in the West” because we all know Signal is CIA-funded, leaks IPs, run on AWS and SimpleX must be a PsyOp because it’s so good. (obv /s)

Maybe time to create unprivacyguides.net?

6 Likes

What I’m trying to say has a particularly technical bend to it.[1] You misinterpret that just you can comment somethinganything? If you want to talk about my concerns with Mullvad, this isn’t the topic. Feel free to DM me.


You think? I’ve only ever recommended a few VPNs, and Mullvad is one of them (ex). Though, after looking at 2020:62, I have my reservations. Their use of Google for mail didn’t bother me back then nor does it today, but I mentioned it in the context of OP suggesting “no data exists for [Mullvad] to collect, store & share …”

And so on…

Though, the difference is, save for NextDNS, I don’t get attacked as much.


  1. “MX records, or Mail Exchange records, are DNS records that direct emails to the correct mail servers for a domain.”

2 Likes

There’s a reason we did away with jurisdiction shopping. VPN with one hop must abide by the laws of that country. The ones recommended on Privacy Guides just so happen to be in fairly decent jurisdictions when it comes to law and legal expectation of privacy.

When it comes to intelligence sharing agreements, jurisdiction shopping is even more useless and you really ought to just be using trustless technology like Tor.

4 Likes

The minimum criteria enforces what PG can recommend which, as of writing, includes clauses requiring “decent laws”?

Legal mandates may render the most stringent of defenses obsolete, sure; but knowing the law of the land isn’t useless, as competent folks building privacy-focused services, like Private Relay/Private Compute Core/Signal/OpenTitan, wouldn’t threat model the way they do. And so, for the providers / services that don’t, it makes sense to avoid buying from their shops.

We’re not going to recommend a VPN in a country that has nothing in the way of privacy legislation or expectations eg a country where it can be forced to do logs on all customers.

Things like those “eyes” agreements really are quite irrelevant in regard to VPNs because if you actually remember PRISM had access to data within certain companies, eg dropbox for example, which would mean it wouldn’t matter what VPN you used if you used a service that was a part of that program. Also reminder here that other countries have similar arrangements eg SORM in Russia. China probably has one too. There is no defeating that by jurisdiction shopping. It’s more about the service you use.

The problem is that a lot of people like OP in this thread frame it as “east” vs “west” without really a clue about limitations or expectations. If you’re in China using a VPN in China is probably a bad idea. You’ll probably get a better result using one in the US. The same however is not necessarily inversely equal. If you’re in the US, using a VPN in China is not likely to be the best jurisdiction, there I would probably choose something in a European country with strong legislation. The same would apply if you lived in China too, and likely you’d get lower latency depending on where you selected in Europe.

Any more thought about it than that is really pointless, if it truly matters you should be using something like Tor.

8 Likes

The thing is does matter the minute I claim “decent laws” matter (given I don’t merely assume Western countries mostly have “decent laws”, regardless of ground reality).

Like you say, well-engineered services exist (Tor, in your example; Private Relay in my example) that we (as in the PG community) should vouch for and use.

So, I guess, both of us mostly agree with each other (in not using VPNs) except for that jurisdictions don’t matter… they do and indeed why multi-party relays (which better achieve guarantees than public VPNs do, imo), multi-hop relays, anonymizing relays, mixnets etc even exist (and perhaps, be recommended over proxies and public VPNs, like you suggest).

1 Like

They don’t generally when it comes to things like wiretapping backbones of the internet, because that is done in secrecy anyway. Fortunately with everything being HTTPS nowadays it doesn’t really matter.

Despite what you might think, they aren’t the worst offenders in the world. There are simply countries which have no rules regarding what the government is allowed access to and what they’re not. Or perhaps even no process to re request such data through judicial means. Even in the US if the FBI wants a thing about a particular subscriber they have to prepare paperwork for a court at least for general criminal matters. Not everyone is Snowden and not everything is a matter of “national security”. If that’s your threat model there really is no way around E2EE being the solution.

1 Like

This is the first I am hearing about this. In fact, I know that some States (ex: Russia & the Arab countries) are actively / openly demanding an International agreement on cross-border traffic monitoring in exchange for keeping the L1/L2 backbones open (or, are threatening to balkanize the Internet).

Countries like Sweden?[1]

Sweden allows non-residents to complain to SIUN and such cases have been filed. However, non-resident foreigners are likely to receive the same bland information as citizens and resident foreigners: namely, that SIUN has investigated the allegation and found no violation of the law.

The FUD applies the principles of necessity (least intrusive means) and proportionality (balancing the degree of interference with the value of the material which can be obtained) in granting a warrant, and may impose conditions on the warrant … No case law has been made public, so it is difficult to know how FUD interprets these principles in practice.

(source)

That report is more honest about the potential for abuse of the wide ranging surveillance laws in democratic setups (which look no different as far as tech/services like email/VPN are concerned from other countries we may think are worse):

There are several well-known difficulties and risks in overseeing intelligence agencies:

  1. “Capture” of the oversight body is one of these, as the intelligence agency will likely have a monopoly, or near monopoly, of information on methods.
  2. An intelligence agency which is under political pressure to produce results is likely to be more willing to “steer close to the wind” and stretch its interpretation of applicable legislation.
  3. This is also a risk where legislation is framed in broad, technique-neutral terms, constant technological innovation and development can mean that more can be done within the existing legal framework.
  4. Interpretative “primacy” can be conceded to the agency, where there is little prospect of judicial scrutiny.

True. And all around better security posture for the hardware/software that builds atop e2ee. Else, a near guarantee their users get owned.

For instance, in the United States, the annual Title III wiretap reports for interception under the Communications Assistance for Law Enforcement Act reveal that a very small share encounter encryption, and a “majority” of those are eventually decrypted (Lewis et al., 2017). From 2012-2015, out of the 14,500 wiretaps ordered, [only] 0.2% encountered unrecoverable encryption.


  1. I have no axe to grind against Sweden, but their 2020:62 Act had me looking up and doing some arm-chair digging into, recently.