In the long run, likely all of these.
However, the very first release of this feature will likely be “pick one of the Mullvad DNS servers”.
Cool, thanks! Looking forward to DoH.
Not sure if this is the right thread, but we have found a bug with Apple’s includeAllNetworks implementation that makes some devices unable to connect to the internet on device wake from sleep.
Nothing is leaked, but it may be very confusing to users.
Reposting our workarounds:
Workaround 1: Turn off “Strict Leak Protection”
- Disconnect from Obscura VPN
- Turn off “Strict Leak Protection” from the “Settings” tab
- Connect again and check for connection leaks here: https://obscura.net/check/
Workaround 2: Force a reconnect when the problem arises
If you see that Obscura is stuck on “Reconnecting” when your device wakes from sleep:
- Click “Cancel Connecting”
- Wait for Obscura to disconnect
- Connect again
We fully understand that this is not ideal and are working to resolve this issue ASAP (given that a solution is possible with Apple’s includeAllNetworks API). Thanks to the users who reported this issue.
We’ll get to the bottom of this!
Sorry for being kind of nitpicky, but the Obscura website says Obscura’s “the first VPN that can’t log your activity and outsmarts internet censorship”.
Obscura came out February 11, while the first non-beta Nym release was January 30 to my knowledge.
Maybe instead of saying Obscura is the first VPN to do what it does, you could call it the first battle-tested VPN to do what it does. Obscura uses Mullvad as an exit node, which has been battle tested and raided by the Swedish police.
Does this service offer any advantage over simply multihopping two different VPN services (e.g., Proton, Mullvad) in the usual manner?
Yes, if LE reads both logs, they know who you are.
Also if you connect to domains and site profiles that are essentially yours, they know who you are.
Obscura essentially decoupled browser history and your ISP’s internal NAT’s IP.
Though I would like the Mac app to have feature parity with the Mullvad Mac app & WireGuard clients (kill switch, auto connect, split tunneling, etc.).
Also some 2FA would be nice, like passkey.
There are no logs collected by either.
I think what Obscura is saying is that even if it wanted to track users it couldn’t (except having metadata on when users use it and how much data, which isn’t insignificant either).
Worth noting that Obscura only uses Datacamp for their entry servers and they also only use Mullvad’s Datacamp servers for their exit servers.
The setting to use the fastest connection seems to always use the exit server in the same city as the entry server. Since both are Datacamp, it might even be the same exact location.
The more users use Obscura, the more this is irrelevant.
Bandwidth they can’t know.
I don’t understand your reply.
I really like what I’ve seen so far. The only pet peeve I have is that Obscura is technically not a VPN. VPN is a technical name with a technical definition. I don’t like that we’re twisting that definition. It can create unnecessary confusion.
Fortunately, Privacy Guides already has a name for these services—Multi-Party Relays (a.k.a. MPRs)—and has written an excellent introduction article for them.
If Obscura gets recommended in the future, I suggest the team put it in a new, different section called Multi-Party Relays, which can include other services like Safing. (I don’t know much about Safing and it may be incorrect to call it an MPR, so please correct me if I’m wrong.)
(Really sorry for mixing up Sweden and Switzerland! I had my previous post corrected.)
I have one more suggestion, thank you guys at Obscura for being so involved with the community from the get-go!
So Tor Browser and Mozilla VPN are able to have differing locations/connections per browser tab, and the Safing Privacy Network is able to have differing locations per application. Would Obscura consider having a differing location feature like that? I think that would help with privacy, as one user has more than just one location.
We’ve started including some non-Datapacket servers.
For transparency, we chose Datapacket servers for us and Mullvad exits since they have good IP reputation, reliability, and connectivity. This seemed like a sane default for the best experience for our users.
We’re designing UI now that allows power users to select arbitrary exit servers, stay tuned as we roll this out!
While I do think that what we’ve built is quite an improvement over traditional VPNs, I’d argue that from the viewpoint of most users we serve the same function as a VPN and the MPR-ness is somewhat of a technical distinction. Though of course it’s up to the Privacy Guides community to decide taxonomy! Just my 2 cents.
Yes, I think that’s one major thing we want eventually from a fine-grain split-tunneling solution. We do, however, want to be able to serve users who are not on Firefox and can’t do per-tab routing. Chromium browsers can do per-profile SOCKS proxy settings, so that might be the intermediary solution there. We’ll keep digging and if anyone has insights into the browser APIs we’d love to hear from y’all!
In my opinion, VPN as a term in a consumer setting doesn’t really make sense anymore anyway.
If anything, I would be of the opinion that we should start to talk about SPRs (Single Party Relays, e.g. consumer VPN servers) vs MPRs.
A full signup and WireGuard config generator is now live on obscura.net. If you’re on a non-macOS platform you can use this until we have a native app for you.
Full FAQ: Obscura VPN | Privacy that’s more than a promise
Let me know if y’all run into anything!
It’s great to see Obscura continuously improving!
But I have a few questions.
Does Obscura currently support, or plan to support, split tunneling? Some websites heavily ban or shadow ban VPN users these days, so it’s quite necessary.
I’m going to compare Obscura with Mullvad for obvious reasons, and as far as I know, Mullvad’s macOS client doesn’t use Apple’s Network Extension framework and instead uses their custom solution. They claim that the Network Extension framework isn’t robust enough for their security standards. While I appreciate the Mullvad team’s efforts, and they are one of the most trusted developers in this space, not using the Network Extension framework resulted in them needing full disk access permission from the user to use the split tunneling feature, which is a bit unsettling…
Since it looks like Obscura uses the Network Extension framework heavily in its macOS client, what are your opinions about the Network Extension framework? Do you think it is secure enough for most users? Is there any plan to support split tunneling without full disk access permission, via the Network Extension framework?
No current support in our apps, but this is definitely something we want to get right. We’re still in the design stages, but we want to make our split-tunneling the best user experience across all platforms.
Would love to know: is your specific use-case for split-tunneling just to exclude certain sites from being routed via the VPN? (e.g. your bank or something)
The Network Extension framework has been quite a mixed bag for us, it had a lot of good intentions, allows us to not have to claim permissions we don’t need (as you mentioned), and even innovations (like includeAllNetworks, which solved the TunnelVision bug).
However, it can also be quite buggy. We have many workarounds in our codebase for Network Extension bugs, and have reported many to Apple. We even had to put this giant warning next to our toggle for includeAllNetworks.
Nevertheless, even with the bugginess, we don’t consider it insecure at all. It seems to be rigorously enforced at the kernel level with XNU’s NECP, it’s just that some of the higher-level advanced features can sometimes lead to connections being stuck (but never leaking).
It is also the only game in town for iOS, so we try to upstream reports to Apple as much as we can!
(If anyone from Apple is reading this I implore you to read feedback FB18204701. We have a detailed bug reproducer + video + full code)
Hey, this isn’t relevant to your comment at all but I just wanted to say I’ve really been enjoying Obscura’s WireGuard config. I’ve tried it on iOS, GrapheneOS, and Linux and I swear I forget I even have it enabled, that’s how smooth it’s been. Zero issues with websites blocking me because I’m using a VPN.
Thanks for the detailed response, really appreciated.
Yes, my current use case for split tunneling is to exclude certain sites from the VPN.
Although I would prefer a per-website rule, it would be fine if it was a per-app based exception. It doesn’t really matter, I can work with both ways.
I will highly consider switching to Obscura when split tunneling is available.
Also, great to see that the iOS app is taking shape.