VPN service / benefits / Downsides

Last one for today :sweat_smile:
In searching for info about Proton VPN I read the page here and also found this video:

So now I’m not sure again and just need a list of pros and cons of VPNs so I can decide further.
For now I’m using Quad9.

The knowledge base article is not clear enough for you?

3 Likes

For some reason I did not get farther than:

But thanks for being so kind to point me in the right direction.

1 Like

@user1 don’t be an as*hole!
@FlipSid Benefits of having/using VPN are clear :slight_smile: Freedom of speech is number one of them.

3 Likes

No worries, sometimes things come across harder in messages than really meant.
In these cases I use some sarcasm to loosen things up.
I will go over the article and enjoy the other ones in the knowledge base.
Really for some reasons I missed the whole section :sweat_smile:

4 Likes

So do I :slight_smile:

1 Like

I didn’t mean to be disrespectful as a whole section is already present on the website, I was genuinely wondering if there was something that wasn’t covered there.
I understand sometimes things can be missed, I hope my link was useful.

10 Likes

So if I understand the article correctly and the button “split-tunneling” I would want to use the VPN for my standard surfing, while excluding Amazon/PayPal/banking etc?

That’s correct.

1 Like

The biggest benefits to using a VPN (in my opinion) are:

  1. You prevent your ISP from seeing all websites you go to. While they can’t see what specifically you do on each website thanks to HTTPS, they can still see what sites you visit or connect to, and they typically log it and in some cases even sell it to 3rd parties. This also includes metadata around the sites you visit, such as the times you visit them. There’s no guarantee your VPN provider won’t log or sell your traffic either however, which is why it’s crucial to use a trustworthy VPN with a good track record, such as the ones PG lists.

  2. It helps prevent cross-site tracking, since instead of using a largely unique IP address that can be traced back to you/your household, you’re using a general one. Your IP address is far from the only tracking vector, there are plenty more obviously, but it is still a prevalent one nonetheless and commonly used for tracking; since it can be a unique identifier, it’s important not to overlook it.

  3. VPNs can also bypass geo-restrictions and hide your general location from people. Geo-restrictions are most prevalent in places like streaming services for instance, where it could block you from accessing content due to your region, and a VPN can usually bypass that. Your IP address can also leak your general location (usually not precise though and it depends on your ISP how accurate it is, but it does happen, I’ve seen cases before where an IP has even tied back to a person’s city), which is also good to avoid.

There are other use cases for VPNs besides these 3, such as for torrenting and p2p online gaming, where you probably want to hide your IP, but those are probably the largest for most people.

I personally use a VPN all the time, as I don’t really trust my ISP and want to prevent tracking where possible, but it ultimately depends on your threat model and use cases. There are definitely cases where it’s less desirable to use a VPN, but I think VPNs are important and measurably improve your privacy in most cases, and I do generally recommend them (as long as the provider is trustworthy, like the ones PG lists).

5 Likes

Why would you want to exclude it for other apps? The only thing I use split-tunneling for is apps that simply do not function well with the VPN on AND I need them daily. For me, that actually only includes the app for my home alarm system. For my personal laptop, I have my VPN turned on 24/7.

1 Like

Using a VPN in cases where you’re using your real-life or well-known identity online is unlikely to be useful. Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank’s website.

Quoted from the article that @user1 linked above.

@FlipSid mentioned “Amazon/Paypal/banking,” all of which can fall under the umbrella of “real-life or well-known identity”:

A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. […] These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.*

*I bolded these phrases to highlight the pieces of information that may be used to make transactions using the aforementioned services.

2 Likes

I guess. I’ve never had that experience, and I guess that would prevent you from accessing their service somewhere that isn’t your home IP address?

1 Like

Proton Unlimited it is (for me) :crazy_face:
After reading the terms and conditions of my ISP I was sold

1 Like

I find this site really helpful in figuring out if you need a VPN: https://www.doineedavpn.com/

2 Likes

Would I use split tunneling for security, as to not have my banking app in the VPN, or functionality of the app?
Probably overthinking :crazy_face:
I ask because always-on VPN and kill switch turn off split tunneling.

We don’t know if your bank cares or not. Mine doesn’t. Others might. As long as they’re not blocking your account access or something like that you can just use it via VPN. Of course, it won’t prevent your bank from knowing who you are, but it might even be a good idea if you’re using public Wi-Fi or if you’re travelling a lot in general. When I visit many different countries in a short amount of time and log into my banking from each of them, I figure the chance is higher for their fraud prevention system to step in compared to me always using the same VPN endpoint in my home country.

1 Like

I’m no security expert, but with HTTPS, isn’t public Wi-Fi not so much of a security concern anymore?

@exaCORE
if you do use public Wi-Fi you should:

  • use an always random MAC address
    • my Brace does this by default
    • GrapheneOS and DivestOS do this by default
  • use a generic or blank hostname
    • on Linux localhost will typically result in no hostname being set/advertised
    • GOS/DOS do this by default
    • note most Android systems will reuse previous DHCP states too, GOS/DOS won’t
  • don’t give any information to the captive portal
    • they’ll often accept anything for an email/name if they ask
  • ensure all software is updated
  • use a system wide encrypted DNS
    • encrypted DNS doesn’t help with privacy here, but does provide integrity of the results
    • consider using browser encrypted DNS too for benefit of ECH where supported
      • if ECH is used, then privacy is benefited
  • set your browsers to forced HTTPS mode
    • do not access HTTP content
  • use a proper browser
    • a few forks disable critical security checks like CRLite/OCSP/CT
  • ensure your firewall is set properly:
    • for Windows Public should be ok, someone else can confirm
    • last I used Mac OS X, it had a stealth option
    • for firewalld or ufw set inbound to drop
    • ensure no unnecessary ports are opened
    • ensure any running services have proper authentication/access controls
  • remember anyone on the network can (try to) toy with your traffic
  • remember anyone listening on the radio can observe all past/present/future traffic
    • WPA2/3-EAP and WPA3-PSK largely mitigate this
  • you can use Qubes on a supported machine to isolate the network interface to its own virtual machine
    • otherwise you should at least ensure the networking daemons are sandboxed
      • brace does this for wpa_supplicant

These should largely be done regardless of public/private/friends/etc.

I personally use public Wi-Fi sometimes, but I route everything over Tor and/or a trusted VPN (while still doing the above).

See also: https://media.defense.gov/2021/Jul/29/2002815141/-1/-1/0/CSI_SECURING_WIRELESS_DEVICES_IN_PUBLIC.PDF

10 Likes
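The first two items of the checklist above (random MAC, no hostname advertised) are per-connection settings in NetworkManager. As an added example that is not from the post or from NetworkManager itself, this small Python script audits one connection profile in keyfile format for those two items and emits a hardened copy; the sample profile is constructed, and the keys it checks are NetworkManager’s own `wifi.cloned-mac-address` and `ipv4/ipv6.dhcp-send-hostname`.

```python
import configparser
import io

# Constructed sample profile in NetworkManager keyfile syntax, as found under
# /etc/NetworkManager/system-connections/. It carries the defaults that hand
# the hardware MAC and the hostname to whoever runs the hotspot.
SAMPLE_PROFILE = """\
[connection]
id=CafeWifi
type=wifi

[wifi]
ssid=CafeWifi
cloned-mac-address=permanent

[ipv4]
method=auto
dhcp-send-hostname=true

[ipv6]
method=auto
"""


def _load(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_profile(text: str) -> list:
    """Return findings for the two checklist items; an empty list passes."""
    cfg = _load(text)
    findings = []
    # Unset means NetworkManager.conf's default (normally 'preserve'); only
    # 'random' gives a fresh MAC on every connection, as the post recommends.
    mac = cfg.get("wifi", "cloned-mac-address", fallback="<unset>")
    if mac != "random":
        findings.append(f"wifi.cloned-mac-address={mac}: MAC is not randomised")
    # dhcp-send-hostname defaults to true, so the hostname is advertised to the
    # DHCP server of every network this profile joins.
    for fam in ("ipv4", "ipv6"):
        if cfg.getboolean(fam, "dhcp-send-hostname", fallback=True):
            findings.append(f"{fam}.dhcp-send-hostname: hostname is sent to DHCP")
    return findings


def harden_profile(text: str) -> str:
    """Return the profile with the recommended values set (keyfile syntax)."""
    cfg = _load(text)
    for section, key, value in (("wifi", "cloned-mac-address", "random"),
                                ("ipv4", "dhcp-send-hostname", "false"),
                                ("ipv6", "dhcp-send-hostname", "false")):
        if not cfg.has_section(section):
            cfg.add_section(section)
        cfg.set(section, key, value)
    out = io.StringIO()
    cfg.write(out, space_around_delimiters=False)  # GKeyFile-style key=value
    return out.getvalue()
```

Running `audit_profile(SAMPLE_PROFILE)` reports three findings, and the output of `harden_profile` audits clean.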

Thanks for this, I had almost none of these (except DNS) set :eyes:, whoops. Unfortunately, currently NetworkManager doesn’t have a setting that doesn’t send the hostname globally (No way to set dhcp-send-hostname globally (#584) · Issues · NetworkManager / NetworkManager · GitLab) :confused: