I don't know any single VPN provider apart from Mullvad with a proper v6 implementation.
Do you know if it's supported using OS-native VPN client implementations as well (i.e. WireGuard, IKEv2, or maybe OpenVPN), or only using their official client?
You could run WireGuard through the CLI directly instead of jumping through the Mullvad app itself.
You can download the WireGuard/OpenVPN config files all at once in their web interface.
I've seen that, but I just wasn't sure if that also works for IPv6.
According to their own docs, it seems to work for at least OpenVPN:
> Those not using the Mullvad client program can just add the directive "tun-ipv6" to their OpenVPN configuration file.
Yas. When you download the config files you can choose between IPv4 and IPv6.
Solid dev + OSS ecosystem + Flat rates
I'm satisfied!
$5/month vs e.g. $2/month with a long-running sub with e.g. PIA (Chinese owners) though... I wish Mullvad provided long-running subs with better prices than what they currently provide.
"sub" as in subsidized by your data eh?
Would love a source for Chinese owners of PIA. Last I knew, it was Israeli owners.
-source, former employee.
You are correct: "Kape Technologies is a United Kingdom-based cybersecurity software company. Kape owns VPN services and cybersecurity tools, including CyberGhost, Private Internet Access (PIA), ZenMate, ExpressVPN, and Intego."
https://en.m.wikipedia.org/wiki/Teddy_Sagi#Kape_Technologies
Yes, I misremembered. It was bought by Israelis after all. I don't think my point is affected by this, however.
And I feel quite illiterate right now. I somehow managed to misread both your comments twice.
SwissVPN provides a /64.
Network namespaces provide a clean host/VPN split.
https://blog.thea.codes/nordvpn-wireguard-namespaces/
I just built the same thing using `systemd-nspawn --directory=/ -b`. The nice part about using nspawn is that you have access to all of the normal network configuration tools like systemd-networkd to configure the devices and networks, rather than using a python script. It also provides a nice place for running services inside of the container, since process management is also included.
Hi, I'm the author of the blog post and just wanted to say thanks for the discussion.
I agree that relying solely on desktop VPN clients (especially closed-source ones) is risky... The network namespaces approach is new to me, but it looks like a solid way to isolate traffic and avoid these kinds of leaks entirely. Thanks for the suggestions.
For the love of God, don't use PureVPN! They have been proven in court to log traffic, despite claiming not to.[1]
[1] https://cyberinsider.com/vpn-logs-lies/
They are one of the few VPN providers that give out public IPv4 addresses, and you can even get a static one. So, if you are using them for having a public IP, not for privacy, please continue doing so.
Interesting, do you know if they actually assign them to the VPN interface (rather than just passing through inbound connections to a public IP to the private IP of the VPN interface)?
That could come in handy for hosting things behind double NAT.
They assign it directly to the interface, and letting others connect to stuff behind CGNAT is indeed my use case.
Two other VPNs working for this purpose are OVPN (+1 for them using WireGuard, but their Singapore node is slow) and SwissVPN (limited to only 30 Mbps by contract, but they do provide these contracted 30 Mbps).
Separately, PureVPN is one of the providers you can’t trust [1].
[1] https://www.makeuseof.com/worst-vpns-you-shouldnt-trust/
I'm not surprised, given that I received 140% cashback(!) on their 2 year plan a while ago. Unless the hope is that most users forget to cancel before it renews, I'm assuming that I'm paying with my personal information.
It still does the trick for accessing bank and other websites from abroad (that somehow consider a VPN IP more trustworthy than a residential ISP in a Western European country, but that's a different story), but I wouldn't use it for anything sensitive.
I also definitely wouldn't run their client locally, and their WireGuard configurations are annoyingly only valid for 15 minutes after creation. (Weirdly, there doesn't seem to be any limitation on IKEv2.)
There are many VPNs on TopCashback offering 100%+ cashback. I assumed most of them were trying to build up user numbers in order to sell or get acquired, since I can't logically understand why a VPN would pay so much for an affiliate bonus.
Given what you said about not using it for anything sensitive, I'm assuming you're not actually logging into your bank... right?
Everything is TLS-encrypted anyway these days, so the primary concern is metadata privacy.
When it comes to that, I trust VPN providers about as much as ISPs (i.e. absolutely not).
VP.NET doesn't require any trust at all [1][2].
[1] https://vp.net/l/en-US/blog/Don%27t-Trust-Verify
[2] I work for VP.NET and can answer any questions regarding the technology as well!
Interesting! But "no trust required" is a strong statement; don't I need to trust at least Intel? :)
My advice is never to trust bad intel ;).
I strongly suggest that you use something like network namespaces through Vopono[0] or Gluetun[1] if you use a commercial VPN for "privacy" or "security", aka torrenting and shitposting. Relying on these clients is always a gamble, and if your software (browser, torrent client, etc.) cannot know your public IP, only the internal IP of the VPN, you are also safe against some exploits and misconfigurations a desktop client won't protect you against.
[0] https://github.com/jamesmcm/vopono [1] https://github.com/qdm12/gluetun
Wouldn't blocking IPv6 and using a kill-switch prevent leaking?
In the case of PureVPN, the only way of preventing leaks is by switching to a different provider. There is definitive proof that they keep logs despite their claims to the contrary. I have linked to a federal criminal complaint where the FBI requested logs after the offense and was given them by PureVPN. The relevant portion is on page 22.
https://www.justice.gov/archives/opa/press-release/file/1001...
Block IPv4 as well and you're pretty solid.
No, not in all cases. Imagine your browser gets 0-dayed and just sends all IPs it sees to an endpoint.
I strongly suggest you disable IPv6, as nothing will break by disabling it but many things break with it enabled.
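The namespace approach recommended in the thread (the linked blog post, vopono, gluetun), written out here as an added example in Python rather than any of those projects' code: the program is started inside a network namespace that contains nothing but loopback and the WireGuard interface, so even a fully compromised browser can only report the tunnel's internal address, and if the tunnel drops there is no other route to fall back to. Assumptions that are not from the thread: Linux with iproute2 and wireguard-tools, running as root, and a provider-supplied wg-quick style config at the hypothetical path /etc/wireguard/provider.conf.

```python
"""Confine a program to a network namespace whose only way out is a WireGuard tunnel.

Added example, not code from the blog post, vopono or gluetun.  Assumes Linux with
iproute2 and wireguard-tools, root, and a provider-supplied wg-quick style config at
CONF (hypothetical path).  Usage:  sudo python3 vpn_netns.py firefox
"""
import os
import re
import subprocess
import sys

NS = "vpn"
IFACE = "wg0"
CONF = "/etc/wireguard/provider.conf"        # assumed location of the provider's config
WG_CONF = f"/run/{NS}-{IFACE}.conf"           # stripped copy that `wg setconf` accepts

# keys wg-quick understands but `wg setconf` rejects
WGQUICK_ONLY = {"address", "dns", "mtu", "table", "preup", "postup",
                "predown", "postdown", "saveconfig"}


def split_wgquick_conf(text):
    """Return (addresses, dns servers, text for `wg setconf`) from a wg-quick style file."""
    addrs, dns, kept = [], [], []
    for line in text.splitlines():
        key, _, val = line.partition("=")
        k = key.strip().lower()
        if k == "address":
            addrs += [a.strip() for a in val.split(",") if a.strip()]
        elif k == "dns":
            dns += [d.strip() for d in val.split(",") if d.strip()]
        elif k not in WGQUICK_ONLY:
            kept.append(line)
    return addrs, dns, "\n".join(kept) + "\n"


def setup_commands(addrs, ns=NS, iface=IFACE, conf=WG_CONF):
    """Ordered iproute2/wg commands.  The interface is created in the root namespace, so its
    encrypted UDP socket stays there and uses the host uplink, and is then moved into `ns`,
    where it is the only non-loopback interface: tunnel down means no route out at all."""
    cmds = [
        ["ip", "netns", "add", ns],
        ["ip", "-n", ns, "link", "set", "lo", "up"],
        ["ip", "link", "add", iface, "type", "wireguard"],
        ["ip", "link", "set", iface, "netns", ns],
        ["ip", "netns", "exec", ns, "wg", "setconf", iface, conf],
    ]
    cmds += [["ip", "-n", ns, "addr", "add", a, "dev", iface] for a in addrs]
    cmds.append(["ip", "-n", ns, "link", "set", iface, "up"])
    for family in sorted({"-6" if ":" in a else "-4" for a in addrs}):
        cmds.append(["ip", "-n", ns, family, "route", "add", "default", "dev", iface])
    return cmds


def interface_names(ip_link_output):
    """Parse `ip -o link` output into interface names (drops the '@ifN' suffix of veth ends)."""
    return [m.group(1).split("@")[0]
            for m in re.finditer(r"^\d+:\s+([^:\s]+):", ip_link_output, re.M)]


def namespace_is_sealed(ip_link_output, iface=IFACE):
    """True when the namespace holds nothing but loopback and the tunnel interface."""
    return set(interface_names(ip_link_output)) == {"lo", iface}


def main(argv):
    if os.geteuid() != 0 or len(argv) < 2:
        sys.exit("usage (as root): vpn_netns.py <program> [args...]")
    with open(CONF) as f:
        addrs, dns, wg_conf = split_wgquick_conf(f.read())
    with open(os.open(WG_CONF, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        f.write(wg_conf)                                   # contains the private key: root-only
    for cmd in setup_commands(addrs):
        subprocess.run(cmd, check=True)
    os.makedirs(f"/etc/netns/{NS}", exist_ok=True)        # `ip netns exec` bind-mounts files here over /etc
    with open(f"/etc/netns/{NS}/resolv.conf", "w") as f:
        f.writelines(f"nameserver {d}\n" for d in dns)    # provider DNS only: no host resolver leak
    links = subprocess.run(["ip", "-n", NS, "-o", "link"],
                           capture_output=True, text=True, check=True).stdout
    if not namespace_is_sealed(links):
        sys.exit(f"unexpected interfaces in {NS}: {interface_names(links)}")
    user = os.environ.get("SUDO_USER", "nobody")           # drop root before the program starts
    os.execvp("ip", ["ip", "netns", "exec", NS, "sudo", "-u", user, "--", *argv[1:]])


if __name__ == "__main__":
    main(sys.argv)
```

The detail that makes this leak-proof is creating wg0 in the root namespace before moving it: the encrypted UDP socket stays with the host's uplink while the cleartext side is only reachable inside the vpn namespace. A firewall kill switch, by contrast, blocks the packets but leaves the real interface and its address visible to the process, which is exactly what the 0-day scenario above exploits.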
That's not true anymore.
IPv6 allows for more direct connections for services like VoIP or Tailscale, since UDP hole punching between two firewalled public IPv6 addresses usually just works, but doesn't between two clients both behind a "port-restricted cone" or "symmetric" NAT.
As a result, connections have to be relayed, which increases latency and is just outright infeasible for some non-profit services that don't have a budget for relaying everyone's traffic.
Anecdotally, I've also heard that you can get better routing via IPv6 on IPv4-via-NAT-only providers these days, as the provider's CG-NAT might be topologically farther away than the IPv6 server you're connecting to.
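The mapping behaviour behind the comment above, as an added simulation that is not taken from Tailscale or any other project: a firewalled public address (the IPv6 case), a port-restricted cone NAT and a symmetric NAT, each put through the classic rendezvous-then-simultaneous-send punch. The addresses, the rendezvous server and the port numbers are constructed.

```python
"""Toy model of UDP hole punching through three kinds of middlebox.

Added example: a simulation of the NAT / firewall state, no sockets are opened.  The
public addresses, the rendezvous server and the port numbers are made up.
"""
from dataclasses import dataclass, field
from itertools import count

RENDEZVOUS = ("198.51.100.1", 3478)   # STUN-like server both peers can reach (constructed)


@dataclass
class Middlebox:
    # kind is one of:
    #   "firewall"  public address behind a stateful firewall (the IPv6 case), no translation
    #   "cone"      port-restricted cone NAT: one external port per internal socket
    #   "symmetric" symmetric NAT: a fresh external port for every destination
    public_ip: str
    kind: str
    _ports: count = field(default_factory=lambda: count(40000))
    _mappings: dict = field(default_factory=dict)
    _pinholes: set = field(default_factory=set)

    def outbound(self, local_port, remote):
        """Inside host sends from local_port to remote=(ip, port); returns the external (ip, port)."""
        if self.kind == "firewall":
            ext_port = local_port
        elif self.kind == "cone":
            ext_port = self._mappings.setdefault(local_port, next(self._ports))
        elif self.kind == "symmetric":
            ext_port = self._mappings.setdefault((local_port, remote), next(self._ports))
        else:
            raise ValueError(f"unknown middlebox kind {self.kind!r}")
        # all three only let a reply in from the exact ip:port that was sent to
        self._pinholes.add((ext_port, remote))
        return (self.public_ip, ext_port)

    def inbound(self, ext_port, src):
        """Would a packet from src=(ip, port) addressed to our ext_port be let through?"""
        return (ext_port, src) in self._pinholes


def hole_punch(box_a, box_b, local_port=5000):
    """Both peers learn their reflexive address from the rendezvous server, swap them through
    it, then send to each other at the same time.  Works iff the port a peer advertised is
    the port it later sends from, which a symmetric NAT breaks by design."""
    a_reflex = box_a.outbound(local_port, RENDEZVOUS)
    b_reflex = box_b.outbound(local_port, RENDEZVOUS)
    a_sent_from = box_a.outbound(local_port, b_reflex)    # A -> B opens A's pinhole towards B
    b_sent_from = box_b.outbound(local_port, a_reflex)    # B -> A opens B's pinhole towards A
    return box_a.inbound(a_reflex[1], b_sent_from) and box_b.inbound(b_reflex[1], a_sent_from)


def needs_relay(box_a, box_b):
    """What a VoIP or mesh-VPN client decides: fall back to a relay only when punching fails."""
    return not hole_punch(box_a, box_b)
```

The symmetric case fails because the external port the peer learned via the rendezvous server is not the one used towards the other peer, so the other side's packet arrives at a port with no matching pinhole; a firewalled public IPv6 host never translates anything, so the two pinholes line up as long as both sides send.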
That's not really true anymore. I've used a connection with both IPv4 and 6 for the past two years. There's a number of times where my stuff magically works while others have issues, because my traffic is mostly over IPv6. Not once have I had an issue because my setup is dual stacked.
This is still true for ISPs that don't monitor their IPv6 connectivity. I was forced to disable IPv6 recently because of this: https://www.reddit.com/r/ipv6/comments/1nf3ytq/how_do_i_comp...
And before you say "change the ISP": Globe is the only one that does not refuse to provide services to foreigners and does not lock you up into a 24-month non-cancellable contract, which is longer than any available non-resident visa.
Alternatively, disable IPv4. The same statement holds true.
Unfortunately this is not true, loads of cool techy stuff (Sentry, GitHub) etc still don't work properly on IPv6, less techy stuff really didn't care at all.
You can use NAT64 to talk to legacy networks. IPv6-only networks (with NAT64 or 464XLAT etc.) are becoming increasingly popular. There is also this new concept called "IPv6-mostly network" that is getting rolled out: https://www.ietf.org/archive/id/draft-ietf-v6ops-6mops-02.ht...
Lots of things will break if you disable IPv4, including my work-provided Zscaler Windows laptop (and not break in the good way, where it fails open when you block traffic to Zscaler nodes on your router).
Very little will break if you disable IPv6.
Enterprise malware not doing v6 properly hardly counts; it's a good day for them when they don't just BSOD your entire network.
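For the NAT64/DNS64 part of that comment, an added example (not from the linked draft or any resolver's code) of the address synthesis defined in RFC 6052, using the well-known 64:ff9b::/96 prefix and the RFC documentation address ranges as test data:

```python
"""NAT64 / DNS64 address synthesis as specified in RFC 6052 and RFC 6147.

Added example; the /96 prefix is the RFC well-known prefix and the test addresses are
documentation ranges.
"""
import ipaddress

WKP = "64:ff9b::/96"   # RFC 6052 well-known NAT64 prefix


def synthesize(ipv4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (what DNS64 puts in a AAAA)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here (RFC 6052 also allows /32 to /64)")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract(ipv6, prefix=WKP):
    """Inverse, as the NAT64 gateway does on the way out; None if the address is native IPv6."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in ipaddress.IPv6Network(prefix):
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def dns64_answer(aaaa_records, a_records, prefix=WKP):
    """DNS64 rule: return native AAAA records when the name has them, otherwise synthesize
    one per A record.  A DNSSEC-validating stub cannot validate the synthesized set, since
    the zone never signed it."""
    if aaaa_records:
        return [ipaddress.IPv6Address(x) for x in aaaa_records]
    return [synthesize(x, prefix) for x in a_records]
```

This is also why such networks end up "IPv6-mostly" rather than IPv6-only: anything that carries an IPv4 literal inside application data instead of a DNS name (SIP, some P2P clients, a hard-coded address) never passes through DNS64 and needs the host-side CLAT of 464XLAT to be translated.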
A lot of stuff breaks when you run Zscaler.
What about NordVPN and ExpressVPN are those somewhat trustworthy?
Trustworthy enough to shitpost behind? Sure.
Trustworthy to break some actual laws behind? Absolutely not.
Given their need to advertise with pretty much any YouTube channel willing to take their money, I'd be inclined to question the quality the likes of NordVPN and SurfShark.
It boggles me how one can see them as anything but sus after tops 30 minutes of looking into it. You get that all those "top 5 vpn" sites and youtube recs are sponsored, right?
Define trustworthy? In my experience, no.
Also look up TunnelCrack if you want.