Back when I was running PIA, they threatened me a significant amount just for pointing these facts out.

Now that I launched a verifiable VPN, they are once again sending legal threats [1].

[1] https://vp.net/l/en-US/blog/Verified-Privacy-vs-Trust

I have a good friend from Lithuania, who has told me so many amazing/wonderful/superlative things about the country he grew up in and loves very dearly, as well as its people. I can't wait to visit someday. Unfortunately, he only has Russian and American citizenship, so he can't purchase real estate there currently, but luckily most of Lithuania's restrictions have been very common-sense (applying only to people who frequently travel between Russia and Lithuania).

From what I can tell, Tesonet seems like a very patriotic group (as much as a corporation can be personified at all), and genuinely puts resources, both human and financial, towards raising up the local communities.

It's interesting to me that Tesonet has concentrated the most popular VPNs under one roof and is involved in so many companies that could be described as "dual-use" (white hat/black hat) such as residential/mobile proxies, ai-powered scraping, etc. It tells me that Tesonet has a very sharp understanding of gray-hat landscapes. It does seem like their portfolio could be leveraged as a valuable asset to any powerful interest, regardless if they are benevolent or malicious or misguided.

I mentioned Tesonet's stance towards Ukraine because Lithuania has a number of wealthy ex-soviet/Russian citizens and business-owners with differing politics, and wanted to clarify that for any readers who might wonder.

Additionally, I've always been very impressed with Estonia's digital infrastructure and Ukrainian software engineering - not just JetBrains but also other vendors that I've worked with personally. Seems like there are a lot of highly skilled people concentrated in your region.

Yes, you can with Obscura. That limitation of Private Relay is just an arbitrary limitation made by Apple.

Makes perfect cover though? "He was only a conscript changing printer cartridges"

If I was running an intelligence agency and was given my choice of conscripts,

I wouldn't hand my intelligence secrets to people who resented being forced to be there; or to mouthy people I thought might blab about it after the end of their service; or to people with an anti-authority streak or at risk of a Snowden-style attack of conscience about civil liberties.

I would select for people with a deep love of their country; and a sense of loyalty that would extend well beyond the end of their service. The rest I'd send elsewhere - plenty of other units need tech folks, that drone/radio/printer isn't going to fix itself.

Unit 8200 is a cyberwarfare and spy unit. They were responsible for the Lebanon pager supply chain terror attack. I definitely want to know if they are involved with any tech I'm using so I can avoid it.

> Does this mean much given that israel has mandatory military service?

Yes. Mandatory military service is still military service. It's still following government orders at an impressionable age in a culture that deliberately inculcates a mentality of following orders even when they go against your every human instinct. It still means working for an organisation that knows its job is killing people, even if you're not the one pulling the trigger yourself. And Israeli military intelligence specifically has a long history of keeping supposedly retired civilians on as sleeper agents who infiltrate supposedly neutral companies.

(Does that mean this guy specifically is definitely one of them? Of course not. But to anyone with reason to be using a VPN at all it's probably too much of a risk)

The second part of your comment seems like a non sequitur

Calling out Israeli conspiracy isn't Jew hating.

This is the whole issue. No one can question what Israel is doing for fear of anti semitimtism.

If everyone is "anti-semitic" then you allow real antisemitism to foster unabated.

I specifically put the OP in the second-chance pool (https://news.ycombinator.com/item?id=26998308), which is why it got re-upped (https://hnrankings.info/45469376/). Rather an odd way to suppress discussion, no?

It’s not Tesonet, Proton is wholly self-owned and managed. Proton VPN was briefly sharing employees with Tesonet during initial app bringup, and that partnership is long over. Naturally due to competition and the huge importance of privacy in this space, people still bring this up, but Proton VPN does not and never will sell or share your data with anyone.

Source: I am a Proton VPN employee.

Proton's response in the thread:

Hi everybody, this is Andy here. I'm one of the original researchers from CERN behind ProtonMail and ProtonVPN. There's some false info out there about ProtonVPN, and these stories were first fabricated by Private Internet Access, a competitor who has been feeling pressure from ProtonVPN lately.

The stories are false, but we have always been very open with the community, so I would like to provide some background anyways. As many of you know, Proton has many partners (Radware, F5 Networks, Equinix, Radix, Farice, LeaseWeb, Dell, Supermicro, etc). Tesonet Lithuania is indeed a partner within our long list of partners, but it's a huge stretch to claim ProtonVPN is run by Tesonet.

We first met Tesonet back in 2015 when they offered to provide us with internet infrastructure (we received many offers after the infamous 2015 DDoS attacks - we never bought infrastructure from Tesonet). During this period, Google was suppressing ProtonMail in search results, and we were financially suffering. To address this challenge, we needed to hire staff outside of Switzerland where costs are lower. This is how our Skopje, Prague, and Vilnius offices got started.

Prague happened because two of ProtonMail's early hires from CERN were Czech. Skopje and Vilnius happened because we knew local partners there (it would not have been possible to source local candidates, handle HR and payroll, understand local regulations, etc, without outside assistance). We worked with Radix (Macedonia) and Tesonet (Lithuania) to accomplish this. Tesonet in particular was selected since they are one of Lithuania's largest tech companies (and we already knew them).

While our early hires in both Vilnius and Skopje were always working fully for Proton, they were formally employed by our local partners because we did not have a local entity that could employ them. In the early days of Proton, this was not an uncommon arrangement since our team is spread across over 10 countries.

In mid-2016, Google finally halted the suppression of ProtonMail in search results and we experienced strong growth. This gave us the resources to create our own corporate entities in Macedonia and Lithuania, and we engaged Radix and Tesonet to do this. We used the same legal address and nominee directors as our local partners because we still did not have our own office yet. For contractual reasons, these moves took some time. For example, ProtonLabs Skopje, our newest entity, only moved in November 2017.

For historical reasons, some connections to our past local partners remain. Some of the IPs we use in ProtonVPN's global network might be acquired or leased from Radix (we have never, and do not currently use IPs from Tesonet - most IPs are from LeaseWeb or are our own IPs). Similarly, the ProtonVPN Android keystore mistakenly lists Tesonet as the organization name, since our Android developer was at that time formally employed through Tesonet. Due to the way the Android Play store works, this keystore can unfortunately never be changed, but it remains under our sole control.

The entities we use today in Skopje and Vilnius are both subsidiaries of our corporate entities in Switzerland. While we no longer employ team members through third parties (except for in the United States where don't do direct employment), we do continue to share expertise and work on projects together with various partners. For example, our two new Swiss datacenters are being built together with Radix in order to share some of the fixed costs.

Going forward, we will need to continue working with partners around the world as we grow (unless you're Google, you can't do everything yourself). This is not the first time one of our partnerships has been inaccurately portrayed (the other incident is so ridiculous I'm not going to mention it here). The truth however, is less interesting than the conspiracy theories might have you believe.

--------

Further comments on the smear campaign against us:

    The false allegations were originally spread by US-based VPN provider, Private Internet Access (PIA), who also happens to be a major competitor. We think it says a lot about them to be engaged in shady marketing tactics.

    ProtonVPN/ProtonMail does not, and has never used any IPs or servers from Tesonet (this can be publicly verified)

    Proton does not share any employees (or company directors) with Tesonet. This is also a verifiable fact.

    Proton has not used Tesonet for HR since 2016.

    There is little actual evidence that Tesonet does data-mining (in any case we have never used infrastructure from them).

    Proton has many suppliers (Dell, Juniper, Radware, etc). If you dig enough, you can find dirt on all of them and create a false narrative. We do business with other tech companies - this is not a secret or abnormal.

We're not surprised to be attacked given how shady the VPN industry is. If anything, it indicates to us that we are doing something right.

thanks, this reddit thread doesn't inspire confidence in proton's story :/ at all

Major issue I faced in this method is the network egress costs the cloud providers charge. I had to remind myself not to accidentally land on YouTube or some other video streaming sites.

Are there any cloud providers who don’t charge for network egress?

I too recently tried to set up OpenVPN on a VPS and it was a huge pain in the @ss, even while following a (very long) tutorial. If I figure out an easier way to do this I'll message you in this thread

VPS's that you can easily spin up for an hour or two tend to charge $$$$ for egress bandwidth, which makes them an unattractive option for streaming video over.

There are very simple options to selfhost a VPN nowadays. For example, Amnezia allows you to just type your server ssh credentials into their mobile app, and it will automatically set up AmneziaWG on your server and add it to the app. You can then create Amnezia or plain WireGuard config files from extra devices right from there.

I am also a relatively happy proton user (now, but wasn't always this way). I second this. Based off the site, it looks like Mullvad passed a real world test too, Proton has not. I haven't tried Mullvad in a couple of years, but they were always reliable and fast. The only issue I had with Mullvad was getting connected to enough peers when torrenting, especially on older torrents where the pool of users is small. Proton's port forwarding feature did noticeably help with that. I do enjoy being able to pay a discounted yearly subscription price with Proton and their user interface is nice. There are some minor problems with split-tunneling in Proton though, sometimes it doesn't work and I haven't figured out why.

Mullvad doesn't support port forwarding [1] for users that need it unlike proton vpn [2].

Although I have never needed it myself, which in that case Mullvad might be better since they require minimal registration details.

[1]: https://mullvad.net/en/blog/removing-the-support-for-forward...

[2]: https://protonvpn.com/support/port-forwarding

I was a Mullvad user but needed forwarded ports so went back to AirVPN.

No issues so far.

> Proton is trying to be Nord

I feel like it's Nord who's trying to be Proton but worse, no? Nord had just the VPN until recently, unlike Proton which was already trying to build an ecosystem (although they did speed up the new product drops significantly in the past few years). And unlike Nord, at least Proton actually has proper zero-access encryption and stuff, and they seem to know what they're talking about rather than just relying on influencer marketing.

If anyone wants some background info on the "idiot" comment:

A Bavarian man captioned an image of Robert Habeck (the vice chancellor of Germany at the time) with "Schwachkopf Professional" - "Professional Idiot". It was styled after the Schwarzkopf ad campaign. For this, Habeck filed a criminal complaint "to stop hate crime" against the man and the man's apartment was searched by the police and a tablet confiscated. Oh, and he was arrested over it as well. [0]

(The man was also accused of posting some nazi imagery earlier in the year, but the order to search his house seems to be related only to the insult. [1])

Imagine if you could be arrested for calling your (vice) president an idiot.

[0] https://www.dw.com/en/germany-greens-habeck-presses-charges-...

[1] https://www.tagesspiegel.de/politik/falschaussage-im-fall-sc... (it's in German)

What idiot signed that bullshit into law?

Interesting that we use the same word to describe both technologies, but semantically and technically they are very different.

Perhaps we use the same word to describe them because initially they did use the same technologies, but they have branched out ever since? Maybe IPSec would be a common tech used. But the algorithms are not the same anymore since they serve different purposes (Personal privacy vs corporate/sysadmin security)

In the corporate world VPNs were usually a lower level abstraction security mechanism or a redundant security mechanism to either complement application layer_security, or to hot-patch modern security unto legacy LAN systems. VPN encryption is usually provided by the local router. Common algorithms are IPSec/IKev2.

In the personal privacy world, we are talking about a proxy that hides identification such as IP addresses, and pools connections to provide privacy. The actual encryption is not the main security mechanism even, as it only covers the transit between consumer to proxy, leaving (a potentially longer transit) between the proxy to the actual destination.

In terms of purpose and architecture it's closer to bitcoin tumblers, or Tor or Freenet, or money laundering placement. The fact that they call it VPNs seems to me more of a marketing scheme or political play to avoid association with all of the above, than an actual technical or academical description. If someone were to analyse these technologies, I'm sure a neutral or critical approach would avoid uncritically calling them VPNs in the same way that research is published not about Viagra, but on Sildenafil.

Wait, I think an ISP cannot inspect the content of packets that are encrypted, say, with HTTPs. In order to inspect TLS encrypted packets you need access to the end-device, controlling the end-router is not sufficient since you would not have access to the device certificates.

If you can prove that an ISP can inspect packets, it would be major news.

"Hacked" will be "left the data on a public S3 bucket until someone noticed" or similar.

CGNAT won't save you in a world where everything is fingerprinted to within an inch of it's life.

With TLS being everywhere, and just few clicks away from having DNS over TLS, I really don't get eavesdropping on public wifi prop value.

Given that most of the web has TLS and you can easily do DNS over TLS - that's very very high level metadata, where I personally just don't see much ROI vs to giving that metadata to random company with no regulations whatsoever.

> but honestly at this point I'd much rather trust my paid VPN provider with my browsing data than my ISP and ultimately the government.

Your ISP will need to comply with local laws and regulations, and you'll have some recourse if broken. A third-party VPN operating in an overseas jurisdiction could be doing anything with your data.

>but there are still metadata that can be collected.

That logic is questionable given how poorly "spying on public wifi users" scales. You either need to put a bunch of eavesdropping radios in a bunch of public places or somehow convince a bunch of small businesses to use your "free wifi" solution. Even if you do have access, it's hard to monetize the data, given that nearly every device does MAC randomization (so you can't track across different SSIDs) and iOS/windows rotates mac addresses for open/public networks. OTOH setting up metadata capture on a commercial VPN service is pretty straightforward, because you control all the servers.

Just because something is called with the same name, doesn't mean it's the same thing. Especially if the naming is done on a product by a company that wants to sell the product, and especially if the name is not a protected trademark.

Express VPN, NordVPN and Surfshark belong to another category of software than the VPNs used by companies.

Some differences are:

1- One is used by consumers, the other is used by businesses.

2- One protects communications to a client-controlled Local area network. The other protects communications with third party services.

3- One provides encryption, the other provides anonymization.

it was one of the UK servers

And what types of data?

HTTPS spills what services you are communicating with, but not the content…

…except approximate content sizes and timing patterns.

They sell metadata. DNS queries, locations, apps using data, device info. Usually anonymized, but both unscrupulous and "better" providers do have access to your account and payment info.

I reckon that if HTTPS was sufficient to hide your online activity, then you wouldn't need a VPN to hide it in the first place.

If HTTPS were for privacy it would be called HTTPP. Security features tend to make things less Private, like how opening apps on a Mac makes it phone home for OCSP check.

Yes, VPNs add encryption only between you and the VPN servers.

This is the way (or Tailscale). Easier to move around between datacenters to find one with an ASN/IP that isn't blocked by the apps/websites you use. If you do want a more off-the-shelf solution, Mullvad is probably the best choice. All of the consumer VPNs (including Mullvad) get blocked by various services - I get degraded/intermittent connection to Google Maps on them. GCC countries block most of the well-known VPNs as well, if you ever travel to the Arabian/Persian Gulf region. My private datacenter VPN gets blocked only very, very rarely.

WireGuard/udp commonly gets blocked on public wifi

or with Tailscale (and configure the server as an exit node).

There was a bumpy ride with CF a while ago but they seem fine now (still plenty of captchas, of course)

Reddit too, I wished they offered residential or dedicated and/or unlisted ips. But most of the time you just have to cycle through different ips to unblock.

OOC what's your current favored provider? AirVPN? Proton?

Yep.

And I was on Proton for 3y, until the CEO were backing Trump and Vance on Reddit and other places. Their port forwarding was also painful as well, but it worked.

Cancelled. PIA does the port forwarding nicely and stabily. No jank scripts to run every 60 seconds.

Now evidently PIA is a bunch of scum capitalists. But in reality, who isn't?

Mullvad? But they killed port forwarding for "abuse".