This article was provided to TechRadar by Linux User & Developer, a magazine which is dedicated to passing on the open source knowledge and expertise of grass-roots developers and hackers. Some of the software included may have been updated since the article was first published.
If you use your Linux machine to access the internet, whether it’s at home or particularly on the road, then it’s worth learning about the pros and cons of Virtual Private Networks or VPNs.
A VPN allows you to secure traffic between two locations – the first being your own machine, the other being either a commercial VPN provider or a VPN system that you have deployed yourself, either in the cloud or perhaps at another location of your own, such as in the office.
VPNs are available using a host of different protocols, but their essence is the same – traffic is encrypted on your machine and decrypted at the VPN server (and the reverse on the way back), so that it cannot be snooped on by a middleman between the two. Bear in mind that this protection ends at the VPN server: from there to the final destination, your traffic is only as private as the application protocol (HTTPS, for example) makes it.
When using a VPN, there are a number of different options related to routing. The typical scenario is to route all traffic over the VPN connection, but you can also use the concept of ‘split tunnelling’, where some traffic passes over the VPN connection and some passes over the regular internet connection, based on routing rules.
VPNs are often touted as an essential tool for those worried about persecution for their online activities, but the reality is that their benefits reach much wider, offering peace of mind for anyone who sends data over public networks.
Why go virtual?
So, let’s take a moment to more thoroughly explore the reasons why you might want to use a VPN. Although privacy and security concerns are the most common reasons for setting up private networks, they are not the only ones.
Whether you’re using a home broadband connection or roaming mobile data in a foreign country, there’s a good chance that you’ll be subject to traffic shaping. Traffic shaping is employed by service providers to limit the speed of certain types of traffic in order to prioritise content across their network.
For example, many of the UK’s service providers use shaping to throttle down music and video streaming services when out of the country, in order to discourage customers from using large amounts of data. Similarly some UK broadband providers will do the same with file downloads at peak hours.
A VPN can help avoid this happening, as it encrypts all traffic going across your internet connection, meaning that your provider won’t be able to see exactly what you are doing. One slight caveat with this is that some providers may detect and throttle VPN traffic itself, although given the wealth of different VPNs and protocols available, this can be avoided by using a less common service (typically, not OpenVPN).
The classic use case of a VPN is with public Wi-Fi hotspots. If you are out and about with your Linux laptop (or your phone, or any other connected device), then you might want to take advantage of some free connectivity provided by your favourite coffee shop.
The problem with this is that you don’t really know what is happening to your data as it travels between your device and the service you want to use. It could be intercepted by other actors on the network or by a compromised Wi-Fi system in the cafe. If you are looking to send any data you care about, be it your social network posts or your online banking, you should really think twice here. Using a VPN will ensure that all traffic going over the public network is safely encrypted.
A very common use of VPNs is to provide external connectivity to office networks. Using this method means that opening machines up to the world completely can be avoided; instead, only a VPN server is configured. When users connect to the VPN, they will be able to browse as if they were actually in the office. Using split tunnelling means that any internet access or local network access will still be possible, but addresses within the office IP range are routed over the VPN.
This concept can also be used in a similar way on your home network. By installing a VPN server at home (or using VPN functionality built into a number of popular routers), it is possible to connect when away from home and access machines on your home network as if you were actually there. This is particularly useful if you have content stored on a NAS, or perhaps want to remotely view IP security cameras without opening them up completely to the world.
Many businesses now choose to deploy their infrastructure in the cloud, using providers such as Amazon Web Services. A common concept in cloud hosting is VPC, or Virtual Private Cloud. This allows companies to have a number of servers located in the cloud, but have them not generally accessible to the internet, instead allowing them only to communicate with each other. A good option is to deploy VPN access inside the VPC, so that again a minimal number of ports are exposed to the outside world, helping to enhance overall security.
Location, location, location
One consideration when using VPNs is their location. If you are based in the UK, but connect to a VPN in another country – the US for example – then this will impact activities such as web browsing, as the destination server will see only your ‘exit IP’, that is the IP of the server from where you are ultimately routing traffic.
This can be a negative thing – if you are using Google and everything comes up in another language, or content is geo-blocked – or a positive thing, if you are out of the country, and you VPN back to the UK in order to access content that is similarly restricted (BBC iPlayer is a great example).
VPN versus VPS
So that’s the basics of VPN covered, but you may have also heard of a VPS, and wondered what on earth that is. A VPS is a ‘virtual private server’ – a virtual server box in the cloud. Let’s explore the main points of difference between the two.
What’s a VPN?
- It’s typically provided by specialist VPN companies
- Also possible for tech-savvy people to deploy
- Varies widely in price, but starts from free
- Typically, you get what you pay for
- If the encryption key is shared amongst users, data could still potentially be compromised
- Often available with ‘POPs’ (points of presence) in a range of countries across the world
- Speeds will often vary based on user location
What’s a VPS?
- Provides a set amount of CPU, RAM, storage and traffic for a monthly fee
- Is generally deployed with a basic OS build the user can then customise
- More commonly available with Linux than any other platform
- Ideal for deploying your own VPN solution
Got all that? Good. Now let’s move on to consider the best VPN options themselves…
Here are four of the best tools Linux pros can use to keep their internet connection private and secure. The first three are do-it-yourself affairs, with the final entry in our shortlist being a traditional VPN provider.
There are a number of options when deploying your own VPN server. You can take a bare Linux install and deploy your own individual packages (which, admittedly, does give you the highest level of control), but this is undoubtedly extremely time consuming. The alternative is to use a tool to deploy a VPN server on your behalf. A number of open source tools are available that offer this feature, the first of which is Streisand.
The Streisand script sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. This provides you with a host of different connection methods you can use to suit your needs across a wide range of platforms.
It is particularly clever in that it also generates custom instructions for all of these services. At the end of the installation script, you are given an HTML file with instructions that can be shared with friends or family members, and the server itself also hosts instructions on how to connect on a website secured with a validated SSL certificate.
The script is designed to run against Ubuntu 16.04 (the current LTS release) and can be used either to provision an existing server via its IP address or to automatically deploy a new box at one of a number of cloud VPS providers, including Amazon EC2, DigitalOcean, Google Compute Engine, Linode or Rackspace. The Streisand developers plan to add support for Amazon Lightsail in the near future.
The process is completely automated and only takes about 10 minutes. The great thing about using Streisand is that you can tear down the VPS and redeploy at will, which reduces the risk of compromise and is just plain convenient. As an open source product, Streisand is audited by many independent developers to help assure its safety.
While Streisand is a very popular VPN platform, it is not the only offering of its type. A frequently used alternative is Algo – a set of Ansible scripts (like Streisand) that simplifies the setup of your own IPsec VPN. It contains the most secure defaults available, again works with common cloud providers, and crucially does not require client software on most devices.
So why would you use Algo over Streisand? Algo is a lot more limited than Streisand, and that is frequently touted as its main benefit. Algo supports only IKEv2 with a single cipher suite – AES-GCM, HMAC-SHA2, and P-256 DH. It does not install Tor, OpenVPN or other servers that some deem as ‘risky’ and with a single widely supported protocol, it doesn’t require client software on most devices. Algo is also much better at handling multiple users than Streisand, providing a script that can be used post-build to update the user list at your convenience.
This core difference aside, many other aspects of Algo are similar to Streisand. It deploys on Ubuntu, can install to DigitalOcean, Amazon EC2, Microsoft Azure or your own server, and generates the required config files for connections when complete. Algo also has a few optional install features, such as ad blocking via a local DNS resolver and HTTP proxy, and limited SSH users for traffic tunnelling.
The Algo homepage contains details on how to connect from Apple, Android, Windows and, of course, Linux devices. Linux connectivity is provided using the strongSwan client, which connects extremely quickly and reliably. If you want to connect from another type of client or configure the connection yourself, the appropriate certificate/key files are provided.
As with Streisand, the project is open source and being constantly updated with fixes and improvements.
A lot of the VPN protocols and solutions used today have been around for a long time and are considered by many to be inefficient. A quick look at discussions about Streisand and Algo will show you this – there is always a lot of conversation regarding which services and protocols should be included in the product, and the polar opposite approaches of the two most popular deployment solutions above demonstrate that there is by no means a consensus on this issue. Maybe WireGuard is the answer.
WireGuard is an extremely simple yet fast and modern VPN that utilises state-of-the-art cryptography. Its stated aims are to be faster, simpler, leaner, and more useful than IPSec, while avoiding the latter’s painful setup. It is designed to be considerably better performing than the ubiquitous OpenVPN standard.
WireGuard is designed as a general-purpose VPN for a wide range of platforms and all types of usage. It was initially released for the Linux kernel, but is intended to become cross-platform and widely deployable.
How good is it? While it is currently undergoing heavy development, it’s already regarded by many as the most secure, easiest to use, and simplest VPN solution in the industry.
The WireGuard website has a guide to installing the product and of course there are two options, either compiling from source or installing from packages. A PPA is provided for Ubuntu and you’re also catered for if you’re on Debian, Arch, Fedora, CentOS, OpenSUSE or a number of other distros. There’s a macOS version too, if you’re that way inclined.
WireGuard is more than just a curio despite its active development – it’s generally worth installing and configuring using the provided quick-start walkthrough. With its clever implementation as a simple network interface, extreme performance and minimal attack surface, it may well be the VPN solution of the future.
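To make the split-tunnelling idea from earlier concrete, here is an added example (not from the article or the WireGuard project) of a client-side wg0.conf for the ‘reach your home network from the road’ scenario. The keys, addresses and endpoint hostname are placeholders, and the example assumes the home server has a matching [Peer] entry for this client and forwards traffic for the LAN.

```ini
# Client-side wg0.conf (added example; every value here is a placeholder)
[Interface]
# This client's private key; generate a pair with: wg genkey | tee key | wg pubkey
PrivateKey = <CLIENT_PRIVATE_KEY>
# This client's address inside the VPN subnet
Address = 10.8.0.2/24
# Use the home server as resolver so LAN hostnames resolve over the tunnel
DNS = 10.8.0.1

[Peer]
# Public key of the WireGuard server at home
PublicKey = <SERVER_PUBLIC_KEY>
# Public address of the home router/server and the UDP port it listens on
Endpoint = home.example.net:51820
# Split tunnelling: wg-quick installs routes only for these ranges, so the
# home LAN (192.168.1.0/24) and the VPN subnet travel over the tunnel while
# ordinary internet traffic keeps using the local connection.
AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
# Full-tunnel alternative: replace the line above with this to send
# everything (IPv4 and IPv6) through the VPN, as on public Wi-Fi.
# AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping open when the client sits behind a home or cafe router
PersistentKeepalive = 25
```

Bring the interface up with `sudo wg-quick up ./wg0.conf`; `wg show` then lists the peer, its latest handshake and the AllowedIPs actually in force, which is the quickest way to confirm which traffic is being tunnelled.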
What if, rather than ‘rolling’ your own VPN solution, you’d prefer to simply sign up for a hosted service? You could do a lot worse than use VyprVPN from Golden Frog, touted as ‘the world’s most powerful VPN’.
What does VyprVPN bring to the table? You’ll get fast VPN speeds, 70+ global locations served by over 700 servers and 200,000 IP addresses, easy to use apps for a huge range of devices, and a clever cloaking technology called Chameleon – the real reason for considering VyprVPN.
What don’t you get? You don’t get an end-to-end open source solution, although Golden Frog asserts that it doesn’t use third-party providers at all, and that it owns and manages 100% of its hardware, software and network, so your privacy is protected end to end.
Behind the scenes, VyprVPN is based on Ubuntu servers and a huge open source stack including OpenVPN, strongSwan, Nginx, OpenSSL, Python and much more. The closed source part of the system is mostly what brings it all together – the web interfaces, clients, APIs etc. Golden Frog estimates that just 0.7% of its software stack is closed source software.
VyprVPN’s Chameleon feature is closed source, but it is also a very compelling argument for using the service. Based on OpenVPN, Chameleon takes the packets that are going to be sent over the network and adds an obfuscation layer designed to defeat Deep Packet Inspection (the troublesome tool that enables provider packet shaping).
And here’s the thing – it works beautifully. Whereas other VPN methods have struggled amongst particularly aggressive providers, Chameleon has performed admirably. If this feature is a key priority for your needs, VyprVPN may well be the best solution for you.
If you want to read up more on the provider, check out our full VyprVPN review. Also note that there’s a free trial for the service, should you want to give it a spin.