from Hacker News

Poor man's VPN (pay for only what you need)

by benpiper on 1/12/22, 10:18 PM with 102 comments

  • by gibs0ns on 1/13/22, 2:21 AM

    I've generally considered an SSH tunnel as a poor man's VPN. If you're going to the effort to spinup a machine, and use SSH anyway, i find it much easier to use `ssh user@server.com -D 4444` then I can set my browser's proxy settings to use localhost:4444 as a SOCKS5 proxy. For those apps that don't have native proxy support, I use proxychains to force them over a proxy connection.

    Ofcourse this is only useful for a single user, and for devices that can use ssh and proxies.

  • by jmercouris on 1/13/22, 12:11 AM

    Or you could just use sshuttle with far less steps: https://github.com/sshuttle/sshuttle

  • by j1elo on 1/13/22, 12:53 AM

    Since basically always, I'm still using PiVPN https://www.pivpn.io/

    Is that out of favor nowadays, given new technologies like Wireguard have become mainstream? Would I be better off using this, or the Algo scripts that another commenter mentioned? (https://github.com/trailofbits/algo)

  • by mainwater0803 on 1/13/22, 12:18 AM

    How does this compare to Algo[1]?

    [1] https://github.com/trailofbits/algo

  • by shepherdjerred on 1/13/22, 1:54 AM

    Nothing will ever beat Tailscale (it is by far my favorite piece of software in this space)

  • by dghughes on 1/13/22, 1:53 AM

    I followed a guide and made my own using OpenVPN on AWS Lightsail not (Digital Ocean). But once my AWS Lightsail trial was over the cost crept up and was quickly getting out of hand. I had to stop it and even delete everything since I was still being charged for a powered off VM!

    It is an interesting project and it looks good on your resume if you're just starting out in IT.

  • by bccdee on 1/13/22, 1:08 AM

    `ssh -qND localhost:8080 user@ip` sets up a SOCKS proxy at localhost:8080. In your browser connection settings (at least in Firefox) you can set it up to route your traffic through the connection. It's not as good as a proper VPN for prolonged use, but for a quick one-off, it'll do the job.

  • by julienb_sea on 1/13/22, 1:01 AM

    My cyberghost vpn is under 3$/mo and has unlimited usage. It's hard to imagine any pay-as-you-go scheme coming even close from a cost perspective.

  • by 0xbadcafebee on 1/13/22, 6:07 AM

    If you're spending $5 on a VPS, aren't there actual VPN services that cost $5 or less that you don't have to manually set up and destroy?

    If you're just doing it for fun (kinda like "hosting your own mail") I recommend setting up an IKEv2 IPSec VPN. It might be the hardest VPN to set up? But you learn a good deal about VPNs and networking. Most OSes ship with a native IPSec VPN implementation, and most "enterprise" VPNs are some variation of IPSec. Mobile devices, internal firewalls, internet gateways, enterprise AWS tunnels, etc. You can keep getting fancier by adding VLANs, GRE, BGP, certificates, RADIUS.

  • by KronisLV on 1/13/22, 8:46 AM

    Heh, right now i use WireGuard for exposing some of my homelab servers to the internet and to work around my ISPs NAT setup, WireGuard is really pleasant to use and simple to set up!

    I recall using OpenVPN a few years ago for a similar use case in my university dorm, it was comparatively way worse - the configuration parameters were unclear, some of the documentation was out of date and even when using the faster (but less secure) methods of encryption, i found myself having a VPS that was overwhelmed and had almost 100% CPU usage (on its single core, since VPSes are generally expensive) whereas the client couldn't get much past 10 - 20 Mbps when the connection speed itself was closer to 100 Mbps.

    Nowadays, for a VPN, i just use Time4VPS https://www.time4vps.com/virtual-private-network/?affid=5294 (affiliate link so i get discounts for signups, i also use them for most of my VPS hosting) because they're affordable and have more locations than i can get VPSes in those locations for comparable amounts of money. It seems like their offering is OpenVPN based which is surprising, since it works pretty well - makes me think that either i royally screwed up my own config back in the day (though default config should never hit 100% CPU usage like that, which happened to me), something was wrong with the system packages, or they just have beefier servers behind it, despite many users.

  • by darkryder on 1/13/22, 7:37 AM

    While it does not yet exist as an end to end solution, BlindTLS[0] is a technique which perfectly fits the description of a "poor man's vpn". You pay the vpn provider for a tiny fraction of the traffic, and you can safely route the rest directly through your own ISP. This should work around most censorship techniques or geographic blocking. It doesn't promise privacy though.

    [0] https://dl.acm.org/doi/abs/10.1145/3473604.3474564

  • by linuxandrew on 1/13/22, 6:31 AM

    OP mentions DigitalOcean as a compute provider. Is there much info on which compute providers will ban you for, say, P2P or BitTorrent activity? Presumably this is against the ToS for most providers.

  • by StopHammoTime on 1/13/22, 11:16 PM

    I'm suprised no one has mentioned Outline (https://getoutline.org/) which provides full capability to setup a VPN easily on any major cloud providers with 1-click. It also provides mobile apps to use as well.

    A great experience, and I'd say it just works.

  • by framecowbird on 1/13/22, 11:28 AM

    What's the cheapest and easiest way to set up a VPN that authenticates with G-Suite OAuth? Asking for a friend...

  • by aizatto on 1/13/22, 12:36 AM

    Another cool tool to easily launch a VPN of your choice (WireGuard, OpenVPN, SSH) in a cloud provider.

    I tried it out before just to test it out, it's pretty cool.

    https://github.com/StreisandEffect/streisand

  • by henning on 1/13/22, 5:08 AM

    Could this be turned into a bash script without loss of functionality? I'm not trying to denigrate the work or Ansible as a tool in more complex scenarios.

  • by 12ian34 on 1/13/22, 1:39 PM

    The author's use for this is to circumvent geographical jurisdictional restrictions. If that is the aim (rather than privacy), then I don't understand how a $5 (per month) VPS along with all of the config and steps required (read: non-negligble time cost) is the "Poor man's" solution. Surely using any of the free forever unlimited VPNs would do the job at near zero cost?

  • by jijji on 1/13/22, 4:43 AM

    it depends what your use case is, but if you are trying to mask you public IP, I'd been using Squid Proxy [0] for decades and even have production networks using it for scraping activity in a load balanced way

    [0] https://en.m.wikipedia.org/wiki/Squid_(software)

  • by codethief on 1/13/22, 1:02 PM

    > Make sure you can ssh into the machine […]

    This is the tricky part. SSH gets blocked in some LANs, so then you would have no way to spontaneously deploy your VPN server. So better deploy it ahead of time.

  • by mihcsab on 1/13/22, 10:14 AM

    you can get a 4 core 24gb ram arm64 for free on oracle free tier(not a trial), install wireguard, it's really fast too.

  • by nvr219 on 1/13/22, 2:43 AM

    Use Algo!!! Extremely easy to set up with dummy-proof instructions.

  • by azalemeth on 1/13/22, 12:06 AM

    > Motivation: Lately due to GDPR many websites are blocking access in the EU. For me, I cannot order medicines back home via netmeds.com

    Blaming GDPR for this is a bit like blaming a lead mine for getting shot. Yes, it's involved but it's not the reason. It only seems to be certain large US websites that carte-blanch refuse to serve EU visitors over GDPR, mostly those with large, tendril-filled advertising networks that have no "easy opt-out". Some sites (healthcare ones that tended to be SEO'd to the max when I searched for drug names as well as more mainstream ones like, iirc, the Washington Post) carte-blanch refuse to let you browse them without accepting unnecessary cookies; this is a direct breach of the legislation and yet they still want your traffic.

    If someone won't sell you something because of GDPR -- legislation that protects your privacy, and in particular considers medical information as especially sensitive -- then you perhaps have to think rather carefully about if you wish to do business with them.

    (For what it's worth, from a Danish IP, the site listed in the github repo works perfectly on my home network which admittedly contains a pihole-provided dns-level adblocking. It blocks tor and I don't have an easy way of testing it otherwise).