6

Let me try to sum up this question: I want to buy a VPS from Vultr (I'm not promoting them), but before that I'm wondering how secure it is to run a VPN on this kind (or any kind) of VPS, in the sense that I can endanger myself by choosing the wrong company, which can tap/monitor my traffic.

I'm not trying to ask how secure KVM virtualization is, but which infrastructure is the safest for running a VPN: a dedicated server, a VPS (both are almost the same, from my question's perspective), building my own server, or something else?

user134969
  • Can you tell us more about what you want to achieve? If it's privacy, you may want to consider things like what country the VPS is hosted in or where the VPS company is headquartered to determine which jurisdiction's laws apply. If you are just trying to evade monitoring at work or your local ISP you may have a larger selection of options. Likewise, the type of data you want to protect and/or your goals may change the level of security configuration required to achieve your goals. DNS and IPv6 leakage client-side as well as cookie-reuse in your browser may be things you might consider. – Trey Blalock Apr 04 '17 at 00:32
  • fwiw, DigitalOcean doesn't log traffic to VPSs. no affiliation, but i'm very satisfied... – dandavis Apr 04 '17 at 18:14

3 Answers

12

What is the risk of running VPN on VPS?

The main risk is that all traffic inside the VPN can be passively sniffed by the entity hosting the server.

Basically it is similar to giving someone physical access to a physical server. Actually the risk is a bit higher, because a VPS could be passively replicated, so it's more like giving someone unprotected, unlimited access to a real-time replica of a physical server.

All the secrets required to set up a VPN connection are stored on the VPS itself and the traffic can be easily captured, so whoever has access to the underlying virtualisation platform can utilise them to monitor the communication in real time or afterwards.


By extension, you also open your own (connecting) network to the party hosting the VPS. So if you were targeted, they could utilise this connection to get into your internal network, behind your perimeter defenses.

This of course should be addressed separately, regardless of whether you were connecting to a hosted VPS or not, but the risk might be considered higher with a VPS in comparison to a VPN on a device which you fully control.


The bottom line is: if you don't trust the company, don't do it. You are storing more vital information with a VPN than if you used the VPS for other purposes.

techraf
0

I'm wondering how secure is to run VPN on this kind (or any kind) of VPS in sense that I can endanger myself by choosing wrong company, which can tap/monitor my traffic.

Take this as a complement to the accepted answer:

This is something I've worried about before. If a VPN provider were truly malicious, they could use a MiTM attack to monitor unencrypted connections, and attempt to break encrypted connections as well. The thing is, though, that you're significantly reducing your attack vector, because people can ALREADY use these attacks against you anyway.

So if you use this (let's assume it to be a malicious, free VPN, whose providers have been known to practice these crimes), I'd argue you're still safer than you would be if you had used nothing at all.

This is essentially because when you create a VPN connection, you're hiding your real IP. Regardless of what's happening on the other end, you're generally more protected in the wild wild western controlled internet.

To give an analogy, better to have a broken condom than none at all. Sure, there's risk that a little unencrypted traffic might sneak through, but overall you're protecting yourself from bigger dangers.

Dylan
0

I am assuming you want privacy... I can't comment, so I'll write here. I saw this article that I think is relevant. It links to a paper titled "vpwns: Virtual Pwned Networks" and basically, it says that VPNs were not designed for privacy; they are mostly designed to join two or more private networks without wasting too much money on infrastructure. If your goal is privacy I would much rather use Tor or something like it.

Bruno