Buying a VPN with Sats ➕ Bonus Firewall Tips
Want an easy way to level-up your ~privacy that you can setup in minutes? Today, we're going to purchase access to a VPN service with sats. This will encrypt the data between our devices & our internet service provider (ISP) and shield us from snooping. The likes of PIA, NordVPN, Surfshark, ExpressVPN and others may be better than going without a VPN entirely, but we as Bitcoiners can do much better. We can use one that has shields our identity from our data much better. One of Mullvad, iVPN or Proton.
Today we're going to be purchasing with one of these VPN providers using Bitcoin in less than 10 minutes. Take your pick from 3 companies that Stackers have been recommending over & over again. So add a comment below in the SN chat to let us know how you get on with...
Today's Challenge: Purchasing a VPN using sats, plus advanced tips on using VPS/Routers/Firewalls.
Share Tips! ⚡
If you already use one of these services, share your tips in the comments below 🔽
Related Stacker Articles 👀
VPN and Fun Hacks Using it by @Natalia
How to Protect Your Home Network with a Gigabit VPN by @k00b
How to Build Your Own Wireguard VPN in Five Minutes (2022) by @Roll
Configure a dedicated router with VPN service by @modobitcoin
Hierarchy of Network Privacy
🍕 Laszlow was the pizza guy and an early Bitcoiner. For no other reason, we're calling this segment "Laszlow's Hierarchy of Network Privacy". Like Maslow's Hierarchy of Needs except as follows:
- Acknowledge importance of privacy
- Install first mainstream VPN
- Buy a privacy-focused VPN (+ install firewall)
- Purchase new router & install own VPN on server
- Copy what Jameson Lopp is doing
As you know, VPNs are not only useful for obfuscating your location and protecting your user-data, they can also save you money highlighted by @Natalia's article on SN here and if configured correctly, they'll shield you from ads too.
Level 3. Intermediate - Buy a privacy-focused VPN 🌐
With this post, we're covering VPNs on our devices that interact with the internet most - our phones & computers. As mentioned, we'll be buying a privacy-minded VPN, from either MullVad, Proton or iVPN. Discussing the sign-up flow and benefits of each and tips for additional layers of obfuscation.
At the bottom of this article for instance, is a section in firewalls and DNS. DNS is how you connect with the internet, routing domain names to IP addresses. Each VPN offers their own DNS server, with some now rolling-out and "open-sourcing" known block-lists to shield you from adverts & malware before they even reach your browser. This doesn't mean they are filtering your content or seeing what you are doing, it is simply an allow/block list applied to traffic. You'll see the option to enable/disable some blocklists with the VPNs on offer below, however you may seek more control.
The additional DNS 'perks' with our VPNs are great, but at times they may be a little limiting, particularly if you need granular control over which IP addresses are blocked/enabled. For instance if doing client software development and needing to enable ads for access to a specific site. For that reason, I have included another section looking into
Firewalls, considering they can be run on single machines or configured to pair with your chosen VPN on owned/cloud hardware. If you already have a firewall and custom DNS setup, here are some block-lists to take advantage of:Where to Find IP Addresses to Block?
- The Block List Project
- The Big Blocklist Collection
- DNS Blocklists
- NextDNS - Blocklist
- NextDNS - Native Tracking Domains
- NextDNS - Click Tracking Domains
Level 4. Upper Intermediate - Router-Level VPN ☎️
Eventually you're going to want to step up your game and buy a new router and install your own VPN on it. Reason being, the security on your TV, security cameras, light bulbs, fridge - you name it - anything that's connected to the internet, quite frankly sucks. Plus it prevents us from needing to install clients on every machine connected to our Wifi.
If you want to become a ~privacy popeye, you might wish to take the extra time to buy a separate router for ~$100-150. To understand why you might do this, go read this article on the drawbacks of ISP/consumer routers.
One you have a new router, you can then ring your ISP and ask them to turn your existing router/modem combo into just a modem. And plug-it into your newly bought router. That way, ALL data on your home network can be separated and shielded with certainty, and easily routed through a VPN installed on the router itself. Meaning regardless of the device (inc. TVs, fridges, family and the like), ALL traffic will be shielded from your Internet Service Provider (ISP) without needing to install separate VPN app clients.
There was a great SN post as a guide recently, specifically using Mullvad. Given I am moving around a bit right now, I'm not in a position to perform these steps on a home router, but perhaps we'll do a follow-up post on this in future. Furthermore, if you have zero trust for third parties, chances are you may have your own proxy VPS setup already. There's also that option too of setting-up a VPN on a cloud server. Here is a SN post on doing that with WireGuard and also some GitHub repos to check out if this is of interest: Algo & OpenVPN.
Level 5. Advanced - Hardware Ninja-Turtle Setup 🐢
Rather than even attempt to describe what to do here, just go & read Jameson Lopp's article which was posted by @k00b here on SN . The guide runs through the entire $475 hardware stack, configuration & installation process, with some great diagrams of a 'perfect' setup. This seems to be the holy grail for us improving our network privacy. One day we'll all get there and be at the top of the pyramid yelling "yeehaa". For today though, we'll take it easy and simply buy a privacy-focused VPN with our hard-earned sats...
Time to buy a VPN with Bitcoin! 🟠
| Mullvad | Proton* | iVPN* | |
|---|---|---|---|
| <1 Week | - | - | $16 or $9.20 ⚡ |
| 1 Month | $5.46 ⚡ | $9.99 | $10 or $6.90 ⚡ |
| 1 Year | $5.46 ⚡ | $5.99 | $8.33 |
| 2 Years | $5.46 ⚡ | $4.99 | $6.66 |
| 3 Years | $5.46 ⚡ | - | $6.11 |
Note: Prices are pro-rata monthly USD. Proton has a free plan also. iVPN pricing shown is 'Pro', they offer a cheaper plan for 2 devices, plus a light service to use for as few as 3 hours also.
1. Mullvad
Website = https://mullvad.net/en
GitHub = https://github.com/mullvad/mullvadvpn-app
Mullvad has plenty of Stackers recommending their services: here, here, here & here. It is likely going to be my preferred choice going forward, because of the additional integration & reliability when pairing with other services, like Firewalls (for custom IP block-lists) and Wireguard/Tailscale (for potentially file-sharing between devices or interacting with an LN node via Zeus).
Positives
- No username or password - just store one (disposable) key.
- No logging by Mullvad as seen in their policy.
- They "want you to remain anonymous".
- Only stores
account number&expiry date of account(providing that you don't pay using a credit/debit card, purchase in app or email them). - If using their apps, they send the
app version&operating systemversion to Mullvad servers (this can be avoided in advanced steps). - If using Wireguard, also
account number,pubkey,tunnel address. - Mullvad VPN subject to a search warrant. Customer data not compromised.
- 10% off when paying with on-chain Bitcoin.
- Buy vouchers without credit card or personal information, using an external site not run by Mullvad, we can buy Mullvad vouchers over LN ⚡
- Built-in kill switch that kicks-in automatically and prevents any data or IP leaks when switching between server or VPN locations.
- Built-in ad blockers, multi-hops & censorship obfuscation via Wireguard.
- Same pricing, no matter the length of term.
- Supports multi-hops (entry and exit servers).
- Been around since 2009.
- Open-sourced VPN on GitHub.
- Great external review can be found here by CNet.
- It also has a dedicated CLI which works even when the app/GUI is closed.
- Beta integration with Tailscale (useful to remotely access your node on mobile).
- For now, you cannot do this anonymously.
- A new Mullvad account needs to be purchased via Tailscale platform (without anonymous voucher signup). Hopefully soon this will be rolled-out for other existing Mullvad accounts:
Negatives
- Currently incorporated in Sweden, a government that is part of the "14 Eyes Intelligence Sharing" alliance & conducting mass surveillance.
- Limited to just 5 devices per account.
- Some reports of battery drain when using Tailscale on mobile with Mullvad on older versions of iOS - apparently now fixed with iOS 17.2.
- No "direct" lightning purchase yet.
- Almost all IP addresses black-listed by Reddit
Step by Step
- Go to https://mullvad.net/en/account/create (ideally using a Tor browser).
- Generate yourself an account key.
- Top-up using voucher (Lightning) or on-chain Bitcoin.
- If using voucher, go to this site to anonymously purchase a voucher.
- Enter voucher code on Mullvad manually and get hiding!
- Download Desktop app and configure Settings (location, blockers, hops).
- Enable kill switch & lockdown mode (to prevent leaks, even when app closed)
- Enable content blocking (Ads, Malware for example).
- Choose location(s) & click 'Secure My Connection' then you're all set!
- Filter by country (Entry/Exit) + owner of IP - for a full list visit here
- Select 'Wireguard' as Tunnel protocol (since OpenVPN is often slower).
- 'Wireguard Settings' & enable 'Multihop' & 'Obfuscation' for max privacy if latency not an issue.
- Create a fresh account in 3 months time, pay via Lightning and use a new account identifier, to minimise data collection!
Bonus Steps
To enable a different server proxy for a particular browser:
- Enable SOCKS5 settings and use a 3rd hop in an alternative location to further differentiate your regular browsing vs all other apps (e.g. for Firefox).
To install WireGuard on Phone:
- If without a privacy phone (and run Apple/Google/Samsung) and not wishing to associate yourself with Mullvad by downloading their app from AppStore, visit this link. This will avoid you showing up as customer of theirs. Note: VPN killswitch is often disabled when using this method.
- Open desktop site and select location(s) for exit node(s) AND server.
- Open 'Advanced Settings' toggle in browser, and enable 'Multihop' for maximum privacy if latency not an issue.
- Click 'Generate QR Code' and scan with mobile device. Voila!
To install Mullvad on Router:
- Buy a new router, e.g. from GL-iNet (particularly this one) or from MicroTikor from any other vendor. Then install WireGuard on it by following this Mullvad Guide.
2. iVPN
Website = https://www.ivpn.net/
'Light' Service = https://www.ivpn.net/light
GitHub = https://github.com/iVPN
It's great to see people at iVPN really engaging with the Bitcoin community, having launched a product specifically for us here on SN. iVPN has also had various stackers recommending them on SN here , here , here & here. Since having used their product, I am blown-away by the amount of advanced features, the great UX and the levels of customisation on offer.
Positives
- Try for as little as 3 hours!
- Pay with Bitcoin/Lightning natively at just 2nd Step! 👏
- @viktorv the COO from the iVPN team lurks with us here on SN 🤠
- No email or password - just store one (disposable) key.
- Pay over Lightning with Bitcoin! ⚡🤩 using their own BTCPayServer!!!
- Built-in ad and malware blockers - feature called AntiTracker
- Integrates with Wireguard on mobile/desktop.
- No logs, regularly audited VPN service, VERY clear privacy policy
- Killswitch and really advanced settings (like custom DNS) to give you full control of ~privacy.
- Pro plan is best offering.
- Works on up to 7 devices.
- Supports multi-hops (entry and exit locations).
- Great integration with NextDNS.
- Additional SOCKS5 proxy also.
- Been around since 2009/2010, so been around for a while.
- Open-sourced code on Github.
Negatives
- 'Light' service incompatible with their own VPN apps (only Wireguard ).
- Took a restart to get it working with latest version of MacOS
Step By Step - iVPN - Standard/Pro
- Go to https://www.ivpn.net/pricing/ and select plan.
- Copy account key, select plan length & click 'Bitcoin'
- Choose Lightning, scan QR code and pay with sats
- Download & install app(s) for your device
- Login using your account key from #2
- Enable firewall, anti-tracker and choose a Location
- Settings - General - Change default launch options
- Settings - Connection - Choose protocol & key rotation ⭐
- Settings - Firewall - Enable always-on & prevent access without it if wish
- Settings - Anti-Tracker - Add custom block lists & toggle more hardcore option
- Settings - DNS - Redirect DNS to your own network firewall (see later section, if wish)
- Settings - Advanced - Enable additional auth for ~security and require password when restarting app.
Step By Step - iVPN Light
- Purchase the light service with zero friction, select single/multi-hop locations and click 'Purchase access' (can do this in a Tor browser).
- Be taken to BTCPayServer, scan the QR code and you're in! Click the 2nd button to continue.
- You'll be redirected back to iVPN, where you can download the config file with the blue button at the bottom.
- Now download Wireguard app. The iVPN Light service is NOT yet compatible yet with iVPN app(s).
- Import the tunnel config file we downloaded from 3. Click 'Activate' and you're setup!
Bonus Steps
- To install iVPN on a router follow this guide - https://www.ivpn.net/setup/router
3. Proton
Website = https://protonvpn.com/
GitHub = https://github.com/ProtonVPN
Last but not least, we have Proton. Proton is also a service used by a few Stackers in the community, with posts here, here, here, here and here. There was some constructive criticism of their service here on SN when using Tor. They offer a free VPN and a paid service and on their VPN service have a no-logs policy. For some strange reason they don't accept Bitcoin payments over Tor though, which has led to some scepticism.
I can certainly see the appeal from a convenience perspective with Proton offering the VPN in an 'Unlimited package' amongst other Proton services (passwords, email, calendar, drive). They are fighting the good fight, although it may be wise to spread our risk wherever possible (perhaps keeping our VPN with a separate provider to our mail/password manager and thus preventing lock-in).
Positives
- No-logs policy.
- Free service to try before you buy, with paid subscribers subsidising it for free users.
- Purchase with Bitcoin (over clearnet).
- Kill-switch and secure core for routing traffic through "privacy-friendly" countries
- Create multiple custom profiles and switch between them easily. Create Tor profiles.
- "NetShield" for blocking malware, ads & trackers.
- Open-sourced VPN code on GitHub.
Negatives
- Lack of advanced options & configuration - in comparison to alternatives
- Requires email & password to sign-up - other options provide simple account key to remember.
- Automatically generates passwords for users - potential big vulnerability
- Difficult to find Bitcoin payment options (until have an existing account, and go to checkout page after sign-up)
- Only on-chain Bitcoin supported, no lightning.
- Proton seems to work hard to "filter" spam / track & identify users at sign-up.
- e.g: Cannot use Proton email address for signing-up.
- e.g: Cannot use Brave Browser with shields or Tor to sign-up.
- Cannot create / pay for account with Bitcoin when using Tor - see here on SN.
- More commonly used and therefore more likely to have certain IP addresses blocked.
- Proton has previously given over IP addresses to Swiss authorities for email service, but not for VPN.
- Reports of compatibility concerns with NextDNS.
Step By Step
- Go to https://protonvpn.com/pricing and click 'Get Proton Free'
- Enter email address and click 'Start using' Proton VPN
- Verify email address if needed
- For some silly reason Proton don't allow you to use a Proton email address for sign-up, and have blocked many 'burner' / temporary email services
- Also troublesome when using Tor or Brave with 'shields up'
- Choose secure password - DO NO use their own calculated default 🤦♂
- Download the correct app for your device
- Login, connect, enable & start using the VPN
- If enjoying the Proton experience, visit your ProtonVPN Dashboard and select a plan.
- Under 'Payment method' for checkout, choose Bitcoin. Send on-chain sats.
- After confirmation, restart VPN and check 'advanced' options displaying for you. Create custom profiles.
Bonus Steps
- To install Proton on router, buy a new router from InvizBox or other compatible hardware.
- Download the Wireguard configuration files from Proton - instructions here
- Follow the complete guide on obtaining seamless integration between your router & Proton VPN
🔥 Firewalls
Talking about DNS and firewalls could have been a post in it's own right, but using a VPN with a Firewall is a powerful combination for privacy, especially when you have both:
- Extremely private open-source VPN - without requiring email - all paid anonymously with our hard-earned satoshis.
- Fully-featured firewall that helps you restrict certain traffic - providing protection for all web traffic, apps & OS-level network operations. Open-source software.
There are a bunch of Firewall solutions out there, but I have chosen a few that cover a range of hardware / setups. There may be better options like OPNSense if installing direct on the router. Some of the recommendations are open-source and those that are not have a decent track record with no known instances of logging data.
1. PiHole
Website = https://pi-hole.net/
Positives
- 100% free
- Open-source
- Can double as a network monitoring tool (see screenshot above)
- Can reduce bandwidth usage
- Blocks ads & trackers web-wide places, inc. in several video streaming platforms
- Supports Gravity, a script which retrieves blocklists & consolidates them into one unique list for the DNS server to use.
- Big enthusiastic and helpful community
- Integrates with well Home Assistant (open source home-automation)
- Only need to have 4GB space & 512MB RAM to run (recommended)
- Configure your own local 'domain' for development on your network
- Can be installed on other hardware besdies Raspberry Pi devices.
- e.g. Great plug-and-play support for running on Umbrel
- Simple setup, just set the Primary DNS on your VPN/router to the IP address of your Umbrel.
Negatives
- If you have a device you don’t want blocking enabled on, you will have to manually change that device’s DNS settings to exclude it
- There is no option in the web interface to disable blocking on individual devices. Or to have any parental controls.
- Uses Coinbase to process donations via Bitcoin (and other💩)
- Most people will need to purchase new hardware, costing minimum $35.
- If not maintained/configured properly can cause issues, valid from @Darthcoin here on SN
2. NextDNS
Website = https://nextdns.io/
I have only just started using NextDNS, but they have done a great job at providing an accessible service that integrates well with most VPNs. They do so without requiring any specific hardware to host it on, with you simply pointing your VPN at it.
Positives
-
You can automatically subscribe-to and add existing advert block lists (in 1).
-
Just as impressively, you can disable native tracking done by Big Tech if you have yet to migrate from their operating systems (2).
-
Lastly, there are also certain restrictions (3) you can place on yourself or "kids" at a network level also -
e.g: no StackerNews before the saloon opens at 6am EST.
Negatives
- NextDNS accept Bitcoin via BitPay 😠
- NextDNS are a U.S based company, and they provide no evidence they cannot see/process your information.
- They have shared the source for their clients, but not the server software.
- Freemium business model with free tier limited to 300k queries per month and after that their filtering stops. Free software can sometimes mean users are the product.
- Apple's Private Relay can have issues with NextDNS.
- No court cases to "battle-test" the zero-logging policy they reference.
Furthermore...
- NextDNS also published theirnative tracking domains and ad blocklists on their GitHub, so even if you don't wish to use their software, you could use these lists for an alternative firewall setup.
- NextDNS have also said they "will never engage in any data sharing or selling activities, now or in the future." And have agreed to abide by the Mozilla Policy.
- Even on their free tier, they mention they do not log any data their clients do not specifically request.
- You can configure your DNS settings on your device(s) using these instructions.
- You will have most success with either iVPN or Mullvad. Proton occasionally has been known to have compatibility issues with NextDNS.
- You may have cookie-blocking or tracking protection enabled in your browser, but with a setup like NextDNS you can now have that extra comfort in case something sneaky slips-through either the browser or an app you are using.
3. Portmaster / OpenSnitch / LittleSnitch
In this section, we have listed some firewall clients that can be installed on isolated computers and machines. I have previously used LittleSnitch on Mac to great effect. They can be configured so that every data packet from every IP address from every application needs to be approved by you if you wish. However their real power just comes from the traceability and rules you build-up over time, to create your own allow/block lists - without depending on any third parties or hardware setup.
Portmaster (Linux/Windows)
- Linux and Windows only.
- Some limited compatibility with certain VPNs. Look into compatibility here.
OpenSnitch (Linux)
Website = https://github.com/evilsocket/opensnitch
LittleSnitch (Mac)
Positives of All
- Portmaster and OpenSnitch (not LittleSnitch) are both Open Source.
- Ability to set custom rules, device-wide or per app.
- Outbound connections filtering (not just inbound)
- Auto-block trackers, cookies and malware.
- The ability to monitor all network activity on your computer. LittleSnitch allows you to do this via a map.
- OpenSnitch allows you to manage multiple instances/nodes from single GUI.
- LittleSnitch offers the ability to quickly switch between modes (see screen above).
Negatives of All
- Slightly cumbersome and involved to setup rules & blocklists.
- Computer device specific - don't protect you network-wide (on Smart TVs, guests etc)
- OpenSnitch has rugged UI (LittleSnitch & Portmaster more polished)
- Portmaster not yet available on Mac. Plans are in progress.
- LittleSnitch is Mac specific.
- LittleSnitch is also paid, but available for free for 30 days!
Other Firewall Options
- OPNsense (Open Source)
- Firewalla
- pfSense (Open Source)
- Got another suggestion? Add it in the comments below...
Buy your VPN today!
So there you have it, setting-up a VPN is really simple and hopefully this post has shown just how so. In the future it'll be time to install the VPN on a newly-bought router.
Keep in mind that access to VPNs may become increasingly difficult in many countries like the 🇺🇸🇬🇧🇪🇺 in future. Thanks to draft legislation like the RESTRICT act, which would "outlaw" VPN usage in the event of 'foreign adversaries' or for 'national security' reasons. It's important therefore to use a service that offers payments via Bitcoin or anonymous vouchers, which don't need to be linked to our identity, and that can be swapped-out for your own VPN service in future. Also another reason to consider generating a new account or new service every few months, so that usage or account data of any kind is limited to a certain period. Many of the VPN services below are disposable in that aspect.
Some VPN companies may be logging meta data regarding page visits, sessions, device IDs etc, with some found to have been this as a secondary way of monetising their product/users or are feeding the surveillance-state To analyse and compare VPN providers, including those that are not found within this write-up, this website is a good start .
We've simply focused our attention above on the top 3 services in Mullvad, Proton & iVPN. If you have any extra tips, let's turn this into a real pub chat...
Upcoming Privacy Pub Challenge 🍺
Thursday 25th January - Buy a Domain + SimpleLogin burner emails
Purchasing a domain name using sats, plus pairing it with SimpleLogin for segregated email signups.Advanced Reading 🔗
- Router Security - Security Checklist for your Router
- Router Security - Consumer Routers
- Michael Horowitz - A second router can make working from home much more secure
- Tom's Guide - Your router's security stinks: Here's how to fix it
- Comparitech - Comparing VPN providers
- Helge Klein - Home Network Privacy With NextDNS