In the wake of the COVID-19 crisis and everyone setting up emergency work-from-home infrastructures, here is a detailed cookbook for setting up a VPN from scratch without spending any money. It even has video demos. Enjoy.
https://www.dgregscott.com/how-to-build-a-vpn-in-four-easy-steps-without-spending-one-penny/
- Greg Scott
The problem is that if you have a single purpose for a VPN, such as connecting to your work, that's great! The real problem is that if you are using a VPN to protect your privacy and defend against possible hacks it becomes a real problem! Far too many silly companies base their security on IP address, so when I have my VPN turned on I either get extra checks or I am not allowed to connect at all. While I do understand the thought that bad actors might be hiding behind these VPNs, it completely ignores the more progressive user who simply does not want his ISP recording and selling his traffic. So for those who work in companies who block based on IP, please rethink this policy!
John-
Well... yeah. The solution I documented is supposed to be for the single purpose of connecting remote workers to work. It's split-tunnel anyway, so **by design** it does nothing to protect against the other attack scenarios you mentioned. But even if it weren't split-tunnel, everything coming from that VPN would be from the same IP Address anyway, and so it would be a lousy solution for evading hostile governments. But it was never meant for that - it's only meant to connect remote workers to work.
The attack scenarios you brought up are real and they need a solution - but there are lots of VPN services designed to help solve them, and people have been connecting to them for years.
But - as I think this through - one huge weakness with VPNs in general is, as you pointed out - hostile ISPs can record traffic and analyze it later, and it's easy to spot VPN traffic. But now with COVID-19, if organizations everywhere adopt VPN technology, and now it's easy with my documentation, hostile ISPs can no longer make assumptions about VPN traffic. And so, maybe my documentation has some indirect benefit with the hostile government problem. But I don't think I'll pitch it that way.