Amnezia: everything will be forgotten
Are you sure that your VPN will continue to work in the face of political collapse or a new Habr blocking law? Are you confident in the reliability of your VPN provider? What if that company is bought tomorrow by another company that deals in user data? Are you sure your VPN isn’t collecting logs right now?
The future belongs to a free, open source client that can set up its own server with multiple protocols and connect to it in one click.
Hello, Khabrovites! We are a small team that wants to contribute to anonymity and privacy on the Internet. The solution we are creating should not collect or store user data; it should be safe, usable, as easy to use as possible, with a user-friendly interface and a pleasant design. We previously took part in the Demhack hackathon, took first place, and then went on to Privacy Accelerator, where we are building this product.
About the project
Amnezia VPN is a free VPN client with the functionality to create your own server. In general terms: you enter the details of your VPS into the client, the client connects to it via SSH and configures several Docker containers with different VPN services.
In the first stage, we will have versions for Windows and macOS, and a little later for Android and iOS. All project results will be published under one of the open source licenses.
In the client, you can select the operating mode: redirect all traffic through the VPN server or perform selective routing (you can add an IP address or domain).
The user only needs to pay for a VPS from any provider on their own (we are working through this part too: we are writing detailed step-by-step instructions, “How to buy a VPS server”) and then enjoy their own VPN service!
Design and interface
We want to make the product as user-friendly as possible – no consoles for users. It will look something like this:
What is planned at the current stage:
- The server side is Docker containers, no additional compiled code, only understandable scripts.
- The container will not use any persistent storage; the server is re-initialized every time it is restarted. This means there will be no logs, and there will not even be a way to save them. On restart, the server generates a new root certificate.
- With each connection, the client generates a new key pair, sends a request to the server to sign the certificate, receives the signed certificate, and connects using it. No fashionable simplifications, such as the server generating everything for the client and the client only downloading the certificate.
- Support for multiple protocols is planned (OpenVPN, ShadowSocks, WireGuard).
- We are planning to work with the obfs4 and meek utilities. These are utilities that are used to disguise traffic as normal web traffic. As the latest events in Belarus showed, all popular VPN protocols turn into a pumpkin on the days when the Internet is really needed.
- Configurable client-side routing. There are 2 modes of operation: send all traffic into the tunnel, or list the IP addresses and domains of the resources whose traffic should go through the tunnel (this is very convenient if you need to bypass blocking only for a couple of sites).
- Do you have ideas or just want to help? You are welcome!
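The per-connection certificate flow from the list above (the client generates a key pair and a signing request, the server signs it with a root that is regenerated on restart), as an added example using the openssl CLI. It is not the project's own code; the directory layout, subject names and one-day validity are assumptions, and a temporary directory stands in for the container's non-persistent storage.

```shell
#!/bin/sh
# Added example, not Amnezia's scripts. Names and lifetimes are constructed.

# Server: create a fresh self-signed root. Called at every (re)start.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ephemeral-root" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Client: generate a new key pair and a CSR. Only the CSR leaves the client.
client_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=session-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
}

# Server: sign the CSR. `x509 -req` checks the CSR's self-signature first,
# which proves the requester holds the matching private key.
sign_csr() {
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$3" 2>/dev/null
}

# Either side: does this certificate chain to the given root?
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/boot1" "$work/boot2" "$work/client"

    new_ca "$work/boot1"
    client_csr "$work/client"
    sign_csr "$work/boot1" "$work/client/client.csr" "$work/client/client.crt"
    verify_cert "$work/boot1" "$work/client/client.crt" && first=accepted || first=rejected

    # Restart: nothing persisted, so the server comes up with a new root and
    # a certificate issued before the restart no longer validates.
    new_ca "$work/boot2"
    verify_cert "$work/boot2" "$work/client/client.crt" && second=accepted || second=rejected

    rm -rf "$work"
    echo "before_restart=$first after_restart=$second"
}

demo
```

Because the client key is created locally and only the CSR is sent, a server that keeps nothing on disk never holds client private keys at any point.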
We compare our project with other VPN services and want to learn from the experience of our comrades – to pick up the best features that have already been invented before us and not repeat their mistakes.
If we compare our product with commercial VPN services, it is immediately clear that with commercial services, even those with an open source client side, no one really shows what is happening on the server. We want our VPN to satisfy the most demanding users in terms of security.
As for other open source solutions, they usually require a special installation and are not suitable for inexperienced users who cannot copy even one line into the console. We want to make the product as simple to use as possible, spare users from interacting with the console, provide them with clear instructions, and in the future it could be integrated into the VPS control panel.
And, of course, we compared our project to Outline VPN, created in the Google incubator. And we see problems in Outline that annoy us a lot:
- Outline collects the server IP, always.
- Outline can collect logs, if you configure it to. https://support.getoutline.org/s/article/Data-collection
- Outline has only one protocol on board.
- Outline can be installed automatically only on DigitalOcean, Google Cloud, or Amazon; for all other servers you need a manual installation: open the console and enter one command. This is an insurmountable task for users with no knowledge of the console.
- You can guess that wherever large companies leave a trail, there is tracking?
Figure 1. Oops! Outline VPN tries to update itself every time it starts and sends a unique “x-user-staging-id” setup parameter to the server. No, no, they’re not going to use it for tracking, it’s just for official technical purposes. Overheard through mitmproxy…
In our opinion, this is a given. Any large company providing VPN services keeps logs of who went where through them. And if there are such companies that do not store anything, who knows, maybe the special services have not yet reached them? Do you really think that they will protect your privacy and anonymity if requested? This is business, nothing personal.
About our bright future
Have you heard that the law that will shape traffic to unwanted resources is slowly but surely moving forward?
Where will all this lead? We believe that the struggle between those who want to block everything and those who want a free internet will only intensify. This confrontation gives rise to more and more complex technical solutions on both sides. And it seems to us that this technical confrontation can radically change the Internet and the habits of users.
And we also dug out this article… The researchers managed to decrypt an SSH tunnel given a traffic dump and a snapshot of the virtual machine. Perhaps someone will be able to automate this process, or maybe someone has already done it, and satisfied intelligence officers will not even ask VPN services that have servers running at large cloud providers to provide them with logs.
We want our product to be as convenient and useful as possible at the time of release, so we find out the needs and pains of users of different VPN services.
We are interested in:
What are you comfortable / not comfortable with in the VPN service you are currently using?
Why do you trust it, or not? (How do you decide which service you can trust: recommendations, sources, etc.)
Leave your answers in the comments. This is very valuable information for us, we focus on it when developing!
Thanks to everyone who read to the end!
We are implementing a project with the support of:
Social technology greenhouse
And a couple more detailed polls at the end.