Free P2P VPN

People use a VPN — virtual private network — for a lot of reasons. However, for many people it is synonymous with hiding your network traffic, one thing that VPN can do. FreePN is a relatively new open source project that aims to build a free peer-to-peer VPN network. Like TOR, it is decentralized.

Right now, you can download for Ubuntu and Gentoo. There is a way to ask for early access for Debian, Fedora, and Arch. Windows, iOS, MacOS, and Android versions are promised for the future.

The code is on GitHub, so all questions are in theory answerable. Digging into the fpnd README told us most of the features we hoped to find on the main page (but didn’t):

The FreePN network daemon (fpnd) is a P2P implementation of a distributed virtual private network (dVPN) that creates an anonymous “cloud” of peers where each peer is both a client node and an exit node. Peers are randomly connected on startup and reconnected to new (random) peers as needed.

The FreePN network daemon (fpnd) is a P2P implementation of a distributed virtual private network (dVPN) that creates an anonymous “cloud” of peers where each peer is both a client node and an exit node. Peers are randomly connected on startup and reconnected to new (random) peers as needed.

In addition, the page notes that they only route http(s) traffic and, optionally, DNS traffic. IPv6 packets are dropped, unless you configure it to pass without VPN.

Is this a better answer than TOR? We don’t know. We weren’t clear on how you could set this up for some possible use cases, but there appears to be a fledgling support group on Reddit. If this works well and can support more platforms, it could be a good thing for online privacy and protection.

We’ve noted before that truly secure networking can be hard to accomplish. For many of us, a VPN is just an extra layer of security, or a way to watch TV that is only available in another country. But for some people, a VPN is a political necessity.

35 thoughts on “Free P2P VPN

  1. OK. So. First. I’m not going to claim that VPNs have no purpose. They absolutely do.

    BUT. “hiding your network traffic” is not one of them. This is a fallacy spread by all those ‘secure VPN’ companies as marketing.

    FURTHER. There are times when using a VPN will make you LESS secure.
    Example: If you are using Tor, you should NOT be using a VPN too.

    1. It does not hide the traffic to everyone, but it hides the traffic from your device to the VPN exit node. And that’s enough for some use cases. If you are connected on a hotel WiFi, the VPN hides the traffic to the hotel and the ISP at the very least. If you are connected on a totalitarian country and the VPN server is outside, it hides the traffic to the originating country.

      So yes, “hiding your network traffic” is a valid usage for VPNs, but you must know the limitations and know what you’re doing.

      1. It trades your ISP (and government) for someone else (the VPN provider), his ISP and his government.

        And that’s best case scenario (i.e. you properly configured your VPN – used it for the DNS lookup, and the encryption isn’t broken or simply backdoored).

        That’s enough for some, but I’d estimate (based on nothing at all) that it’s what less than 50% of users wanted.

        49% of the other users just wanted to watch Netflix USA.

        1% wanted to be protected from government.

        1. That trade is sometimes exactly what’s needed. Most of the point of relaying to the outside of an oppressive regime is that your communications are outside of that regime’s jurisdiction, so it’s harder for them to detect unauthorized speech.

      1. I wouldn’t say this is 100% true, but imagine this. You are using Tor to connect to a cheap VPN you payed with your Credit Card. What a website will see is your VPN that is linked to your CC. So you are less secure that way. The other way around it is not necessarily true. If you use a VPN to connect to tor, if the NSA breaks tor, they still have the VPN to worry about. But since most of the time they break firefox from the Tor Bundle, that would probably also allow exposing your non-VPN address. So it doesn’t increase security by much.
        But if you properly isolate the VPN connaction from TOR and use a trusworthy non-logging VPN, TOR over VPN can be more secure then either one of them.

          1. The FBI has made the necessary investment to compromise TOR nodes in a number of occasions, both in colocation facilities and other installations. The irony is palpable, but it does happen.

          2. If Tor is well designed, then per Kerckhoff’s principle, it shouldn’t matter who developed it – only as long as it’s strong enough from the crypto perspective. Whether it is well designed, well that’s another matter altogether and I don’t have enough info to tell.

          3. “well designed” and “should”.

            First, “well designed” has two possible meanings:
            1) designed to do what it’s advertised to do,
            2) designed to do what it’s actually meant to do.

            Pretty much all “free” software (aside from free-and-open-source) fits in the latter category, and is spyware. “Should” is just fantasy. It absolutely matters who designed it.

            And of course, that’s only for well designed software, which I also won’t go into.

  2. This seems incredibly dangerous to use. Because it is peer to peer, your machine is the exit node for other people’s traffic. So, if someone downloads some illegal content like child porn, the police come knocking down your door.

    1. Rather than running it on your home network, you could run it on a public hotspot. Granted, that offers a lot less protection than it used to because COVID means there’s not much of a crowd to disappear into.

      It could also work for users to share their own VPN subscriptions with others.

    2. Agreed, but that’s the hole in all proxy systems. the messenger always gets shot, either by authorities or a port scanner on the popular forums and immediately banned. I think that a marketplace of tasks could be an alternative, pick and choose what you choose to download/upload and then you get awarded the privilige to do the same.

  3. I use OpenVPN for my vpn needs, the server comes build into my home’s Asus router and I also deployed it to a vps hosting I have for general use. It’s pretty easy to get running on Windows, Linux, Android and IOS (which I all have to use..). It’s also been around forever.

  4. Doesn’t this, as far as the law is concerned, make me liable for any nefarious business done by anyone else over the VPN under my exit IP address? I don’t think a “uhh but it wasn’t me” will fly in a court of law when accused with downloading CP or hacking into a govt facility.

    1. Ubuntu is developed by Canonical, in the United Kingdom. There is no state operating system for China, but Kylin, which is _based_ on Ubuntu but developed in China, is installed on many computers sold in China.
      You don’t have to wonder about the backdoors on either. Download the source code and look.

      1. Oh right. I forgot I can look at the source code. Piece of cake. How big could that be? And oh, by the way, how many people build their OS from source? And if you don’t (shocker!), how do you know that the OS you have was built from the published source code?

        1. If you care about security it isn’t that big a deal to build your own OS. No one expects a single person to examine the whole thing. What we count on is that every single person who does look at the pieces can’t be working for China, Google, Facebook, or whatever three letter agency you are afraid if. At some point you need a little faith or get off the internet altogether.

          1. Yeah. That’s the theory. There is a guide called “Linux From Scratch”, that instructs you where to go to download the source for each package needed for a “complete” Linux system, then details what special procedures you have to do in order for each of them to build successfully, for those packages where ./configure; make; make install doesn’t work. Which is most of them. It even has you do two builds of gcc – the second is built by the first, to ensure that whatever compiler your starting system has doesn’t infect the one you’re going to use for real. And yes, the instructions are well tested, and you can successfully build an OS this way. Of course, you can’t use a package manager with it, because that just brings back uncertainty about what will end up installed on your system, which would defeat the whole purpose, so once you’ve built an LFS system, you’re kind of committed to building all subsequent software from source. There is no graphical web browser in the distro, if you want to call it that. At least, there wasn’t the last time I looked.

            But that only takes care of half of the problem – ensuring that your executables match the source code. Which gets us back to the original problem: can ANYONE actually analyze the source code for every software package on an operating system sufficiently equipped for daily use, looking for back doors, spies, and other mal-stoff? Oh, I’m sure someone not only can, and maybe five people on Earth actually have, but only by severely limiting the utility of their systems. The only organization I’ve seen that actually does this is the Nevada Gaming Commission, who requires a copy of the source code, which they compile and compare against the ROM contents after analyzing it. And that’s only possible because the software involved is non-multitasking gaming applications that don’t actually use operating systems.

  5. I came here to say what others have already pointed out. You could be liable for the content coming from your exit node. This gets worse if there isn’t some geographic consideration in the random distrobution. I find this idea fraught with problems. I wish there were a good answer. I haven’t thought of one yet.

  6. I guess it REALLY depends on how you define “HIDE”.

    1. You walk into a liquor store, spend 11 minutes inside, then walk out with a brown paper bag.
    2. You have a friend over on Monday. You have a friend over again on Thursday.

    In example 1 an outside observer might not be able to tell if you bought wine, vodka, or water. But they can guess with a high likelihood of success that you purchased something. If your only concern is keeping the brand of wine you buy a secret, then it’s fine. But for other purposes it is not.

    In example 2 there is little to no evidence that you gave your friend some cash to go buy you liquor. But an observer can still see you hanging out with them regularly. And if they care enough (or are already running a wide enough net) they can watch your friend’s behavior to infer what they want to know about YOU.

    These ‘small’ VPN providers are MUCH easier to de-anonymized than something like Tor. And Tor can already be de-anonymized by state actors (It just isn’t worth it to look at your porn habits). Why would you actively CHOOSE a method that is less secure, AND relies on the links in your web-of-trust to be honest too?

  7. While the P2P design is interesting on paper, everyone is an ending node = so it’s more difficult for a spying agency (name who you want) to control the ending nodes (like with Tor). But in some countries, due to legislation, it can lead you to some troubles.

    For instance in France, everyone is liable and accountable of what passes through one’s internet connection… So for example, if you share your WIFI with your neighboor and your neighboor does bad things on the internet, then you’re also accountable for his activities. And if you plead “it wasn’t me, I wasn’t at home that day”, then you’re eligible for an additional penalty: “lack of securization of your network/internet connection/wifi/…” which will cost you a 1500€ fine + registration in the national criminal record (so there are jobs you cannot do anymore after being on this criminal record). So in France (but probably other countries), in a P2P VPN network where everyone is an ending node, you are accountable for any criminal activities that could passes through your ending node (even if you’re not aware of what passed through).
    Note: this “lack of securization” infraction was introduced in France with the Hadopi law (intendend to track torrent video sharing users), as too many defenders were arguing “it wasn’t me”.

Leave a Reply to zombie Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.