How to build your own VPN if you’re wary of ISPs—or the government

In the wake of the new Investigatory Powers Act and the effect it might have on end-to-end crypto, and the further privacy- and security-eroding effects of the Digital Economy Act, we thought it was high time to write a guide on building your own VPN. If you want to keep your data safe and your browsing habits private, funnelling everything through your own VPN is one of the best things you can do.

Before you can fix the problem of ISPs (or other actors) snooping on your behaviour, you need to understand it. That means knowing what your ISP (or the government) can (and cannot) detect (and modify) in your traffic. HTTPS traffic is already relatively secure—or, at least, its content is. Your ISP can't actually read the encrypted traffic that goes between you and an HTTPS website (at least, they can't unless they convince you to install a MITM certificate, like Lenovo did to unsuspecting users of its consumer laptops in 2015). However, ISPs do know that you visited that website, when you visited it, how long you stayed there, and how much data went back and forth.

They know this a couple of ways. First, if your website uses Server Name Indication (SNI) to allow multiple HTTPS sites to be served from a single IP address, the hostname is sent in the clear so that the server knows which certificate to use for the connection. Second, and more importantly, your DNS traffic gives you away. Whether you're going to Amazon.com or BobsEmporiumOfDiscountFurryMemorabilia.com, your computer needs to resolve that domain name to an IP address. That's done in the clear, meaning it's easily intercepted (and even changeable in flight!) by your ISP (or any other MITM) whether you're actually using your ISP's DNS servers or not.