Running a free VPN on a router

I am considering installing a free VPN client (e.g., Proton VPN) on my home router to run all of my home network traffic through. I am not really sure why I should do this though. I use Xfinity as my ISP and they say they do not track me (https://www.xfinity.com/privacy), not that I trust them. The thing is, I do not trust Proton VPN to be any better about my privacy than Xfinity.

I am not interested in using the VPN to change my geo location, but am worried the VPN will screw up my wife’s ability to stream.

I also run a VPN server on my router and connect to that when using public WiFi, so I have that part already covered.

Is there a good reason to run a VPN on my home network?

You should probably read Xfinity’s detailed policy (https://www.xfinity.com/privacy/policy). They seem to collect quite a bit of information.

That said, using a VPN to hide your activity from Xfinity addresses only a small part of the problem. Your Internet activity can still be tracked by any sites that you interact with. Sure, those sites will not know your public IP address, but they can track your identity in many other ways (cookies, browser fingerprinting, etc.).

Unless you plan to do something that is against Xfinity’s Terms of Service, I don’t personally see a huge benefit from using a VPN for your situation. I’m just a random Internet stranger, so take this with a grain of salt. I’m sure others will advocate differently.

Use a DNS service like NextDNS or AdGuard (not local) and then set up your router to use that for DNS. You can keep a fair bit of privacy that way, without routing everything over a VPN.

Yes, Comcast/Xfinity still sees that you’re communicating with some server somewhere, but they lose that DNS query info. From what I know of networking, that means that they know you’re accessing some site in AWS, but not which site in AWS thanks to HTTPS.

The alternative is to route everything over VPN, but then you’re letting another provider have literally all of your traffic, and unless you pick a reputable provider, they could possibly be worse than your ISP. To be fair, that last bit is pretty unlikely if you stick to one of the big players like Proton.

Another caveat with VPN is that some sites won’t load properly or will give you more captchas, etc., because of the VPN use. Unless you split tunnel; then you have to worry about maintaining a list of what to VPN and what not to VPN. Once you have a list, you now have to keep up on the 20-50 subdomains that every site seems to load as well, and the one you need will always be some random one buried somewhere.

When I was at Comcast roughly 6 years ago, we could see what you had connected, how many devices, link speeds, network names, passwords, you name it. Pretty much everything except for “Jim is visiting site X” in real time, but that was because we couldn’t see the DNS logs. Best way around that is to get a standalone modem. Not some WiFi/router/modem combo deal. Just a modem. Just a box with a coax jack, a single Ethernet, and the power plug.

Best thing you can do IMO is ditch your ISP provided modem/router, and use a DoH/DoT service. That is a reasonable compromise between usability, maintenance and what I call the PITA factor.
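An added example of the DoT setup recommended above and mentioned by the OP (Unbound forwarding to an upstream resolver over TLS); it is not taken from any post in this thread. The 192.168.1.x addresses are constructed placeholders for the router's LAN, and the Quad9 resolver addresses are used only as an illustration of the `ip@port#hostname` form; substitute the addresses from your NextDNS or AdGuard dashboard.

```conf
# Unbound: answer the LAN and forward every query upstream over DNS-over-TLS.
server:
    # LAN side of the router (constructed sample values)
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    # CA bundle used to verify the upstream resolver's certificate;
    # the path differs by distribution
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # send only the labels needed to each server along the way
    qname-minimisation: yes

forward-zone:
    name: "."
    # speak TLS (port 853) to the forwarders instead of plain UDP/53
    forward-tls-upstream: yes
    # ip@port#hostname: the hostname after '#' is checked against the certificate
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

With this in place the ISP still sees a TLS connection to the resolver's IP on port 853, but no longer the names being looked up.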

Most people have no reason to do this and they just unnecessarily slow down their Internet connections. Most anything you do on the Internet is natively encrypted now via HTTPS. Browsers also allow you to encrypt your DNS traffic too via DNS over TLS or DNS over HTTPS. If you’re doing something that really needs to be hidden beyond this then you probably should do it on a cloud server rather than your home Internet connection.

Two good things a home-based VPN is good for…

End-to-end encryption: the man in the middle (Xfinity) can see the traffic, but not access the data.

Geolocation: although many streaming services are blocking detected VPN access, you can still make it look like you are elsewhere. This can come in handy to get around censorship.

As others have said, you are tracked in many ways already; a VPN is not going to change that.

What are you hiding?

Use DuckDuckGo browser and NordVPN to avoid any tracking. Use a DuckDuckGo email address as well. It helps.

Mullvad VPN. They use RAM for their servers so they physically cannot sell your data. Dis is da wey

I saw that policy, I am not sure a VPN blocks any of what they collect. That said, I don’t trust them to be honest/forthcoming about what data they collect and how they use it. The fact that I can be tracked in so many ways makes me agree with your conclusion that running a VPN client on my router is not beneficial.

I am still going to keep the VPN server running and use that when I connect to public WiFi and need remote access to my home network.

I am already running my own modem and standalone router. I use Unbound for DoT. Most of the sites I go to use HTTPS.

My biggest concern with the VPN is making things worse in terms of privacy and a free service makes me worry that they are going to mine my data. It sounds like Proton does not, but … My second big concern is that using a VPN is going to have a negative wife approval factor. It sounds like that is a real risk for little actual benefit.

Yup, so despite what sponsored influencers say, it really does not seem beneficial in my use case to use a VPN. I think I will continue to use a VPN for remote access, to protect myself on public networks, to change my geo location, but won’t use one for privacy from my ISP.

So you assume that without VPN Xfinity can see data in HTTPS traffic? Can you describe how exactly it could work?

Where do you see that? The Proton webpage makes it sound like they do not log data on the free version.

I am not doing anything wrong, but what I choose to browse is none of their business.

Are you suggesting NordVPN on every device or on the router? Why should I pay for a NordVPN when ProtonVPN is free?

A VPN encrypts your traffic, therefore all Xfinity can see is gibberish going between you and your VPN provider. This will significantly limit what data they can collect about you.

Running a VPN server is a completely separate thing and is definitely the best way to remotely access your home network.

Usually a VPN will result in more captchas, and some sites will absolutely refuse to load at all. What works today may or may not work tomorrow.

As far as the data mining, 99% of the time, if it’s free, you absolutely are the product.

Personally, the only time I use a VPN is to remote in to my home network with my self-hosted VPN, or I use a cloud provider to connect my unRAID box for “linux ISO” purposes. Other than that, VPNs usually cause more issues than they solve.

I use Twingate for most remote access stuff. I can set it up for MFA and can granularly choose what to allow access to and for what accounts.

About the only thing these “free” VPNs are good for these days is changing your geolocation.

Maybe not the actual data, but HTTPS only protects web traffic between your browser/app and the HTTPS server on the other end; the headers are not encrypted, which can provide a lot of information about the data. A VPN protects the entire data stream from your system. All the IP packets, including headers, are encrypted and encapsulated.

A VPN also uses other methods to protect your system, such as IP spoofing and even geolocation. All your traffic looks like it is coming from the VPN server. Now that MIGHT be the same server or another one on your network if you roll your own, and that is why, for the best security, it should be hosted off site, as long as you can trust the admins of the VPN server.

“makes it sound like”

You answered your own question. With anything “free” online, YOU are the product.