Bits I cut out from the main bigbigvpn post
This blog post contains parts I cut out from the main blog post I wrote on the topic, and as such is quite messy. Sorry!
Backstory and my issues with commercial VPN services
I happen to be a Turkey resident at the moment, and Turkey is a country with significant internet censorship, with even some simple websites like pastebin blocked. VPN use is widespread.
Turkish government, as a result, also goes after many VPN providers.
I used to have an account on PIA, but they got banned, and PIA not only did nothing to help Turkish users work around these bans, but also didn't even cancel our subscriptions, forcing us to get onto alternative VPN providers simply to cancel our subscriptions.
I grew overly suspicious of commercial VPN services over the years, but after hearing many good things about Mullvad (and even seeing stickers of them on 36c3 sticker exchange) I ended up getting an account with them. Everything was alright for 6 months or so, but Turkey, or at least my household ISP (Superonline) banned them around January 2021.
Mullvad, unlike PIA, didn't have my email and as such no way to contact me, and (hopefully) don't keep data on my IP geoloc, so I don't blame them for not cancelling my account or contacting me.
When I contacted them, I was told that they're aware of some Turkish users having issues connecting to Mullvad. I was recommended to use the Shadowsocks option in the app, but I ended up cancelling my subscription anyways as I wanted to go back to defaulting to self hosted options.
“So why not selfhost?”
I'm lucky enough to be a person who owns and operates a bunch of servers, and I already have Wireguard deployments on most of them (some older ones also have OpenVPN).
However, there are limitations with self hosting on non-dedicated hardware. Some stuff that come to mind include:
- Privacy concerns as you have a static IP that is already associated with services you host (or in my case, also potentially a company I own)
- Stealthy ports being already potentially taken by services you host on that box
- Overall limitations caused by infra being in a limited number of countries for latency reasons.
A dedicated self-hosted VPN box solves most of these except for the static IP and the number of locations.
bigbigvpn approach solves all of these, at least to some degree.
“How'd you even get the idea for this cursed thing?”
Me and my partner were watching a recent video by styropyro when he ended up interjecting a section about some commercial VPN service.
My partner ended up asking me why anyone gets them anyways, as a VPS costs the same. We did talk about this stuff before, and I'm rather outspoken against most commercial VPN services (for reasons I specified earlier).
I told her that I agree, but then went on to talk the limited number of benefits they provide (that may be good to have depending on some usecases), such as paying once and being able to access many locations and many IPs without having to pay extra... and then I started talking about how you'd need to pay hourly fees in the region to self-host a similar service in addition to your main VPN server...
Then I realized one can just make a VPN service that just does that for all your boxes. At the end of the day:
- There's many VPS providers offering cheap servers all around the world
- Most VPS providers bill hourly, have little to no setup costs, and have no commitment requirements
- One can spin up and down a VPS in mere seconds and have it VPS be configured to their pre-defined requirements (using things like cloud-init)
and I had what can only be described as a “eureka moment“.
So I started working on designing it right there and then, and may have turned off the video. (Sorry styropyro!)
“insert random technical questions“
- bigbigvpn currently supports Hetzner, Scaleway and DigitalOcean. More stuff are planned as I stated on the main blog, potentially even just using smth like terraform so that we can support everything.
- Automatic kill on idle code involves a daemon running on the VPN server, checking for the last Wireguard handshake from all peers. It then kills the server after a configurable amount of time, unless someone connects, in which case it resets the timer.
- bigbigvpn does indeed support IPv6. Currently it's NAT'd but that's one of the things I intend to improve as I add multi device support.