Alphabet’s cybersecurity division Jigsaw released an interesting new project called Outline. If I simplify things quite a lot, it lets anyone create and run a VPN server on DigitalOcean, and then grant your team access to this server.
I played a bit with Outline and it’s an interesting product. There are two components, a managing app and a client. Let’s start with the manager.
Right now, the manager is available on Windows and Linux, with a macOS version coming soon. It’s an Electron app so it feels like using a web app. By default, Outline recommends that you use DigitalOcean, a well-known cloud hosting provider.
You can also create your VPN server on another server, but that’s not really the point of Outline. Outline is all about making it as easy as possible to run your own server. Otherwise you’d already be using Algo VPN or Streisand.
If you choose DigitalOcean, the app opens a web view and asks you to enter your login, password and one-time password. After that, you need to let Outline use the DigitalOcean API. And that’s all you need to do during the initial setup process.
Now let’s create a VPN server. Outline automatically chooses the cheapest droplet on DigitalOcean, which costs $5 per month for 1TB of transfer data (somehow, Outline says you get 500GB). DigitalOcean currently has data centers in 8 different cities — Amsterdam, Singapore, Bangalore, Frankfurt, London, San Francisco, Toronto and New York.
After selecting a city, the managing app automatically downloads a Docker image and creates a server on DigitalOcean based on this Docker image. Software on the server will be automatically updated every hour. Your DigitalOcean server will also automatically perform security updates for the operating system and reboot the server if necessary.
Now let’s go back to the computer you’re currently using. You can now control your VPN server from the managing app. By default, Outline only generates one key for you. But you can add more users and invite your coworkers to use your server.
You can use the managing app to create more servers, delete a server or delete users if they don’t need access to your server anymore. The app also tells you how much bandwidth each user has used.
The invite page is just a static webpage hosted on Amazon S3 with two things. First, the page invites you to download the Outline client on your phone or computer. Second, the key is in the URL. Your browser displays the key when you load the page.
That’s why you shouldn’t invite your friends using an unencrypted method — don’t use Facebook, don’t use emails. Remember that the key will also be stored in your browser history.
But connecting to the VPN server is as easy as installing an app and clicking on an invitation link. It’s a great experience for non-tech-savvy users.
Let’s talk about the client for a minute. The app that you use to connect to the VPN server is currently available on Windows, Android and Chrome OS. Jigsaw is working on macOS and iOS clients. It features a single screen that lets you connect and disconnect from a server — quite straightforward.
Outline isn’t a VPN
Under the hood, Outline relies on the Shadowsocks protocol. And if you’re familiar with VPN protocols, Shadowsocks is nothing like OpenVPN, IPSec or WireGuard. In fact, Shadowsocks isn’t a VPN protocol at all.
Shadowsocks is an open-source project to create an encrypted socks5 proxy to redirect internet traffic. This is a bit technical, but a VPN is like an encrypted tunnel between your device and a server. All your network traffic goes through this tunnel and the VPN server (not your phone or computer) is the device talking to the internet.
It’s great because you know for sure that your ISP and other users on your WiFi network can’t look at your traffic (except if there are DNS leaks). You can also pretend you’re in another country.
But it’s also awful because anybody who has access to your VPN server can see your internet traffic. That’s why you should never rely on a VPN company, even if they promise that they respect your privacy. They’ll analyze your browsing habits, sell them to advertisers, inject their own ads on non-secure pages or steal your identity. And you can’t know for sure if you can trust them.
Traditional VPN protocols can also be blocked because they use specific ports and they look like VPN traffic if authorities and ISPs use deep packet inspection. That’s why countries can block VPNs altogether.
And yet, a socks5 proxy looks like normal internet traffic. Shadowsocks is taking advantage of that and combining the advantage of a proxy with traffic encryption. It’s supposed to work great in China for instance.
But you can’t guarantee that all internet traffic goes through a proxy server — it depends on each app. A proxy adds a level of granularity that can be convenient but also a security issue. For instance, the Outline client doesn’t redirect all your Windows traffic to the Outline server right now.
So Outline can be the perfect tool if you want to access censored websites with your web browser. But you won’t disappear from the network with an Outline connection.
Trusting Google
It’s hard to forget that Outline is a Jigsaw project. People working on this project are paid by Alphabet, Google’s parent company. In other words, it’s hard to trust a Google project when it comes to privacy.
But Jigsaw really wants you to trust them with this one. Outline is an open-source project. This way, experts can have a look at the code to see if there’s anything shady. The service has also been audited by a third-party security firm.
Jigsaw collects crash logs with non-identifiable data. They also collect all server IPs but can’t access those servers — I’m not sure why Jigsaw wants to see all IPs. You can also opt in to share more usage data.
Your Outline servers don’t keep any log of your internet traffic. So even if the NSA has a warrant to access an Outline server, it’ll only find out how much bandwidth each user has used with this server. But there’s no way to connect the dots and find out who’s behind this Outline server.
The biggest risk might be DigitalOcean. You have to enter your name, email and credit card to create a DigitalOcean account. Authorities could just ask DigitalOcean to find out who’s paying for your Outline server and get back to you.
Security vs. accessibility
Outline isn’t the most secure (sort of) VPN out there. It’s always better to build your own hardware server, connect it to the internet using a connection that you don’t pay under your own name and installing VPN software yourself.
But nobody is going to do that.
Privacy is always a balance between security and accessibility. The most secure tools out there are also the most difficult tools to use.
Many projects are now trying to make security more accessible. And it’s a breath of fresh air. Algo VPN lets you build your own IPSec VPN server with just a few command lines. Streisand also lets you build a server with all sorts of protocols with little technical knowledge.
These are great projects and I would recommend looking at them if you want to build your own VPN. But Outline goes one step further. You don’t need to type a single command line to create a Shadowsocks server.
Jigsaw says it’s the perfect tool for news organizations. And it’s true that most journalists know how to install an app. It’s not as scary as adding a VPN certificate. I would say it’s a great way to access censored websites if you live in China or another country with restrictions, even if you’re not a journalist.
You have to evaluate your level of risk and choose the technical solution that is right for you. If you’re not doing anything illegal and you just want to access blocked website, you can make some concessions.
And there’s one thing for sure, Outline is much better than any free or commercial VPN service out there.
Comment