Using a VPN is a great way to stay safe online, with your ‘client’ device connecting to a VPN server via a secure, encrypted VPN tunnel. This protects your web traffic from online snoopers.
Still, not all VPNs are the same. Some are poorly set up and use weak encryption, others may even sell your data to third parties - an issue often associated with free VPN services. Some countries even ban VPNs from local app stores and monitor their citizens’ web traffic to detect and block VPN usage.
This is where Outline VPN (opens in new tab) comes in.
Outline VPN: what is it?
Outline VPN is a free and open-source tool developed by Jigsaw, a subsidiary of Google. Its main purpose is to allow people to set up and manage their own VPN server.
Despite the name, Outline isn’t a VPN in the traditional sense. It makes use of the Shadowsocks protocol to communicate between client and server. In this sense it’s more like a secure form of proxy than a VPN.
Shadowsocks encrypts web traffic in such a way that it’s almost impossible to detect the difference between it and regular HTTPS web browsing. This makes it much harder to censor.
Outline VPN includes dedicated server software for this service to act as a proxy. The idea is that this is something the user must set up themselves, only accessing it themselves or allowing people they trust fully to do so.
This means that in order to set up Outline VPN from scratch you must have access to a server, though a Virtual Private Server (VPS) will do just as well in most cases. The Outline VPN server has dedicated “Manager” software, with REST API that allows for easy setup and even lets you choose where the server will be located. The server software supports unattended upgrades: it uses the open-source tool “Watchtower” to automatically update itself every hour in order to stay secure. It’s available for Windows, Mac and Linux.
Why use Outline?
Traditional VPN clients perform a virtual ‘handshake’ with the VPN server to establish a secure connection, which encryption protocols are supported, and so on. This is fairly easy for rogue governments to detect.
This is why the OpenVPN client uses a ‘handshake-less’, ‘look like nothing’ protocol. That makes it extremely difficult for bad actors to detect that you’re making any attempt to conceal your web traffic. Data between the client and server is also encrypted using the Authenticated Encryption with Associated Data (AEAD) 256-bit Chacha2020 Poly 1305 stream cipher. This means even if it were intercepted and recognised for what it was, it would be virtually impossible to decode.
As the entire project is open-source, it’s hardly surprising that the OpenVPN client is available for virtually all modern platforms including Windows, macOS, Linux, ChromeOS, Android and iOS.
No-log policies & VPN audits
Whilst many VPN providers claim not to keep any logs that include your personal data, as you read earlier this is usually a matter of trust. Whilst some VPN services like ExpressVPN allow trusted third-parties to conduct a VPN audit, checking the company’s no-logs policy. However, this is the exception not the rule.
Using OutlineVPN usually means setting up the server yourself, so you remain in control of both the logging policy and any logs generated.
Most importantly the Outline VPN Project has submitted itself for auditing by security specialists. The Project’s security page (opens in new tab) links to the reports of two such firms, which affirm that OutlineVPN only collects anonymous usage data for those using the software. It does this by generating a random “Server ID” each time one is set up, so that none of your personal information is linked to any collected data. You can reset your Server ID by creating a new server in the Outline Manager.
Should you use Outline VPN?
So, Outline is not a VPN. And it’s not primarily designed to help you stay anonymous online in the same way as a traditional VPN service.
Using the server and manager software isn’t difficult but you’ll be responsible for setting up Outline VPN correctly and for keeping your server secure. You should only consider doing this if you’re an experienced network administrator.
Assuming you have the experience to use it, Outline VPN can make it harder for bad actors to discover your IP address but as the project pages point out that you can still be identified in other ways, such as browser fingerprinting.
Although websites will find it very difficult to detect your real IP, they can also trace your connection back to the cloud server being used by Outline VPN. This may raise suspicions as most people connect directly to the internet without going through a proxy.
If an adversary does detect that you’re using Outline VPN, they may attempt to block you from connecting to the server’s IP address just as they would for a regular VPN. That said, it’s less likely to happen if you’re concealing your web activity through using Outline VPN.
Using Outline VPN won’t protect you from all forms of cyberattack such as social engineering. For example, if you use the server software to generate a special “access key” for client devices then are tricked into giving that access key to someone else, they’ll also be able to access the server.
Outline VPN in itself also can’t prevent your “client” device from being infected with malware. Your first line of defence for this should be a reliable ad blocker which will filter out most harmful URLs.
If you’re running WIndows or macOS, you should also consider installing antivirus software and malware removal software.