- Brave researchers present a new design for a decentralized VPN (dVPN) that respects user privacy and performs well.
- The design lets relay nodes control which traffic they carry without learning its contents.
- It also performs the exit-node lookup in the background while the client is already being routed towards the target domain.
According to research presented by a team of researchers at Brave, it is possible to design a distributed VPN (dVPN) that performs well, respects the user's privacy, and offers superior relay node management. Back in May, the Brave team analyzed several dVPN tools, including Hola, VPN Gate, Mysterium, Sentinel, Nymtech and Substratum, and found that each of them lacked at least one of the following: a.) privacy, b.) traffic accountability, c.) performance. The team now presents a novel design, which they call VPN0, a dVPN that delivers all three of these properties well enough.
VPN0 lets relay nodes control which traffic passes through them, but without learning the actual content of that traffic. This is done by leveraging a DHT (Distributed Hash Table) that provides a dedicated lookup service: nodes announce their whitelists, and clients look up the nodes that are available to them, all in a private manner. After the DHT lookup, the client receives the relay's IP address and an encryption of the accessed service's public key, which lets it prove that the service it is accessing matches one of the entries on the node's whitelist. This validation is finally sealed with a TLS 1.3 handshake.
On the performance side, VPN0 relies on "chains", in practice a series of hops between nodes; with every hop the client is still being routed towards the domain it is trying to visit. Instead of waiting for a VPN connection to a node whose whitelist contains the target domain, the client is immediately given a "classic" connection to any available node, while the software keeps searching in the background for a valid exit node. When one is found, the temporary relay chains the two tunnels towards the designated exit node, and the user lands on the target domain without noticeable delay.
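The two mechanisms just described, the whitelist-announcing DHT lookup and the temporary-relay-then-chain connection, as a runnable toy model. This is an added illustration, not VPN0's protocol or Brave's code: the in-memory dict standing in for the DHT, the hashed-domain keying scheme, the sample relays and IP addresses, and the relay-side check are all assumptions. In particular, the check here is a plain whitelist membership test, not the encrypted-public-key and TLS 1.3 step the article mentions, so it does not hide the destination from the relay.

```python
"""Toy model of a whitelist DHT plus temporary-relay chaining for a dVPN.

Added example, not VPN0's design or Brave's code. Assumed throughout:
the dict standing in for the DHT, the hashing scheme, the constructed
relays/IPs, and the relay-side check (plain whitelist membership, which,
unlike the article's encrypted-public-key / TLS 1.3 step, reveals the
destination to the relay).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


def dht_key(domain: str) -> str:
    """Index announcements by a hash so the DHT stores no cleartext domains."""
    return hashlib.sha256(b"whitelist:" + domain.lower().encode()).hexdigest()


@dataclass(frozen=True)
class Relay:
    ip: str
    whitelist: FrozenSet[str]  # domains this node agrees to exit traffic for

    def announce(self, dht: Dict[str, Set[str]]) -> None:
        """Publish one DHT entry per whitelisted domain (hash -> relay IPs)."""
        for domain in self.whitelist:
            dht.setdefault(dht_key(domain), set()).add(self.ip)

    def accepts(self, domain: str) -> bool:
        """Relay-side check before carrying traffic to a destination."""
        return domain.lower() in self.whitelist


@dataclass
class Session:
    chains: List[List[str]]  # tunnel paths used over time, temporary one first
    exit_ip: Optional[str]   # None: no relay whitelists the domain, refused


class DVPNClient:
    def __init__(self, dht: Dict[str, Set[str]], relays: Dict[str, Relay]):
        self.dht = dht
        self.relays = relays  # ip -> Relay, nodes the client can reach directly

    def find_exits(self, domain: str) -> List[str]:
        """Look up relays that announced the target domain (sorted, deterministic)."""
        return sorted(self.dht.get(dht_key(domain), ()))

    def connect(self, domain: str, first_hop: str) -> Session:
        # Step 1: bring up a tunnel to any reachable node right away, so the
        # user is not blocked on the DHT lookup.
        chains = [[first_hop]]
        # Step 2: (background) lookup for a node whose whitelist covers domain.
        exits = self.find_exits(domain)
        if first_hop in exits:
            return Session(chains, first_hop)  # no second hop needed
        # Step 3: the temporary relay chains a second tunnel to the exit node.
        for exit_ip in exits:
            relay = self.relays.get(exit_ip)
            if relay is not None and relay.accepts(domain):  # skips stale entries
                chains.append([first_hop, exit_ip])
                return Session(chains, exit_ip)
        # Accountability: nobody whitelisted the domain, so nobody carries it.
        return Session(chains, None)


def build_demo() -> DVPNClient:
    """Constructed sample network: two relays with disjoint whitelists."""
    dht: Dict[str, Set[str]] = {}
    relays = {
        "10.0.0.1": Relay("10.0.0.1", frozenset({"example.com"})),
        "10.0.0.2": Relay("10.0.0.2", frozenset({"example.org", "example.net"})),
    }
    for relay in relays.values():
        relay.announce(dht)
    return DVPNClient(dht, relays)


if __name__ == "__main__":
    client = build_demo()
    for target in ("example.org", "example.com", "blocked.test"):
        session = client.connect(target, first_hop="10.0.0.1")
        print(target, session.chains, session.exit_ip)
```

Running it shows the three cases that matter: a target whitelisted only by a second relay produces a temporary one-hop tunnel followed by a two-hop chain, a target already whitelisted by the first hop never needs the chain, and a target nobody whitelists ends with no exit at all, which is the accountability property the article describes. Note that the DHT contents contain only hashes and IPs, never domain names, although a relay can still guess popular domains by hashing them, which is why the real design needs the stronger cryptographic check.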
The Brave team tested the VPN0 design on top of the BitTorrent DHT and ProtonVPN, and found that it works as expected in real-world scenarios. They did observe some delay introduced by the diverse network paths taken during DHT lookups, as well as a high percentage of negotiation failures attributed to ProtonVPN's protection against frequent server switches. None of this is inherent to the design, however, and it can be addressed in products built with VPN0 in mind. DHT lookup and chain selection are expected to be optimized in future work, so it does look like we have a truly private and well-performing decentralized VPN design to build on going forward.