ntldr wrote:I'm curious but which file I've to give you to check if while connecting to their node it's giving out my real ip to them? I mean if they say there's no logging isn't this wrong..so?
It is impossible, to my knowledge in any case, to connect to a "VPN service" node/server without in doing so exposing one's physical/local IP address to that node in the process. If there's a clever way to provably obfuscate that information during connect, I'd love to study it more... and we've a few "blue sky" concepts in that space that are down-the-road research projects for "spare time" fiddling (ha).
Our solution to this has been to modify the source code of the openvpn instances running on our nodes, so the physical IP of connected members is not used as an internal-process tracking key... this removes not only logging, but the capability
of logging, from our production infrastructure. Those mods are published in full in this forum thread: logs.cryptostorm.org
There's no way to confirm or disconfirm, via external means, whether a "VPN service" is keeping logs, or not. It comes down to trust - which basically sucks, in terms of technical solutions... but that's the reality of things. There's enough examples of "no-logging" services that are caught red-handed turning over logs to third parties to make such trust a hard thing to earn. We've earned that trust, we feel, over many years of service provisioning and a demonstrated record of never turning over the logs which we really don't retain and have never retained.
Often looking at Terms of Service will show a direct contradiction between a "no logging" claim on one marketing page, and in the ToS an admission that logs are actually maintained. This is so common that we've basically stopped flagging such situations, as it becomes essentially routine.
In 2007 when "no logging" was first pioneered by several folks who are now on the cryptostorm team, it was considered to be "illegal, irresponsible, and totally impractical." In the span of five years, it went from that to a standard marketing claim every company now makes. Which is sort of sad, to me anyhow. At the time we pioneered it, no-logging was profoundly revolutionary... mostly because we actually didn't (and don't) keep any logs.
Finally, of course, our move to token-based authentication means that even if we did keep logs (which we don't - and we can't, per source edits posted above), those logs don't connect back to real-life identity of human beings. Which is exactly the point, tbh.