[HN Gopher] Removing support for forwarded ports
___________________________________________________________________
Removing support for forwarded ports
Author : brakmic
Score : 202 points
Date : 2023-05-29 12:17 UTC (10 hours ago)
(HTM) web link (mullvad.net)
(TXT) w3m dump (mullvad.net)
| jason2323 wrote:
| Can someone explain to me why they need port forwarding
| functionality through a VPN?
| input_sh wrote:
| Torrents. As in you don't want your whole traffic to go through
| a VPN, but you may be in one of those places where a torrent
| client is a must.
| michaelmrose wrote:
| You don't need port forwarded to use bittorrent. Clients
| connected to the network exchange information with each
| other. Magnet links or torrent files provide the information
| needed to get in touch with peers to make the initial
| connection.
| [deleted]
| [deleted]
| gersg wrote:
| If neither side has their ports open there is no way to
| make the initial connection.
| wkat4242 wrote:
| Routing your whole traffic doesn't help. The IP on the other
| side isn't just used by you.
|
| The problem is inbound connections. If both peers are behind
| NAT they can't connect.
| seized wrote:
| Torrents need a port open and forwarded.
| michaelmrose wrote:
| You don't need port forwarded to use bittorrent. Clients
| connected to the network exchange information with each
| other. Magnet links or torrent files provide the information
| needed to get in touch with peers to make the initial
| connection.
| wkat4242 wrote:
| They do, but you will only be able to connect to peers that
| do have a public port open on their IP, unless you have one
| open yourself, then everyone can connect to you. But this
| latter option is now going away.
|
| Which is not a lot because in most countries exposing your
| IP on the torrent leads to legal threats.
| michaelmrose wrote:
| Actually you have no problem initiating the connection
| with port forwarding. Brief reading suggests it would
| work better/faster with it enabled as some peers may not
| be able to initiate with you.
| michaelcampbell wrote:
| I want a VPN for privacy.
|
| And I run services through it that I want access to from
| outside my subnet.
| joffspkfjeueebo wrote:
| [dead]
| armitron wrote:
| Port forwarding is the reason I use mullvad, time to switch.
| Roark66 wrote:
| Pity. I never used them, but I know the pain of not having an
| externally reachable IP. My LTE provider (the only one in my area
| with "unlimited" plans) has basically all of its tens of
| thousands of users on a single IP. So I've been using a VPN
| terminated in AWS to access for example IP cameras and other
| stuff at home while I'm away. I can't wait until we finally get
| ubiquitous IPv6. Probably not in my lifetime (because security).
| I've been waiting for it for the last 20 years.
| naet wrote:
| Shame, I'd been greatly enjoying Mullvad and their stance on
| privacy, but port forwarding is a must for some of the services I
| run. Anyone have a good suggested alternative?
| jftuga wrote:
| I wrote something tangentially related, but for single user.
|
| "gofwd" is a cross-platform TCP port forwarder with Duo 2FA and
| Geographic IP integration. Its use case is to help protect
| services when using a VPN is not possible. Before a connection is
| forwarded, the remote IP address is geographically checked
| against city, region (state), and/or country. Distance (in miles)
| can also be used. If this condition is satisfied, a Duo 2FA
| request can then be sent to a mobile device. The connection is
| only forwarded after Duo has verified the user.
|
| https://github.com/jftuga/gofwd
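The gate-then-forward pattern jftuga describes, as an added example that is not gofwd's code: a small Python TCP forwarder that runs every inbound connection through a policy check before a single byte is relayed to the target. The check here is a source-IP allowlist standing in for the geographic lookup and Duo push; the `PolicyGate` and `Forwarder` names, the echo server used as the protected service, and the payload are all constructed for this demonstration and say nothing about gofwd's actual API.

```python
"""Policy-gated TCP forwarder (constructed example, not gofwd's code).
A PolicyGate decides whether a client's source address passes before the
connection is relayed; a geo lookup or 2FA push would occupy the same slot."""
import ipaddress
import socket
import threading
from typing import Iterable, Tuple


class PolicyGate:
    """Allowlist gate: a client passes if its IP lies inside any listed network."""

    def __init__(self, allowed_cidrs: Iterable[str]) -> None:
        self.networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]

    def permits(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst so it sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client: socket.socket, target: Tuple[str, int], gate: PolicyGate) -> bool:
    """Relay one accepted connection; returns False if the gate refused it."""
    if not gate.permits(client.getpeername()[0]):
        client.close()  # refused before anything reaches the target service
        return False
    upstream = socket.create_connection(target)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()
    return True


class Forwarder:
    """Listens on 127.0.0.1:<port> (0 = ephemeral) and relays gated connections."""

    def __init__(self, port: int, target: Tuple[str, int], gate: PolicyGate) -> None:
        self.target, self.gate = target, gate
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", port))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=handle_client, args=(client, self.target, self.gate),
                             daemon=True).start()

    def close(self) -> None:
        self.sock.close()


def start_echo_server() -> socket.socket:
    """Constructed stand-in for the protected service: echoes bytes until EOF."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    conn.sendall(chunk)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def relay_roundtrip(gate: PolicyGate, payload: bytes) -> bytes:
    """Push payload through the forwarder; returns the echoed bytes (b'' if refused)."""
    echo = start_echo_server()
    fwd = Forwarder(0, echo.getsockname(), gate)
    out = b""
    try:
        with socket.create_connection(("127.0.0.1", fwd.port)) as c:
            c.settimeout(5)
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                out += chunk
    except OSError:  # a refused connection is closed or reset before any data
        pass
    finally:
        fwd.close()
        echo.close()
    return out


if __name__ == "__main__":
    print(relay_roundtrip(PolicyGate(["127.0.0.0/8"]), b"hello"))  # b'hello'
    print(relay_roundtrip(PolicyGate(["10.0.0.0/8"]), b"hello"))   # b''
```

The refusal happens before `create_connection(target)`, so a client that fails the policy never causes a connection to the protected service, which is the property that makes the gate useful as a front for something that cannot sit behind a VPN.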
| elashri wrote:
| Probably this was the reason for the warrant they received
| earlier this month [1].
|
| [1] https://news.ycombinator.com/item?id=35638917
| capableweb wrote:
| According to TFA, it's because of multiple reasons, not just
| one search warrant:
|
| > This has led to law enforcement contacting us, our IPs
| getting blacklisted, and hosting providers cancelling us.
| Atlas22 wrote:
| All of those happen on VPNs period, not just with port
| forwarding.
|
| Dealing with annoyed law enforcement, hosting providers, and
| IP reputation is 99% of the value of a VPN. The other 1% is
| just setting up a VPN server to open proxy everything (which
| there are scripts on github that can do it in 2mins). Of
| course it's not really preserving privacy much unless there
| are multiple users...
|
| Any significantly shared connection will have at least one
| person abusing it and causing most of the problems, the
| logical conclusion would be to ban the few abusers but if
| mullvad truly doesn't log/retain billing data as they claim,
| permanent banning would be difficult as a new account could
| just be created.
|
| I don't see why they couldn't do some kind of compromise like
| an account has to be of certain age/spend to use port
| forwarding. They do keep mappings of ports to account, so its
| not like they don't know which accounts are abusing. Getting
| banned would then be more expensive for the abusers.
| derefr wrote:
| > I don't see why they couldn't do some kind of compromise
| like an account has to be of certain age/spend to use port
| forwarding.
|
| In my personal experience investigating these scammers:
| people are happy to resell "used accounts of good age and
| reputation that they no longer need" on blackhat
| marketplaces -- usually for about a dollar.
|
| Here's one such marketplace: https://lzt.market/
|
| (Hopefully linking to it like this will increase the
| probability of the right eyes seeing it and getting it
| taken down)
| fullspectrumdev wrote:
| Unfortunately was only a matter of time, this happens to every
| VPN provider who offers port forwarding eventually - widespread
| abuse by script kiddies and such to host RAT C&C servers.
| 2OEH8eoCRo0 wrote:
| Horrible news but I can't blame them
|
| > This has led to law enforcement contacting us, our IPs getting
| blacklisted, and hosting providers cancelling us.
| yokem55 wrote:
| This is really going to hit folks who were trying to host stuff
| behind cgnat. I suppose a cheap vps will have to do instead.
| jsheard wrote:
| I had to stop using Mullvad because so many of their IP ranges
| were blocked or throttled by various services, it was borderline
| unusable as a daily driver. Unfortunately there isn't a good way
| for them to protect the reputation of their IPs when they don't
| collect any information that could be used to identify abusive
| customers, by design.
|
| Maybe retiring port forwarding will help, but their IP ranges
| aren't going to be removed from every shitlist out there
| overnight.
| aftbit wrote:
| I doubt port forwarding had anything to do with this. These IPs
| are on blacklists because they are used by robots and scammers
| to make requests, not because they are used to host malware.
| onetimeusename wrote:
| yes. Cloudflare seems to be aggressively blocking Mullvad and
| Tor and I am sure others. It started a few months ago. Meta has
| been blocking them for some time also. The other side of this
| problem is so many domains are sitting behind Cloudflare.
| mildmotive wrote:
| Isn't it possible for Cloudflare customers to turn off the
| captcha, or at the very least prevent infinite captchas?
| joseph_grobbles wrote:
| [dead]
| onetimeusename wrote:
| Yes, but I don't know which rules are responsible. It could
| be the bot management product but it could also be custom
| or default firewall rules. I think it's a combination of
| both. I don't know if the goal was to deliberately block
| certain exit points or if that was a side effect of some
| common settings meant to block bots or generic abuse.
| marginalia_nu wrote:
| It's not without reason. VPN providers are (by the nature of
| their business) home to all sorts of shady business. Sucks
| that some innocent people get hassle from it, but IP
| reputation systems are nothing if not damn effective at
| preventing abuse.
| pierat wrote:
| To be fair, I use subscribed ProtonVPN. Same exact issues.
|
| Cloudflare gives me captchahell with infinite "click on fire
| hydrants or vans or bicycles or stoplights".
|
| Amazon just pretends to "site error".
|
| Numerous sites like Tiktok, JLwaters, my state's data portal,
| and others just give me a 403 forbidden.
|
| Other sites just load a <html></html> blank document on my VPN.
|
| And Proton is actually kind of hard to get port forwarding
| turned on. _You can do it by adding a suffix to the OpenVPN
| name, or by generating a wireguard with port forwarding on._
|
| But again, I don't think it's anything to do with port
| forwarding per se. The current web demands deanonymization. And
| naturally "abuse" is blamed, even when attached to legit
| accounts with legit historical purchases etc.
| dublinben wrote:
| Even without a VPN, the built-in tracking protection in
| Firefox trips Cloudflare's bot detection every time. It's a
| not-so-subtle FU for taking any steps to protect your privacy
| online.
| [deleted]
| KomoD wrote:
| ProtonVPN supports port forwarding? Had no clue!
| VWWHFSfQ wrote:
| > The current web demands deanonymization. And naturally
| "abuse" is blamed
|
| I used to work at a smallish mom-and-pop website host (do
| those even exist anymore?) that also offered email services.
| Our PF firewall just straight-up blocked huge swaths of IPv4
| CIDRs because it was 99% email spam and exploit scanners. We
| had no ability whatsoever to fight it any other way. I don't
| recall even a single complaint from any of our customers.
| Wowfunhappy wrote:
| > And Proton is actually kind of hard to get port forwarding
| turned on. You can do it by adding a suffix to the OpenVPN
| name, or by generating a wireguard with port forwarding on.
|
| Regrettably, I suspect this does nothing for abusers, who are
| motivated, and instead impacts only "legitimate" customers.
| iudqnolq wrote:
| I deliberately chose Mullvad because their IPs are on those
| blacklists.
|
| My impression is that the only way for an established, non-tiny
| VPN provider to have clean IPs is if they're buying residential
| proxies. My impression is that the only way to make the
| residential proxy business work at scale is either malware or
| unwanted misleading bundled crapware. I don't feel comfortable
| benefiting from a service that, at best, relies on tricking
| less tech savvy people into installing crapware.
| mardifoufs wrote:
| There are ways to get residential proxies in a more ethical
| way these days. Some apps/extensions are now offering money
| for network access/network usage and they are open about what
| they are doing. They pay you with cash in exchange for your
| network, no covert VPN or sneaky SDK in unrelated apps.
|
| I think even the more ethically dubious providers are
| shifting towards that model. Which makes sense since they
| have to pay anyways.
| iudqnolq wrote:
| I'm skeptical even those services properly inform users
| about the risks and downsides. I also suspect those
| services turn a blind eye to resellers violating their
| consent policies
| explaininjs wrote:
| Alternatively, the users are well aware and embrace the
| plausible deniability it lends their own traffic.
| iudqnolq wrote:
| I think the experiences of people operating open relays
| suggest that would be a foolish assumption.
|
| If you tell a police search team you have plausible
| deniability they will seize all your tech and investigate
| you. If you're actually guilty there's a decent chance
| there will be other incriminating evidence. If you're
| innocent this will be unpleasant, expensive, and they
| might end up finding what they think is evidence against
| you anyway
| gioo wrote:
| Really a shame, especially for torrent users. The other good
| alternatives are double the monthly price at 10$/month in the
| case of IVPN (if you want port forwarding that is) and ProtonVPN.
| Unless you want to commit for a year or two and pay all in
| advance, which is meh but the discount may be worth it.
| tomjen3 wrote:
| I am pretty sure you can get a deal with NordVPN. Just search
| youtube for someone you follow Nordvpn and sponsor.
| stefandesu wrote:
| NordVPN doesn't offer port forwarding.
| https://support.nordvpn.com/FAQ/1047408432/Do-you-offer-port...
| byyll wrote:
| Can't have a place on the internet without some Nord
| shilling.
| anaganisk wrote:
| Why would this affect torrenting, isn't this only for
| explicitly added port forwards? Or am I missing something?
| switch007 wrote:
| Torrenting requires an open port accessible from peers for
| good speeds
| armada651 wrote:
| It wouldn't be very helpful in preventing abuse if you could
| still forward ports through UPnP.
| reisse wrote:
| For torrenting at least one of the peers has to be accessible
| for outside world, either by having white IP, by using NAT
| with port forwarding, or by using IPv6-to-IPv4 shenanigans.
| If both peers are behind NAT, they cannot download data from
| each other.
|
| If you're an active seeder, it makes sense to configure your
| machine so that it is accessible for all the peers, including
| ones behind NAT. If you're just a leecher though, it makes
| little difference.
| colinsane wrote:
| is this an issue only for magnet/DHT transfers? or does it
| apply to torrents that have an associated tracker too? i
| would have expected in the latter case that two NAT'd
| clients could connect to the tracker, and then the tracker
| could help them hole-punch a direct peer-to-peer
| connection.
| the8472 wrote:
| Try to extrapolate. If nobody has an open port to which a
| connection can be established, how will the network work?
|
| Trackers don't enable hole-punching, existing peer
| connections do[0]. And hole-punching is hardly a reliable
| measure to base your network on, if NAT or connection-
| tracking is implemented in an address-/port-dependent
| manner[1] then hole-punching becomes more complicated or
| fails, especially for TCP.
|
| [0] http://bittorrent.org/beps/bep_0055.html
| [1] https://www.rfc-editor.org/rfc/rfc4787.html#page-6
| SparkyMcUnicorn wrote:
| It will affect leeching torrents that don't have a ton of
| seeders. No forwarding could render a torrent unusable that
| would otherwise download just fine if you had an open port.
| toxik wrote:
| My experience resonates with this, if you have a torrent
| that isn't coming home, make sure you're actually
| reachable.
| WeylandYutani wrote:
| It would be better to look into a dedicated seedbox for
| torrents.
|
| The companies offering those have experience dealing with
| copyright cartels.
| that_guy_iain wrote:
| I wouldn't even go all the way to a dedicated seedbox. I'm
| using a shared one, gets the job done and only costs $12 a
| month.
| byyll wrote:
| Mullvad isn't stopping port forwarding because of copyright
| issues. It's because you can use their IPs to host highly
| illegal websites and they can't connect your account to the
| content and suspend it.
| colinsane wrote:
| can you elaborate? how could someone outside Mullvad claim
| that Mullvad is passing illegal traffic, but Mullvad itself
| can't figure out who in their network is passing that
| traffic?
| that_guy_iain wrote:
| Why not use a seedbox? Download torrent to the seedbox and then
| ftp home. This way you get the upload from a server which if
| you're on a private tracker (which you should be) you'll get
| good upload speeds, easy to hit the default seed requirements,
| and you'll get full download speed when you want to use it
| locally.
| bscphil wrote:
| Cost. If you've already got an old, cheap server lying
| around, then having an 8 TB box at home is _very_ cheap. Say,
| $15 a month for Mullvad + power usage. Reputable seedboxes
| seem to be in the range of ~$60 a month for 8TB of storage.
| Obviously, if you want to scale beyond that, it's as simple
| as adding another 8 TB drive to your box at home, whereas a
| cloud seedbox would nearly double in price.
| [deleted]
| nocoiner wrote:
| I recognize this is probably similar to asking about how to
| get into fight club, but any tips on how to find a private
| tracker? I assume it involves becoming part of a community,
| but I don't even know where to start looking for the
| communities!
| xnyanta wrote:
| Browse the /ptg/ (private tracker general) thread on
| 4chan's /g/ board
| dtx1 wrote:
| If you had a way to contact you on your profile, things
| might be arranged
| ewenjo wrote:
| Interested if still available :)
| cbsks wrote:
| I am also interested...
| that_guy_iain wrote:
| Check your inbox.
| 6ak74rfy wrote:
| I am highly interested in getting started in this -
| please reach out!
| przems wrote:
| I am extremely interested too, could you help me out?
| katbyte wrote:
| there are a few subreddits that people offer invites/ask
| for them
|
| otherwise many have open signups randomly throughout the
| year
|
| the better ones are harder and often expect proof of
| previous seeding, like i've been in IPT for years with
| 7TB/2TB ratio but still not managed to find an invite to
| some of the more renowned ones.
| Gareth321 wrote:
| This doesn't answer your question directly but it might
| help anyway. Usenet is an excellent (paid) alternative to
| climbing the private tracker ladder. All traffic is secure
| and effectively anonymous. Download is lightning fast. If
| you're on the right backbone there is an ocean of content.
| It's only missing very old, obscure stuff. It's MUCH easier
| than climbing that ladder and worrying about ratios.
| wkat4242 wrote:
| Stuff is also taken down within about a day. This is
| really the problem with usenet.
|
| I actually find it much better for ancient stuff because
| my provider has 10 years retention and the DMCA takedowns
| only started a few years ago.
| that_guy_iain wrote:
| Been so long since I've even been in the community that I
| don't know any of the smaller forums but check out
| https://filesharingtalk.com/content/. Get known for being
| active and if there is still an IRC pop by there. The key
| once you're past the standard ones like TL, is to not be
| that hungry for invites, the less hungry you are the more
| places you get to. Maybe check out
| https://thepiratesociety.org/ which used to be a solid
| community 10 years ago but I dunno how it is nowadays.
|
| Or you can just buy one.
| https://www.ebay.com/itm/143939358334 for example is $2 and
| is the private (semi public - all the benefits of private
| but easy to get). It's the one I use. Buying invites can
| lead to getting banned but if you're just chilling out on
| TL then you'll be fine.
|
| A tip for private trackers. Only download new things and
| freeleech until you build up a buffer (You've uploaded more
| than you've downloaded)
| gioo wrote:
| Buying an invite for TL is not a smart idea, they have
| regular open signups. You put all your accounts at risk
| for little gain.
| that_guy_iain wrote:
| This is why I gave the caveat that it's only worth doing
| if you're just going to use TL. If you're not into the
| whole tracker ladder thing then buying TL is kinda a safe
| bet, it's semi public. TL just care about money, I
| wouldn't be shocked to find out that TL has been sold a
| few times.
|
| Previously, when I was really into torrenting I climbed
| the ladder really well, I was in the forum sections where
| staff would share the details of banned users. They
| mostly cared about cheaters, unless it was a small site
| trying to be exclusive. I knew people who would go to
| tracker staff and out people for trading and selling and
| nothing would happen.
|
| But overall if you want to get into the torrent community
| buying and trading isn't worth it. But if you just want a
| single solid torrent site and are willing to pay TL is
| the one to do it with.
| gioo wrote:
| The common advice is to start out on RED (Redacted) by
| doing the interview, and climbing the pyramid from there.
| Use official recruitment to join other trackers, and with
| some patience you'll eventually have everything you need.
| Roark66 wrote:
| Can I ask, what do people download via those private
| trackers? I never had problems finding anything I wanted
| using public tpb proxies etc.
| theshrike79 wrote:
| Reliable source for movies and TV-Shows - even rare ones.
|
| And zero chance of being picked up by copyright watchdogs
| who download the whole swarm's IP addresses and send
| legal notices to each one fishing for ISPs that will give
| their users' data without a warrant.
| symlinkk wrote:
| "Zero chance" is bullshit, they could easily join a
| private tracker and look for IPs, they just don't
| currently because private trackers are not widely known.
| akiselev wrote:
| They're widely known enough to have their own wikipedia
| page: https://en.m.wikipedia.org/wiki/Comparison_of_BitTorrent_sit...
|
| One site on that list, for example, TorrentLeech.org has
| been around for almost 18 years and has hundreds of
| thousands of active users. In fifteen years I've never
| had an issue.
|
| There are also foreign language trackers that are largely
| immune like rutracker.org - you just have to make sure to
| download the English versions
| suddenclarity wrote:
| Is TL really the same site it used to be? I have a vague
| memory of losing my account and the site shutting down
| 10+ years ago. When they came back, they offered open
| sign-up now and then. Made me avoid it.
| miki123211 wrote:
| It's actually harder than it sounds. To scrape IPs from a
| public tracker, all you need to do is to download the
| torrent, pretend to the tracker that you want to join the
| swarm (without actually sharing any content) and you get
| a nice list. On a private tracker, all your activity is
| linked to an account and the tracker knows how much you
| upload / download. If you are a copyright owner, actually
| seeding content is probably a terrible idea for legal
| reasons, and you'll quickly run afoul of ratio
| requirements and get banned if you do not do so. Besides,
| if users report which torrents they're getting copyright
| complaints on, it won't be hard for staff to figure out
| which account tried downloading all of those and has 0
| upload activity on them.
| theshrike79 wrote:
| Close (enough) to zero then.
|
| Most good private trackers have an invite system, you
| can't just join one on a whim and get access.
|
| Their process is profitable enough just by scanning the
| well known ones so they don't need to bother with trying
| to get access to private trackers.
| fruitreunion1 wrote:
| Well, depending on your tastes some stuff can be hard to
| find especially if you want lossless copies. Other nice
| features are the user collages, comments, and great
| organisation which are pros over something similar like
| Soulseek.
| that_guy_iain wrote:
| For me, it's generally the same as private trackers but a
| few differences. Very little - almost zero chance of
| viruses in the apps. The speeds are way faster, this is
| very noticeable on older stuff. There is no bait and
| switch.
|
| For niche stuff you can even find the super hard to find.
| Want to find the tv version of episode 12 of season 3 of
| Flashpoint, there is a site where that is possible.
|
| Some have communities which are super useful if you're
| into those. But if you just want to download and get good
| speeds, a general tracker like TorrentLeech is pretty
| much all you need.
| serf wrote:
| in the case of What.CD there was a community of music
| makers that released exclusively or very close to the
| tracker community.
|
| One of the great losses from the shutdown of that site
| was the destruction of that creative community.
| Hamuko wrote:
| I don't really desire the added complexity of having my files
| somewhere else.
| that_guy_iain wrote:
| Seems same level of complexity to me as adding a VPN into
| the mix.
| [deleted]
| Hamuko wrote:
| Not really. With a VPN, the only change is that the
| networking between A and B now goes through a tunnel with
| no changes to A or B. But if you get a seedbox, A is
| completely removed from the picture and you just have a
| connection between B and C.
| theshrike79 wrote:
| The level of complexity is running a rsync cron job every X
| minutes to check if you have new files to transfer back
| home.
|
| It's not exactly rocket surgery.
| Hamuko wrote:
| So it's more complex _and_ slower.
| theshrike79 wrote:
| I can wait for the extra 60 seconds it takes for my
| cronjob to check new files :D
| emeril wrote:
| dude, at least for tv/movies, just use ultra.cc (cheapest
| plan) and kodi can connect to it via https so no need for
| vpn and you don't even need to download anything - super
| easy
|
| you can even pay more if you really need plex
| justsomehnguy wrote:
| You don't even need to ftp it, you can run the client at home
| and it would connect to the seedbox through the swarm (or you
| can manually add a peer if needed)
| 2OEH8eoCRo0 wrote:
| Tell me more please.
| justsomehnguy wrote:
| ?
|
| You add the torrent to the seedbox torrent client and
| your (eg) home torrent client.
|
| They both become part of the swarm for that torrent,
| through the tracker or DHT, so eventually they would know
| about each other.
|
| If your seedbox downloads the chunk then your home client
| _can connect_ to the seedbox client and download that
| chunk, just as a regular participant of the swarm, no
| need to do anything.
|
| Because the seedbox has a direct connectivity then if
| there is a seed without a direct connectivity - it can
| connect to your seedbox (again, discovered through DHT or
| tracker) and give out all the needed chunks.
|
| A bit slower than having a direct connectivity at you
| home, but most of the time it doesn't matter.
| Hamuko wrote:
| I'm having a hard time understanding the point of this
| setup.
| justsomehnguy wrote:
| Seedbox has a real IP (or port forward, though that
| doesn't matter here) so seed and peers behind the NAT can
| connect to it and transfer torrent data. Your home
| torrent client therefore can connect to it and receive
| the torrent data even if it can't connect to the seed
| directly.
| MikusR wrote:
| PIA has port forwarding and is half the price of mullvad
| serf wrote:
| Many Mullvad customers migrated from there to Mullvad in the
| first place after Kape Tech bought them.
|
| Kape Tech, at the time, had a less than stellar reputation.
| I haven't followed it much since that time.
| UI_at_80x24 wrote:
| Well bummer.
|
| I'll be applying for a refund.
| nly wrote:
| I've just done so. I might rejoin but I'll look for
| alternatives first.
| alberth wrote:
| Why do individuals use a VPN, other than to do questionable
| activities?
|
| Not trolling, genuinely curious.
| dharmab wrote:
| - There are countries, and ISPs in some countries, that block
| or throttle access to commonly used websites.
|
| - You can get cheaper rates on some travel expenses, such as
| car rentals, by changing your IP to one in a different geo.
| oefnak wrote:
| To access my home network?
| zo1 wrote:
| My local ISP throttles YouTube.
|
| VPN bypasses that entirely, despite my traffic traveling to
| another continent on the other hemisphere.
| b5n wrote:
| All depends on who it is that is deciding what is questionable
| and what is not.
| alberth wrote:
| What's an example of an activity you'd consider debatable on
| whether or not it's "questionable"?
| DarmokJalad1701 wrote:
| Watching Netflix outside your "region".
| [deleted]
| serf wrote:
| I would like to watch Japanese commercials and trailers for
| things i'd like to watch -- but Japanese publishers are _big_
| on region locking on the streaming sites, so I circumvent the
| issues with VPNs.
|
| Questionable? Maybe; but I don't really feel personally
| beholden to copyright/trademark law that isn't preventing a
| loss anywhere -- in many cases when I watch these trailers I
| make purchases based upon them, so if anything the corporations
| that region-lock their YouTube videos away from other markets
| are doing more damage than I -- the extra diligent customer.
|
| If you need an absolutely vanilla answer : I VPN into a network
| node that can access other nodes that only host their services
| to the local network. That's also a big advantage, and as far
| as I know it doesn't step on any legal toes.
| zokier wrote:
| Fyi there are plenty of commercial/foss solutions in this sort of
| "port forwarding service" space
| https://github.com/anderspitman/awesome-tunneling
| switch007 wrote:
| This seems like a signal that it's the beginning of the end. We
| all knew popularity would be their demise.
|
| Hopefully a competitor will start up and attract less attention
| for a while until we have to do it all over again.
| altairprime wrote:
| How? Port forwarding isn't a major factor in VPN selection and
| usage for most people, right?
| dymk wrote:
| Well, yeah, it is
| sys42590 wrote:
| Yes, the potential for abuse is quite a lot... from the rather
| harmless Torrent user up to running C&C servers for botnets.
| forty wrote:
| I'm curious: if you have a forwarded port on your vpn that anyone
| can send traffic to, assuming that someone can observe the
| encrypted traffic going out of the vpn provider, couldn't they
| send various traffic "shape" to the port and try to find the same
| pattern in the encrypted traffic to figure out who you are?
| dtx1 wrote:
| Yes, if you can observe incoming and outgoing traffic you can
| trivially use timing attacks. That being said, if you have that
| capability, mullvad isn't going to keep you safe anyway. As the
| folks over at PerfectPrivacy succinctly put it: If you have a
| whole NSA Team after you it's game over anyway.
| Capricorn2481 wrote:
| Why does this affect torrent users?
| 5e92cb50239222b wrote:
| You need to be able to accept incoming connections to be able
| to fully participate in the network. Last time I seriously
| looked into this, BitTorrent clients didn't support any sort of
| NAT hole punching (and they often work over TCP in any case).
| Try running a client with and without a forwarded port and you
| will see massive difference in the number of peer connections.
| [deleted]
| 1letterunixname wrote:
| Transmission has supported UPnP and NAT-PMP for many years.
| Although it doesn't always work as reliably as having a
| client with directly routable address(es), it does exist and
| works okay.
| krossitalk wrote:
| > NAT hole punching
|
| Could we just throw a STUN service in front of this, then?
| shrimp_emoji wrote:
| So you're saying there's a chance
| justsomehnguy wrote:
| Of course, but if everyone is behind the NAT then no one in
| the swarm can connect to any one. If this is a popular
| torrent then someone with the connectivity would show up,
| eventually, but otherwise good luck. Recently it took me
| four months to complete one torrent and I was the one with
| the real IP.
| Capricorn2481 wrote:
| I think I might be doing that already, as this is the first
| I've heard of this. Unless Mullvad was automatically opening
| a port for me.
|
| Is it possible a lot of average torrenters are already not
| port forwarding?
| wincy wrote:
| Because at least one person has to have forwarded ports for them
| to form a direct connection. [0]
|
| This will degrade torrent performance and make torrenting
| worse, routers normally have UPnP enabled these days so we
| forget about it, but this will make it so you can't connect to
| any other users who are also using Mullvad, for one.
|
| [0] https://superuser.com/questions/1053414/how-does-port-forwar...
| bscphil wrote:
| > routers normally have UPnP enabled these days
|
| From what I understand, UPnP took off for a while, but
| started to become much less common about a decade ago because
| of the security issues it caused. I think most routers come
| with it disabled by default now. (If you know of any surveys
| indicating otherwise, I'd be curious to read them.)
|
| Part of it is that hole punching became a standard feature
| for new protocols, so the need to forward ports has been
| reduced.
| dharmab wrote:
| Most consumer routers I've seen come with UPnP on, while
| SOHO routers require explicit configuration.
| AraceliHarker wrote:
| In order to download a file via Torrent, someone has to upload
| it, and when using Torrent via VPN, the file cannot be uploaded
| without port forwarding.
| fruitreunion1 wrote:
| Actually, the initial seeder with a closed port can upload if
| someone else has an open port. Generally a lack of port
| forwarding means you can only connect to others who do have
| port forwarding.
| ddtaylor wrote:
| Uploading can still happen even without open ports. The open
| port part is that someone has to initiate the connection;
| after the connection is established anyone can send anything
| in any direction.
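A small model of the point the last few comments argue over, added here as an illustration (not code from any torrent client or from Mullvad): a TCP connection between two peers can be set up if at least one of them accepts inbound connections, and once it exists, pieces move in both directions regardless of who dialed. Given a constructed swarm, the code counts how many peers each one can exchange data with, lists who is cut off entirely, and reports what share of all peer pairs can connect at all. Peer names and flags are constructed.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Peer:
    name: str
    # True when the peer has a publicly reachable listening port: a public IP
    # with no NAT, a forwarded router port, or a VPN provider port forward.
    accepts_inbound: bool


def can_connect(a: Peer, b: Peer) -> bool:
    """Two peers can form a TCP connection if at least one side can be dialed.

    Which side dials is irrelevant to data transfer: once the connection
    exists, both peers can send pieces over it, so a seeder behind a closed
    port still uploads to any leecher that can be dialed.
    """
    return a.accepts_inbound or b.accepts_inbound


def connection_counts(swarm):
    """Number of other peers each peer can exchange data with."""
    counts = {p.name: 0 for p in swarm}
    for a, b in combinations(swarm, 2):
        if can_connect(a, b):
            counts[a.name] += 1
            counts[b.name] += 1
    return counts


def isolated_peers(swarm):
    """Peers that cannot reach anyone: whatever they hold, nobody can fetch it,
    and they cannot fetch anything themselves."""
    return sorted(name for name, n in connection_counts(swarm).items() if n == 0)


def connectable_fraction(swarm) -> float:
    """Share of all peer pairs that can connect (0.0 for swarms of fewer than 2 peers)."""
    pairs = list(combinations(swarm, 2))
    if not pairs:
        return 0.0
    return sum(1 for a, b in pairs if can_connect(a, b)) / len(pairs)


if __name__ == "__main__":
    # Constructed swarm: one peer with a forwarded port, three without
    # (e.g. three users on the same VPN with no port forward).
    swarm = [
        Peer("alice", True),
        Peer("bob", False),
        Peer("carol", False),
        Peer("dave", False),
    ]
    print(connection_counts(swarm))
    print("isolated:", isolated_peers(swarm))
    print(f"connectable pairs: {connectable_fraction(swarm):.0%}")
    # The same three closed-port peers with alice gone: nobody can reach anybody.
    print("isolated without alice:", isolated_peers(swarm[1:]))
```

In the four-peer swarm above every closed-port peer reaches exactly one other peer (alice), alice reaches all three, and half of the possible pairs can connect; remove alice and the remaining three are all isolated, which is the "everyone behind NAT" case described above.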
| 0x_rs wrote:
| Port forwarding is a big deal. Mullvad is very well respected,
| and so is their advocacy of privacy, but once the setup ports
| expire I'll be forced to pick another provider, not as safe and
| certainly not as cheap either--I think many others are on the
| same boat too. Up until now if you needed a VPN with this feature
| there weren't any better alternatives. Another day cursing at
| networking, I guess.
| giancarlostoro wrote:
| This feature alone is what kept me using IPredator for years.
| derefr wrote:
| Presumably whichever provider you pick will be experiencing the
| same abuse problems and will eventually discontinue offering
| this feature as well.
|
| You should probably rethink how you expose your service. If
| your service is a web service, maybe consider running it as a
| Tor hidden service, and pointing your non-Tor-using users to a
| Tor web gateway?
| konstancja wrote:
| windscribe is a no-log VPN that still provides port forwarding
| features, if you're looking for an alternative
|
| (full disclosure this is my place of work)
| mardifoufs wrote:
| How do you guys deal with abuse? Just wondering because it
| seems like it has been a massive headache for mullvad so I
| wonder if they are targeted by abusers more than other
| services.
| _zoltan_ wrote:
| does it accept cash in an envelope?
| efitz wrote:
| No, but I do.
| psd1 wrote:
| Tailscale has a beta feature called "funnel". As of now, it
| only supports 80 and 443, and does not support custom domains -
| though you could presumably add your own cname.
| acaloiar wrote:
| Funnel has come in handy for me a number of times. Though I
| now wonder if the abuse experienced by Mullvad will be
| realized by Tailscale as well. Perhaps compounded by an
| exodus of Mullvad (ab)users seeking alternatives.
| xena wrote:
| Tailscalar here: your own CNAME won't work because of how the
| routing logic in funnel works. When tailscaled sets up a
| funnel with the control plane, it uses the derived DNS name
| from your tailnet (eg: pneuma.shark-harmonic.ts.net for the
| machine pneuma on the tailnet shark-harmonic.ts.net). As far
| as I understand there's no issue currently tracking this
| work.
|
| Tailscale Funnel does allow you to use any TLS-wrapped
| protocol (IE: one where the client does TLS and the server
| can optionally listen over plain TCP), but I'm not sure it
| would really meet the same goal as port forwarding in Mullvad
| does (for one you could use any non-TLS or UDP protocol with
| Mullvad port forwards, IE: Minecraft server hosting,
| Minecraft doesn't use TLS afaik). It's great for HTTPS
| though. I'm not sure how the bandwidth limits would add up
| over time for something more interactive like Minecraft.
|
| Either way, Funnel does do some things well, but it's not a
| generic replacement for Mullvad port forwards.
| mijoharas wrote:
| What's the usecase that makes it so important for you out of
| interest?
| [deleted]
| eatbitseveryday wrote:
| Yes, again the extreme abusers of a service ruin it for the
| rest.
| AnonC wrote:
| So basically, Mullvad is saying that you can use its VPN service
| as a client to reach services but not host a service yourself
| (especially in a home network behind NAT or CGNAT) and have
| others connect to it via the VPN.
|
| The most commonly used scenario for port forwarding would be
| torrenting, where users forward ports so that they can be
| "connectable" (i.e., accept incoming connections from the
| Internet).
| gigatexal wrote:
| This is off topic but how can Mullvad be a no log vpn and still
| operate without impunity? What about Uber illegal stuff like csam
| or terrorist stuff etc?
| capableweb wrote:
| Generally it's not illegal to host services that could
| potentially be used for those things (as basically any online
| service with user generated content could be used for that),
| but it's illegal not to act once you have received complaints
| about it. Presumably, Mullvad does act when they get notified
| about their service being used in those manners.
| Mordisquitos wrote:
| Compare it for example to a company operating taxis that can be
| hailed on the street and be paid in cash on arrival. The
| company does not log any details about its passengers, nor does
| it inspect their luggage or inquire about their reason to
| travel. How can the taxi company still operate with impunity?
| What about passengers using them for _uber_ illegal stuff, like
| transporting drugs, illegal arms, or for escaping from law
| enforcement?
| remram wrote:
| You can still put the taxi driver on the stand. Most cabs are
| even equipped with cameras now.
|
| This is more comparable to a taxi company which makes drivers
| take a pill to forget all details on arrival. That would be
| harder to defend, after the first incident of "why was this
| car in my driveway last night? - we couldn't tell you!"
| michaelmrose wrote:
| That is a terrible analogy because the information is
| inherently captured and you are talking about taking
| extraordinary measures to destroy evidence. It's also a
| failed conversational gambit because we end up discussing
| the bad analogy instead of the underlying issue.
|
| In other news despite VPNs people who commit crimes are
| prosecuted all the time via ordinary police work per
| normal. In fact despite sophisticated tech criminals on
| average leave behind more breadcrumbs than they ever did in
| prior eras.
| michaelmrose wrote:
| Do you think if VPNs became illegal in America that it would
| have any effect on terrorism or child abuse? People who don't
| care about violating little children don't care about violating
| the law.
| flangola7 wrote:
| If I don't torrent how does this affect me
| joffspkfjeueebo wrote:
| [dead]
| [deleted]
| wkat4242 wrote:
| Ohhhh too bad. It was useful for torrents.
|
| That said, I never actually got incoming connections over UDP
| working properly anyway through these ports, even though they
| were supposed to be supported.
|
| But I can understand the reasoning yeah.
| Hamuko wrote:
| No mention of refunds? That's quite a significant change to the
| service.
| jsheard wrote:
| They offer refunds within 30 days of purchase as a matter of
| course, provided you paid with a method that can actually be
| refunded. Seems like you're out of luck if you paid longer than
| 30 days ago, though.
|
| https://mullvad.net/en/help/refunds/
| worldofmatthew wrote:
| Not for vouchers or crypto as per their official policy.
| oarsinsync wrote:
| Can't refund a gift card purchase, or anything else where you've
| deliberately not saved the customer payment details. Privacy
| has drawbacks.
| wkat4242 wrote:
| Nope but they could add 10% of time credit or something.
| Especially to those who had port forwarding configured in the
| last year or so.
| iakov wrote:
| I've paid with my card though. It's possible to refund those,
| and PayPal.
|
| It's a very sudden move on the Mullvad part that impacts a
| lot of their customers. If the torrent speed drops down as
| much as I think it will I won't be very happy...
| [deleted]
| fruitreunion1 wrote:
| They used to allow refunds for cryptocurrency payments but
| there's probably opportunity for abuse there since the
| payment method is practically anonymous to them.
| orra wrote:
| To be fair, the terms and conditions say they stopped offering
| port forwarding two years ago
| https://web.archive.org/web/20210430072429/https://mullvad.n...
| Hamuko wrote:
| That specifies "an account that has an active subscription"
| and they only seem to be using the term "subscription" in the
| ToS for auto-renewing plans.
|
| > _If you wish to subscribe to the service, you can sign up
| for a PayPal subscription. With a subscription, EUR5 is
| automatically deducted from your PayPal account each month._
|
| Otherwise they just talk about "using" or "paying". It has
| also been absolutely possible to a) add new port forwards if
| you have paid for Mullvad b) pay for Mullvad when you have
| port forwards, so those ToS wouldn't make sense if they
| referred to all Mullvad accounts.
| orra wrote:
| Ah, thanks, I had forgotten the distinction.
| LjutiBrk wrote:
| Hide.me supports port forwarding with uPnP
| timtom39 wrote:
| Damn, really liked these guys but this makes it about useless for
| torrent seeding. I wish they would have considered alternatives
| like only allowing port forwarding for some of their IPs. I don't
| care about IP reputation.
| JP44 wrote:
| Not in need of forwarding, and a happy mullvad customer, but that
| does sound like a good compromise. Although I think that still
| may attract a lot of attention from authorities etc.
| Gareth321 wrote:
| Exactly. For torrenting it doesn't need to access web services.
| It just needs to be able to connect to peers. Having a port
| forwarding IP block would make everyone happy.
| fulafel wrote:
| Can you still accept incoming connections on IPs that are behind
| the VPN?
| fruitreunion1 wrote:
| That requires port forwarding
| ctime wrote:
| Also, does this mean they just aren't going to allow fully
| routable ipv6 because of "abuse" or whatever? (One of the promises
| of ipv6, whenever it's realized, probably shortly before the heat
| death of the universe, is precisely what mullvad claims to be the
| cause of trouble.)
| fruitreunion1 wrote:
| Everyone having a unique globally routable IPv6 address might
| be less private/anonymous. Less ability to blend with the
| crowd. Personally I wouldn't mind ULA on a commercial VPN.
| kome wrote:
| fyi AirVPN still supports port forwarding
| https://airvpn.org/faq/port_forwarding/
| KomoD wrote:
| AirVPN looks sketchy
| Fire-Dragon-DoL wrote:
| It does, but it works. Been using it for 3 years.
___________________________________________________________________
(page generated 2023-05-29 23:00 UTC)