hugomueller

Open ports expose VPN users’ real IP

https://www.perfect-privacy.com/blog/2015/12/21/wrong-way-security-problem-exposes-real-ip/

 

 

Another VPN security problem was found: “Wrong Way” may reveal the user’s real IP address like “Port Fail”. This time not only providers with port forwarding are affected but rather all providers, they haven’t fixed the problem. The underlying problem is that packets received over the real IP will be answered via the VPN interface under certain conditions.

 

 

@AirVPN

Does your client handle this problem with the Network Lock?


Hello!
 
1) It's not that Network Lock "mitigates" the issue, it does solve it entirely at its root.

2) Again, this is much ado about nothing. According to our instructions, it's since 2010 that we instruct how to avoid correlations of these kinds (disable UPnP for example: 5 years ago it was already written in our proto web site). Those VPN teams that show much concern and exploit sensationalism are just sending a message to gullible and inexperienced people. All the other persons can clearly see that this sensationalism hints at a lack of competence about the most basic and trivial routing concepts.

See also this nice article, which treats so-called "Port Fail" in addition to other issues (including the one treated in this thread).

Another “critical” “VPN” “vulnerability” and why Port Fail is bullshit
https://medium.com/@ValdikSS/another-critical-vpn-vulnerability-and-why-port-fail-is-bullshit-352b2ebd22e2#.vgjazzmz8

and how the Great ValdikSS (author of the article and probably reading us) could get (according to his own words which we feel to share) a total of 7300 USD for "such a bullshit issue" (from les incompétents, we would be tempted to add). :D

Kind regards


Hi Guys,

 

how does this affect those who have OpenVPN client running on a router?

 

Thank you.

 

Good question, I connect to Air servers using the included OpenVPN client on Asuswrt Merlin with UPnP off. Are there any further precautions needed and what about those on DD-WRT, Tomato or even pfSense?


Note these rules (on the guide about how to forward ports in DD-WRT etc.):

https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables

iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP

Bold is ours to make the answer to your question clearer.

Kind regards

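The rules in the post above all match on the tunnel interface (`-i tun1`). As an added example (not part of the original thread or of the AirVPN guide), this shell function audits a rule list and prints every port-forward rule that is not restricted to that interface. The sample rules, the address 192.168.1.50, port 40000 and the WAN interface name vlan2 are constructed for illustration.

```shell
#!/bin/sh
# Added example: list port-forward rules that are NOT bound to the VPN
# tunnel interface. Accepts "iptables ..." command lines as well as
# iptables-save / "iptables -S" output on stdin.

# audit_forward_rules TUN_IF < rules
# Prints each offending rule; returns 1 if any were found, 0 otherwise.
audit_forward_rules() {
    awk -v tun="$1" '
    {
        chain = ""; in_if = ""; dport = 0; target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-A" || $i == "-I") chain = $(i + 1)
            # A negated match ("! -i tun1") does not bind the rule to tun1.
            if ($i == "-i" && $(i - 1) != "!") in_if = $(i + 1)
            if ($i == "--dport") dport = 1
            if ($i == "-j") target = $(i + 1)
        }
        if (chain == "") next            # table headers, COMMIT, comments
        # A port forward is a DNAT in PREROUTING or a per-port FORWARD accept.
        forward = (chain == "PREROUTING" && target == "DNAT") ||
                  (chain == "FORWARD" && target == "ACCEPT" && dport)
        if (forward && in_if != tun) { print; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample: two rules bound to tun1, one DNAT with no interface,
# one FORWARD rule bound to the WAN interface, one unrelated state rule.
SAMPLE_RULES='iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.50 --dport 40000 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 40000 -j DNAT --to-destination 192.168.1.50
iptables -t nat -I PREROUTING -p udp --dport 40000 -j DNAT --to-destination 192.168.1.50
-A FORWARD -i vlan2 -d 192.168.1.50/32 -p udp -m udp --dport 40000 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | audit_forward_rules tun1 ||
    echo "^ forwarding rules not restricted to tun1"
```

On a router, feed it the live ruleset instead of the sample, for instance the output of `iptables-save`.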

I had not turned off UPnP until now (but always used Network Block). Would leaving UPnP on have left me vulnerable? Thanks. BTW, you guys do a great job!


Hello!

 

Don't worry, since you had Network Lock on, UPnP did not expose your system to correlations.

 

Kind regards


I use ESET Smart Security's Firewall, so Network Lock doesn't work for me because it uses Windows Firewall. I was wondering if maybe you know what rules to set in ESET's firewall and what IPs to allow/deny so that only AirVPN traffic is allowed?
