worric

Security on the PtP interface

Hi!

Upon noticing that programs like Spotify and Dropbox use the 10.x.x.x interface for their normal operation (like Dropbox broadcasting its LanSync on UDP 17500, and Spotify listening on UDP 1900), I started to wonder how important it is to protect the interface with a firewall even from the AirVPN PtP peer.

I mean, surely, with ports open and no firewall on the tun/tap interface it would be possible for the other peer to browse shared folders/printers and even initiate an exploitation attack to gain control over the machine connecting to AirVPN. Would I be correct in that?

Of course, in all the time I've used your service I haven't encountered a single incoming packet from the peer IP (maybe save for DHCP, but I don't log those), and, being a security/anonymization service, attacking/exploiting connected clients may not be all that great for business :). But as a paying customer putting my trust in your hands, so to speak, I have to consider these things.

Now, I guess in the case of broadcasts, they don't really work in a PtP environment, but that doesn't mean that the NetBIOS ports/whatever aren't open.

Are my concerns valid in the least?

Hello!

We understand your concerns. However, it is not possible for two or more clients to communicate with each other if they're connected to the same VPN server. This is an additional security feature that we implemented since the beginning of our activity. While it makes our VPN not a "fully connected" VPN (in the sense that clients on the same server can't communicate with each other inside the private network), this is a feature that should answer your concerns.

Kind regards
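
The exposure raised in the question can be audited locally by listing listening sockets and keeping those bound to a wildcard address or to the tunnel address, since only those accept traffic arriving on the tun/tap interface. The following is an added example, not part of either post; the tunnel address `10.4.0.6`, the device name `tun0` and the `ss -H -tuln` sample are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not taken from the thread).
SAMPLE_SS = """\
udp UNCONN 0 0 0.0.0.0:17500 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:1900 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
tcp LISTEN 0 128 192.168.1.20:445 0.0.0.0:*
tcp LISTEN 0 128 10.4.0.6:8080 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 [::1]:631 [::]:*
udp UNCONN 0 0 0.0.0.0%eth0:68 0.0.0.0:*
"""

def reachable_via_tunnel(ss_output, tun_ip, tun_dev="tun0"):
    """Return (proto, port) pairs for listeners that accept traffic
    arriving on the tunnel interface."""
    tun = ipaddress.ip_address(tun_ip)
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # not a socket line
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")
        # ss prints IPv6 as [addr] and device-bound sockets as addr%dev
        host, _, dev = host.strip("[]").partition("%")
        if dev and dev != tun_dev:
            continue  # bound to another device, not reachable via the tunnel
        if host == "*":
            wildcard, addr = True, None
        else:
            addr = ipaddress.ip_address(host)
            wildcard = addr.is_unspecified
        # Wildcard binds of either family are treated conservatively as exposed.
        if wildcard or addr == tun:
            exposed.append((proto, int(port)))
    return exposed

if __name__ == "__main__":
    for proto, port in reachable_via_tunnel(SAMPLE_SS, "10.4.0.6"):
        print(f"{proto}/{port} accepts traffic on the tunnel interface")
```

Each reported pair is a candidate for an inbound drop rule on the tunnel interface or for rebinding the service to the LAN address only.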
