DDNS with multiple connections

[Judas4all 3]

I wonder if you could configure DDNS based on Device/Key ?

Would that be an option to only setup DDNS on a dedicated device ?

would love to see that feature.

[OpenSourcerer 1359]

While I generally find such a feature cool as well, it would be detrimental to privacy. It would mean a data point people can use against you personally. "So, this IP downloaded [insert copyrighted content] on port 9000, and we found out it's an AirVPN exit. We studied your website and found out that ports are bound to keys, and keys are bound to users. So, which user forwarded this port?" AirVPN find themselves in a dilemma quickly:
If they tell the truth, the others will ask for all data on that user account, including mail address. Also, trust would be obliterated forever.
If they lie, they will have trouble with authorities and the users, because if they lied here, where else?

[eburom 16]

On 11/26/2020 at 6:22 PM, OpenSourcerer said:

We studied your website and found out that ports are bound to keys, and keys are bound to users. So, which user forwarded this port?

Just curious, how do they avoid that situation right now that ports are forwarded by users? how does selecting a device key make this worse?

[OpenSourcerer 1359]

Quite honestly, I have no idea. Maybe AirVPN were never asked that before?
When I think about it a bit more thoroughly, also given what @eburom wrote, while it would create the mentioned additional data point, the information about which user forwarded which port is already there. I'm currently thinking if such a feature really would be detrimental to privacy given that AirVPN can already be asked which user forwarded port 9000. The question thus is not about privacy but technical feasibility.

The real question here is how far someone would go to find out who exactly runs the torrent client on that port, or the webserver serving that Wikileaks-style website on that port. Say, someone is motivated enough and asks AirVPN for that info. Same dilemma as above applies, I think, but let's just assume they tell the truth because the info is there and the requester further asks for account information, which AirVPN again answers honestly. The only point they can possibly use against that user is the entered mail address. And some people do use a working one! If it's your own domain, you're done. If it's free mail like GMail, the requester will probably ask Google (and they will mostt probably consolidate all account information to comply with the request). If it's Posteo, Mailbox.org, Tutanota, ProtonMail, they might ask them, too, but everything is encrypted. If it's nonexistent, you're good.

[Flx 76]

On 11/26/2020 at 11:18 AM, Judas4all said:

Would that be an option to only setup DDNS on a dedicated device ?

This is the second time I see this "odd request". It's a logical one. If you expect Staff to do this even as an option(opt-in); they will "most likely" not.
Why don't you implement it client-side?

 

[NaDre 154]

23 hours ago, eburom said:

Just curious, how do they avoid that situation right now that ports are forwarded by users? ...

They don't keep a record of what ports you forwarded in the past. Change the port you use for something sensitive often. Say weekly? Thanks for the reminder.

EDIT: I mentioned this issue in comments I made about Wireguard security issues:

https://airvpn.org/forums/topic/44949-wireguard-response-from-mullvad/page/2/?tab=comments#comment-109998

"At some point, on the server, the "AllowedIPs" value for the Wireguard configuration file for each user will have to be set. Collisions will have to be avoided. Much like forwarded port numbers now. It seems to me allowing a user to use a web interface similar to the one used for ports in order to set the local IP address would go some way to mitigating this. Users who are concerned could change this frequently. They would need to download a new network configuration script for their device after doing that. Of course AirVPN would keep no record of past local IP addresses, just as it keeps no record of past forwarded port numbers."

I also pointed our another record kept by the OpenVPN servers that is not immediately obvious:

"Keep in mind that even with OpenVPN, there is a record of the local IP address for each server kept by each server, so that the same local IP address will be given again to the same client. Using "--ifconfig-pool-persist file". "

In the post that followed Staff said this:

"Yes, we still use ifconfig-pool-persist in OpenVPN.  It's very different than Wireguard's addresses binary mapping, especially under a legal point of view."

Perhaps a more detailed explanation of the differences from a legal point of view would be interesting?

EDIT 2: Keep in mind the Wireguard issue and the ifconfig-pool-persist issue are only an issue if someone has been able to determine what your local IP address was.

EDIT 3: If you were concerned about the record of your local IP address being retained due to ifconfig-pool-persist, I believe you could break any link to you by creating a new device key to replace the old one. I believe this will generate a new certificate which contains the "common name" used to save IP addresses when ifconfig-pool-persist is used.

 

[eburom 16]

6 hours ago, Flx said:

his is the second time I see this "odd request". It's a logical one.

At least I did ask for it before 😅

6 hours ago, Flx said:

Why don't you implement it client-side?

I don't see exactly how, the very thing is to be able to control witch client will be resolved for that URL. Any suggestion will be appreciated. For the moment, when I need it, I usually connect that client to a specific server and use it's raw exit IP, I also have a script that gives me the exit IPs of my connected devices using the API.

2 hours ago, NaDre said:

They don't keep a record of what ports you forwarded in the past. Change the port you use for something sensitive often. Say weekly? Thanks for the reminder.

I was just trying to understand if the requested feature would be detrimental in that sense, but thanks for the info.

[NaDre 154]

16 minutes ago, eburom said:

..
  I was just trying to understand if the requested feature would be detrimental in that sense, but thanks for the info.

I don't see how having DDNS associated with the device rather than the user would make it any worse.

For that matter having forwarded ports associated with the device might be useful to some also. And I don't see how that would make things any worse. Perhaps having a level of indirection might even help from a legal perspective? I say this because of Staff's earlier comment about the saving of local IP addresses by OpenVPN servers being different than Wireguard saving local IP addresses, from a legal point of view. How so? Because of indirection?
 

[Flx 76]

11 hours ago, eburom said:

I don't see exactly how, the very thing is to be able to control witch client will be resolved for that URL. Any suggestion will be appreciated.

I did scratch my head around this to what you are referring. Instead of doing it as such a different approach was used.(Last link-multi session/tunnel). 3 AirVPN IPs "floating/mingling" at OS level. 2 AirVPN IPs DNS level. But probably this will not qualify as an answer you expected.
https://ipx.ac/results/G73IIBc7i1yNv7Ot
 

[NaDre 154]

On 11/30/2020 at 10:47 AM, eburom said:

On 11/30/2020 at 4:34 AM, Flx said:

Why don't you implement it client-side?

I don't see exactly how, the very thing is to be able to control witch client will be resolved for that URL. Any suggestion will be appreciated. For the moment, when I need it, I usually connect that client to a specific server and use it's raw exit IP, I also have a script that gives me the exit IPs of my connected devices using the API.

I took this to mean that you could use a dynamic DNS service other than what AirVPN provides. I used to use dyndns.org long ago, But I am not sure there is a free tier anymore.

If you are using the server IP address now, then you could look at getting a domain name, use Cloudflare for free DNS, and just update the address manually when you change servers. That way you only change an IP address in one place. Rather than having to tell a bunch of people. There would of course be a propagation delay.

EDIT:

Cloudflare also provides an API that can be a used to update the IP address for a DNS record:

https://api.cloudflare.com/

So you can "roll your own" dynamic DNS. In a bash script in a client machine running Linux (or using Cygwin under Windows) you could use "curl -4 icanhazip.com" and "curl -6 icanhazip.com" to retrieve external IP addresses and then use curl again to update the IP address in DNS records via the Cloudflare API. You can set the TTL as low as 120 seconds.

:End of Edit

But if you use any sort of DNS other than AirVPN then you have to worry about whether this has left you traceable.

You could also ask yourself whether you really need to connect to these services through AirVPN. It is possible in Linux (if that is what you are using) to have the VPN as the default gateway but still connect to services using the real interface:

https://github.com/tool-maker/VPN_just_for_torrents/wiki/Maintaining-SSH-Access-Using-a-VPN-on-a-Remote-Linux-Server

Does everything you are doing really need to be VPN-ed?
 

[eburom 16]

Thanks for both suggestions. Its not like I have a big issue with this, but my use case scenario is something like:
I have a Pc at home in witch I use AirVPN to connect to the internet. From time to time I might want to remotely ssh it (lets say to tunnel a vnc connection or whatever). So I use AirVPN to forward a port to the one my machine's ssh server is listening on. So far so good but I still have to solve how I get the IP of this server. AirVPNs DDNS just seemed too convenient to ignore. The thing is that AirVPN also lets you have more devices simultaneously connected and this doesn't play well with DDNS. But wait, what if DDNS were set for a specific Device Key? That would make ut possible to have a configuration with various devices simultaneously connected through AirVPN and using DDNS to reach one of them.

Wont get it to be done? Ok, I handled it some other way, no big deal. But I suggested it because I think that making those tho things play well together would make sense and make AirVPNs features better.

[Flx 76]

@NaDre
Let's see what Staff has to say regarding this--->>
https://airvpn.org/forums/topic/48561-ddns-with-multiple-connections/?do=findComment&comment=132081
This time a different Staff member Mr. Brini Mr. pj or Mr. Clodo
Please enlighten us?
Thx

 

[NaDre 154]

10 hours ago, Flx said:

@NaDre
Let's see what Staff has to say regarding this--->>
https://airvpn.org/forums/topic/48561-ddns-with-multiple-connections/?do=findComment&comment=132081
This time a different Staff member Mr. Brini Mr. pj or Mr. Clodo
Please enlighten us?
Thx

 

Just to be clear, I would NOT want them to stop using "ifconfig-pool-persist" or pick random ports to listen on for each VPN connnection. This would make AirVPN much harder to use for torrenting. And particularly for people who use AirVPN only for torrenting (not as the default gateway) with uTorrent. People would have to change the configuration of their torrent client each time they started the VPN. A nightmare.

My post was not meant as a criticism. The one question that I did direct to staff about "ifconfig-pool-persist" was answered. I quoted the answer.

EDIT:

Well I guess I did wonder why Wireguard's saving of local IP addresses was more risky than OpenVPN's approach from a legal viewpoint. Is that the thing you want staff to comment on? I am not really that bothered about this either. Particularly because they would probably have to get a lawyer to answer.
 

[Flx 76]

11 hours ago, NaDre said:

Well I guess I did wonder why Wireguard's saving of local IP addresses was more risky than OpenVPN's approach from a legal viewpoint. Is that the thing you want staff to comment on?

Yes...on that.

11 hours ago, NaDre said:

I am not really that bothered about this either. Particularly because they would probably have to get a lawyer to answer.

Neither am I. Don't they have their own lawyers?

 

[BKK20 0]

On 11/26/2020 at 6:22 PM, OpenSourcerer said:

While I generally find such a feature cool as well, it would be detrimental to privacy. It would mean a data point people can use against you personally. "So, this IP downloaded [insert copyrighted content] on port 9000, and we found out it's an AirVPN exit. We studied your website and found out that ports are bound to keys, and keys are bound to users. So, which user forwarded this port?" AirVPN find themselves in a dilemma quickly:
If they tell the truth, the others will ask for all data on that user account, including mail address. Also, trust would be obliterated forever.
If they lie, they will have trouble with authorities and the users, because if they lied here, where else?

@OpenSourcerer But actually they maybe not only ask for user profile information. If I'm not wrong, they could also get orignal IP address you are connecting to AirVPN isn't ?

[OpenSourcerer 1359]

14 hours ago, BKK20 said:

If I'm not wrong, they could also get orignal IP address you are connecting to AirVPN isn't ?

This bit is not saved anywhere. Your ISP IP is shown for transparency in the sessions overview because it's inevitably known to the OpenVPN daemon. You kill the connection, you kill this information.