Port forwarding availability change

[Staff 9764]

Hello!

Please note that starting Saturday, June 24, all new accounts will have the ability to forward remotely a maximum of 5 inbound ports.

The decision is intended to extend the time period after which we will run out of ports.

The change is not retroactive: all current customers and all accounts created before Saturday, June 24 will have the usual, total ports availability.

In addition, we will continue to investigate viable alternatives in anticipation of port exhaustion.

Kind regards & datalove
AirVPN Staff

[Air4141841 23]

I have submitted a ticket/ request in regards to this.  I hope this helps 

[ss11 15]

Port forwarding 5 inbound ports on per-device basis as AirVPN offers is still sufficient as one normal user with an average use-case can run their p2p software just fine.
However, some solution to prevent port exhaustion should exist, as there are only 65536 minus 2048 ports that can be forwarded, and this resource is shared along ENTIRE AIRVPN COMMUNITY. It might sound a lot but it is really not, and as opposite to IPv6 vs IPv4 where IPv6 comes with the solution to offer orders of magnitude more IP addresses, for Ports there is none, as in there will never be more than 65536 ports.

Obviously solutions are required. Would it be wise to post in a Forum topic about it and brainstorm a little bit, see what solutions we have so far and decide which to choose?

[Quallian 24]

On 6/17/2023 at 12:24 PM, Staff said:

The change is not retroactive: 

Bravo! That's how you do it. By preserving what was advertised to all previous customers you have proved your honesty and fairness again. 👏

[oassQ9w4cbl4AySZhhth%p36x 2]

On 6/17/2023 at 11:24 AM, Staff said:

Hello!

Please note that starting Saturday, June 24, all new accounts will have the ability to forward remotely a maximum of 5 inbound ports.

The decision is intended to extend the time period after which we will run out of ports.

The change is not retroactive: all current customers and all accounts created before Saturday, June 24 will have the usual, total ports availability.

In addition, we will continue to investigate viable alternatives in anticipation of port exhaustion.

Kind regards & datalove
AirVPN Staff

just a suggestion to help extend, give current customers the ability to declare themselves as ipv4 or ipv6 only. So for example i block all ipv6, and in the port forwarding settings I get allocated both ipv4 and ipv6. I won't use ipv6 port forwarding but it is still allocated to me. This could be better served with some other customers being able to utilise those ports instead of me. 

If that makes sense. 

[ss11 15]

I think this is will complicate things too much, like port 12310 will be assigned to you via IPv4 and to other customer via IPv6 - this means separate records need to be kept on per IP class basis instead of just per user basis.

It will be very confusing and significantly more complicated for AirVPN central server that does allocations.
It will also be very hard to explain to someone that port XXXX is available for IPv4 only; port XXXX is available for IPv6 only and port XXXX is available for both IPv4 and IPv6. Nobody will understand any more.

Most users don't even care if they are running in dual stack mode (ipv4 and ipv6 simultaneously) and this is the correct behavior IMO -- AirVPN provides you with IPv6 exiting, you should use it - period. Some are under the false assumption that if they use only IPv4 they are more secure or more private -- it's not the case. AirVPN assigns ULA (unique local addresses) for IPv6 to its customers ,they are not reachable from the public internet unless you use the port forwarding service.

IPv6 has better latency (not a noticeable difference but still), better routes and it's less blacklisted than IPv4.

Also, maybe it's just me but I am so against not using AirVPN in dual-stack mode, since it provides native IPv6 I don't see a reason to exclude it. Days where IPv6 was not clearly understood and had somewhat privacy implications are long gone. I am also in favor of using IPv6 as the entry layer for users that are Native IPv6. We have to move on towards superior technology, sooner rather than later.

[oassQ9w4cbl4AySZhhth%p36x 2]

well its the best way for me, i dont know enough about ipv6 and the idea of each individual device having their own publicly routable ip on the internet scares me. i know ipv4 and i'll stick with it, even if it means reduced latency. maybe one day i'll have enough trust in ipv6 and do enough research to be happy with it from a privacy stance but thats not going to be within the next 4 years at least. 

I agree about the complexity but you can give people choice. The ipv6 allocations to me as exit nodes for example are worthless since I won't use them. Those could be reclaimed from me too. I specifically specify in the config generator that I want ipv4 exit only. I'm sure the ones like me could result in more ports being available. 

Outside of that or on top of it, we could have it be per server rather than ALL servers. Or 1 port on all servers and then 4 more allocated as the user sees fit. now the more community orientated ones of creating a pseudo marketplace where requests go in and people possibly pay a nominal fee and airvpn try middleman the allocation to some degree. 

Finally reclamation. [this one will help solve the issue a lot i think] A use it or lose it policy. If no traffic as flowed from that port in {duration} possibly 2 weeks to 1 month, then its automatically reclaimed back to the system / available pool for allocation. 

[cccthats3cs 9]

I am in favor of having a slightly limited 20 ports for everyone, instead of 5 for new users. The main reason behind this is that while this change doesn't impact me currently, ports as they are now are finite and eventually, I can see a situation in which the system needs to be changed for all accounts.

The easiest solution to me seems to be having ports allocated on a per-server basis: with around 60000 ports per server that would allow for 3000+ users to forward a full 20 ports on the same server. If somehow a server ran out of ports in that instance, another could be purchased in the same location/datacenter.

For my own port forwarding applications, I am constantly connected to the same server and don't mind briefly losing the ports if I need to switch locations.

[ss11 15]

I cannot say the per server port forwarding is ideal, but is at least better than spreading port forwarding per IP class (either IPv4 only, either IPv6 only, either dual-stack).
In a perfect future, everybody is at least dual-stacked, because IPv6 only seams further away.

The per server selection has a negative impact on load balancing, one that selected a port there is kind of forced to connect only to that server, regardless its load. I can think of other privacy implications as well.

[mythrare 1]

I think a good & sane solution would be to allow people to choose a city that their port forwards would apply too, thus they are not bound to a single server or all servers. This would be the best of both worlds between reliability and availability...although some countries' servers are heavily based in one city...maybe splitting a city into zones/wards may be a way.

[cccthats3cs 9]

With news of Mullvad and now IVPN removing port forwarding, can we have assurance from staff that AirVPN is not planning to remove port forwarding?

[dj77 6]

1 hour ago, cccthats3cs said:

With news of Mullvad and now IVPN removing port forwarding, can we have assurance from staff that AirVPN is not planning to remove port forwarding?

good question 

[Undated8198 1]

9 hours ago, cccthats3cs said:

With news of Mullvad and now IVPN removing port forwarding, can we have assurance from staff that AirVPN is not planning to remove port forwarding?

Hi everyone, potential customer here and I would really appreciate a response to this question. I actually registered just to emphasize that. After speaking with someone at IVPN it's clear they have neither the capacity nor the desire to take on Mullvads customers. I've now changed VPNs twice in as many weeks, and this will be my third... As you might imagine it is pretty annoying.

[Staff 9764]

@Undated8198


Hello,

we have no plans to remove port forwarding, quite the contrary: we are currently deploying resources to delay port exhaustion and find alternative, but comfortable, procedures to keep offering this service in anticipation of port exhaustion. As you can see we already limited to new customers the amount of bookable ports, in order to preserve advertised features to those who are already our customers. We are committed to avoid retro-active modifications of the service for pre-existing customers, when such modifications would be detrimental for the service or anyway betraying an advertised feature.

Kind regards
 

[benfitita 35]

My understanding is that there's a limited number of ports per IP address, so perhaps introducing a 2nd exit IP would solve the issue? New customers would be allocated to the 2nd exit IP.

[go558a83nk 352]

Maybe require users to select which server the port will be reserved on?  And if they want to switch servers for the port forward rule they can try but if it's already reserved by another user they'll have to choose a different port.

[drum 4]

1 hour ago, benfitita said:

My understanding is that there's a limited number of ports per IP address, so perhaps introducing a 2nd exit IP would solve the issue? New customers would be allocated to the 2nd exit IP.

That is exactly what i was thinking. Segmenting the user base into n groups, each group with distinct exit ip addresses, while i guess, all groups will use the same entry ip.

[Quallian 24]

On 6/17/2023 at 12:24 PM, Staff said:

Hello!

Please note that starting Saturday, June 24, all new accounts will have the ability to forward remotely a maximum of 5 inbound ports.

The decision is intended to extend the time period after which we will run out of ports.

The change is not retroactive: all current customers and all accounts created before Saturday, June 24 will have the usual, total ports availability.

In addition, we will continue to investigate viable alternatives in anticipation of port exhaustion.

Kind regards & datalove
AirVPN Staff

Hi,
I use AirVPN through different accounts. One of them has no valid plans since years, but it was active in the past (2016, 2017...). If I add a plan to this account now or in the near future, shall this account have 20 or 5 ports available? Maybe a silly question but I'm in doubt, sorry.
 

[Staff 9764]

2 hours ago, Quallian said:

Hi,
I use AirVPN through different accounts. One of them has no valid plans since years, but it was active in the past (2016, 2017...). If I add a plan to this account now or in the near future, shall this account have 20 or 5 ports available? Maybe a silly question but I'm in doubt, sorry.
 

Hello!

An account with such features will have a maximum of 20 ports available. Thank you for your great feedback.

Kind regards
 

[MusicPeek 0]

Are you going to remove port forwarding? Can you guarantee if you won't remove it? You removed port forwarding, will you refund money?

[Oblivion 2013 8]

In the past at Posted 08/20/2021 already a topic was being open about this going to happen. You can look at that topic. I did open it because aMule for Linux needs 3 ports that are very unfortunately need to be consecutive. Like 3003,3004,3005.

https://airvpn.org/forums/topic/49704-the-big-port-forwarding-airvpn-topic/

At that time i thought it was possible to make more software IPv6 ready and give customers an IPv6 address that has a random ending, even making customers being able to have same ports forwarded.

That topic ended about why i went to WINE with Emule on top of it because Emule running on WINE can use 2 random ports anyway.

Another ridiculous sounding idea is getting random ports when connecting with uPNP, but very few people would like that. ( But I wouldn't mind, since i don't use Windows natively ) and the software I use does support uPNP. But at least EDDIE should then easily show control about which ports have been temporarily created with uPNP

About that topic it ended like this: If running an application with WINE you have to wait 2 minutes before restarting the application that uses port forwarding. Linux does not allow WINE to discard a port itself, Windows however does. There was no reason to reboot.

For Linux users, nowadays the netstat command is replaced with ss like

ss|grep tcp
ss|grep udp

If your application has closed in WINE like with eMule and the port is still listed there, just wait 2 minutes, then it will work again.

So in the past it was obvious this was going to happen since the ports are a shared resource. It is also possible to push random ports and execute a script, that script modifies configuration of software using these ports, that is possible, but inconvenient, but will be necessary if say hundred million subscribers come to here.

-- To Moderator, forgot to log in before posting this so this message is in your approval que, but as you can see i logged in and it now is posted already --


 

[ss11 15]

8 hours ago, Sarcley said:

Are you going to remove port forwarding? Can you guarantee if you won't remove it? You removed port forwarding, will you refund money?

Can you guarantee that you won't misuse the port forwarding feature, and pay the entire server bill for one month if you abuse?
What kind of more guarantees do you want, @Staff just confirmed there are no plans to remove this feature, to the contrary, there are plans to look for solutions to make these resources available forever.

All other VPN providers you mention that cowardly remove this feature do not have a net neutrality prospect and mission prospect like airvpn does. If you read those, you will see p2p (not possible without port forwarding) is one of the most important aspects in a decentralized censorship-resistant internet, which is in tango with airvpn's mission. The mission and net neutrality prospects of airvpn have not changed since its inception so I doubt it will happen, unless something really ugly happens.

Happy p2p-ing in the mean time.

[Oblivion 2013 8]

I was thinking about a small pool of e.g. 500 reserved PORTS that can be aquired by uPNP aware applications. But EDDIE would need to clearly make it visible when an application requires and asks for a uPNP port, so people know that a sneaky application won't culprit.

There seems to be newer technology though.

NAT traversal

One solution for NAT traversal, called the Internet Gateway Device Protocol (IGD Protocol), is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerating existing port mappings, and adding or removing port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.

There are numerous compatibility issues due the different interpretations of the very large actually backward compatible IGDv1 and IGDv2 specifications. One of them is the UPnP IGD client integrated with current Microsoft Windows and Xbox systems with certified IGDv2 routers. The compatibility issue still exist since the introduced of the IGDv1 client in Windows XP in 2001, and a IGDv2 router without a workaround that makes router port mapping impossible.[17]

If UPnP is only used to control router port mappings and pinholes, there are alternative, newer much simpler and lightweight protocols such as the PCP and the NAT-PMP, both of which have been standardized as RFCs by the IETF. These alternatives are not yet known to have compatibility issues between different clients and servers, but adoption is still low. For consumer routers, only AVM and the open source router software projects OpenWrt, OPNsense, and pfSense are currently known to support PCP as an alternative to UPnP. These open source router software projects use the MiniUPnPd[18] server, which supports all three protocols.

https://en.wikipedia.org/wiki/Universal_Plug_and_Play

[benfitita 35]

It seems that NAT-PMP is used by Proton. Their support docs indicate it isn’t anywhere as easy to setup as the current AirVPN solution.
https://protonvpn.com/support/port-forwarding-manual-setup/
I can’t imagine how to use this for any kind of a long-lived home server. seems to be mostly useful for BitTorrent or gaming. 

An interesting thing is that they have a separate pool of servers with port forwarding. Not sure how much that helps for reducing bans/blacklisting. 

 

[Stalinium 44]

Quote

Not the usual UPnP/NAT-PMP. Although maybe you'll eventually need it (to solve the port exhaustion problem). The problem with those: users have too little control over them in programs.

That's what I said in 2021, thanks to the user above who found and liked my post 😁

On 7/2/2023 at 4:38 PM, ss11 said:

If you read those, you will see p2p (not possible without port forwarding)

Before I go on, I would like to CLARIFY FOR EVERYONE WHOM IT MAY CONCERN that peer-to-peer communication is possible even WITHOUT port-forwarding. Anybody who is basing their actions and policies by claiming otherwise (lying, deceiving or due to incompetence) is a fool who should look for a new job. I make no statement about the quality of service with vs without it.
 

12 hours ago, Oblivion 2013 said:

I was thinking about a small pool of e.g. 500 reserved PORTS that can be aquired by uPNP aware applications.

I agree with Oblivion's solution the most. While using dynamic ports would slightly degrade persistence, it's a great opt-in for the users who can use automatic dynamic port-forwarding. AirVPN already reserves ~1024 (1024-2048) ports in the non-administrative range for something. However he is right this is a really ugly can of worms to implement and support due to various specifications, their versions and implementation bugs.

I understand the "city idea" of following Mullvad but I believe it is a bad idea. Not only due to load balancing as mentioned above (great point!) but the increased demand of the users to track and understand this. Further, in some cases you want the clients to switch servers... sometimes.

An improvement over the city-clustering would be per-country clustering, which would follow geographical separation pretty closely. Almost nobody from Americas, Europe would want to use Asian servers for port-forwarding, for example. There may be some from NA willing to use Dutch servers, but as far as Europe is concerned, there are always backup choices in geographical proximity. The DNS names already follow all that structure.
This can be refined with cluster-based and/or per-country separation, lets say 4 servers end up in one cluster for load-balancing and get the same DNS address: nl-cluster4.airdns.org. This is even harder to grasp than the per-city definition and eventually as servers are moved and replaced, some clusters will wind up empty and need a reshuffling of servers and users.

If a user is free to choose a port, nothing prevents port-clashing at a global scale (when the user wants to use the same port across clusters) but this could be softened by limiting port choice globally to only 2,3... users at a time and indicating this in the UI. This, again, is ugly.

Multiple Exit IPs is in Air's management hands, only they can comment on viability.

IPv4 vs IPv6 makes absolutely no sense. You can't compare IPv6-only servers, because they are servers vs mostly residential use-cases of a VPN where the overwhelming majority will want dual-stack as an option. Or would you like to have two different ports for IPv4 and IPv6 for the same application? This is what it leads to. How many applications would support divergent ports in a dual-stack config? You can start counting and I'd be surprised if it could not be counted with fingers.
 

5 hours ago, benfitita said:

ProtonVPN ... An interesting thing is that they have a separate pool of servers with port forwarding.

That's because they have a heterogenous infrastructure, whereas Air has equal requirements towards all servers, their locations/providers. I hope you understand what I mean by that beyond Air's legal analysis of each countries' laws for surveillance.