Question on port forwarding

[Indigo35 4]

Greetings,

Does port forwarding on my torrent client reveal any details about my host or expose me in any way?

Thanks.

[Staff 9770]

Greetings,

Does port forwarding on my torrent client reveal any details about my host or expose me in any way?

Thanks.

Hello!

No, it does not.

Make sure NOT to forward on your router the same ports that you remotely forwarded, this would not expose your IP but may expose you to correlation attacks from an adversary with the ability to monitor your line.

Kind regards

[iHabanCUeUtj 1]

Does port forwarding on my torrent client reveal any details about my host or expose me in any way?

No, it does not.

It absolutely does.

Your BitTorrent software--depending what sort, what plugins it may have installed, and whether its traffic is being modified by a BitTorrent-specific proxy--is likely to reveal at least the application name and version. This is an inherent part of the BitTorrent protocol. Many trackers refuse connections from clients that do not provide this information, or are perceived to be masquerading as another application. Your BitTorrent software may also deliberately reveal your OS type or other minor details. You may already be aware of all this. If you're not, it's a good thing to be aware of.

Your question implies that the host running the software is behind some sort of hardware firewall or router. If this is the case, and you're not establishing a VPN tunnel from the *router* to AirVPN, then you must be running the software on a machine behind the router. That seems to be most usual. If that's the case, you're bypassing your router entirely and establishing a link directly between AirVPN and your machine behind the router. That being the case, ports forwarded to you by AirVPN are relatively close to a direct link to the Internet, AirVPN being your second ISP on top of the first.

In this case, which is again most usual, any sufficiently advanced fingerprinting software observing traffic between the AirVPN exit node and whatever IP-addressable machines your BitTorrent software contacts may be able to determine not only information about the software, but also some details about the operating system, such as which operating system it is and how long it's been running.

Assuming no one is able to view the traffic between the AirVPN exit node and any hosts you may be talking to, less-stealthy fingerprinting software can actively probe any ports you have forwarded from AirVPN to your machine running VPN software. And, in the case of running BitTorrent software, it's implied that you might occasionally be exchanging data involuntarily with machines run by people such as BayTSP. Yes, even if you use BitTorrent blocklists--they're not perfect.

Now, how alarming is all this?

Probably not very. Presumably your machine is not the only one on your node running--this is purely an example--Transmission 2.72 on OSX 10.8. Even if a few more details are available, such as your OS' uptime, *most* people will only ever see "a machine connecting from AirVPN's exit node Whatever at this time running Some OS and This BitTorrent Software" plus whatever data this relatively anonymous BitTorrent client is handling.

For most purposes, this is probably good enough, especially if you're just downloading Linux Mint 14 or the latest patch to World of Warcraft and don't like the idea of people spying on you, and that's what I'm assuming. If you're selling state secrets or trying to protect yourself from high-level corporate espionage, I would consider a more industrial-grade setup.

[Indigo35 4]

Wow.

Thank you for such an elaborate reply.

How do I know if I am not establishing a VPN from the router to AirVPN, or bypassing my router entirely?

Much thanks.

[Indigo35 4]

Also, I don't understand exit node.

Could you explain this to me?

How does my machine fit into the schema of an exit node of your VPN?

I find this interesting!

[Staff 9770]

Does port forwarding on my torrent client reveal any details about my host or expose me in any way?

No, it does not.

Your question implies that the host running the software is behind some sort of hardware firewall or router. If this is the case, and you're not establishing a VPN tunnel from the *router* to AirVPN, then you must be running the software on a machine behind the router. That seems to be most usual. If that's the case, you're bypassing your router entirely and establishing a link directly between AirVPN and your machine behind the router. That being the case, ports forwarded to you by AirVPN are relatively close to a direct link to the Internet, AirVPN being your second ISP on top of the first.

Hello!

Just some additional notes on your good considerations. You have to take into account that the client host connects to an IP address (entry-IP) which is not the Air exit node IP address. Additionally, if the torrent client had the intention to send out the IP address of the card it's bound, it would send out the VPN IP.

It is assumed that the torrent client is not connecting over any proxy and is not forced (for example with ForceBindIP or similar code injectors) to bind to the physical network card of the client host, which would result in tunnel (routing table/gateway) bypassing.

Assuming no one is able to view the traffic between the AirVPN exit node and any hosts you may be talking to, less-stealthy fingerprinting software can actively probe any ports you have forwarded from AirVPN to your machine running VPN software. And, in the case of running BitTorrent software, it's implied that you might occasionally be exchanging data involuntarily with machines run by people such as BayTSP. Yes, even if you use BitTorrent blocklists--they're not perfect.

Not very alarming, as you already said. To make it even less alarming, consider also that, in this case, an entity like that would see exit-IP and port of the Air exit node, not the IP the OpenVPN client of the customer is connecting to in order to establish the connection to one of our servers (in all the Air servers, the connecting IP does not match the exit-IP).

However, a more sinister scenario is possible, but only if the customer had the same port both remotely forwarded AND open on its router. In that case an entity with the ability to monitor the customer line can send packets both to the real IP address and to the exit-IP address of the VPN (toward the same port) to establish a sure correlation between the p2p activity detected on the VPN exit-node and on the customer host running the p2p client with a relatively low error margin (probably not valid as a legal proof anyway). For this reason we recommend not to open the same remotely forwarded ports on the routers' customers.

Kind regards

[Indigo35 4]

I didn't map/port forward on my router.

The only thing I did was use your web interface to forward a port, it gave me a random number, and I plugged that into my torrent client.

Not that I'm actually using my torrent client, but it's good to know how to do it.

[iHabanCUeUtj 1]

How do I know if I am not establishing a VPN from the router to AirVPN, or bypassing my router entirely?

Well, that's relatively easy. If you downloaded the VPN client software that AirVPN provide, and you're using that, then you're bypassing your router. If you downloaded some other client--or perhaps have one that comes with your operating system--and you fed that the data from the nice little Zip archives AirVPN generate for you ("Member Area" -> "Access without our client"), then you're bypassing your router.

If you remember configuring your *router* with all the details it would need to establish VPN tunnels to AirVPN, such as your uniquely-generated encryption key and signing request and other details--that's all available in the Zip archive I just mentioned--then your router is handling all the legwork, and it's filtering traffic between you and AirVPN's network.

Again, this is probably not alarming. You have to place a certain amount of trust in AirVPN to use their services in the first place, and you're also not accessing the Internet directly, as you do with most ISPs. To get details on how AirVPN handles your traffic once it gets to their network, you may want to read up on network address translation at Wikipedia.

If you don't want to read up on it, think of network address translation as being something like one-way glass. Under ideal circumstances, AirVPN's service is placing requests on your behalf and returning the data to you. You can "see" the Internet--initiate requests to web servers or whichever as normal--but no one can "see" back through AirVPN's exit nodes without performing a lot of very complicated traffic analysis, and probably not even then.

To refer back to your original question, port forwarding is a means of notifying AirVPN's servers that traffic arriving on a specially designated port (TCP or UDP ports in this case) should be passed directly to you without doing anything more than inspecting it to see where it's going. Security-wise, it's cutting a tiny hole in that one-way glass that can be used to infer a small amount of information about the machine on the other side.

[iHabanCUeUtj 1]

How does my machine fit into the schema of an exit node of your VPN?

It's not my VPN service. Now you're trusting AirVPN and a third-party stranger to handle your security.

I'm using "node" in its very general sense, so in a computer networking context, just "a point or or place or thing in a network". This next bit could be complicated. You may want to skip to the ending summary, then scroll back and read the rest. Up to you.

This would be easier with a couple diagrams, so I'll try to keep it simple. Your VPN client--a router running VPN software, or a desktop or laptop or smartphone or what have you--establishes a VPN session with some entrance node operated by AirVPN. This is simply some kind of server running the server portion of the OpenVPN software, or something else compatible. Once your machine and AirVPN's machine finish agreeing on what encryption and other security features to use, they also agree on a point-to-point IP network.

Digression: It's a good idea to have some basic knowledge of the various networking layers used in commodity networks. For all its failings, you may want to look up the OSI networking model. In greatly abridged form, Layer 1 is your physical media: on your personal network, most likely a UTP ("Ethernet"--but not really) patch cable or a wireless signal. Layer 2 is almost certainly either wired or wireless Ethernet in your case. (IEEE standards 802.3 or 802.11, if you want to look those up.) For you, Layer 3 is almost certainly Internet Protocol Version 4, but possibly IPv6.

Layer 7--I said the OSI model is broken--is almost always Transmission Control Protocol or User Datagram Protocol. You can read several textbooks on those, or you can consult Wikipedia for good summaries.

Back to the VPN session: you're using your Layers 3 and 7 protocols to speak with AirVPN. When all the handshaking is done and a VPN tunnel established, you start a new Layer 3 (definitely, absolutely IPv4) session directly with AirVPN. The entrance node, which is handling the actual VPN session, facilitates it, and your information traverses AirVPN's internal network. To be clear, the rest of their network is not part of the VPN. The VPN is an entrance to their network.

I don't know how their internal communications are routed; I just trust that it works. You can ask for details, but they're probably a little shy about those, on either or both security or trade secret grounds.

Eventually, your traffic gets to an exit node. It's exactly what it sounds like: your traffic is leaving AirVPN's network and services, where it can pass through various routers and switches and what have you to get to a web server, or an FTP server, or a VoIP server, or whatever kind of server. In a very trivial VPN setup, the entrance and exit node could be the same machine, but we have AirVPN's assurance that they're not, to obfuscate your data and protect your identity.

So, in summary: you establish a VPN session with a machine that acts as an entrance to AirVPN's network. Hopefully, your traffic passes through one or two more machines** in a different (geographic) location, to make it difficult to establish whose traffic originated where. At some point, your traffic reaches an exit node and leaves AirVPN's network, where it gets out to the rest of the Internet. Eventually, any data you requested is returned to AirVPN's exit node, where they use magic (see network address translation in my earlier post) to figure out who requested it, and then it's passed back through their network, where it ends up at your VPN entrance node, and is passed back to you.

This is pretty much how your first-stage ISP works, by the way--they simply don't do the encryption, and most of them don't perform network address translation. Any of the big ones do own a good portion of the Internet's infrastructure, so your data generally gets handed around by two or three (or more) of their big routers before it moves on to a network operated by someone else.

** Being in different geographic locations, these points in AirVPN's network are probably connected by their own VPN tunnels.

[Indigo35 4]

Thank you!

Much appreciated!

[Staff 9770]

Eventually, your traffic gets to an exit node. It's exactly what it sounds like: your traffic is leaving AirVPN's network and services, where it can pass through various routers and switches and what have you to get to a web server, or an FTP server, or a VoIP server, or whatever kind of server. In a very trivial VPN setup, the entrance and exit node could be the same machine, but we have AirVPN's assurance that they're not, to obfuscate your data and protect your identity.

Hello!

Wait, this admin apologizes for any misunderstanding: the entrance and exit IP addresses are different, not necessarily the physical machine. Multi-hopping with servers belonging to the same entity does not really add any significant security (if you can't afford to trust the VPN operators) so if you need multi-hopping we recommend Air over TOR or VPN over VPN etc. Sorry if there was any misunderstanding on that.

Kind regards

[Indigo35 4]

What would multi-hopping be used for?

I've used the TOR browser bundle, and [browsing] is painfully slow.

A trade off?

[iHabanCUeUtj 1]

Wait, this admin apologizes for any misunderstanding: the entrance and exit IP addresses are different, not necessarily the physical machine. Multi-hopping with servers belonging to the same entity does not really add any significant security (if you can't afford to trust the VPN operators) so if you need multi-hopping we recommend Air over TOR or VPN over VPN etc. Sorry if there was any misunderstanding on that.

Thanks for clearing that up. Honestly, I didn't think the entrance and exit nodes were different machines, and I was wondering about that.

However, there *are* very good reasons to add at least one extra leg to the route. Since this is a semi-public forum, I'd rather not go into details that might give certain sorts of busybodies any ideas. They've demonstrated rather majestic technological illiteracy in the past, and I'd rather not subtract from it.

[Indigo35 4]

Wait.

I'm confused.

And I don't mean to be paranoid, but I hope you weren't referring to me with the majestic technological illiteracy. I'm trying my best to learn, which is more than some.

I'd like to know why I'd need an extra leg/hop (using TOR) for privacy?

I thought a well-configured VPN was sufficient?

#facepalm

[skxBMrYsxlli 9]

And I don't mean to be paranoid, but I hope you weren't referring to me with the majestic technological illiteracy.

Not at all. I apologize, since it must have appeared that way. I was referring very generally to a few classes of third parties who would love to be able to find a flaw in a VPN setup and see right through it. If you're using BitTorrent and a VPN service, and you're not just using it to download World of Warcraft patches and Linux distributions after all, you should be able to guess at a few names.

I'm trying my best to learn, which is more than some.

More than most, in fact.

I'd like to know why I'd need an extra leg/hop (using TOR) for privacy?

I wasn't referring to Tor, actually. I was referring to the desirability of putting at least one extra router between yourself and a VPN exit. Without getting into specifics, it's best practice for making sure the path between entrance and exit is sufficiently obscured. Done right, it more or less ensures that you're lost in the crowd.

The admin was saying that AirVPN provides single VPN nodes for you that don't talk to each other. So: you and I and a lot of other people all exchange traffic with one host over an encrypted tunnel so no one can tell who's saying what by the time our traffic exits back onto the Internet, where it's not encrypted any more.

Ideally, we'd pass through randomly chosen nodes in a private network before exiting back onto the Internet. While this does sacrifice some speed, and increases latency, it ensures that trying to reconstruct traffic flows is (ideally) impossible. If you've looked into the details of using Tor, you may know that Tor establishes three-hop routes in all cases. If the Tor node you operate can't find a complete three-hop route back out of the Tor network, your traffic is not passed along. It's less than ideal if you really wanted to get somewhere, but it's *very* ideal for security.

Tor has other problems that make speed a hard problem to solve, but the explanation is a long one. The very short version is that Tor would be faster if all the nodes were paid for.

I thought a well-configured VPN was sufficient?

It should be. The admin and I were exchanging hypothetical situations. Not attacks against AirVPN's security or anonymity that would be impossible, but the kind that are--presently--unlikely.

All security is applied risk management.