Jump to content
Not connected, Your IP: 3.147.28.111
randomairuser

Question regarding AirVPN's "Your IP"

Recommended Posts

Hello fellow AirVPN users. Today I am writing to discuss a long standing gripe with mine. Now currently I am a PIA user and have been for some time. I have been studying the AirVPN service for some time and had the pleasure in being able to test their service, client and everything in between (including these forums).

 

However, there has always been one major gripe with this service, and that is the "Your IP" field when viewing the client area. For reference here is a redacted image:

 

http://i.imgur.com/JaBsonf.png

 

Now, I understand that a VPN provider may happen to know a users real IP address when connecting. However, PIA does not display a users IP address, anywhere, for any reason, ever. It is simply not possible to get any single IP in the same way you can from AirVPN.

 

The reason this concerns me is because this IP address must be stored somewhere, somehow. I've taken a look through the eddie source code and spent many hours trying to figure how they are storing our IP. I found a http request to a web server which returns an XML based response with our real IP, however, it is not obvious how this is then sent to the AirVPN website, as I have yet to be able to spoof the IP displayed on that page from the client software.

 

I would like to understand why a VPN provider feels the necessity to display our real IP address on their website, I mean, it doesn't do anything apart from potentially reduce security; If a user wants to know their real IP address they are more than capable of finding out without this website telling them. 

 

To be honest, it's the only thing holding me back from ditching PIA and using AirVPN full time. This service exposes a lot of information that PIA simply does not, from a users real IP, to server statistics and information regarding a users connection (bandwidth, connected since).

 

This surely puts a strain on the backend of this website? If there so happened to be a breach then all our real IP's are taken from the database and the point of using a VPN is nullified.

 

Full disclosure: I understand that in order for this post to be visible the staff must approve it, hopefully they will do so as I feel the answers can be beneficial to the community.

 

Thank you for reading.

Share this post


Link to post

To be honest, I asked this question myself several times during the first days of using AirVPN, and it took me some

time to understand how the Staff adresses potential security issues.

Most of common vulnerabilities are fixed within hours, and usually they will write a public disclosure regarding any

potential breach that can threaten users security and/or privacy.

 

On top of that, I wanted a provider that doesn't use a single shared VPS on it's entire network, because of the

inevitable risk of the hosting provider being able to see anything in the guest OS, from traffic and, but not limited

to, live memory images.

I want to believe that AirVPN applies full disk encryption on their servers as an additional layer.

Any provider that fails to do so, exposes the user to all potential risks from malicious datacenter employees, to

classic hypervisor attacks like the recent Venom.

PIA uses Vultr.com, which are all based on shared memory QEMU images on their German nodes. So now in case

of any breach of the underlying infrastructure, all the IP addresses and even more, could be exposed.

 

Second, I wanted to see the "real" terms of service and not another marketing "No logs" buzzwords.

A simple look at this page:

 

BREACH
PrivateInternetAccess.com abides by a ZERO TOLERANCE policy relating to any activity which breaches or violates our terms and conditions.

Along with the ZERO TOLERANCE policy, Clients who materially breach the terms and conditions will have their account removed without any refund. Additionally, Client understands that PrivateInternetAccess.com expressly reserves the right to hold the Client or any third-party using the service on Client’s behalf responsible for any and all financial damages and losses which may be incurred arising out of said breach or breaches, including, but not limited to attorneys fees, fees for expert witnesses, court costs, and other charges.

 

 

would tell you that the company logs all activities, and is taking actions against it's users.

There is a difference between applying packet rate limits globally, and putting something like

this in the AUP.  Sadly, many providers do that, even ones that have a 300x300 "No logs" banners.

 

 

If you are using Tor>VPN such as I do sometimes, or chaining 2 VPN servers one after another, I see

this feature as actually useful, to see what IP the end (exit) server sees, and most of the times it will

be the first Air's server or Tor. You cannot verify your setup properly with providers that don't show

you this data.

 

The only point of failure here is a breach of the Forum CMS or one of the servers directly. But assuming

you are not exposing your real identity here in another ways (judging by your username - you don't), in

case of such breach the attacker will see 4842 connected users, without being able to determine who

is who. I am sure that using U.S. based company regulates them to do stuff you were not aware of, even

if you don't see it in your provider's client area.

 

Regards


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Thank you for your reply zhang888. I am not sure why this post is currently located in the "reviews" section, I am pretty sure I posted this originally in the "general discussion" where it's more likely to get debate about this issue. If a staff member reads this please move this topic to that forum, thank you.

 

As for your points, they are interesting and enlightening. However, it still does not answer the question of "why" they decide to show our real IP address. My biggest concern is that it prevents account sharing of any description. With PIA I can happily share it with friends or family and they also provide up to 5 connections at once (vs 3 on AirVPN), and there is no way to know who is using the VPN at any given time. 

 

The security of the VPN is hampered simply by the fact this information is displayed and there is no way (that I have discovered) of knowing how it is being stored. All I know is how the request is being made (from Eddie). 

Share this post


Link to post

Respectfully, nothing in that quoted text actually says they log anything, and nothing in that requires them to. There is a big difference between saying "If you set my home on fire I will call the police." and saying "You are not permitted to set my home on fire."...

 

If you fail to understand this, then perhaps you should not make bold claims about VPNs based upon information that is clearly extrapolated from a quote that says nothing of the sort.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

Respectfully, nothing in that quoted text actually says they log anything, and nothing in that requires them to. There is a big difference between saying "If you set my home on fire I will call the police." and saying "You are not permitted to set my home on fire."...

 

If you fail to understand this, then perhaps you should not make bold claims about VPNs based upon information that is clearly extrapolated from a quote that says nothing of the sort.

 

I did not understand your example as it has nothing to do with the topic.

A more realistic example would be "I don't collect information about you, but if you set fire in the house, I will punish you".

 

Please explain how a VPN provider is technically able to remove a user account that violated some made-up policies without logging.

I will happily continue this discussion if you can provide an answer.

 

Regards,


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

 

Respectfully, nothing in that quoted text actually says they log anything, and nothing in that requires them to. There is a big difference between saying "If you set my home on fire I will call the police." and saying "You are not permitted to set my home on fire."...

 

If you fail to understand this, then perhaps you should not make bold claims about VPNs based upon information that is clearly extrapolated from a quote that says nothing of the sort.

I did not understand your example as it has nothing to do with the topic.

A more realistic example would be "I don't collect information about you, but if you set fire in the house, I will punish you".

 

Please explain how a VPN provider is technically able to remove a user account that violated some made-up policies without logging.

I will happily continue this discussion if you can provide an answer.

 

Regards,

Who says logging is required to block a user that violates a policy? And have you even heard of this policy being enforced in the first place? They pretty much have to say that, but since they do not log, their hands are tied with regards to enforcement. The same is true of AirVPN.

 

And yeah, my example was terrible. I will get some Coffee and see if I can think of a better metaphore. Thank you for not biting my head off.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

Who, what, when, where are all lost once the VPN session is over if there is indeed no logging.  However, real-time monitoring occurs in every VPN network, no doubt.  No reputable VPN company wants their IPs to be involved in heinous things such as child porn.

Share this post


Link to post

The wording of their TOS really make it sound like they're logging. I have no idea if they are or not and can't comment on that. Its just phrased is really really badly.

 

But if they're seriously using VPS's they've already failed. -poorly written tos or not.

Share this post


Link to post

Well it would be nice if a staff member of Airvpn would comment on this, only to clarify the matter. Otherwise it will forever stay a discussion based on assumption and guesses.

Share this post


Link to post

Re VPS usage, PIA staff have commented that all their servers are bare metal. I can't explain why the previous commentor has evidence to the contrary.

 

https://www.privateinternetaccess.com/forum/discussion/comment/27828/

 

Don't believe anything you read on the internet, especially if it's said by a person that is affiliated with the question.

You have to read the comments of "ibeamcoy" on the thread you posted, he seems to know what he is talking about.

Btw it seems that the PIA Staff are closely monitoring this thread and they chose to stop using Vultr (VPS) after my small

example and replaced it with Leaseweb.

 

But you can't hide it from Google

http://www.merproject.org/logs/%23sailfishos-porters/%23sailfishos-porters.2015-04-19.log.html

108.61.0.0/8 is Vultr.com Germany, now they moved it to Leaseweb

 

;; ANSWER SECTION:

germany.privateinternetaccess.com. 300 IN A    178.162.199.90

germany.privateinternetaccess.com. 300 IN A    178.162.199.95

germany.privateinternetaccess.com. 300 IN A    178.162.205.30

germany.privateinternetaccess.com. 300 IN A    178.162.211.215

 

 

Still, many other nodes are using Vultr, and no, those ranges are not shared between VPS and dedicated servers.

Vultr's parent company do have other ranges, but the netnames are totally different. Vultr's ranges are Low-end-box

kind of service, where you can still pay for a 32GB box, but it will still be a VPS.

The dedicated servers are all maintained by Choopa LLC directly.

 

Here is Vultr London:

 

;; ANSWER SECTION:

uk-london.privateinternetaccess.com. 102 IN A    104.238.169.18

uk-london.privateinternetaccess.com. 102 IN A    104.238.169.103

uk-london.privateinternetaccess.com. 102 IN A    104.238.169.106

uk-london.privateinternetaccess.com. 102 IN A    104.238.169.112

 

And many others.

 

In Sweden they use Xen VPSes from Webexxpurts (Shoutout @bd, a great admin and guy):

 

;; ANSWER SECTION:

sweden.privateinternetaccess.com. 300 IN A    5.157.38.2

sweden.privateinternetaccess.com. 300 IN A    91.108.183.186

sweden.privateinternetaccess.com. 300 IN A    185.3.135.42

sweden.privateinternetaccess.com. 300 IN A    5.153.234.82

 

Should I continue?

 

Fair disclosure:

I have nothing against any provider, everyone seem to aim for a different kind of audience and has a different mission.

I do believe though, that once you test the actual infrastructure of any given provider, and the ToS of the underlying DCs,

you can then choose if this particular VPN provider shares the same best practices that you do, in case you have any.

Here is why I believe that AirVPN will not compromise on transparency, and will not put a shared 1Gbit port on some VPS

provider to boast about the alleged ~4TBp/s. That's all.

Now if they lie to you about the bandwidth, why should you trust them with your logs? Just a thought.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

 

Re VPS usage, PIA staff have commented that all their servers are bare metal. I can't explain why the previous commentor has evidence to the contrary.

 

https://www.privateinternetaccess.com/forum/discussion/comment/27828/

 

Don't believe anything you read on the internet, especially if it's said by a person that is affiliated with the question.

You have to read the comments of "ibeamcoy" on the thread you posted, he seems to know what he is talking about.

Btw it seems that the PIA Staff are closely monitoring this thread and they chose to stop using Vultr (VPS) after my small

example and replaced it with Leaseweb.

 

But you can't hide it from Google

http://www.merproject.org/logs/%23sailfishos-porters/%23sailfishos-porters.2015-04-19.log.html

108.61.0.0/8 is Vultr.com Germany, now they moved it to Leaseweb

 

;; ANSWER SECTION:

germany.privateinternetaccess.com. 300 IN A    178.162.199.90

germany.privateinternetaccess.com. 300 IN A    178.162.199.95

germany.privateinternetaccess.com. 300 IN A    178.162.205.30

germany.privateinternetaccess.com. 300 IN A    178.162.211.215

 

 

Still, many other nodes are using Vultr, and no, those ranges are not shared between VPS and dedicated servers.

Vultr's parent company do have other ranges, but the netnames are totally different. Vultr's ranges are Low-end-box

kind of service, where you can still pay for a 32GB box, but it will still be a VPS.

The dedicated servers are all maintained by Choopa LLC directly.

 

Here is Vultr London:

 

;; ANSWER SECTION:

uk-london.privateinternetaccess.com. 102 IN A    104.238.169.18

uk-london.privateinternetaccess.com. 102 IN A    104.238.169.103

uk-london.privateinternetaccess.com. 102 IN A    104.238.169.106

uk-london.privateinternetaccess.com. 102 IN A    104.238.169.112

 

And many others.

 

In Sweden they use Xen VPSes from Webexxpurts (Shoutout @bd, a great admin and guy):

 

;; ANSWER SECTION:

sweden.privateinternetaccess.com. 300 IN A    5.157.38.2

sweden.privateinternetaccess.com. 300 IN A    91.108.183.186

sweden.privateinternetaccess.com. 300 IN A    185.3.135.42

sweden.privateinternetaccess.com. 300 IN A    5.153.234.82

 

Should I continue?

 

Fair disclosure:

I have nothing against any provider, everyone seem to aim for a different kind of audience and has a different mission.

I do believe though, that once you test the actual infrastructure of any given provider, and the ToS of the underlying DCs,

you can then choose if this particular VPN provider shares the same best practices that you do, in case you have any.

Here is why I believe that AirVPN will not compromise on transparency, and will not put a shared 1Gbit port on some VPS

provider to boast about the alleged ~4TBp/s. That's all.

Now if they lie to you about the bandwidth, why should you trust them with your logs? Just a thought.

Are you sure you put the right link in? Clearly you can hide it from anyone who reads it, and Google too. Not one single IP you speak of here is in that link. (Yes, I checked thoroughly.) The link seems to be an IRC log of a discussion of coding. Nothing at all about networking unless I missed something.

 

And what makes you say "PIA Staff are closely monitoring this thread"? I use PIA, but I am certainly not staff. I am just a loudmouth on the Internet.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

@zhang888,

 

check out http://bgp.he.net/AS20473#_prefixes and look for london trust media.  those are PIA servers in choopa London.  vultr is indeed in the description for other IP ranges.

 

http://bgp.he.net/AS60485#_prefixes and http://bgp.he.net/AS57858#_prefixes Seems there are different AS for some of the IPs to which sweden resolves.  185.3.135.x are still shown in AS57858 in Estonia, description netroute.  Could that be an error?  The 5.157.38.0/24 range does say virtual in description

 

To propose that PIA moved in 1 day their servers to Leaseweb's datacenter in Germany just because of this thread is silly.

Share this post


Link to post

Thank you for your reply zhang888. I am not sure why this post is currently located in the "reviews" section, I am pretty sure I posted this originally in the "general discussion" where it's more likely to get debate about this issue. If a staff member reads this please move this topic to that forum, thank you.

 

 

Hello!

 

Yes, you posted it in "General & Suggestions" and we moved it here to "Reviews", a more appropriate location since it compares AirVPN with PIA. It is more likely that it gets higher visibility here, not there, and you can see that actually the debate has become hot. We like and we reserve the right to move any thread in any forum section to make the forum more readable.

 

At same time, we are pleased to see that this forum has become an attractive place for several PIA customers. Interestingly, this thread is showing some important information that PIA customers might like to consider carefully.

 

 

As for your points, they are interesting and enlightening. However, it still does not answer the question of "why" they decide to show our real IP address.

 

We show it because we have it. It's a matter of transparency.

 

It is not logged: it is showed in real time and stays in RAM until the client disconnects.

 

Note that contrarily to some of our competitors, we don't keep keys, user data etc. on the VPN servers. All the data are kept in backend servers which never communicates directly with clients, frontends or VPN servers. However, it is obvious that the VPN server knows the IP address a client connection is coming from: how would it communicate with the client otherwise? This is how the Internet works.

 

Additionally, you can hide your real IP address to our VPN servers, by connecting OpenVPN over a proxy (even Tor). And our client Eddie implements all of these options. It is the only free and open source VPN software that allows with a click a connection of OpenVPN over Tor even in OS X and Linux, with no requirements for any additional setup (except running Tor, of course), Virtual Machine etc. Not only these features are not implemented in our competitors software, but in most cases our competitors software, including PIA software, is closed source.

 

Hiding to the user data (that any VPN service has) could be a trick to attract less technically skilled persons, or even gullible people. It can be a marketing strategy. We don't like it and it is not compliant with our mission. https://airvpn.org/mission

 

With PIA I can happily share it with friends or family and they also provide up to 5 connections at once (vs 3 on AirVPN), and there is no way to know who is using the VPN at any given time.

 

If you share the connection with people you blindly trust, your concern is deeply illogical. But from your words it seems that you share your account with people you don't completely trust.

 

In this case, with AirVPN you can share your account with other people and keep control of your account: you just need to provide keys and certificates to the other persons, and keep your password for yourself. Inviolability of your Data Channel encryption is guaranteed by Diffie-Hellman exchange. In this way other people can connect to VPN servers but can't access your user control panel, can't change the password to gain total control of your panel etc. If they occupy all of your slots, you can even force a disconnection to free the slots. They can't forward ports, only you can, so that you can keep under control the most dangerous situations (example: an illegal web site "hosted" behind a VPN server). This is not possible with PIA and this is important with our service, because we have implemented a dynamic remote port forwarding system (with DDNS if you need it) which is "light-years ahead" than PIA system.

 

Anyway, it is important to underline that the account holder will be held responsible for any action of anyone using that account (assuming that PIA ToS allows this practice).

 

Note: As of 2017 AirVPN now supports 5 connections per account. But this has NOT changed our commitment to minimum allocated bandwidth.

 

About 5 connections instead of 3, this is also a consequence of our commitment to minimum allocated bandwidth, which PIA does not provide. When you provide a "best effort" service without any warranty on bandwidth allocation per client, things change radically. Since AirVPN birth we have never used VPS for our VPN servers. We have dedicated servers with redundant uplink ports and bandwidth (with the exception of Hong Kong, where we were forced to accept a sufficient compromise) and PoP with tier 1-2 transit providers. Compare our servers status page with any competitor servers status page https://airvpn.org/status/ Click on the servers name to access plenty of data about them.

 

 

The security of the VPN is hampered simply by the fact this information is displayed and there is no way (that I have discovered) of knowing how it is being stored. All I know is how the request is being made (from Eddie).

 

Please define properly and technically how "the security of the VPN" can be harmed by this: the point of hiding data that are anyway there, during the whole duration of a client session, is nonsensical.

 

The client just shows you the information that the VPN server has got and which it already communicates with (incidentally, very useful for other purposes); the frontend does the same. On top of that, we remind you once again that our client Eddie is free and open source, that it is totally optional to use it, and that, contrarily to the setup of most our competitors, entry-IP address and exit-IP address of VPN servers are different.

 

Kind regards

Share this post


Link to post

One point about the client area showing the client's real IP that must be made is in relation to tor.  If the user wants to make sure that Air does NOT see his/her real IP it's VERY nice to have that client area page so that the user can confirm that Air sees a tor IP.

 

Related to that, if a user connects with SSH or SSL tunnel (which PIA does not have) there is no IP address shown on the client area page.  I assume this is because the VPN server sees the connection coming from another Air IP but staff will have to correct me if I'm wrong.

Share this post


Link to post

One point about the client area showing the client's real IP that must be made is in relation to tor.  If the user wants to make sure that Air does NOT see his/her real IP it's VERY nice to have that client area page so that the user can confirm that Air sees a tor IP.

 

Related to that, if a user connects with SSH or SSL tunnel (which PIA does not have) there is no IP address shown on the client area page.  I assume this is because the VPN server sees the connection coming from another Air IP but staff will have to correct me if I'm wrong.

 

Hello!

 

That's correct, in that case the OpenVPN daemon sees the connection from the local stunnel or sshd.

 

Kind regards

Share this post


Link to post

Are you sure you put the right link in? Clearly you can hide it from anyone who reads it, and Google too. Not one single IP you speak of here is in that link. (Yes, I checked thoroughly.) The link seems to be an IRC log of a discussion of coding. Nothing at all about networking unless I missed something.

 

And what makes you say "PIA Staff are closely monitoring this thread"? I use PIA, but I am certainly not staff. I am just a loudmouth on the Internet.

 

 

*** egrep <egrep!~egrepnix@gateway/vpn/privateinternetaccess/egrepnix> has quit IRC (Ping timeout: 256 seconds) 04:01 *** egrepnix <egrepnix!~egrepnix@108.61.68.155> has joined #sailfishos-porters 04:02 *** egrepnix is now known as egrep 04:02

*** egrep <egrep!~egrepnix@108.61.68.155> has quit IRC (Quit: Brb... switching to wired interwebs.)

 

 

108.61.68.155 - Vultr, the VPS provider from my above.

 

If you want to trust a provider that relies on managed infrastructure of other small companies, this is totally your choice.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

 

Are you sure you put the right link in? Clearly you can hide it from anyone who reads it, and Google too. Not one single IP you speak of here is in that link. (Yes, I checked thoroughly.) The link seems to be an IRC log of a discussion of coding. Nothing at all about networking unless I missed something.

 

And what makes you say "PIA Staff are closely monitoring this thread"? I use PIA, but I am certainly not staff. I am just a loudmouth on the Internet.

 

 

*** egrep <egrep!~egrepnix@gateway/vpn/privateinternetaccess/egrepnix> has quit IRC (Ping timeout: 256 seconds) 04:01 *** egrepnix <egrepnix!~egrepnix@108.61.68.155> has joined #sailfishos-porters 04:02 *** egrepnix is now known as egrep 04:02

*** egrep <egrep!~egrepnix@108.61.68.155> has quit IRC (Quit: Brb... switching to wired interwebs.)

 

 

108.61.68.155 - Vultr, the VPS provider from my above.

 

If you want to trust a provider that relies on managed infrastructure of other small companies, this is totally your choice.

 

That IP is in the range 108.61.64.0/19 the description of which is Choopa, LLC, not vultr http://bgp.he.net/AS20473#_prefixes

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...