Feature Suggestion | Warnings for VPNs using insecure port forwarding policy #1442

Open
opened 2019-10-29 17:01:54 +00:00 by pilsnerbeer · 0 comments
pilsnerbeer commented 2019-10-29 17:01:54 +00:00 (Migrated from github.com)

Description:

I believe some VPNs described in the privacytools.io recommended VPN list may have insecure implementations of port forwarding and users who want to use the port-forwarding feature should be warned about it.

The problem description:
IVPN, for example, will assign a forwarded port to your account and will not change it until you stop using it for 14 days. This cannot be changed by default. The staff has the port number associated with your account (fact), which potentially ties your network activity down to your person. Quick example: If you're connected to a P2P/torrent network & downloading/uploading using your assigned port, an authority can come over to the VPN provider and ask for the account details of whoever was using the forwarded port at that time and get the account data. This wouldn't be possible knowing just the address itself but since your port is assigned to you and you only (and the provider keeps logs of it), it very easily ties it to you. Another issue is that a user can potentially be tracked by finding out when and if he/she is connected to the VPN by another entity.

IVPN will claim that it doesn't store anything that could be used to identify a customer; however, I believe this isn't quite correct.

![Screenshot_5](https://user-images.githubusercontent.com/36133540/67789533-6e963980-fa74-11e9-87f5-f7c658eaa4c9.png)


Perfect Privacy VPN tackles this issue by deriving three ports from your internal VPN IP.
From the FAQ:

The ports for the default forwarding are always 1XXXX for the first forwarding, 2XXXX for the second and 3XXXX for the third. The XXXX is determined by the last 12 bits of the internal IP address.

Example: Your internal IP is 10.0.203.88. Converting to binary this is 00001010 00000000 11001011 01011000. Converting the last 12 bits 101101011000 to decimal results in 2904. So the forwarded ports will be 12904, 22904 and 32904.

The following bash script for Linux calculates the ports. It expects the internal IPv4 address as the first argument.

```bash
#!/bin/bash
# Calculate the three Perfect Privacy default forwarding ports from the
# internal VPN IPv4 address passed as the first argument. The ports are
# 1XXXX, 2XXXX and 3XXXX, where XXXX is the last 12 bits of the address
# in decimal, zero-padded to four digits.
[[ "$#" -eq 1 ]] || { echo "usage: $0 <internal-ipv4-address>" >&2; exit 1; }

IPv4_ADDR=${1}
IFS='.' read -ra ADDR <<< "$IPv4_ADDR"
[[ "${#ADDR[@]}" -eq 4 ]] || { echo "not a dotted-quad IPv4 address: $IPv4_ADDR" >&2; exit 1; }

# The last 12 bits are the low nibble of the third octet followed by the
# whole fourth octet. Bash integer arithmetic replaces the bc dependency;
# the 10# prefix keeps a zero-padded octet such as 088 from being read as octal.
port_dec=$(printf "%04d" $(( (10#${ADDR[2]} & 0x0F) * 256 + 10#${ADDR[3]} )))
for i in 1 2 3; do
    echo "$i$port_dec"
done
```

These three ports change with every established connection, which makes it much harder for anybody to track an individual and his/her activities.

With an insecure port-forwarding system, anybody can scan the IP and find out who's doing what and correlate the activities across all servers, because some providers (IVPN, for example) assign only one port across the whole platform.

![ports](https://user-images.githubusercontent.com/36133540/67790328-df8a2100-fa75-11e9-9fc4-0a3972944c6f.png)

In the above examples I only used IVPN & Perfect Privacy because I only tried those. I do not have information about other providers at this time.

Sorry if I missed something.
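The linkability argument above, as an added example that is not part of the issue and is not code from IVPN or Perfect Privacy: it models scheme A (one static port bound to the account on every server, as the issue describes IVPN) and scheme B (ports 1XXXX/2XXXX/3XXXX derived from the last 12 bits of a per-connection internal IP, as quoted from the Perfect Privacy FAQ), then runs the only correlation a passive observer can do, grouping sightings by forwarded port, over constructed sightings. All exit IPs, internal IPs, ports and "who" labels below are made up for the example.

```python
"""Linkability of two VPN port-forwarding schemes.

Added example for this issue; not code from the issue author, from IVPN or
from Perfect Privacy. Every sighting below is constructed, not observed.
Scheme A: one static port bound to the account on every server.
Scheme B: ports 1XXXX/2XXXX/3XXXX, XXXX = low 12 bits of the internal IP
assigned for that connection.
"""
import ipaddress
from collections import defaultdict


def derived_ports(internal_ip: str) -> list[int]:
    """Scheme B: XXXX is the low 12 bits of the internal IPv4 address."""
    low12 = int(ipaddress.IPv4Address(internal_ip)) & 0xFFF
    return [n * 10000 + low12 for n in (1, 2, 3)]


def internal_ip_low12(port: int) -> int:
    """Inverse of derived_ports: a scheme-B port still leaks the low 12 bits
    of the internal IP used in that session (XXXX < 4096, so % 10000 is exact)."""
    return port % 10000


# Scheme A, constructed: account-x was assigned 41234 and keeps it across
# servers and days; 45678 belongs to some other account. The 'who' column is
# ground truth for the example only; an observer does not see it.
STATIC_SIGHTINGS = [
    {"day": 1, "exit_ip": "198.51.100.10", "port": 41234, "who": "account-x"},
    {"day": 3, "exit_ip": "203.0.113.7", "port": 41234, "who": "account-x"},
    {"day": 9, "exit_ip": "198.51.100.10", "port": 41234, "who": "account-x"},
    {"day": 2, "exit_ip": "203.0.113.7", "port": 45678, "who": "account-y"},
]

# Scheme B, constructed: person-1 connects on days 1, 3 and 9 and receives a
# different internal IP each time; person-2 receives 10.0.203.88 on day 2,
# after person-1 released it.
DERIVED_SESSIONS = [
    (1, "198.51.100.10", "10.0.203.88", "person-1"),
    (3, "203.0.113.7", "10.0.17.5", "person-1"),
    (9, "198.51.100.10", "10.0.240.200", "person-1"),
    (2, "203.0.113.7", "10.0.203.88", "person-2"),
]


def derived_sightings() -> list[dict]:
    """What an outside observer sees under scheme B: exit IP and the first
    forwarded port of each session (plus the hidden ground-truth label)."""
    return [{"day": d, "exit_ip": e, "port": derived_ports(ip)[0], "who": who}
            for d, e, ip, who in DERIVED_SESSIONS]


def link_by_port(sightings: list[dict]) -> dict[int, tuple[list[str], list[int]]]:
    """Group sightings by forwarded port: port -> (sorted exit IPs, sorted days)."""
    exits = defaultdict(set)
    days = defaultdict(set)
    for s in sightings:
        exits[s["port"]].add(s["exit_ip"])
        days[s["port"]].add(s["day"])
    return {p: (sorted(exits[p]), sorted(days[p])) for p in exits}


def cross_session_links(sightings: list[dict]) -> dict[int, tuple[list[str], list[int]]]:
    """Ports seen on more than one day or more than one exit IP: the only
    handle a passive observer has to tie sessions together without the
    provider's cooperation."""
    return {p: v for p, v in link_by_port(sightings).items()
            if len(v[0]) > 1 or len(v[1]) > 1}


def distinct_people_behind(port: int, sightings: list[dict]) -> int:
    """Ground-truth check using the constructed 'who' label: how many
    different people actually sat behind a given port."""
    return len({s["who"] for s in sightings if s["port"] == port})


if __name__ == "__main__":
    print("scheme A links:", cross_session_links(STATIC_SIGHTINGS))
    print("scheme B links:", cross_session_links(derived_sightings()))
    print("people behind 41234 (A):", distinct_people_behind(41234, STATIC_SIGHTINGS))
    print("people behind 12904 (B):", distinct_people_behind(12904, derived_sightings()))
```

Under scheme A the single port 41234 ties together sightings on two exit servers across nine days, and the ground truth confirms they are one account. Under scheme B person-1's three sessions are never linked, and the one cross-day match (12904) is two different people who were handed the same internal IP at different times, which is exactly why a derived port cannot serve as an identifier. The remaining caveat is what `internal_ip_low12` shows: a scheme-B port still discloses 12 bits of the internal address for that session, so the three ports of one session are trivially related to each other, and the provider, who sees the internal addressing, can still map a port to a client while the session lasts.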

Reference: privacyguides/privacytools.io#1442