43 comments

[ 1.9 ms ] story [ 86.1 ms ] thread
Title: AzireVPN added port-forwarding support

A potential option for Mullvad refugees?

Why are there Mullvad refugees?
Here's the thing. The most likely reason Mullvad got rid of fixed forwarded ports is that it could be used to de-anonymize their users.

TFA seems to offer a solution for that problem with "Experience uncompromising privacy with AzireVPN's Blind Operator! Your port stays confidential as we don't store or log assigned ports in any database. Thanks to our secure Blind Operator backend, your assigned port remains private."

Ultimately you have to take their word that it works as well as described.

No, they got rid of it for security/liability/reputation reasons as port forwarding makes it attractive for botnets.

Port forwarding doesn't assist in deanonymization. Ultimately you either trust your VPN or you don't.

Mullvad had to keep a record of which port maps to which account ID and LE could subpoena that. Mullvad's whole shtick is that even if LE has 100% of the data they have, you won't be deanonymized.
Which is why Mullvad used to not allow auto-billing if you had portforwarding. If you wanted to use portforwarding, which Mullvad had for years, you needed to pay in advance for how much you wanted to use it. They didn’t need to keep any of your information on file, including payment stuff. Just that a particular account is paid up until a certain date. Linking a port to an account ID is possible, but there is nothing that needs to be kept about the owner of an account id either. So even LE can’t really do much with that information.
Port forwarding, or really just having any ports open at all, can definitely be used as part of fingerprinting.
Mullvad, like many VPN's, only gives (gave) you a single port. And you're free to change that port number as often as you like if you want to avoid being fingerprinted.

But fingerprinting isn't deanonymization anyways. And this is stretching the idea of "fingerprinting" in the first place -- a single port number provides the same amount of information as an IP address. With a VPN you can rotate both as often or as little as you like.

Small correction: Mullvad gave you 5 ports per account that you could assign (per VPN server city) to any of your 5 public keys in an arbitrary manner. E.g. 3 for one + 2 for another.
> Ultimately you have to take their word that it works as well as described.

Compared with what other options?

Mullvad does not support port forwarding. You can try to defend it all you want, but if someone needs port forwarding and your alternative does not support port forwarding then you need to find another alternative or your point is moot.

IMO Mullvad is the most technologically advanced VPN provider in the industry. Mullvad decided to get rid of port forwarding entirely (knowing full well the impact it would have on their revenue) instead of trying to implement the special measures that TFA spends two whole paragraphs describing.
Could you point to some info on why Mullvad is the most technologically advanced VPN?
On the home page they have a comparison table with other VPN providers, including Mullvad. One of the comparisons is "Require no Personal Data on sign up" and it's a green checkmark for both themselves and Mullvad. Yet when I click sign up, I get asked for a username, an optional email, and password. To imply this is on the same level as Mullvad, where you're already done when you click sign up, feels a bit disingenuous.
Nah, that’s just semantics at this point.

Mullvad runs the “random user generator” function for you and just gives you a random number. This lets you run that random generator yourself. If you’re concerned about personal information, the final result is the same.

Mullvad makes it so that you can’t even accidentally give them information they don’t need. This leaves it up to your own discretion. I don’t think it’s disingenuous.

>Nah, that’s just semantics at this point.

You talking about the green checkmark?

He's talking about the distinction - anybody concerned with privacy should probably be capable of producing or otherwise finding a random username and password.
I don't think such important data should be left up to the user's discretion by a supposedly privacy-focused company.

If they're okay with allowing users to enter a personal username, email address, and a password that's probably not unique, and if the attitude is "privacy-concerned people should just know xyz" then I have to wonder what other things they apply this attitude to

> Service (A): pick a random username

> Service (B): click 'here' to generate a random username

(A) is claiming to not require any "personal data". (B) is claiming to not require any "personal data".

I'd agree with both A and B's statement. Neither of them are "disingenuous". (B) makes it bulletproof for the stupidest of the stupidest of users. If you use the username "DreadPirateRoberts" across all online services you use. Then act surprised because someone was able to correlate DPR between service X and service Y, It's not service X or Y's fault. You're just a dumbass. Mullvad didn't want to be even remotely in that business. Whether or not their users are bonafide dumbasses or not, they said "fuck it, you morons don't even get to pick your usernames". Which I'm honestly all for. People are stupid and will often and frequently (including the original DPR) get themselves into trouble by being stupid. But I don't see anything that's disingenuous as OP put it about them marking themselves as "don't require personal information"

The comparison table is also just wrong, mullvad does have own servers, and mullvad also has RAM-only servers, and the price is also kind of misleading.

Mullvad is always €5, Azire is only €5 if you pay an entire year upfront.

This would make me not choose them.

Mullvad has both rented and owned, same for RAM or storage. Azire went 100%, I think this is what they're trying to highlight.

However a downside is that they'll be quite limited in reacting quickly and ramping up their network, which may happen if they get a significant inflow of users.

> mullvad also has RAM-only servers

What is that supposed to mean? You could have a rack full of PXE-booting machines - or SAN-based storage and technically be honest calling them “RAM-only”.

Are you being serious?
I tried it myself and I agree with the reply--it's really not a problem. The email is optional and they provide a "smash keyboard" button to enter a random username. If you don't enter an email, that's it; there's no personal information.
(comment deleted)
The most interesting thing to me about this is that apparently they offer an HTTP API for their VPN service. But I haven't been able to find any documentation for it.

Are there any VPN providers that offer an OAuth2 API that would let you set up VPN tunnels on behalf of users?

Why is it important they use OAuth2 specifically?
It's not other than OAuth2 is the de facto standard for doing this sort of thing, for better or for worse.

You could use a different protocol but developers are less likely to integrate with it.

I wish more VPN services offered multihop. I know of Mullvad (no more port forwarding), Perfect Privacy (slow), NordVPN (no port forwarding afaik)

Who else offers multihop+port forwarding?

Another multi-hop would be the open source tinc-vpn [1] software. It performs dynamic mesh routing in user space. The trade-off is that you and/or your friends would need to run each hop. Some hacker groups did this in the past but they would grow their circle of trust too big and didn't last. It worked great for me for decades and routed around numerous internet outages. It's not as performant as Wireguard but I see no reason the lead developer could not integrate it into wg for the tun device.

[1] - https://www.tinc-vpn.org/

It is worth noting that not all implementations of multihop are the same. For example, if multihop is using a dedicated port on the entry node (e.g. connecting to any Mullvad server on port 3438 will give you a multihop through that server to se-sto-wg-001), someone can who observe your traffic to the entry server (e.g., your ISP) can immediately figure out the exit server because entry port<->exit server mapping is public. Double-tunneling (i.e. having a VPN connection inside an outer VPN connection) doesn't have the same problem but reduces MTU.
The mullvad app does multihop in a more secure way than what their help page says for manual wireguard, but it's not documented anywhere else so you have to read the source code of the app. I wish they would make that more clear or add documentation for the more secure way.
IVPN does, which is where I went after Mullvad. Considerably more expensive though.
Tor.

But running Tor inside a VPN or a VPN inside Tor has unique risk profiles you should be aware of.

Mullvad move is cost cutting move .. no technology behind it , You need public IP's to forward and it is expansive