VPN users menaced by port forwarding blunder

Virtual Private Network (VPN) protocols have a design flaw that can be potentially exploited by snoops to identify some users' real IP addresses. VPN provider Perfect Privacy, which discovered the security weakness, has dubbed it "port fail", and says it affects VPNs based on the IPSec (Internet Protocol security) or PPTP ( …

  1. Tom Chiverton 1 Silver badge

    Headline says "all" but it seems to actually require specific features that some providers offer.

  2. Ole Juul

    Who would use this attack?

    "If the attacker has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control," the researchers say.

    I suppose this attack would be useful for copyright companies who are just interested in catching whatever they can. It seems to me that an attacker trying to target a single specific person would not find this too useful unless they also knew what commercial VPN their target was using. In any case I sidestep the matter entirely by being the only user with access to my own VPN. That has other disadvantages security wise, but in this case it's a win.

    1. Mark 65

      Re: Who would use this attack?

      Nation state? Just a thought. Maybe spoof a popular website to get the traffic coming your way.

  3. James 51

    Can anyone recommend a good VPN? Preferably one that works across multiple devices on Linux and Windows. Android (or even better, native BB10) support would be a nice bonus.

    1. Ole Juul

      According to Wikipedia OpenVPN works on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows 2000/XP/Vista/7/8. I use it on FreeBSD and Linux. There's not much to running either the client or server - just a very small config file. If you don't want to bother running your own server, or want the added anonymity of being part of a large group, or the luxury of choosing among servers in many different countries, then get a commercial VPN. Most of them support OpenVPN as well as others. Check out the TorrentFreak annual list, but most important, read up very carefully so you understand both what you need and what you get.

    2. Anonymous Coward

      Which VPN?

      @ James 51

      In answer to your question, I've tried most of the VPN offerings over the past two years since Snowden. I narrowed it down to using Private Tunnel and PureVPN. The one that fits the bill for you in terms of covering Linux, Windows, Android and Blackberry is PureVPN.

      I don't know where they stand in relation to this potential vulnerability, I think it may be based on the OpenVPN client but I'm not 100% sure, but as a well established, multi-platform and good quality VPN provider you could choose a lot worse than PureVPN. If you have the need, it also allows you to choose various VPN protocols as well as the ability to even attach a VPN session to a specific application or browser which is a bonus for those that need it.

      1. James 51

        Re: Which VPN?


      2. davemcwish

        Re: Which VPN?

        I did look at others including Private Tunnel before I made my choice. I decided against Private Tunnel (and others) given they are more easily subject to US oversight. I'm not sure which is really the one that provides the most anonymity as they are probably mostly as good/bad as each other. IMHO true anonymity would be not to use the internet at all but failing that, the advice in the ISIS/ISIL/Daesh OPSEC guide is a start.

        1. Danny 14

          Re: Which VPN?

          something with SSTP?

    3. Anonymous Coward

      OpenVPN to Private Internet Access. Offers good speed, choice of servers to flit around. Have home connection at router level, OpenVPN app on phone etc.

    4. kyleandrew

      Keeping Out The Creeps

      Witopia is excellent with small price. They have global coverage, live support. Take a look at Tunnel Bear - it is very user friendly - has a free level.

      VPN is essential to mask your data when in public wifi areas and hotel rooms.

  4. fearnothing

    So from the sounds of it, this isn't a bug with the protocol itself, but a bug with how it's being implemented in specific provider environments with multiple users?

  5. Paul Crawford Silver badge

    Firewall rules

    I don't know if it was specifically intended for this port-forward risk, or just the more general issue of a VPN being dropped due to other software bugs or MITM attempts, but the UK Gov security advice on system deployment has a section on setting the firewall to only allow the VPN range of access. For example, see section 8.7 of this:
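As an added example (not from the thread or from the UK Gov guidance it cites), here is one way to express that "only allow the VPN" firewall policy as an nftables ruleset. The interface names eth0 and tun0, and the VPN server address 203.0.113.10 on UDP 1194 (an RFC 5737 documentation address), are assumptions; the generated text is meant to be reviewed and then loaded with `nft -f FILE`.

```python
"""Generate an nftables 'VPN only' ruleset: the host may talk to the VPN
server over the physical interface and to anything through the tunnel,
and nothing else. Added example, not from the thread or the UK Gov
guidance it cites. Assumed names: physical interface eth0, tunnel tun0,
VPN server 203.0.113.10 (RFC 5737 documentation address) on UDP 1194."""

import ipaddress


def vpn_only_ruleset(phys_if, tun_if, vpn_server, vpn_port, proto="udp"):
    """Return the ruleset as text. Default policy is drop on both hooks, so
    if the tunnel goes down traffic stalls instead of leaking via phys_if."""
    addr = ipaddress.ip_address(vpn_server)      # raises on malformed input
    family = "ip6" if addr.version == 6 else "ip"
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be 'udp' or 'tcp'")
    if not 1 <= int(vpn_port) <= 65535:
        raise ValueError("port out of range")
    lines = [
        "flush ruleset",
        "table inet vpnonly {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",   # replies to our own traffic
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        f'    oifname "{tun_if}" accept',            # everything rides the tunnel
        # the encrypted link itself is the only thing allowed on phys_if...
        f'    oifname "{phys_if}" {family} daddr {addr} {proto} dport {vpn_port} accept',
        # ...plus DHCPv4 lease renewal so the uplink keeps its address
        f'    oifname "{phys_if}" udp sport 68 udp dport 67 accept',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def allowed_on_physical(ruleset, phys_if):
    """Accept rules that apply to the physical interface: a review aid so an
    operator can confirm nothing beyond the VPN link (and DHCP) is open."""
    return [l.strip() for l in ruleset.splitlines()
            if f'oifname "{phys_if}"' in l and l.strip().endswith("accept")]


if __name__ == "__main__":
    print(vpn_only_ruleset("eth0", "tun0", "203.0.113.10", 1194), end="")
```

Because DNS is not allowed out of the physical interface, the VPN client must be configured with the server's IP address rather than a hostname, and name resolution then happens only through the tunnel, which is the point of the policy.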

  6. Anonymous Coward

    Does anyone still use PPTP?

    1. Danny 14

      Sure, why not? It depends on WHAT you are using a VPN for and what you intend getting out of it. Sure, the crypto is weak and can be broken very easily, but for the sake of hiding your IP address a VPN is as good a link from you to your provider as another.

      PPTP is easily cracked but you still need to actually crack it. Unless you have a PC on the same hotspot as the device then how do you plan on getting a PCAP file? Record the internet?

      Whilst PPTP is pretty crap it still has niche applications. If you MUST use PPTP for whatever reason, it might be possible to script a cyclical password changer on VPN disconnect possibly based on an algorithm that you know. Obviously desync issues if you lose track of...... (enough now, use SSTP :) )

  7. kryptylomese

    sshuttle for the win!

    If you are on Linux you can install "sshuttle" which creates a mini VPN without having to install anything at the other end (assuming the other end is Linux also) and does not need escalated privileges at the other end either.

    1. Danny 14

      Re: sshuttle for the win!

      If the other end is Linux just use SSH.

      1. Swarthy

        Re: sshuttle for the win!

        That's actually what SSHuttle is; it relays other services (VNC, etc) through the SSH ports.

      2. Oddb0d

        Re: sshuttle for the win!

        That's basically what sshuttle does, the clue is in the name ;-) It works like ssh port forwarding but without the need to set up the forwarding rules in advance.

        Edit: Swarthy wins.

        1. Danny 14

          Re: sshuttle for the win!

          So why do you need to install something else? Why add bloat? Windows is where you add random software that adds weird rules and software with daemons that do "things".

          1. David Moore

            Re: sshuttle for the win!

            "Why install something else?" is explained quite well here - see the 'theory of operation' section.

            The general gist is that forwarding TCP packets over a TCP session isn't a good idea. Packet loss is needed in order to help define the speed of the connection... in that sort of setup the forwarded session will never experience packet loss - the external 'wrapper' connection will deal with any, making the forwarded connection appear perfect. *this is bad* ;-)

            sshuttle does some clever multiplexing over ssh then disassembles it on the other end, meaning you never do TCP-over-TCP... which is good.

  8. wesgarr

    Best security

    I have also tried almost all of the providers recently. I have found that Slickvpn is the fastest and with their new HYDRA feature, the most secure, imo. I like being able to create multiple hops.

  9. DropBear

    Tried to read the linked explanation and there's a problem because if I did understand it correctly then this is massively brain-dead design. It seems to say that the VPN protects / hides you the user most of the time unless another user asks it to run a port-forwarded server for him - in which case the whole thing flips over and it protects him from you, coincidentally serving your true IP to him. Why on earth should it work that way?!? Why would it do either A <-> X(proxy for A) <-> B or A <-> X(port forward for B) <-> B, considering what it should really do is A <-> X(proxy for A) <-> X(port forward for B) <-> B ?!? Your traffic as a client should never go to / emerge from anywhere other than their end of your tunnel, and it should never seem to originate from anywhere else. Doesn't seem that complicated, really. As a non-VPN-specialist this doesn't make much sense to me, where am I going wrong? Headache -->

  10. Crazy Operations Guy

    The risk with shared systems

    This is the problem with shared systems, they are only as secure as the other people using it. Of course the solution here would be to build out a massive number of tiny VPN servers and only allow a dozen sessions or so through it rather than very large boxes with thousands of sessions. A tuned linux kernel, a couple of libraries, and a VPN daemon would fit in a tiny amount of resources (a single core box with 128 MB of RAM and 8 GB of storage would be more than enough).

  11. Aristotles slow and dimwitted horse

    Re VPN

    I trialled the AirVPN service (3 days free trial if you email them asking for it).

    I DDWRT'ed my WDR4300 router as I wanted all devices sat behind the router encrypted as part of my tests - and the DDWRT firmware has the various VPN clients inbuilt. The problem I found is that routers for home use generally don't have the CPU grunt to chew through the AES256 encryption cipher quickly enough, hence the overall speed via VPN seems limited by the router (i.e. 1/5th of the non VPN throughput).

    If anyone can recommend a SOHO or lower cost small business device that could replace it then I would appreciate it. I was initially looking at a Zyxtel USG or Zywall device or similar...

    1. Down not across

      Re: Re VPN

      If anyone can recommend a SOHO or lower cost small business device that could replace it then I would appreciate it. I was initially looking at a Zyxtel USG or Zywall device or similar...

      Asus AC-RT87U has a dual-core (1GHz) CPU so should have a bit more grunt than some of the cheaper SOHO routers, and AsusWRT-Merlin is quite good and is an improvement on the stock AsusWRT.

      Alternatively ebay is full of cheap, more business class devices (for example Cisco 1801 which has a built-in ADSL2 modem; only 100Mbit/s ethernet so would be a bottleneck on faster VM cable connections). Advanced IP Services supports hardware-based IPSec encryption (including AES iirc).

      Just to mention a couple of options. I'm sure other commentards will offer some good solutions.

  12. Anonymous Coward

    "if they use port forwarding as their default torrent client port"

    Please parse title.

    An action being used as a port?

    Or should it be "...forwarding of their..." ?

    (Genuine question, not being pedantic here.)

  13. Number6

    The obvious fix for this is that the VPN endpoint IP address should only be used for connecting to the VPN service. Anyone who wants a port-forward needs to have it attached to a different machine/IP to avoid bypassing the tunnel.
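As an added example, not from the thread or from Perfect Privacy's write-up, the following model shows why a port forward on the VPN endpoint address can bypass the tunnel and gives the provider-side check behind the fix above (forwards must live on a different address). A VPN client normally installs a default route through the tunnel plus a /32 host route to the VPN server through the physical interface, so that the encrypted packets themselves do not loop back into the tunnel; anything addressed to that server address therefore leaves with the client's real source address. All addresses and interface names below are constructed RFC 5737/RFC 1918 values, not from the page.

```python
"""Longest-prefix-match model of a VPN client's routing table, plus the check
a provider can run to confirm port-forward addresses never coincide with
tunnel endpoint addresses. Added example; addresses are documentation values."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    src: ipaddress.IPv4Address   # source address stamped on packets sent this way


def client_routes(phys_if, real_ip, endpoint, tun_if, tun_ip):
    """Routing table a typical VPN client ends up with (constructed model):
    default via the tunnel, host route to the VPN server via the uplink."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), tun_if, ipaddress.ip_address(tun_ip)),
        Route(ipaddress.ip_network(f"{endpoint}/32"), phys_if, ipaddress.ip_address(real_ip)),
    ]


def select_route(table, dst):
    """Longest-prefix match, as the kernel's FIB lookup does."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def source_seen_by(table, dst):
    """Address a peer at dst observes as the client's source."""
    return str(select_route(table, dst).src)


def endpoint_forward_collisions(endpoint_addrs, forward_addrs):
    """Provider-side check for the fix: addresses used both as tunnel
    endpoints and as port-forward targets. An empty set means no client's
    host route can ever be matched by another user's forwarded port."""
    endpoints = {ipaddress.ip_address(a) for a in endpoint_addrs}
    return {str(a) for a in map(ipaddress.ip_address, forward_addrs) if a in endpoints}


if __name__ == "__main__":
    table = client_routes("eth0", "203.0.113.77", "198.51.100.5", "tun0", "10.8.0.2")
    print(source_seen_by(table, "192.0.2.44"))     # tunnelled: peer sees 10.8.0.2
    print(source_seen_by(table, "198.51.100.5"))   # host route wins: peer sees 203.0.113.77
    print(endpoint_forward_collisions(["198.51.100.5"], ["198.51.100.5"]))   # {'198.51.100.5'}
    print(endpoint_forward_collisions(["198.51.100.5"], ["198.51.100.9"]))   # set()
```

The second print is the whole problem in one line: a destination equal to the endpoint address is reached outside the tunnel. Moving forwards to a separate address (the fourth print) means such a destination is matched by the default route and stays inside the tunnel.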

  14. IPVanish VPN

    IPVanish VPN

    While the announcement of the Port Fail vulnerability has left some VPN services vulnerable, IPVanish and its users are not affected. IPVanish has been, is, and always will be dedicated to our members' security and privacy. We have employed protective measures, including those suggested in the article, to mitigate the “Port Fail” vulnerability. Our NAT protection is free of charge for all subscribers, and requires no additional setup.

    We applaud Perfect Privacy for responsibly disclosing this vulnerability to providers prior to the publication of the vulnerability, and thank them for protecting user privacy and security with us.

  15. kyleandrew

    Surprise - Surprise

    The mechanics of the Security Agency's back door into VPN revealed. So easy.

  16. kyleandrew

    Start Your Own VPN Business Today!

    While VPN may appear mysterious and cloak and dagger in design - it is very easy to set up a dedicated VPN server with easy-to-source software.

  17. AdrianH

    As long as I don't see a credible reference to an actual study, I don't think I'm going to give in to such claims. Subscribing to a VPN was THE best thing that could have happened to me, especially after surviving some really nasty hack attacks. Now, I can do whatever I want online safely and anonymously, and without any fear.

    The risks highlighted by Perfect Privacy could be limited to some specific brands of VPN and could be, in all probability, linked to certain features offered by the VPN. I've personally tried almost every free VPN out there and didn't feel safe. Now I'm using a Singapore-based Ivacy VPN which gives the same range of features as industry leaders but at a highly competitive price of $36 (1-year). Oh, it was love at first byte! :)
