VPN blocked?
-
I would still like to know why using a vpn service only gives a false sense of security.
Because you are just transferring the ability to sniff your traffic from your ISP to your VPN provider.
You exit to the internet in-the-clear at some point.
A VPN is great for encrypting your traffic across something like a local open wifi hotspot, hotel network, or between two private sites.
The VPN providers have done a pretty good job convincing a lot of people that they are necessary to protect against evil ISPs.
-
@tagit446 said in VPN blocked?:
Wow ok, "RTFM".. had to look that one up.
Good, now continue to look things up before you talk about them. Make this a habit.
ISPs are known for doing questionable things and don't even try to be transparent. They don't encrypt my connection and most certainly log everything I do on the web; in some circumstances, some ISPs are even known to redirect their users' traffic.
And with a VPN your VPN provider can do exactly the same. And while you know who and where your ISP is located, and what laws it has to follow, you can't say the same about some random VPN provider on the web. So ask yourself again, what makes that VPN provider more trustworthy than your ISP?
Say this information is flagged and now my government thinks I'm a terrorist, what do you suppose could happen there?
And continuously running an encrypted tunnel to an endpoint in a different country will not trigger red flags with such a government agency? Heck, if I were a government agency tasked with monitoring internet usage I would spin up a few VPN providers and make them known with nice reviews on the net. Then people would not only route their traffic through my servers, they would actually pay me for monitoring them.
You need to understand that a VPN encrypts only the communication between your client and the server of your VPN provider; that server can then do the same stuff you're afraid your ISP might do. If your VPN provider then also managed to get you to install their custom CA certificate on your PC, and some try to do that if you run their client directly on the PC, they can even MITM your otherwise encrypted https traffic.
-
@tagit446 said in VPN blocked?:
The service here is pretty bad really
Is it really - or is your VPN?? Why would you add the latency and issues of a vpn on top of questionable service ISP? Only thing the VPN can ever do is make your traffic slower.. Since you have to travel over the isp connection to get to the vpn.. Now you have the added latency going to wherever that is just to possibly come back 1 mile from the exit of your isp connection. Maybe - or completely wrong direction from where you want to go to get to xyz.com which adds latency.
You're already using a PPPoE connection which adds overhead, so let's put a vpn tunnel inside another tunnel.. Yeah GREAT performance is what everyone will scream ;)
You can do what you want - just don't complain when the IP you choose to use gets blocked, and don't complain when your connection is crap.. And your pocket book is lighter because you think you need to pay the "I'm more secure" stupid tax ;)
-
@tagit446 said in VPN blocked?:
The VPN encrypts my connection
I do not want to add another brick to the "why a VPN" wall, but I'd like to add:
Today, nearly all sites (mail, ssh, etc.) use SSL/TLS by default, so the end-to-end privacy has been taken care of out of the box.
That leaves the "having another IP" advantage. That's up to you... Drop by on this forum when it gets hit - as it did in the recent past - by these 'foreign language' spammers. The entire forum was getting spammed with dozens of messages, nearly every week, or more often.
These days: I haven't seen them any more (or the admins have become very, very reactive!).
You, @bafonso, showed that there are side effects for some of us.
One thing is pretty sure: you are using the same VPN as spammers - here, or somewhere else - did. Not your fault, these things happen ;)
-
Ok, this thread has kind of gone all over the place. I will record my VPN IP address next time I can't connect. I am reasonably sure the VPN IP was blocked since clicking the "restart" icon on VPN until I can connect works. Sometimes I have to restart once, other times it takes 5 or 6 times and then I can connect.
I am using PIA.
In response to "why VPN traffic to pfSense/Netgate?", because I VPN all of my traffic by default. I do have bypass rules for Netflix and AWS, and yes I could add a bypass for pfSense/Netgate, but I figured I would ask about the blocking before adding a bypass rule.
Maybe I am being paranoid, but I don't trust websites to not track me. This is partially about my ISP, and partially about trackers on the internet. A large part of the reason I set up a pfSense router was to VPN most of my traffic.
-
@ryanm said in VPN blocked?:
but I don't trust websites to not track me
You think the only way they track you is via your IP?? hehehhee how cute ;)
-
You trust some random VPN provider more than your ISP? You should change your ISP then...
-Rico
-
@johnpoz a VPN is just part of the solution. I also use a couple of browser extensions to attempt to block tracking, and make use of incognito/private browsing fairly regularly. I would be interested in hearing any other recommendations on how to protect my privacy online.
@Rico I don't have many options in my area, and for the most part I do trust my ISP but I don't see what the downside to using a VPN is other than cost. My understanding is that PIA is a reasonably well-respected VPN provider, but if I am misinformed, I would love to hear more.
-
The downside is, your VPN provider has all the keys to decrypt your whole traffic if he wants to.
-Rico
-
@rico said in VPN blocked?:
The downside is, your VPN provider has all the keys to decrypt your whole traffic if he wants to.
-Rico
Well: the VPN will decrypt the entire tunnel, that's for sure. They have to.
But all SSL traffic inside the tunnel will stay safe. Most site traffic - web browsing and mail - is safe these days. And if you insist, DNS can be made safe also; this means: you decide who sees your DNS traffic.
-
@Gertjan I don't want to get too far off topic, but can you point me at a resource to read about making DNS safe? This is around SSL encrypted requests to your DNS provider correct? I moved to using CloudFlare's DNS (1.1.1.1 and 1.0.0.1) in my pfSense configuration. Is there a way to force the SSL version on pfSense?
-
Here is an IP that appears to be blocked: 91.207.175.100
FWIW, I am connecting to the PIA US-California instance (us-california.privateinternetaccess.com:1198). In my experience, this instance seems to not be blocked on as many sites (e.g. Macys.com, Craigslist.org, etc.).
-
@ryanm said in VPN blocked?:
91.207.175.100
http://stopforumspam.com/ipcheck/91.207.175.100
Blocked!
You sure that is supposed to be US... Shows as Romania on that site.. But it's also on a shit ton of other blacklists as well!
To be honest, how do people think that the shared IPs they get using some vpn are not going to be blocked all over the net... Since people just do shit while on them, since they think they are hiding ;)
-
Thank you for checking @johnpoz. Should I bother with trying to get it unblocked? Or just continue to "restart" the VPN client until I get an IP that is not blocked?
I think the IP address is owned by a European company called M247 Europe SRL; I am not sure why that site is showing it as Romania. However, the location of the VPN IP shows up as Los Angeles, CA and this is in line with the latency I see to servers in that area and geolocation type services (e.g. Google Maps, Weather.com, etc.).
-
Their abuse email is to m247.ro
It's a RIPE controlled IP space..
Dude, it's on WAY more than just the spam database - look it up, it's on a LOT of black lists..
If you want to route your traffic through a vpn that is up to you - just policy route so going to pfsense is just off your wan and then you will be fine.
-
Yeah, I think you are right. I will probably just start adding rules to route traffic through WAN when it is blocked. Thanks.
-
you interested me
-
@ryanm said in VPN blocked?:
@Gertjan I don't want to get too far off topic, but can you point me at a resource to read about making DNS safe? This is around SSL encrypted requests to your DNS provider correct? I moved to using CloudFlare's DNS (1.1.1.1 and 1.0.0.1) in my pfSense configuration. Is there a way to force the SSL version on pfSense?
You know, that pfSense 2.4.4+ has a configuration for using DNS over TLS already implemented?
-> Services / DNS Resolver
=> Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
After setting that, the DNS servers configured in System/General will be used for DNS over TLS via port 853.
But that adds the problem/discussion about having too much traffic and too many services centralized, giving those (few) companies (too?) much power. Especially as - on their end - they could actually look at what you're asking via their service (as the traffic leaves their hosts/network). Same with VPN. You connect safely to their servers but from there it goes to your target location. So the VPN provider could log/track you, too. It all boils down to trust and whether centralized services are really that much better than decentralized approaches (DNS resolving instead of forwarding).
-
@jegr thank you. Yes, I had found this setting and enabled it. I also moved from CloudFlare to Quad9. Not sure who is really "better" or more privacy conscious.
It is not that I have anything to hide, but I also have no reason to share either.
I remember hearing an innovator speak on privacy & security. He spoke about how encryption should be strong, and on by default. He mentioned how some could make the argument "Why do you need to encrypt? What do you have to hide?", but he likened it to traditional mail. If you send a letter in an envelope, no one asks "Why do you need to put that letter in an envelope? What are you trying to hide?" because it has become the default and is not considered divergent behavior.
I would be very interested in a blog series or forum threads specific to security. Am I overlooking something that already exists?
-
@ryanm said in VPN blocked?:
"Why do you need to put that letter in an envelope?
With the difference that you send all your letters in envelopes to one identified intermediate facility that knows very well who you are; they have your return address. This facility opens your envelope and reads it all out loud, with the world as its audience.
Remember, after Quad9 or comparable, if not cached, root servers, tld servers and domain servers are still questioned as before.
Think about it : the data path didn't change much. But in this case you're being served by a company that pays taxes. The classic path serves you with an infrastructure (root servers) being financed by your taxes.
As with the classic postal services: the local path, the postman that walks just in front of your door, is being removed from the equation. It's the guy you probably already know - and the other way around.