    Netgate Discussion Forum

    VPN blocked?

    Forum Feedback
    • B
      bafonso last edited by

      Hi, I cannot access this forum through my PIA VPN setup on my pfSense router. Are you guys blocking VPNs from accessing the forum?

      1 Reply Last reply Reply Quote 0
      • B
        bafonso last edited by

        Using my PIA VPN on my laptop directly at a coffee shop works, so I wonder what's happening when it gets routed through pfsense at home...

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by johnpoz

          You would need to post the IP you're coming from if you want someone to check if it's blocked.. I can tell you, for example, that Tor exits are blocked because of all the spam.

          There is the thing - there are blocks in the forum I can check, and then there are blocks at the firewall that I can not check. Since it's a VPN IP from PIA, I don't see why you should have an issue posting it. But since there are many users of PIA here, I wouldn't think the forums would be blowing up if we were blocking their whole netblock or AS, etc.

          Post or PM the IP you were blocked from and I'll be happy to check the forum listing of blocked IPs. I can tell you if we got spam from that IP; I might have personally put it on a block..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

          1 Reply Last reply Reply Quote 0
          • B
            bafonso last edited by

            I totally understand the reasons for blocking IP ranges, etc. I was just curious if it was a VPN-wide block for some reason. Once I'm home I will try and PM you the IP if the situation still persists. It's true I've had PIA VPN blocked due to users abusing it... :(

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by johnpoz

              I am not aware of on-purpose blocking of any specific VPNs - I am only aware that they were blocking Tor because of the huge amount of spam coming from it.

              But it's quite possible an IP got blocked.. Can not say I would even remove it even if that was the case. But I'll be happy to check the listing I can, and make sure someone else that has access can check the firewall rules, which I do not have access to as a lowly mod ;)

              Can tell you there was 1 hit on blocked IPs in the forum setting this morning.. Maybe that was you - I can not see which IP was blocked, only that one of them on the list was blocked. Send me the IP and I will check if it is on the list or listed as a netblock, etc.

              1 Reply Last reply Reply Quote 0
              • T
                tagit446 last edited by

                I'm not sure if it is related or not, but there are times when I cannot access the forum. I don't remember exactly, but during the times I have no access the browser seems to get stuck at "establishing secure connection". I've experienced this randomly over the past year and I do use ExpressVPN. At times of no access I cannot load forum.netgate.com in Google Chrome, Edge, or Firefox.

                This happened last week and lasted 3 days. It was also happening early this afternoon but is a non-issue this evening. No changes to the firewall between times of working and not working. Checked, and the firewall is not blocking.

                I do want to note that during times of no access to forum.netgate.com I can still load netgate.com without issue.

                Next time I experience this I will try bypassing the VPN and see if the site loads.

                1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  They are currently blocking IPs that get put on block lists...

                  I can tell you that one of the multiple IPs you have connected from is on the block list..

                  VPNs that share IPs are going to have issues - because some idiot spams with that IP... The next user to get it will be blocked from posting on forums that use that database..

                  The IP in question started with 104.194, look:
                  104.194.x.x reported as spam 58 times, discovered Nov 11, 2018, last activity Nov 12, 2018 05:38:42.

                  Not sure what people expect using such services? It's like people want to pay money to have a shitty, blocked service, so that the ISP they pay for internet can not see that they go to the pfSense forums.. Just freaking nuts..

                  1 Reply Last reply Reply Quote 0
                  • Rico
                    Rico LAYER 8 Rebel Alliance last edited by

                    https://forum.netgate.com/topic/137638/posts-being-marked-as-spam-on-my-lan

                    -Rico

                    2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

                    1 Reply Last reply Reply Quote 0
                    • T
                      tagit446 last edited by

                      Can confirm it was my VPN address stopping access to this forum. Creating a rule to bypass VPN and go out WAN fixed the issue.

                      @johnpoz said in VPN blocked?:

                      Not sure what people expect using such services? It's like people want to pay money to have a shitty, blocked service, so that the ISP they pay for internet can not see that they go to the pfSense forums.. Just freaking nuts..

                      I have nothing to hide and don't do anything even remotely questionable online. I simply wish to remain as private as possible online and don't feel anyone has a need to track me or steal my data. If a website needs my info, they can ask for it, and if their service is worth it to me I will give them my info. The VPN encrypts my connection and gives me a different IP, which to me is just another layer of protection, just like pfSense to me is a layer of protection.

                      I also don't see how your forum's use of a spam database is much different when it is blocking non-offending users just because of their IP. Sure, VPNs redistribute IPs and someone abused the IP I now have, and now I get punished for having it in the form of no access, but every time I get disconnected from my crappy ISP and then reconnected I get a new IP that someone else used to have, so it's not all that different.

                      I've used different forums for many years, even moderated a couple, and my experience is that those who are intent on spamming or abusing a forum tend to register, post nothing relevant to the forum's topics and just spam.

                      I can understand the use of a spam database to protect against possible abuse by those trying to register on this forum with the sole intent of spamming, but why even run the IP check on those with an already established account with posts related to the forum's topics?

                      Surely it wouldn't be all that hard to code this site in a way that only does the IP check for new registrations and perhaps even those that are registered but have no posts yet? Again, why do the IP check on those that are registered already and have relevant posts that haven't been marked as spam?

                      Gertjan 1 Reply Last reply Reply Quote 0
                      • johnpoz
                        johnpoz LAYER 8 Global Moderator last edited by johnpoz

                        You have to have a specific rep level for it not to mark your posts as spam when coming from a known spammer IP. Write high-quality posts that people give thumbs up to and you won't have to worry about the spam blocking.. It's pretty low, like 3 or 5..

                        don't feel anyone has a need to track me or steal my data

                        You do understand the IP you're coming from is just a tiny part of info, right.. And you're just handing all your info off to some VPN service as well as giving them money.. Because ?? So you want to be so private, so you use cash only? Wear a mask to hide yourself from all the cameras doing facial recognition... Have no cell phone because that is tracking your every move.. Don't drive a car because all the scanners are seeing your license plate, or paying tolls, etc. etc..

                        Users think oh a VPN makes me secure - no it doesn't... Just saying.. But hey, it's your money and your connection.. If you like it slower and with more issues to give you that false sense of security, have fun ;)

                        T 1 Reply Last reply Reply Quote 1
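The mechanism johnpoz describes (posts from an IP on the spam-report list are only marked as spam while the account is below a low reputation threshold) and tagit446's earlier suggestion (run the IP check on new registrations and accounts with no posts, and show a page explaining the block instead of a blank page) can be modelled in a few lines. The following is an added example, not the forum software's or Netgate's own code; the block-list entries, account data, the threshold value of 3 and the function names are constructed assumptions.

```python
"""Reputation-gated source-IP check for forum posts and registrations.

Added example, not the forum software's own code. It models three things
from the thread: a spam-report database keyed by IP, a reputation
threshold below which posts from a listed IP are marked as spam, and the
difference between blocking at the firewall (no explanation possible) and
blocking in the application (an explanatory page can be returned).
Block-list contents, account data and the threshold are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Reputation at which a listed source IP stops marking posts as spam.
# The thread says it is "pretty low, like 3 or 5"; 3 is assumed here.
REP_THRESHOLD = 3

# Constructed spam-report database: network -> number of spam reports.
# RFC 5737 documentation ranges are used so nothing here is a real address.
SPAM_NETWORKS = {
    ip_network("198.51.100.0/24"): 58,  # constructed; mirrors "reported 58 times"
    ip_network("203.0.113.7/32"): 2,    # constructed
}


@dataclass
class Account:
    name: str
    reputation: int


@dataclass
class Decision:
    action: str  # "allow", "flag_spam" or "deny_registration"
    reason: str


def spam_reports_for(ip: str) -> int:
    """Highest report count of any listed network containing ip; 0 if unlisted."""
    addr = ip_address(ip)
    return max((count for net, count in SPAM_NETWORKS.items() if addr in net),
               default=0)


def check_post(account: Account, ip: str) -> Decision:
    """Only accounts below the reputation threshold are subject to the IP check."""
    reports = spam_reports_for(ip)
    if reports == 0:
        return Decision("allow", "source IP not on the spam list")
    if account.reputation >= REP_THRESHOLD:
        return Decision("allow", f"source IP has {reports} spam reports, but reputation "
                                 f"{account.reputation} >= {REP_THRESHOLD} exempts the account")
    return Decision("flag_spam", f"source IP has {reports} spam reports and reputation "
                                 f"{account.reputation} < {REP_THRESHOLD}")


def check_registration(ip: str) -> Decision:
    """A new registration has no reputation, so a listed IP is always refused."""
    reports = spam_reports_for(ip)
    if reports:
        return Decision("deny_registration", f"source IP has {reports} spam reports")
    return Decision("allow", "source IP not on the spam list")


def http_response(decision: Decision) -> Tuple[int, str]:
    """An application-layer block can tell the user why; a firewall drop cannot."""
    if decision.action == "allow":
        return 200, ""
    return 403, (f"Access limited: {decision.reason}. "
                 "Contact a moderator if you believe this is wrong.")


if __name__ == "__main__":
    for acct, ip in [(Account("newcomer", 0), "198.51.100.42"),
                     (Account("regular", 5), "198.51.100.42"),
                     (Account("newcomer", 0), "192.0.2.1")]:
        d = check_post(acct, ip)
        print(acct.name, ip, "->", d.action, "|", d.reason)
    print(check_registration("203.0.113.7"))
```

The point of `http_response` is the one made later in the thread: a block enforced inside the forum software can return a 403 with a reason, whereas a block at the firewall drops the connection before any page can be served, which is why the browser just hangs at "establishing secure connection".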
                        • T
                          tagit446 @johnpoz last edited by

                          @johnpoz said in VPN blocked?:

                          You have to have a specific rep level for it not to mark your posts as spam when coming from a known spammer IP. Write high-quality posts that people give thumbs up to and you won't have to worry about the spam blocking.. It's pretty low, like 3 or 5..

                          Myself and the OP never said the problem was with posts getting marked as spam; it was not being able to access the forum. The site would not even load for me, with no warning as to why.

                          As far as getting thumbs up for high-quality posts, I guess those will be slow coming for those of us here in the pfSense learning stage, because it seems you will not get a thumbs up for asking questions; instead it seems the thumbs up come when helping someone through a problem, which is of course understandable. I actually did have a few posts marked as helpful before the forum was changed.

                          Personally, I'm still learning pfSense and don't have the confidence yet to answer most of the questions being asked in this forum. I actually really like helping others, that's my nature but until I gain more knowledge I'm afraid I won't be of much help to anyone here unless the question is super basic. Hopefully in the future I will have learned enough to help out.

                          You do understand the IP you're coming from is just a tiny part of info, right.. And you're just handing all your info off to some VPN service as well as giving them money.. Because ?? So you want to be so private, so you use cash only? Wear a mask to hide yourself from all the cameras doing facial recognition... Have no cell phone because that is tracking your every move.. Don't drive a car because all the scanners are seeing your license plate, or paying tolls, etc. etc..

                          I did say "private as possible online" but thanks for spinning it like I'm somehow blissfully ignorant to all the other ways in which my privacy is being encroached upon.

                          Users think oh a VPN makes me secure - no it doesn't... Just saying.. But hey, it's your money and your connection.. If you like it slower and with more issues to give you that false sense of security, have fun ;)

                          I may be a master certified expert in my own field but I will readily admit I have much to learn when it comes to online security. My knowledge is only as good as what I've learned so far and there is a lot to learn. Instead of going through the trouble of trying to point out what you think is my obvious stupidity, why not instead enlighten us vpn users as to why a vpn doesn't make us any safer?

                          Everything I have read so far suggests that they do make us safer. If I am being unwittingly duped, I would like to know why, so that I am not paying for a service I don't need. Please share what you know so that I can have a better understanding. No need to rub my nose in the fact that I know less than you on this subject. Your statement is confusing to me because the VPN support is built into pfSense. Is the built-in support for a VPN service just a byproduct and never really meant to be used in this way?

                          Grimson 1 Reply Last reply Reply Quote 0
                          • Grimson
                            Grimson Banned @tagit446 last edited by Grimson

                            @tagit446 said in VPN blocked?:

                            Is the built in support for a vpn service just a byproduct and never really meant to be used in this way?

                            https://www.netgate.com/docs/pfsense/book/vpn/index.html RTFM, and yes VPNs are intended to connect business offices and allow secure remote access.

                            Ask yourself the following question: What makes a random VPN provider more trustworthy than your local ISP, especially if they are located in a different country and/or if all you know about them comes from a website.

                            T 1 Reply Last reply Reply Quote 1
                            • Derelict
                              Derelict LAYER 8 Netgate last edited by

                              @tagit446 Should known spam source addresses, which have been flagged due to recent, active spam activity be "whitelisted" so you can connect to this forum via your VPN service?

                              You are sharing source IP addresses with all of the yahoos using that service. If I were you I'd get used to some inconvenience there.

                              Chattanooga, Tennessee, USA
                              The pfSense Book is free of charge!
                              DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                              T 1 Reply Last reply Reply Quote 0
                              • T
                                tagit446 @Grimson last edited by

                                @grimson said in VPN blocked?:

                                https://www.netgate.com/docs/pfsense/book/vpn/index.html RTFM, and yes VPNs are intended to connect business offices and allow secure remote access.

                                Ask yourself the following question: What makes a random VPN provider more trustworthy than your local ISP, especially if they are located in a different country and/or if all you know about them comes from a website.

                                Wow ok, "RTFM".. had to look that one up. Did you really have to put that in there like that? Why so hostile? It's not like you know me. Too much damn hate talk in the world, even among strangers. No wonder it's all going to sh*t the way it is. No one sees the value in civility anymore.

                                ISPs are known for doing questionable things and don't even try to be transparent. They don't encrypt my connection and most certainly log everything I do on the web; in some circumstances, some ISPs are even known to redirect their users' traffic.

                                Hypothetically speaking, but for example let's say I visit a website critical of police brutality or government, or visit a website that teaches how to make pipe bombs so that I can blow up an annoying stump in my back yard. Say this information is flagged and now my government thinks I'm a terrorist; what do you suppose could happen there? Heck, I remember many years ago, maybe a year after 9/11, my wife worked with a guy who made a critical comment about Bush out of frustration on a random forum. Within a week this poor fellow was visited by government officials questioning his motives for what he had written. So yeah, I don't need some company tracking, snooping, logging everything I do and making false assumptions about who I am or what possible intentions I may or may not have just because of what I looked at on the web.

                                At least the VPN I chose appears to be transparent and has good reviews from places I consider to be reputable. I spent several months considering the use of a VPN and the same amount of time deciding on which one to use. I know there are cons such as added cost, slightly slower connections and dos by those blocking VPNs, but at the same time they encrypt my connection and claim to not log any user traffic.

                                If myself and thousands of others are being misled about VPN services and how they supposedly protect us (or not protect us), then please by all means explain or at least point us in the direction of a reputable source for further reading in regards to how we are being misled by such services.

                                Grimson 1 Reply Last reply Reply Quote 0
                                • T
                                  tagit446 @Derelict last edited by tagit446

                                  @derelict said in VPN blocked?:

                                  @tagit446 Should known spam source addresses, which have been flagged due to recent, active spam activity be "whitelisted" so you can connect to this forum via your VPN service?

                                  You are sharing source IP addresses with all of the yahoos using that service. If I were you I'd get used to some inconvenience there.

                                  I just don't get these responses I'm getting. Are you all trying to say I'm suspected of being a spammer here or somewhere else due to my VPN IP? Yes, it is a shared IP, but so is my ISP IP.

                                  Again, I get the use of a spam reporting database. I just don't understand why you have chosen to implement it the way you have. You all seem aware that good people can end up with a bad IP. What if I got an IP from my ISP that had been reported for spamming? I would not even be able to load this site to find out why. At the very least, why not redirect to a page explaining why the site won't load and a contact if that user believes he/she is being wrongly blocked? The only other choice for me would be to reboot my modem or router to get a new IP, which I guess would probably be faster than reaching out to someone. A message as to why the block is happening would still be nice though.

                                  I'll be honest, in the year and a half that I have used a VPN the only inconveniences I've encountered are not having access to this forum at times while using my VPN, Amazon Prime videos not working on my TV and an online game not working due to closed ports on the VPN. Policy-based routing in pfSense fixed each of those issues, however.

                                  EDIT: I've used some sites such as Amazon that will block a user from logging in when their IP has changed. While attempting to log in with my credentials, before giving access it will send an email with a verification code. I can grab that code from my email and then enter it in the form Amazon provides. Once entered, the login continues as normal.

                                  Could something like this be implemented on this website instead of the non-loading blank webpage? At least that way good people with bad IPs aren't getting blocked from accessing their accounts here. I went through a lot of troubleshooting trying to figure out why this site wouldn't load each time I was blocked. How many others is this happening to as well?

                                  I had no idea I was being blocked due to my VPN IP, at least not until this thread. Just before regaining access and seeing the post from the OP I had rebooted my pfSense box and got a new IP that was luckily not blocked.

                                  Again, the problem is loading this website with a bad IP, not a problem posting or logging in.

                                  EDIT2: Thinking about this more, why are spam-related IPs even getting blocked from loading the forum's webpage? Unless they can log into the website.. what can they do to harm the website.. especially this one? After all, you are Netgate, so I have to assume your server security is better than most.

                                  1 Reply Last reply Reply Quote 0
                                  • johnpoz
                                    johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                    @tagit446 said in VPN blocked?:

                                    Yes it is a shared IP but so is my ISP IP.

                                    No - where did you get that idea... Are you behind a carrier-grade NAT? My IP has been the same since I moved to this ISP.. Before, my IP was the same for years and years with Comcast.. So all the IP tells a website is hey, that IP is owned by XYZ... Hey, that IP is prob in City ABC.. It's not shared at all.

                                    They are blocked from accessing the forum because they are blocking it at the firewall, not just inside the forum software.. Yeah, more secure from the spammers ;)

                                    If you want to use some VPN service that allows any and all to use their IPs for shit like spamming - then guess what.. You're prob going to find some sites that don't like that IP.. Or for that matter might get so fed up playing whack-a-mole that they just block the netblock..

                                    And guess what, if you were behind a carrier-grade NAT and sharing IPs - and some yahoo that had your IP yesterday decided it was fun to spam.. And get his IP listed 58 times ;) Then yeah, you get that IP, you're going to have issues..

                                    T 1 Reply Last reply Reply Quote 0
                                    • T
                                      tagit446 @johnpoz last edited by

                                      @johnpoz said in VPN blocked?:

                                      No - where did you get that Idea... Are you behind a carrier grade nat?

                                      I'm really not sure what my ISP uses. In my location we only have one choice for internet and that is Bonded ADSL+ through Consolidated Communications. They took over FairPoint Communications in my state about a year ago.

                                      My ISP modem is bridged and I establish the PPPoE connection through the pfsense router. The service here is pretty bad really. As I've mentioned, I'm still learning pfSense so at times I'll reboot the router after making changes and sometimes the modem. Each time either one reboots I see my public IP has changed on the pfSense router homepage.

                                      @johnpoz said in VPN blocked?:

                                      They are blocked from accessing the forum because they are blocking it at the firewall, not just inside the forum software.. Yeah, more secure from the spammers ;)

                                      Thanks for this, it makes sense now and finally answers mine and the OP's original question.

                                      At least as far as spammer IPs go, it seems like it would be enough to block them with the website software and not the firewall, since a spammer can't spam a website unless they are logged in. Doing the blocking at the website would give more verification options or at least allow a webpage to be displayed as to why a block is happening. In the end though, it's not my sandbox and all I can do is make suggestions. If you don't care, why should I.

                                      I now know why the site wouldn't load for me and I can and have worked around that. My only real concern now is for those that haven't figured it out yet and will probably spend a lot of time trying to diag the problem. After all, they won't be able to get here to ask for help because the site will not even load for them. I wonder how many new pfSense users will just give up on it because they are using a VPN and can't load this site to ask for help when they are stuck.

                                      I won't say any more on the above subject, but I would still like to know why using a VPN service only gives a false sense of security. Like I said before, I don't want to pay for something I don't need and don't like being duped. You seem to be in the know, so please share what you know.

                                      johnpoz 1 Reply Last reply Reply Quote 0
                                      • Derelict
                                        Derelict LAYER 8 Netgate last edited by Derelict

                                        I would still like to know why using a vpn service only gives a false sense of security.

                                        Because you are just transferring the ability to sniff your traffic from your ISP to your VPN provider.

                                        You exit to the internet in-the-clear at some point.

                                        A VPN is great for encrypting your traffic across something like a local open wifi hotspot, hotel network, or between two private sites.

                                        The VPN providers have done a pretty good job convincing a lot of people that they are necessary to protect against evil ISPs.

                                        1 Reply Last reply Reply Quote 1
                                        • Grimson
                                          Grimson Banned @tagit446 last edited by

                                          @tagit446 said in VPN blocked?:

                                          Wow ok, "RTFM".. had to look that one up.

                                          Good now continue to look things up before you talk about them. Make this a habit.

                                          ISP's are known for doing questionable things and don't even try to be transparent. They don't encrypt my connection and most certainly log everything I do on the web, in some circumstances, some ISP's are even known to redirect their users traffic.

                                          And with a VPN your VPN provider can do exactly the same. And while you know who and where your ISP is located, and what laws it has to follow, you can't say the same about some random VPN provider on the web. So ask yourself again, what makes that VPN provider more trustworthy than your ISP.

                                          Say this information is flagged and now my government thinks I'm a terrorist, what do you suppose could happen there?

                                          And continuously running an encrypted tunnel to an endpoint in a different country will not trigger red flags with such a government agency? Heck, if I were a government agency tasked with monitoring internet usage I would spin up a few VPN providers and make them known with nice reviews on the net. Then people would not only route their traffic through my servers, they would actually pay me for monitoring them.

                                          You need to understand that a VPN encrypts only the communication between your client and the server of your VPN provider; that server then can do the same stuff you're afraid your ISP might do. If your VPN provider then also managed to get you to install their custom CA certificate on your PC, and some try to do that if you run their client directly on the PC, they can even MITM your otherwise encrypted https traffic.

                                          1 Reply Last reply Reply Quote 0
                                          • johnpoz
                                            johnpoz LAYER 8 Global Moderator @tagit446 last edited by johnpoz

                                            @tagit446 said in VPN blocked?:

                                            The service here is pretty bad really

                                            Is it really - or is your VPN?? Why would you add the latency and issues of a VPN on top of a questionable-service ISP? The only thing the VPN can ever do is make your traffic slower.. Since you have to travel over the ISP connection to get to the VPN.. Now you have the added latency going to wherever that is, just to possibly come back 1 mile from the exit of your ISP connection. Maybe - or the completely wrong direction from where you want to go to get to xyz.com, which adds latency.

                                            You're already using a PPPoE connection, which adds overhead, so let's put a VPN tunnel inside another tunnel.. Yeah, GREAT performance is what everyone will scream ;)

                                            You can do what you want - just don't complain when the IP you choose to use gets blocked, and don't complain when your connection is crap.. And your pocketbook is lighter because you think you need to pay the "I'm more secure" stupid tax ;)

                                            1 Reply Last reply Reply Quote 0
                                            • Gertjan
                                              Gertjan @tagit446 last edited by Gertjan

                                              @tagit446 said in VPN blocked?:

                                              The VPN encrypts my connection

                                              I do not want to add another brick to the "why a VPN" wall, but I would like to add:
                                              Today, nearly all sites (mail, ssh, etc) use SSL/TLS by default, so the end-to-end privacy has been taken care of out of the box.
                                              That leaves the "having another IP" advantage. That's up to you ....

                                              Drop by on this forum when it gets hit - as it did in the recent past - by these 'foreign language' spammers. The entire forum was getting spammed with dozens of messages, nearly every week, or more often.
                                              These days: haven't seen them any more (or the admins have become very, very reactive!).
                                              You, @bafonso, showed that there are side effects for some of us.
                                              One thing is pretty sure: you are using the same VPN as spammers - here, or somewhere else - did. Not your fault, these things happen ;)

                                              No "help me" PM's please. Use the forum.

                                              • RyanM
                                                RyanM last edited by

                                                Ok, this thread has kind of gone all over the place. I will record my VPN IP address next time I can't connect. I am reasonably sure the VPN IP was blocked since clicking the "restart" icon on VPN until I can connect works. Sometimes I have to restart once, other times it takes 5 or 6 times and then I can connect.

                                                I am using PIA.

                                                In response to "why VPN traffic to pfSense/Netgate?", because I VPN all of my traffic by default. I do have bypass rules for Netflix and AWS, and yes I could add a bypass for pfSense/Netgate, but I figured I would ask about the blocking before adding a bypass rule.

                                                Maybe I am being paranoid, but I don't trust websites to not track me. This is partially about my ISP, and partially about trackers on the internet. A large part of the reason I set up a pfSense router was to VPN most of my traffic.

                                                • johnpoz
                                                  johnpoz LAYER 8 Global Moderator last edited by

                                                  @ryanm said in VPN blocked?:

                                                  but I don't trust websites to not track me

                                                  You think the only way they track you is via your IP?? hehehhee how cute ;)

                                                  • Rico
                                                    Rico LAYER 8 Rebel Alliance last edited by

                                                    You trust some random VPN provider more than your ISP? You should change your ISP then...

                                                    -Rico

                                                    2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

                                                    • RyanM
                                                      RyanM last edited by

                                                      @johnpoz a VPN is just part of the solution. I also use a couple of browser extensions to attempt to block tracking, and make use of incognito/private browsing fairly regularly. I would be interested in hearing any other recommendations on how to protect my privacy online.

                                                      @Rico I don't have many options in my area, and for the most part I do trust my ISP but I don't see what the downside to using a VPN is other than cost. My understanding is that PIA is a reasonably well-respected VPN provider, but if I am misinformed, I would love to hear more.

                                                      • Rico
                                                        Rico LAYER 8 Rebel Alliance last edited by

                                                        The downside is, your VPN provider has all the keys to decrypt your whole traffic if they want to.

                                                        -Rico

                                                        • Gertjan
                                                          Gertjan @Rico last edited by Gertjan

                                                          @rico said in VPN blocked?:

                                                          The downside is, your VPN provider has all the keys to decrypt your whole traffic if they want to.

                                                          -Rico

                                                          Well: the VPN will decrypt the entire tunnel, that's for sure. They have to ☺
                                                          But all SSL traffic inside the tunnel will stay safe. Most site traffic - web browsing and mail - is safe these days. And if you insist, DNS can be made safe also; this means: you decide who sees your DNS traffic.

                                                          • RyanM
                                                            RyanM last edited by

                                                            @Gertjan I don't want to get too far off topic, but can you point me at a resource to read about making DNS safe? This is around SSL encrypted requests to your DNS provider correct? I moved to using CloudFlare's DNS (1.1.1.1 and 1.0.0.1) in my pfSense configuration. Is there a way to force the SSL version on pfSense?

                                                            • RyanM
                                                              RyanM last edited by

                                                              Here is an IP that appears to be blocked: 91.207.175.100

                                                              FWIW, I am connecting to the PIA US-California instance (us-california.privateinternetaccess.com:1198). In my experience, this instance seems to not be blocked on as many sites (e.g. Macys.com, Craigslist.org, etc.).

                                                              • johnpoz
                                                                johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                                                @ryanm said in VPN blocked?:

                                                                91.207.175.100

                                                                http://stopforumspam.com/ipcheck/91.207.175.100

                                                                Blocked!
                                                                You sure that is supposed to be US... Shows as Romania on that site.. But it's also on a shit ton of other blacklists as well!

                                                                To be honest, how do people think that the shared IPs they get using some VPN are not going to be blocked all over the net... Since people just do shit while on them, since they think they are hiding ;)

                                                                • RyanM
                                                                  RyanM last edited by

                                                                  Thank you for checking @johnpoz. Should I bother with trying to get it unblocked? Or just continue to "restart" the VPN client until I get an IP that is not blocked?

                                                                  I think the IP address is owned by a European company called M247 Europe SRL; I am not sure why that site is showing it as Romania. However, the location of the VPN IP shows up as Los Angeles, CA, and this is in line with the latency I see to servers in that area and with geolocation-type services (e.g. Google Maps, Weather.com, etc.).

                                                                  • johnpoz
                                                                    johnpoz LAYER 8 Global Moderator last edited by

                                                                    Their abuse email is to m247.ro

                                                                    It's RIPE-controlled IP space..

                                                                    Dude, it's on WAY more than just the spam database - look it up, it's on a LOT of blacklists..

                                                                    If you want to route your traffic through a VPN that is up to you - just policy route so traffic going to pfSense just goes off your WAN, and then you will be fine.

                                                                    • RyanM
                                                                      RyanM last edited by

                                                                      Yeah, I think you are right. I will probably just start adding rules to route traffic through WAN when it is blocked. Thanks.

                                                                      • A
                                                                        andrew528 last edited by

                                                                        you interested me

                                                                        • JeGr
                                                                          JeGr LAYER 8 Moderator @RyanM last edited by

                                                                          @ryanm said in VPN blocked?:

                                                                          @Gertjan I don't want to get too far off topic, but can you point me at a resource to read about making DNS safe? This is around SSL encrypted requests to your DNS provider correct? I moved to using CloudFlare's DNS (1.1.1.1 and 1.0.0.1) in my pfSense configuration. Is there a way to force the SSL version on pfSense?

                                                                          You know that pfSense 2.4.4+ already has a configuration option for using DNS over TLS?
                                                                          -> Services / DNS Resolver
                                                                          => Use SSL/TLS for outgoing DNS Queries to Forwarding Servers

                                                                          After setting that, the DNS servers configured in System / General will be used for DNS over TLS via port 853.

                                                                          But that adds the problem/discussion about having too much traffic/too many services centralized, giving those (few) companies (too?) much power. Especially as - on their end - they could actually look at what you're asking via their service (as the traffic leaves their hosts/network). Same with a VPN. You connect safely to their servers, but from there it goes to your target location. So the VPN provider could log/track you, too. It all boils down to trust and whether centralized services are really that much better than decentralized approaches (DNS resolving instead of forwarding).

                                                                          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                                                          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                                                          • RyanM
                                                                            RyanM @JeGr last edited by

                                                                            @jegr thank you. Yes, I had found this setting and enabled it. I also moved from CloudFlare to Quad9. Not sure who is really "better" or more privacy conscious.

                                                                            It is not that I have anything to hide, but I also have no reason to share either.

                                                                            I remember hearing an innovator speak on privacy & security. He spoke about how encryption should be strong, and on by default. He mentioned how some could make the argument "Why do you need to encrypt? What do you have to hide?", but he likened it to traditional mail. If you send a letter in an envelope, no one asks "Why do you need to put that letter in an envelope? What are you trying to hide?" because it has become the default and is not considered divergent behavior.

                                                                            I would be very interested in a blog series or forum threads specific to security. Am I overlooking something that already exists?

                                                                            • Gertjan
                                                                              Gertjan @RyanM last edited by

                                                                              @ryanm said in VPN blocked?:

                                                                              "Why do you need to put that letter in an envelope?

                                                                              With the difference that you send all your letters in envelopes to one identified intermediate facility that knows very well who you are; they have your return address. This facility opens your envelope and reads it all out loud, with the world as its audience.
                                                                              Remember, after Quad9 or comparable, if not cached, root servers, TLD servers and domain servers are still queried as before.
                                                                              Think about it: the data path didn't change much. But in this case you're being served by a company that pays taxes. The classic path serves you with an infrastructure (root servers) financed by your taxes.
                                                                              As with the classic postal services: the local path, the postman that walks just in front of your door, is removed from the equation. It's the guy you probably already know - and the other way around.

                                                                              • JeGr
                                                                                JeGr LAYER 8 Moderator @RyanM last edited by

                                                                                I also moved from CloudFlare to Quad9. Not sure who is really "better" or more privacy conscious.

                                                                                Between those two? I'd go with Cloudflare.

                                                                                He spoke about how encryption should be strong, and on by default.

                                                                                Agreed, like HTTPS. But as many DNS servers don't support DNSoverTLS or DNSoverHTTPS or other encrypted features yet (a pity), that comparison is flawed, as you send all traffic encrypted to e.g. Quad9 (sponsored by quite a few interesting parties...) and the Q9 servers, as forward target, then do the DNS resolving for you. So they know what you're searching for. If you do DNS resolving by yourself in pfSense via unbound, the unbound daemon resolves it from the root servers upwards to the authoritative DNS, so in essence asks exactly the right server who serves the domain for every call (and then caches it for your later use) instead of relying on a single source like Quad9 to do that (and know all DNS queries coming from you). That's why quite a few DNS folks out there found the hype of centralized DoT (DNSoverTLS) to be quite debatable.

                                                                                • RyanM
                                                                                  RyanM @Gertjan last edited by

                                                                                  @gertjan so it really depends on how much you trust the one handling your envelope/DNS request.

                                                                                  By your reasoning, what is stopping the postman from opening and reading your mail? Nothing, but it is a relatively easy measure to put in place that provides a reasonable level of protection/privacy, but not full protection/privacy. The same could be said about DNS providers. Find one that appears to be trustworthy and use DNS over TLS/SSL, and this will provide you with a reasonable level of protection/privacy for the effort involved.

                                                                                  The same could be said about VPN providers. Yes, it provides some level of privacy/protection in general, but the provider would still have the ability to see all of that data, and comes down to how trustworthy they are.

                                                                                  Is this fair/accurate?

                                                                                  @JeGr wait, so I want to make sure I follow what you were saying. So if I want to use DNS over TLS/SSL, I am running all of my lookup requests through 1 service, and they would have the ability to know what domains I am requesting. Correct? And it would just depend on how much I "trust" them with that data.

                                                                                  Conversely, it sounds like I could use unbound to lookup requests from the root servers. So the root servers would know what I am requesting from them, but not all of my queries. So they only see a piece of my traffic. Is that the idea?

                                                                                  • johnpoz
                                                                                    johnpoz LAYER 8 Global Moderator last edited by

                                                                                    @ryanm said in VPN blocked?:

                                                                                    t I am requesting from them, but not all of my queries. So they only see a piece of my traffic. Is that the idea?

                                                                                    If you do query minimization then yeah, that would be true... So you would only ask the ROOTs for the NS of the TLD you're looking for, say .com, then you would ask the .com NS "hey, I am looking for domain.com", and you would only ask the domain.com NS for host.domain.com.

                                                                                    Problem is that this sort of minimization breaks down and you will find that multiple things will fail to resolve.. Mostly because of oddball CNAME configurations for the domain, etc.

                                                                                    If you are sending DNS over TLS to some service - then yes, that service sees everything you ask for; you just handed them your surfing habits on a silver platter.. I am sure they are thankful ;)

                                                                                    And yes, your VPN provider is going to see everything as well.. The thing I don't get is how come you distrust the company you actually pay for service so much that you're willing to pay for some other service that, just because they say they don't log, you trust more?? Makes Zero Sense to Me!!!

                                                                                    If you're going to take this distrust model to its extreme - then you should only be using burner phones that you bought with cash.. And use of a CC is just plain out the window, because they see all your transactions. And to be honest you can not even go outside, because there are cameras everywhere, and more than likely you're paying tolls electronically as well..

                                                                                    Be it DoH or DoT, you should really understand exactly what it does before you go jumping on any such bandwagon, if you ask me.. Keep in mind that your HTTPS traffic doesn't hide where you are going either, because the domain you're going to is going to be in the SNI in the clear..

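The query sequence described in the post above (each server on the path asked only for the next label, versus every server getting the full name), as an added example that is not code from this thread, from pfSense or from unbound. The delegation tree, server names and lookup names are constructed sample data; the resolver logic is a simplified model with no caching and no CNAME handling, which is also why it cannot reproduce the oddball-CNAME failures mentioned above.

```python
"""Which name each DNS server sees, with and without QNAME minimisation.

Added example, not code from the forum thread, pfSense or unbound. ZONES is a
constructed delegation tree; the loop below is a simplified model of the
"reveal one label per server" idea (RFC 7816 style): no caching, no CNAMEs.
"""


# Constructed sample data: zone apex -> server authoritative for that zone.
# A real resolver learns these from NS records and glue; here they are fixed.
ZONES = {
    ".": "root-server",
    "com.": "com-tld-server",
    "domain.com.": "ns.domain.com.",
    "net.": "net-tld-server",
}


def suffix(qname: str, n: int) -> str:
    """Last n labels of a fully qualified name: suffix('a.b.c.', 2) -> 'b.c.'."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-n:]) + "."


def enclosing_zones(qname: str) -> list:
    """Zones from ZONES that contain qname, root first.
    'host.domain.com.' -> ['.', 'com.', 'domain.com.']"""
    parts = qname.rstrip(".").split(".")
    chain = [z for z in (suffix(qname, n) for n in range(1, len(parts) + 1)) if z in ZONES]
    if not chain:
        raise ValueError(f"no delegation for {qname} in the sample tree")
    return ["."] + chain


def query_sequence(qname: str, minimise: bool) -> list:
    """(server, name_sent) pairs in the order a resolver would send them."""
    chain = enclosing_zones(qname)
    sent = []
    for i, zone in enumerate(chain):
        server = ZONES[zone]
        if not minimise:
            # Classic behaviour: every server on the path gets the full name.
            sent.append((server, qname))
            continue
        # Minimised: reveal one more label at a time until the next delegation
        # point is reached (or the full name, at the last server on the path).
        target = chain[i + 1] if i + 1 < len(chain) else qname
        n = 0 if zone == "." else zone.count(".")
        name = None
        while name != target:
            n += 1
            name = suffix(qname, n)
            sent.append((server, name))
    return sent


def servers_seeing_full_name(qname: str, minimise: bool) -> set:
    """Which servers learn the complete name being looked up."""
    return {server for server, name in query_sequence(qname, minimise) if name == qname}


if __name__ == "__main__":
    for name in ("host.domain.com.", "www.sub.domain.com."):
        for minimise in (False, True):
            print(f"{name} minimise={minimise}")
            for server, sent_name in query_sequence(name, minimise):
                print(f"  {server:<16} <- {sent_name}")
```

For host.domain.com. only ns.domain.com. learns the full name when minimisation is on, while the root and .com servers learn it too when it is off. The second name shows the cost johnpoz alludes to: sub is not delegated in the sample tree, so the minimised resolver has to send an extra query to the same server before it gets to www.sub.domain.com.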
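The SNI point from the same post (and the earlier claim that TLS inside the tunnel keeps the destination private from the provider), as an added example that is not code from this thread or from pfSense. Python's ssl module is driven through memory BIOs so that OpenSSL emits a genuine ClientHello without any network access, and the record is then parsed by hand to pull out the server_name extension. The hostnames used are constructed values, not real targets.

```python
"""Pull the server name out of a real TLS ClientHello to show it is in the clear.

Added example, not from the forum thread or pfSense. OpenSSL (via Python's ssl
module and memory BIOs) produces the ClientHello offline; the parser below
walks the record and returns the server_name (SNI, extension type 0).
Hostnames are constructed sample values.
"""
import ssl
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Raw TLS record OpenSSL would send first for this hostname.
    With hostname=None the SNI extension is simply not sent."""
    ctx = ssl.create_default_context()
    if hostname is None:
        ctx.check_hostname = False  # the ssl module insists on this when no name is given
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is written; OpenSSL now waits for a ServerHello we never feed it
    return outgoing.read()


def _u16(buf: bytes, pos: int) -> int:
    return int.from_bytes(buf[pos:pos + 2], "big")


def extract_sni(record: bytes) -> Optional[str]:
    """Parse one handshake record; return the SNI host name or None if absent."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                       # legacy_version + random
    pos += 1 + body[pos]               # legacy_session_id
    pos += 2 + _u16(body, pos)         # cipher_suites
    pos += 1 + body[pos]               # legacy_compression_methods
    if pos >= len(body):
        return None                    # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0:
            continue
        # ServerNameList: list_length(2), then name_type(1) name_length(2) name
        p = 2
        while p + 3 <= len(data):
            name_type, name_len = data[p], _u16(data, p + 1)
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:         # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("forum.example.test")
    print(len(hello), "bytes on the wire, host name visible:", extract_sni(hello))
    print("without SNI:", extract_sni(build_client_hello(None)))
```

Whoever sees the first packet of the connection gets the same string back: the ISP when there is no VPN, the VPN provider at the tunnel exit when there is one. The tunnel changes who that observer is, not whether the destination name is readable.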