Netgate Discussion Forum

    VPN blocked?

    • GertjanG
      Gertjan @tagit446
      last edited by Gertjan

      @tagit446 said in VPN blocked?:

      The VPN encrypts my connection

      I do not want to add another brick to the "why a VPN" wall, but I would like to add:
      Today, nearly all sites (mail, ssh, etc.) use SSL/TLS by default, so the end-to-end privacy is taken care of out of the box.
      What remains is the "having another IP" advantage. That's up to you ....

      Drop by this forum when it gets hit - as it did in the recent past - by these 'foreign language' spammers. The entire forum was getting spammed with dozens of messages, nearly every week, or more often.
      These days I haven't seen them any more (or the admins have become very, very reactive!).
      You, @bafonso, showed that there are side effects for some of us.
      One thing is pretty sure: you are using the same VPN as spammers - here, or somewhere else - did. Not your fault, these things happen ;)

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • RyanMR
        RyanM
        last edited by

        Ok, this thread has kind of gone all over the place. I will record my VPN IP address next time I can't connect. I am reasonably sure the VPN IP was blocked since clicking the "restart" icon on VPN until I can connect works. Sometimes I have to restart once, other times it takes 5 or 6 times and then I can connect.

        I am using PIA.

        In response to "why VPN traffic to pfSense/Netgate?", because I VPN all of my traffic by default. I do have bypass rules for Netflix and AWS, and yes I could add a bypass for pfSense/Netgate, but I figured I would ask about the blocking before adding a bypass rule.

        Maybe I am being paranoid, but I don't trust websites to not track me. This is partially about my ISP, and partially about trackers on the internet. A large part of the reason I set up a pfSense router was to VPN most of my traffic.

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          @ryanm said in VPN blocked?:

          but I don't trust websites to not track me

          You think the only way they track you is via your IP?? hehehhee how cute ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • RicoR
            Rico LAYER 8 Rebel Alliance
            last edited by

            You trust some random VPN provider more than your ISP? You should change your ISP then...

            -Rico

            • RyanMR
              RyanM
              last edited by

              @johnpoz a VPN is just part of the solution. I also use a couple of browser extensions to attempt to block tracking, and make use of incognito/private browsing fairly regularly. I would be interested in hearing any other recommendations on how to protect my privacy online.

              @Rico I don't have many options in my area, and for the most part I do trust my ISP but I don't see what the downside to using a VPN is other than cost. My understanding is that PIA is a reasonably well-respected VPN provider, but if I am misinformed, I would love to hear more.

              • RicoR
                Rico LAYER 8 Rebel Alliance
                last edited by

                The downside is, your VPN provider has all the keys to decrypt your whole traffic if he wants to.

                -Rico

                • GertjanG
                  Gertjan @Rico
                  last edited by Gertjan

                  @rico said in VPN blocked?:

                  The downside is, your VPN provider has all the keys to decrypt your whole traffic if he wants to.

                  -Rico

                  Well: the VPN will decrypt the entire tunnel, that's for sure. They have to ☺
                  But all SSL traffic inside the tunnel will stay safe. Most site traffic - web browsing and mail - is safe these days. And if you insist, DNS can be made safe as well, which means you decide who sees your DNS traffic.

                  • RyanMR
                    RyanM
                    last edited by

                    @Gertjan I don't want to get too far off topic, but can you point me at a resource to read about making DNS safe? This is around SSL encrypted requests to your DNS provider correct? I moved to using CloudFlare's DNS (1.1.1.1 and 1.0.0.1) in my pfSense configuration. Is there a way to force the SSL version on pfSense?

                    • RyanMR
                      RyanM
                      last edited by

                      Here is an IP that appears to be blocked: 91.207.175.100

                      FWIW, I am connecting to the PIA US-California instance (us-california.privateinternetaccess.com:1198). In my experience, this instance seems to not be blocked on as many sites (e.g. Macys.com, Craigslist.org, etc.).

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        @ryanm said in VPN blocked?:

                        91.207.175.100

                        http://stopforumspam.com/ipcheck/91.207.175.100

                        Blocked!
                        You sure that is supposed to be US? It shows as Romania on that site.. But it's also on a shit ton of other blacklists as well!

                        To be honest, how do people think that the shared IPs they get using some VPN are not going to be blocked all over the net... Since people just do shit while on them, since they think they are hiding ;)

                        • RyanMR
                          RyanM
                          last edited by

                          Thank you for checking @johnpoz. Should I bother with trying to get it unblocked? Or just continue to "restart" the VPN client until I get an IP that is not blocked?

                          I think the IP address is owned by a European company called M247 Europe SRL; I am not sure why that site is showing it as Romania. However, the location of the VPN IP shows up as Los Angeles, CA, and this is in line with the latency I see to servers in that area and with geolocation-type services (e.g. Google Maps, Weather.com, etc.).

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Their abuse email is to m247.ro

                            It's a RIPE-controlled IP space..

                            Dude, it's on WAY more than just the spam database - look it up, it's on a LOT of blacklists..

                            If you want to route your traffic through a VPN that is up to you - just policy route so that going to pfSense is just off your WAN and then you will be fine.

                            • RyanMR
                              RyanM
                              last edited by

                              Yeah, I think you are right. I will probably just start adding rules to route traffic through WAN when it is blocked. Thanks.

                              • A
                                andrew528
                                last edited by

                                you interested me

                                • JeGrJ
                                  JeGr LAYER 8 Moderator @RyanM
                                  last edited by

                                  @ryanm said in VPN blocked?:

                                  @Gertjan I don't want to get too far off topic, but can you point me at a resource to read about making DNS safe? This is around SSL encrypted requests to your DNS provider correct? I moved to using CloudFlare's DNS (1.1.1.1 and 1.0.0.1) in my pfSense configuration. Is there a way to force the SSL version on pfSense?

                                  You know that pfSense 2.4.4+ already has a configuration option for DNS over TLS?
                                  -> Services / DNS Resolver
                                  => Use SSL/TLS for outgoing DNS Queries to Forwarding Servers

                                  After setting that, the DNS servers configured in System / General will be used for DNS over TLS via port 853.

                                  But that adds the problem/discussion about having too much traffic / too many services centralized, giving those (few) companies (too?) much power. Especially as - on their end - they could actually look at what you're asking via their service (as the traffic leaves their hosts/network). Same with a VPN. You connect safely to their servers, but from there it goes to your target location. So the VPN provider could log/track you, too. It all boils down to trust and whether centralized services are really that much better than decentralized approaches (DNS resolving instead of forwarding).

                                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                  • RyanMR
                                    RyanM @JeGr
                                    last edited by

                                    @jegr thank you. Yes, I had found this setting and enabled it. I also moved from CloudFlare to Quad9. Not sure who is really "better" or more privacy conscious.

                                    It is not that I have anything to hide, but I also have no reason to share either.

                                    I remember hearing an innovator speak on privacy & security. He spoke about how encryption should be strong, and on by default. He mentioned how some could make the argument "Why do you need to encrypt? What do you have to hide?", but he likened it to traditional mail. If you send a letter in an envelope, no one asks "Why do you need to put that letter in an envelope? What are you trying to hide?" because it has become the default and is not considered divergent behavior.

                                    I would be very interested in a blog series or forum threads specific to security. Am I overlooking something that already exists?

                                    • GertjanG
                                      Gertjan @RyanM
                                      last edited by

                                      @ryanm said in VPN blocked?:

                                      "Why do you need to put that letter in an envelope?

                                      With the difference that you send all your letters in envelopes to one identified intermediate facility that knows very well who you are; they have your return address. This facility opens your envelope and reads it all out loud, with the world as its audience.
                                      Remember, after Quad9 or comparable, if not cached, root servers, TLD servers and domain servers are still questioned as before.
                                      Think about it: the data path didn't change much. But in this case you're being served by a company that pays taxes. The classic path serves you with an infrastructure (root servers) being financed by your taxes.
                                      As with the classic postal services: the local path, the postman who walks just in front of your door, is being removed from the equation. It's the guy you probably already know - and the other way around.

                                      • JeGrJ
                                        JeGr LAYER 8 Moderator @RyanM
                                        last edited by

                                        I also moved from CloudFlare to Quad9. Not sure who is really "better" or more privacy conscious.

                                        Between those two? I'd go with Cloudflare.

                                        He spoke about how encryption should be strong, and on by default.

                                        Agreed, like HTTPS. But as many DNS servers don't support DNSoverTLS or DNSoverHTTPS or other encrypted features yet (a pity), that comparison is flawed, as you send all traffic encrypted to e.g. Quad9 (sponsored by quite a few interesting parties...) and the Q9 servers, as forward target, then do the DNS resolving for you. So they know what you're searching. If you do DNS resolving by yourself in pfSense via unbound, the unbound daemon resolves it from the root servers upwards to the authoritative DNS, so in essence it asks exactly the right server that serves the domain for every call (and then caches it for your later use) instead of relying on a single source like Quad9 to do that (and know all DNS queries coming from you). That's why quite a few DNS folks out there found the hype of centralized DoT (DNSoverTLS) to be quite debatable.

                                        • RyanMR
                                          RyanM @Gertjan
                                          last edited by

                                          @gertjan so it really depends on how much you trust the one handling your envelope/DNS request.

                                          By your reasoning, what is stopping the postman from opening and reading your mail? Nothing, but it is a relatively easy measure to put in place that provides a reasonable level of protection/privacy, but not full protection/privacy. The same could be said about DNS providers. Find one that appears to be trustworthy and use DNS over TLS/SSL, and this will provide you with a reasonable level of protection/privacy for the effort involved.

                                          The same could be said about VPN providers. Yes, it provides some level of privacy/protection in general, but the provider would still have the ability to see all of that data, and comes down to how trustworthy they are.

                                          Is this fair/accurate?

                                          @JeGr wait, so I want to make sure I follow what you were saying. So if I want to use DNS over TLS/SSL, I am running all of my lookup requests through 1 service, and they would have the ability to know what domains I am requesting. Correct? And it would just depend on how much I "trust" them with that data.

                                          Conversely, it sounds like I could use unbound to lookup requests from the root servers. So the root servers would know what I am requesting from them, but not all of my queries. So they only see a piece of my traffic. Is that the idea?

                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by

                                            @ryanm said in VPN blocked?:

                                            t I am requesting from them, but not all of my queries. So they only see a piece of my traffic. Is that the idea?

                                            If you do query minimization then yeah, that would be true... So you would only ask the ROOTs for the NS of the TLD you're looking for, say .com, then you would ask the .com NS "hey, I am looking for domain.com", and you would only ask the domain.com NS for host.domain.com.

                                            Problem is that this sort of minimization breaks down and you will find that multiple things will fail to resolve.. Mostly because of oddball CNAME configurations for the domain, etc.

                                            If you are sending DNS over TLS to some service - then yes, that service sees everything you ask for; you just handed them your surfing habits on a silver platter.. I am sure they are thankful ;)

                                            And yes, your VPN provider is going to see everything as well.. The thing I don't get is how come you distrust the company you actually pay for service so much that you're willing to pay for some other service and, just because they say they don't log, you trust them more?? Makes Zero Sense to Me!!!

                                            If you're going to take this distrust model to its extreme - then you should only be using burner phones that you bought with cash.. And use of a CC is just plain out the window because they see all your transactions. And to be honest you can not even go outside because there are cameras everywhere, and more than likely you're paying tolls electronically as well..

                                            Be it DoH or DoT, you should really understand it exactly before you go jumping on any such bandwagon, if you ask me.. Keep in mind that your HTTPS traffic doesn't hide where you are going either, because the domain you're going to is going to be in the SNI in the clear..

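johnpoz's closing point, that the destination hostname sits in the TLS SNI in the clear even when the rest of the session is encrypted, can be checked offline. The following is an added Python example, not code from this thread or from pfSense: it captures the ClientHello that Python's own TLS stack would send for a hostname (no network involved; the handshake is driven through memory BIOs and stalls right after the ClientHello is written) and then parses the server_name extension out of the raw record, which is exactly what an ISP or a VPN provider terminating the tunnel can read on the wire. The hostnames used are constructed sample values.

```python
import ssl
from typing import Optional


def capture_client_hello(hostname: str) -> bytes:
    """Produce the TLS ClientHello a client would send for `hostname`, offline.

    Driving the handshake through memory BIOs writes the ClientHello into
    `outgoing`, then stalls waiting for a server reply that never comes.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nothing has answered yet
    return outgoing.read()


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Parse one TLS record holding a ClientHello and return the SNI host_name.

    Layout (RFC 5246 / RFC 6066): record header, handshake header, version,
    random, session id, cipher suites, compression methods, extensions.
    """
    if len(client_hello) < 6 or client_hello[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(client_hello[3:5], "big")
    hs = client_hello[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_end = 4 + int.from_bytes(hs[1:4], "big")
    p = 4 + 2 + 32                                   # skip version + random
    p += 1 + hs[p]                                   # session id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher suites
    p += 1 + hs[p]                                   # compression methods
    if p + 2 > hs_end:
        return None                                  # no extensions at all
    ext_end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        ext_type = int.from_bytes(hs[p:p + 2], "big")
        ext_len = int.from_bytes(hs[p + 2:p + 4], "big")
        data = hs[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != 0:                            # type 0 = server_name
            continue
        q = 2                                        # skip server_name_list length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = int.from_bytes(data[q + 1:q + 3], "big")
            if name_type == 0:                       # name_type 0 = host_name
                return data[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
    return None


def sni_seen_on_path(hostname: str) -> Optional[str]:
    """What an on-path observer (ISP, VPN provider) reads from the ClientHello."""
    return extract_sni(capture_client_hello(hostname))


if __name__ == "__main__":
    host = "www.example.com"  # constructed sample destination
    print(f"SNI visible in the clear: {sni_seen_on_path(host)!r}")
```

Whoever terminates the tunnel (the VPN provider) or forwards the packets (the ISP) sees this field regardless of whether DNS went over TLS, so DoT alone does not hide the sites you visit from them.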