Can You Trust Your VPN Provider…?

Discussion in 'privacy technology' started by lotuseclat79, Oct 2, 2013.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It may be true for AirVPN, but I haven't checked. With pfSense, I have a firewall on my VPNs, just like you (I trust) have a firewall on your ISP connection. BolehVPN used to let you choose whether to have ports open (aka forwarded to the exit server) or closed, but I don't see that now on their services page. You could ask their support.

    Privacy-centric providers like Cryptohippie and iVPN have all ports closed, and no provision (as far as I know) for opening them. Xerobank (RIP) did too. Mullvad has ports closed by default, but lets you open selected ports.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, so it varies by server? Is that documented somewhere for BolehVPN? And for AirVPN?
     
  3. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    is there any info on boleh's website/forums specifying on which servers the ports are open/closed? or should we try and find out for ourselves with each server?
     
    Last edited: Oct 16, 2013
  4. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    yes, i do have a fw. :thumb:


    i'm not a file-sharer, i hardly need an open port for that matters. so i might consider subscribing to cryptohippie. but i don't see any info on their website about subscription plans. isn't this the url of their website? http://cryptohippie.com/index.php

    aamof, i'll be using vpn service mostly (99.9% of time) for s-hd us/uk web streaming (hulu, netflix, etc). in this case, dns leak or occasional connection drops wouldn't be a serious issue for me. at the end of the day, i won't be using vpn service for privacy or secrecy. only, open ports would impose a security risk for me. right?

    i could even go for hma. :p

    in this case, which vpn service provider would be the best bet for me among previously mentioned ones? (for hulu, netflix, etc.)
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I'd say try AirVPN, BolehVPN and Mullvad, and see which is fastest for you.

    Do use a firewall :)
     
  6. Fawkesguy

    Fawkesguy Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    42
    Regarding ports - with AirVPN, you can select up to twenty ports for forwarding. You pick available ports, and they are reserved for you. Otherwise, nothing is forwarded. I do not file share, but I have a few webcams and two servers on my local network that I need to access from the Internet. On the AirVPN web-based control panel, I have five ports reserved. When you select them, you can choose UDP, TCP, or both. The ports you reserve follow you to whichever VPN server you select. It's very flexible, and very secure, because you choose exactly what gets through to you.

    As for disconnects - personally, I have never experienced what Taliscicero has described. My connection to their servers has been rock-solid. However, I do not use their client software. I use DD-WRT and my network is secured via its firewall. No DNS or IP leaks. Having a firewall means I can choose any VPN provider and I only need to change certificates, keys, VPN server IP address, and a few other options. I like that flexibility. I'm not tied to anybody's client software. Taliscicero has had issues with Air's client software "secretly" disconnecting. Again, I can't comment as I don't use anybody's client software. If their client software is behaving as he describes, that is unacceptable and needs to be corrected ASAP.

    However, Taliscicero has flat out accused AirVPN of being incompetent liars. He is certainly welcome to his opinion. I disagree with it. In my opinion, AirVPN works incredibly well, is fast, is completely transparent about their capacity, server status, number of users per server, and their policies. The people who run Air seem totally committed to providing a reliable, secure service (but it is certainly possible they need to fix their client software). There have been instances where data centers have questioned them regarding the types of traffic traversing their servers, and Air has yanked those servers immediately. They even share their correspondence with said data centers to show that they stand up for what they believe in. Bottom line - I'm a happy customer, and I trust them.

    I've tried Boleh, and functionally, I see no difference. Again, for me, switching to Boleh (or anyone else) just means some configuration changes in DD-WRT and I'm off and running. Boleh seems nice and fast, and I like their policies and customer service as well.
     
  7. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I portscanned their servers manually.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    All that tells you is that they have those ports open, potentially for anyone who selects them. It says nothing about what ports from your client are forwarded.

    Right?
     
  9. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    thank you. i'll give boleh a try. mullvad is not an option for me for they have no uk servers.
    best regards
     
    Last edited: Oct 21, 2013
  10. Fawkesguy

    Fawkesguy Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    42
    Of course.

    I like how Air allows you to reserve specific ports.

    When I wrote to Boleh to ask them about how many ports I could choose for forwarding and if they were reserved for specific users, their answer was:

    Chris, Oct 05 14:19 (MYT)

    Give the FullyRouted Luxembourg, Sweden and Swiss servers a try. Only these have all ports 1024-65536 open.
    If you have any further questions then please just reply to re-open the ticket.

    Yours faithfully, BolehVPN Support Team
     
  11. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    it seems so, and security-wise, that sounds no good. :thumbd:
     
  12. Fawkesguy

    Fawkesguy Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    42
    Same goes for Boleh, see my post above. They basically said "Sure just pick any port, they're all open."

    And THAT is why you use a firewall and YOU control what enters your network and what doesn't.
     
  13. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    all ports open? oh my. that's not any good now, is it?
     
  14. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    so with air, if you choose to have no open ports and keep all closed, the connection between you and air will have no holes then, right?
    if so, is it possible for someone to open any one of those reserved ports whenever they want to and close them after they're done with them?
    did i get that right? you reserve some ports on servers but they remain closed. and whenever you need them to be open, you forward those specific ports, and after you're done with them, you close those ports?
    but even if it's like that, how about the ports opened by other users? would they affect the connection between you and air servers?
     
  15. Fawkesguy

    Fawkesguy Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    42
    Sure, it's no issue at all. I use a firewall. :D

    How else do you think you'd be able to access anything on your network if you run a server?
     
  16. Fawkesguy

    Fawkesguy Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    42
    It won't have any ports forwarded to you. But regardless, you should use a firewall. And if you need or want ports forwarded to you, YOU control where those packets end up on your network.
     
  17. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    sorry, my bad. now i get what you mean. :thumb:
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Just to be clear, the direct security threat from having all ports open on a VPN exit server is to the VPN server itself. If the route from the VPN server to clients is firewalled by default, traffic initiated from the VPN exit server (or beyond) will be blocked. That's basically the same situation that you're in with an ISP that has no forwarded ports. For ISPs, as I understand it, the goal is preventing customers from running servers. With business accounts, you get static IP and all ports forwarded, so you definitely need a firewall, just as you need a firewall when you have ports forwarded to VPN exit servers.
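
Added example, not part of any post in this thread: a sketch of the setup the posters describe, where a router-side firewall lets through only the ports reserved with the VPN provider and drops everything else that arrives over the tunnel. It assumes a Linux router using iptables and a tunnel interface named tun0; the function name, ports and LAN addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) iptables rules for
# a router whose VPN tunnel interface is $1. Replies to outbound traffic are
# allowed, each reserved port goes to exactly one LAN host, the rest is dropped.
# Remaining arguments: proto:port:lan_ip:lan_port (hypothetical spec format).
# Usage: vpn_fw_rules tun0 tcp:40001:192.168.1.20:8080
vpn_fw_rules() {
    tun=$1; shift
    nl='
'
    rules="iptables -A INPUT -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    rules="$rules${nl}iptables -A FORWARD -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for spec in "$@"; do
        IFS=: read -r proto port lan_ip lan_port <<EOF
$spec
EOF
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        [ -n "$lan_ip" ] || { echo "missing LAN address in '$spec'" >&2; return 1; }
        for p in "$port" "$lan_port"; do
            case $p in
                # empty, non-numeric, or six or more digits
                ''|*[!0-9]*|??????*) echo "bad port in '$spec'" >&2; return 1 ;;
            esac
            if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                echo "port out of range in '$spec'" >&2; return 1
            fi
        done
        # Rewrite the destination, then accept exactly that flow and no other.
        rules="$rules${nl}iptables -t nat -A PREROUTING -i $tun -p $proto --dport $port -j DNAT --to-destination $lan_ip:$lan_port"
        rules="$rules${nl}iptables -A FORWARD -i $tun -p $proto -d $lan_ip --dport $lan_port -j ACCEPT"
    done
    # Default for the tunnel: nothing unsolicited reaches the router or the LAN,
    # whatever the provider leaves open on its exit server.
    rules="$rules${nl}iptables -A INPUT -i $tun -j DROP"
    rules="$rules${nl}iptables -A FORWARD -i $tun -j DROP"
    printf '%s\n' "$rules"
}
```

Called with no port specs, it emits only the accept-replies and drop rules, which is the "no ports forwarded, but still firewalled" case discussed in the thread.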
     
  19. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    but wouldn't it impose a security risk on our connection with that server at the end of the day? like exposing us to mitm attacks or similar?
    sorry if i'm outa context here.
    i'm just trying to clarify things for myself.
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, if you're in the business of providing open ports for users that are torrenting, you must have them open. That may be why the more privacy/security-focused VPNs don't enable port forwarding. It's to protect their servers, not necessarily their customers.

    @Taliscicero

    Would you mind scanning iVPN's servers and telling us which ports are open? They don't enable port forwarding, as far as I know.
     
  21. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I already have before. I believe only port 22 is open and the rest closed from what I remember, and no port forwarding. I was getting terrible speeds with iVPN so much so I had to cancel my account, iVPN kinda tried to help but not really and anything I did on my end did not work. I was only getting 2-3/Mbps down with iVPN over UDP. I thought it was my problem until BolehVPN gave 20+/Mbps UDP speeds. iVPN is very short staffed, only one person and all they said was change the MTU size which did nothing, they had no idea other than that. I was lucky they were nice enough to refund me and did not complain. I do think the support is very lacking though and they made promises of a new client to stop leaks about 8 months ago and every time the deadline comes no new client. I have a feeling that iVPN is owned by only one or two guys, I have only even seen or spoken to one of them.

    It's not a risk, just use a firewall. Its only risk is slightly less theoretical server security if the admin has not set up the servers correctly which they have, and you benefit from more speeds. BolehVPN also has servers like the Netherlands ones who have the ports blocked and not open.
     
  22. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    :p



    thanks for the clarification. btw, when you and mirimir say firewall, it's firewall software you're referring to, right?
    because, afair, vpn connections create a tunnel between the server and you which bypasses your router's fw, which is a requirement for vpn's to do their work. right?
     
  23. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I think Mirimir uses pfSense. I myself use GDATA firewall on default maximum automatic firewall configuration. I use GDATA for its firewall because it has very strong rules on maximum without me having to constantly deal with pop-ups. You can use any software firewall though, as long as it detects attacks and stealths your ports.
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I'm starting to like OpenWRT. It's much lighter. And the webGUI (luci) seems usable.
     
  25. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    so it's not a good idea to use router's fw only.
    a software fw is a must with vpn's, right?
     