Inside a VPN service: How NordVPN conducts the business of Internet privacy https://www.zdnet.com/article/insid...pn-conducts-the-business-of-internet-privacy/
I used NordVpn for awhile, until I found that it bypasses (ignores) Windows firewall rules I have created. This was a "kill the app" moment for me. I switched to Mullvad which is super.
Yes. VPN use is a classical example of privacy vs. security. Many still don't fully understand that a VPN in essence creates a secure tunnel connection between the VPN servers and the end device. As such, any local device firewall and its corresponding rules are bypassed. When you use a VPN you are 100% reliant upon the VPN in determination of the safety of network communication arriving at your device. The primary purpose of VPN communication was to secure Wi-Fi communication as noted in this CNET article: https://www.cnet.com/news/how-what3words-pinpoints-every-spot-on-earth-for-better-navigation-q-a/
Huh? It ignores Windows Firewall rules? Did you specifically create rules for the new VPN tunnel network?
That's not exactly true. It's not that the firewall is ignored. It's just that any existing rules on the LAN interface will be ignored. Because, except for the connection with the VPN server, all traffic is now using the VPN tunnel network. And if you want rules on that, you must create them.
Yes. I was rather shocked to find things connecting out that had a WF block rule. Emailed Nord support and got this response: "This is an expected behavior because our while you are connecting through VPN, it is setting our own firewall rules to avoid any possible security leaks." So I tried Perfect Privacy which is nice but expensive. Then Mullvad which is really good and now has many more servers. Mullvad (and PP) honors my WF rules. Also, Nord uses virtual servers but Mullvad uses physical servers. Not sure of the difference but from my research physical is better?
Did your WF block rules apply only to (for example) home networks? If the VPN tunnel got created as a public network, those WF block rules wouldn't apply to it. Hmmm. That might just reflect how their client modifies WF. Maybe Mullvad and PP use their own firewalls, and don't mess with WF. Or maybe they just tweak WF more delicately. It'd be interesting to hear whether AirVPN and IVPN clients honor your WF rules. It's always more secure to use dedicated/physical servers, instead of VPS. But it's also a lot more expensive. That's why VPN services that use only dedicated/physical servers tend to have less locations. Logging everything in VPS is trivial for hosting providers. But logging network traffic for dedicated/physical servers is also trivial for hosting providers. That includes IP addresses of users and destination Internet sites, and any content that's not end-to-end encrypted (that is, not HTTPS or TLS). But some aspects of user traffic would be much harder to log from dedicated/physical servers. Data modification would also be lots harder.
No, the rules were for all types of access. I use WFC to create rules. The first time I really noticed this behavior from Nord was when I clicked on the Windows Store (Windows 10) and was connected. Looked at my rules and my block rule was still in place. Turned Nord off and rule worked (Store blocked), Nord back on and rule ineffective. Started watching with TCPview and none of my block rules were being enforced with Nord. PP did some strange things to the firewall rules, but it did uphold my block rules. Mullvad acts as though it completely honors the Windows firewall and the allow/block rules I have created with WFC. This. NordVPN is relatively inexpensive. PP is very expensive and Mullvad about in the middle. Never tried Air or IVPN, I am quite happy with Mullvad and am not looking for more adventures in VPN land
Actually there is a thread on VPN security here: https://www.wilderssecurity.com/threads/vpn-services-and-its-security.400145/page-2 -EDIT- The most secure VPN of 2018: top picks for the best encryption: https://www.techradar.com/news/the-most-secure-vpns-of-2018-top-picks-for-the-best-encryption
As far as firewall bypass via a VPN connection, its primarily in regards to your router's firewall. Most routers have a feature called "VPN Pass Through" that applies to IPSec, PPTP and L2TP network traffic. In essence, a tunnel is created to allow all such traffic to flow in and out of the router unimpeded. This means router security features such as NAT and statefull inspection along with any existing firewall rules are not being applied. In essence, your router is functioning in bridged mode. Since your router's firewall and its additional security features are not longer functional, you primary defense against network born external threats are disabled. Again, you are 100% reliant on your VPN provider for this protection.
Yes, of course, the perimeter router/firewall must allow the VPN connection. All it can do is allow or block. Because the VPN connection is encrypted. But there should also be a firewall on whatever device is running the VPN client. If you're using pfSense VMs, you create rules there. If you're running the VPN client in your machine or VM, you create firewall rules there. In Linux, iptables. Or in Windows, the built-in firewall. Most importantly, you generally allow only input that's part of established connections. Unless you open ports for servers. You block malformed packets. And you may allow output only for some apps. For example, if you're using Tor, you allow only traffic from the Tor process. So no, you are not "100% reliant on your VPN provider for this protection". It's your machine, and you get to say.
Yes, for extra security it is best to have 2 VMs and host OS (or 3 VMs). One for VPN client, second for OS actually used behind VPN. Host OS is routing and firewalling traffic between first and second VM. Provided you have some more money to spend on devices: 1st router as VPN client, second as router and firewall and there you connect end-points.
Yes, hardware is best. You can do it all with VMs. But there's always the risk of guest-to-host breakouts. Sometimes I split nested VPN chains across two host machines. The end of the chain and workspace VM are isolated. So a guest-to-host breakout can't take down everything. And my VM hosts are all old, bought used. Just maxed with RAM and updated with SSDs. So hardware isolation doesn't cost all that much.
Unlike you (and everyone else here?) I read the article in #3 I realize you were in a rush to promote your favourite VPN provider (perhaps you work for them?) but try not make stuff up on a security forum.
Nope never read it. Published yesterday, really? That's a nice statement about the servers, glad to see it. Sure, I like Mullvad and would recommend them. NordVPN, not with windows 10 because of the Windows firewall issue.
Your post was a direct response to it..... The article was #3 and your response was #4. #2 was over 2 months ago =P
Sure, they say that they "rent dedicated, bare-metal servers from carefully selected server providers". But they don't say that they rent "4,205 servers in 62 countries". And it's a certainty that, if they did, they'd be charging a lot more than a few USD per month. If they really are using dedicated servers, I'm betting that those servers have numerous IP addresses, which use routing tricks to geolocate in those 62 countries. It's not hard to test for that. You just ping each server IP from numerous places, using such services as https://ping.pe/ and https://asm.ca.com/en/ping.php [0] 0) https://www.ivpn.net/privacy-guides/how-to-verify-physical-locations-of-internet-servers
Yep. There is a reason the top 5 services via the ratings "we" here have given earned their positions. Standing among our serious privacy and security advocates is not handed out without examination. Lots of services just stamp VPN on their "contraption" and casual users feel all protected and secure. Quite a mistake if you operate in a world where you need what you think you are getting (but you aren't really).
I used NordVPN for a year (until february this year) But just for the sake of it (and I am a nerd) I ended subscription to try another, PrivateVPN. NordVPN is quite nice with a decent price. I found it keeping most of what it promised. I payed by bitcoin. I have a 300/100 MBit cable at home, I had 200Mbit or more down and at least 50Mbit up every time I checked. Never crawled. They have alot of servers in most of the countries. The mobile app worked nicely abroad on vacation in my phone (France, Great Brittain and South Africa) Not a glitch, perfect on airports. It has some nice features like double VPN. Didnt try the P2P feature though. But, worked so and so with US Netflix (I live in Sweden). Got the connection but it took a long time to load the page and so did loading movies and the quality shifted often and on some occasion the signal was lost. Not very happy about that. I noticed that my new VPN is much more reliable and much more consistent when it came to good picture quality, and loaded the login and movies faster. But if Netflix is not the deal breaker i can recommend it.
Supposedly. If they're really dedicated servers, that seems very unlikely. Because of how much it would cost.
NordVPN Responds to Privacy Sensitive Allegations August 30, 2018 https://torrentfreak.com/nordvpn-responds-to-privacy-sensitive-allegations-180830/
Trusting in someone , or anyone , for that matter for your online privacy is not a good idea. Just assume everything you do, at all times, is not private. I mean the only use, I mean the only use, for a VPN , is to have automatic HTTPS protection for all your internet connections. But since most websites that you send confidential info to a server and from your computer and ISP already have https enabled, why bother with a VPN? The only other reason to use a VPN is to access content online, that you couldn't otherwise access in your country, but if something is already being censored by your government, wouldn't that imply it is already illegal? And therefore not something you should be prying yourself in?
Every single post I've read today from you (17) has been negative. Why talk if you have nothing of substance to add?
