Perfect Privacy has revealed a vulnerability dubbed “Port Fail” that allows an attacker to reveal a person’s true IP address where the VPN provider has port forwarding enabled. This affected some of the largest VPN providers in the world, including Ovpn.to, nVPN, and Private Internet Access (PIA). We would like to assure our customers that this is not a problem with our particular setup.
First of all, for the vast majority of our servers we use a shared IP system with port forwarding disabled. Although this raised some complaints from users who wanted ‘open port’ status, we decided, in the interests of security, to keep it locked down for most of our configurations. With this latest vulnerability, it appears that our ‘paranoia’ was justified.
To cater to those who required open port status, we maintained our Fully Routed Luxembourg Dedicated IP configurations, which allow port forwarding; however, the method we used to implement it is not subject to the Port Fail vulnerability. In this configuration, each user is automatically assigned a dedicated IP via DHCP that is used only by that user for the duration of the session (but is recyclable afterwards). A range of ports is open for each IP and can therefore be forwarded directly to the user. Because each user is on their own dedicated IP, the vulnerability does not work: Port Fail requires the attacker to be on the same IP as the target. Furthermore, communications between clients are blocked in our firewall, and we are performing additional checks to ensure this.
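To make the “same IP” requirement concrete, here is an added example (not BolehVPN’s code) that models the routing decision behind Port Fail: a VPN client keeps a host route to the VPN server’s address via its physical interface, so a connection to a forwarded port on that same address leaves through the real interface. All addresses are constructed RFC 5737 documentation values, and the dedicated-IP case assumes each user’s forwarded ports sit on an address different from the endpoint the victim’s client connects to.

```python
import ipaddress

# Toy model of a VPN client's routing table after connecting.
# Each entry: (prefix, egress interface, source address used on that interface).
def client_routes(real_ip, vpn_server_ip, tunnel_ip):
    return [
        ("0.0.0.0/0",           "eth0", real_ip),    # ISP default route
        ("0.0.0.0/1",           "tun0", tunnel_ip),  # two /1 routes beat the /0 default...
        ("128.0.0.0/1",         "tun0", tunnel_ip),  # ...and push all traffic into the tunnel
        (vpn_server_ip + "/32", "eth0", real_ip),    # host route so the tunnel can reach the server
    ]

def pick_egress(routes, dst):
    """Longest-prefix match: returns (interface, source address) used to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return best[1], best[2]

def leaks_real_ip(real_ip, vpn_server_ip, tunnel_ip, forwarded_port_ip):
    """True if a connection to another user's forwarded port would leave via the
    physical NIC and therefore carry the real IP (the Port Fail condition)."""
    iface, src = pick_egress(client_routes(real_ip, vpn_server_ip, tunnel_ip), forwarded_port_ip)
    return iface == "eth0" and src == real_ip

def inter_client_blocked(src_ip, dst_ip, client_pool):
    """Firewall policy described in the post: drop traffic between two VPN clients.
    client_pool is the range of per-user dedicated IPs (constructed value here)."""
    pool = ipaddress.ip_network(client_pool)
    return ipaddress.ip_address(src_ip) in pool and ipaddress.ip_address(dst_ip) in pool

if __name__ == "__main__":
    # Shared exit IP: the forwarded port is on the very address the victim has a
    # host route for, so the connection bypasses the tunnel entirely.
    print(leaks_real_ip("198.51.100.5", "203.0.113.10", "10.8.0.6", "203.0.113.10"))  # True
    # Dedicated IP per user: the forwarded port is on another address, so the
    # victim's packets take the tun0 route and carry only the tunnel address.
    print(leaks_real_ip("198.51.100.5", "203.0.113.10", "10.8.0.6", "203.0.113.77"))  # False
    # Even that tunnelled connection is dropped when both ends are VPN clients.
    print(inter_client_blocked("203.0.113.23", "203.0.113.77", "203.0.113.0/24"))    # True
```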
However, there is a drawback to our Fully Routed Luxembourg Dedicated IP approach: for any particular session, only one user is using a particular exit IP, which makes it easier for a third party to attribute an outgoing connection to an incoming one. Although we maintain a no-log policy, this, combined with the fact that open ports in general mean less security, leads us to recommend our other server configurations for those who require more privacy. If you really need the open port, reconnect to our VPN regularly to get new IPs assigned. All other servers employ interface/IP crowding, which increases the total number of users sharing the same IP and, combined with encryption, significantly increases your privacy.
BolehVPN isn’t vulnerable to the Port Fail vulnerability. However, if privacy is of paramount importance, we do not recommend using the Fully Routed Luxembourg Dedicated IP servers unless you require open port status.