2

An anonymous VPN service will typically assign the same public IP address to many VPN users. This procedure ensures that a connection cannot be traced back to the VPN subscriber: behind the veil of the VPN’s public IP are perhaps hundreds of potential clients. This statement assumes the VPN provider does not keep any logs, and assumes the trace occurs after the connection has terminated. The VPN provider’s entire scope of knowledge is limited to a subscriber’s credentials.

Some VPN providers offer a service known as remote port forwarding. Some providers claim it is a way to operate a server behind the VPN, or forward traffic for BitTorrent. The remote port forward will pass inbound connections into the VPN’s public IP onto the VPN subscriber that requested the port forward. The VPN provider’s scope of knowledge now includes a link tying a specific port to a specific subscriber.

Doesn’t this practice eviscerate the point of a shared-IP system, wherein multiple subscribers are assigned the same public IP to promote anonymity?

This DMCA takedown notice was sent to a popular anonymous VPN service, and their response is indicated at the bottom of the page. The VPN provider reset port forwards pertaining to this particular notice, while also claiming that nothing could identify a single account. How can this be true? A basic tenant of port forwarding is that the port must be unique. Multiple users cannot share the same port forward rule on the same public IP. Even if the provider’s port forwarding rule list is “provider wide” as opposed to “server wide,” what are the odds that multiple subscribers happen to be forwarding the same port out of a range of over 65,000 available ports?

Perhaps there is no rule list at all; perhaps the port forward instruction is coming from the subscriber’s client when it connects to the service, and upon disconnect there is no evidence remaining that the port forward existed. Even if this is true, the purpose of port forwarding is often to engage in serving content. Web servers, FTP servers, p2p, torrent seeding, etc. All these activities are typically best served with maximum uptime. The subscriber is likely not disconnecting their VPN session regularly, instead they are keeping the connection alive as long as possible. Perhaps for weeks or months at a time. The VPN provider’s knowledge, while a port-forwarding subscriber is connected, now includes a VPN IP to subscriber IP relationship, due to the port forwarding rule. This pierces the VPN veil and singles out a specific subscriber (worse – their public IP as well).

How, then, can anonymous VPN providers offer this service and yet promote anonymity? Is it possible to remain anonymous while utilizing a VPN’s remote port forward service?

Jesse
  • 121
  • 3
  • VPN services does not imply anonymity. Might want to check out [this related answer](http://security.stackexchange.com/questions/72679/differences-between-using-tor-browser-and-vpn/72729#72729). – RoraΖ Mar 26 '15 at 13:14
  • @raz I am framing my question to pertain only to "anonymous VPN" services, as in services that claim to not keep any logs whatsoever and records no personal information about the subscriber. Examples include Proxy.sh, iVPN, and Mullvad, among others. The VPN provider can only know who is connecting while the connection is active, assuming there are no logs. – Jesse Mar 26 '15 at 13:53

1 Answers1

1

VPN providers surely keep track of your connections to their services. They probably don't track your trafic inside the tunnel, giving you the anonymity.

Remote port forwarding only applies for incoming external connections and therefore doesn't remove your anonymity for your outgoing trafic.

But, if you use remote port forwarding to handle illegal connections (like allowing remote peers to connect to your local, illegal, server/service), then, as the "remote port forwarding" is statically assigned to you, if authorities ask the VPN provider about your informations ("who is using the remote port forwarding XXXX ?"), they will be able to provide them.

Check the privacy policies of your VPN provider to ensure that they will keep your informations private, even if you do illegal stuff. I'm quite sure it will not be the case, as they won't want to endorse your responsibility.

  • I am asking specifically about anonymous VPN providers; the providers that claim (and let's assume their claims are true) to keep no logs whatsoever and have no knowledge of the subscriber's personal information. Assuming the anonymity is intact, how can anonymous VPN providers claim to offer remote port forwarding that does not identify single accounts? – Jesse Mar 26 '15 at 13:59
  • Remote port forwarding is linked in a database to associate the port number to a connection. There's necessarily a way to find out who owns/holds the static remote port. – Benjamin MALYNOVYTCH Mar 26 '15 at 14:07
  • 1
    Port allocation may change: one user may release a port, and it can subsequently be opened by another user. If the VPN provider has indeed no log, they cannot tell if it was the same user or another one which was using the port at the date and time given by the DMCA Notice, so they cannot legally blame any user. – WhiteWinterWolf Mar 26 '15 at 15:41