_______               __                   _______
       |   |   |.---.-..----.|  |--..-----..----. |    |  |.-----..--.--.--..-----.
       |       ||  _  ||  __||    < |  -__||   _| |       ||  -__||  |  |  ||__ --|
       |___|___||___._||____||__|__||_____||__|   |__|____||_____||________||_____|
                                                             on Gopher (inofficial)
       
       
       COMMENT PAGE FOR:
   URI   PureVPN IPv6 Leak
       
       
        AAAAaccountAAAA wrote 2 hours 37 min ago:
         I have no idea why it seems to be so hard for VPN providers to get IPv6
         right. The technology has been here for ages. Also, unlike physical
         ISPs, VPN providers have no other way to differentiate from each other
         but getting this sort of thing right, so one could expect them to be
         motivated, but no.
       
        dongcarl wrote 2 hours 42 min ago:
        If you can't see your VPN's source code, you can almost safely assume
        that they're broken in some way.
       
          rasengan wrote 1 hour 40 min ago:
          > If you can't see your VPN's source code, you can almost safely
          assume that they're broken in some way.
          
           This is definitely true insofar as you had better be able to see the
           client code. That said, since you cannot see what the server is
           running, even if they release their code, you will still end up with
           a trust actor or two (the VPN operator, or sometimes multiple VPN
           operators in double-hop cases).
           
           That's exactly the reason we introduced deterministic and
           verifiable VPN technology on [1], which allows you to actually see
           the code the VPN servers are running. Instead of trust in a
           non-deterministic human actor, you can now trust deterministic and
           verifiable code.
           
           It is the end of privacy theater! [1] (I am a co-founder of VP.NET.)
          
   URI    [1]: https://VP.NET
       
          ses1984 wrote 1 hour 43 min ago:
          If you can see it you can also almost safely assume it’s broken in
          some way.
       
        varispeed wrote 2 hours 49 min ago:
         I encountered this with a different VPN provider. Probably many more
         have this issue.
       
        jmyeet wrote 3 hours 33 min ago:
         I'm surprised at how negative HN as a whole is on VPNs. The argument
         seems to go that VPNs don't really give you much privacy. I disagree. I
         don't think they give absolute privacy, but there are benefits.
        
        As soon as you use a service in another country, it greatly complicates
        anyone trying to pierce that veil. A US shield can be pierced by John
         Doe warrants, FISA warrants, pen registers and so on. Some of these
        options are open to average citizens who may want to dox you or simply
        report your activity to government agencies, which is more relevant now
        than it has been in many years.
        
        We've seen several websites pop up to dox people who don't show
        sufficient deference to Charlie Kirk's murder. We have an
        administration who now seeks to deport people, deny entry to visa
        holders and deny visas to people who criticize Israel.
        
        For so many people in the US, citizens and otherwise, an extra level of
        privacy has become essentially mandatory.
        
        The US ISP market is dominated by regional monopolies where you have no
        other option. ISPs monitor your traffic, not only to sell your data to
         data brokers but to decide if you're doing anything "inappropriate"
        like using a file-sharing service. How long before that extends to the
        content of your speech?
        
         I'm glad people are doing things like exposing IPv6 leaks (as in this
         post) and other weaknesses. Some here will take this as further
        evidence that VPNs are of little or no value. I don't. I want to know
        who the good providers are.
       
          ashleyn wrote 3 hours 13 min ago:
          As surveillance of social media ramps up, either by the government or
          by angry mobs, they're rapidly growing to be essential to use any
          unencrypted platform.
       
          bongodongobob wrote 3 hours 20 min ago:
          It's because the primary function of VPNs isn't privacy, it's to
          connect to a remote network and treat it as your LAN. Any privacy or
          security stuff is completely orthogonal.
       
        anagogistis wrote 5 hours 32 min ago:
        Hi, I'm the author of the blog post and just wanted to say thanks for
        the discussion.
        
        I agree that relying solely on desktop VPN clients (especially
        closed-source ones) is risky... The network namespaces approach is new
        to me, but it looks like a solid way to isolate traffic and avoid these
        kinds of leaks entirely. Thanks for the suggestions.
       
        xkcd1963 wrote 5 hours 48 min ago:
        What about NordVPN and ExpressVPN are those somewhat trustworthy?
       
          jmyeet wrote 3 hours 40 min ago:
          I wouldn't trust either, for different reasons.
          
           Both of them really advertise too much (IMHO) to be trusted. They
           rely on introductory pricing and hope people don't realize and get
           billed at a much higher rate, a model I personally hate.
          
          But ExpressVPN has an additional reason: ties between it, its founder
          and Israel. There's a BDS argument against right there but
          additionally, there are accusations that ExpressVPN traffic is or can
          be monitored by Israeli intelligence.
          
          That last one is a risk of many VPNs, which is why you have to be
          careful about who the owners are and where the company is
          incorporated. I personally prefer VPNs that are located in more
          privacy-focused jurisdictions (eg Iceland, Switzerland).
          
          Mullvad is a popular option on HN. I'm also relatively positive on
          PrivadoVPN (located in Switzerland). Some Redditors question the
          quality of the service. So far it's been fine for me.
       
          AzzyHN wrote 4 hours 5 min ago:
          Trustworthy enough to shitpost behind? Sure.
          
          Trustworthy to break some actual laws behind? Absolutely not.
       
          baobun wrote 5 hours 4 min ago:
          It boggles me how one can see them as anything but sus after tops 30
          minutes of looking into it. You get that all those "top 5 vpn" sites
          and youtube recs are sponsored, right?
       
          bitxbitxbitcoin wrote 5 hours 22 min ago:
          Define trustworthy? In my experience, no.
       
          mrweasel wrote 5 hours 38 min ago:
          Given their need to advertise with pretty much any YouTube channel
          willing to take their money, I'd be inclined to question the quality
          the likes of NordVPN and SurfShark.
       
        Denatonium wrote 6 hours 13 min ago:
        For the love of God, don't use PureVPN! They have been proven in court
        to log traffic, despite claiming not to.[1]
        
   URI  [1]: https://cyberinsider.com/vpn-logs-lies/
       
          patrakov wrote 5 hours 1 min ago:
          They are one of the few VPN providers that give out public IPv4
          addresses, and you can even get a static one. So, if you are using
          them for having a public IP, not for privacy, please continue doing
          so.
       
            joecool1029 wrote 3 hours 49 min ago:
            There are better options for that. One of them: [1] (this service
            was formerly known as IPredator and run by former
            piratebay/piratebyran people)
            
   URI      [1]: https://njal.la/
       
            lxgr wrote 4 hours 51 min ago:
            Interesting, do you know if they actually assign them to the VPN
            interface (rather than just passing through inbound connections to
            a public IP to the private IP of the VPN interface)?
            
            That could come in handy for hosting things behind double NAT.
       
              patrakov wrote 4 hours 44 min ago:
              They assign it directly to the interface, and letting others
              connect to stuff behind CGNAT is indeed my use case.
              
              Two other VPNs working for this purpose are OVPN (+1 for them
              using WireGuard, but their Singapore node is slow) and SwissVPN
              (limited to only 30 Mbps by contract, but they do provide these
              contracted 30 Mbps).
       
        pshirshov wrote 6 hours 27 min ago:
         I don't know a single VPN provider apart from Mullvad with a proper v6
         implementation.
       
          prism56 wrote 16 min ago:
          Pretty sure i've had ipv6 on Proton.  How do I check if it's
          "proper"?
       
          Dagger2 wrote 17 min ago:
          Even Mullvad give out ULA addresses. You can hardly call that a
          proper implementation :(
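Two points in this subthread, prism56's question of how to tell whether a provider's IPv6 is "proper" and Dagger2's remark that a ULA address is not a full implementation, come down to the same local checks. The script below is an added example written for this page, not code from the thread, the linked post or any provider: it classifies the tunnel's IPv6 address (global 2000::/3 versus unique-local fc00::/7) and decides whether IPv6 traffic is routed through the tunnel, around it, or nowhere. The interface name wg0, the constructed `ip` output and the addresses in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not any provider's tooling): decide from
# iproute2 output whether a host's IPv6 traffic leaves through the VPN tunnel,
# bypasses it, or cannot leave at all, and whether the tunnel address is a
# global (GUA, 2000::/3) or unique-local (ULA, fc00::/7) address. The sample
# outputs below are constructed; the interface name wg0 is an assumption.

# Classify one IPv6 address (with or without /prefix) by its first hextet.
v6_class() {
    v6c_addr=${1%%/*}
    case "$v6c_addr" in ::1) echo loopback; return ;; esac
    v6c_first=${v6c_addr%%:*}
    if [ -z "$v6c_first" ]; then echo other; return; fi   # ::/x, ::ffff:a.b.c.d, ...
    v6c_n=$(printf '%d' "0x$v6c_first")
    if   [ "$v6c_n" -ge 8192 ]  && [ "$v6c_n" -le 16383 ]; then echo gua          # 2000::/3
    elif [ "$v6c_n" -ge 64512 ] && [ "$v6c_n" -le 65023 ]; then echo ula          # fc00::/7
    elif [ "$v6c_n" -ge 65152 ] && [ "$v6c_n" -le 65215 ]; then echo link-local   # fe80::/10
    else echo other; fi
}

# Egress device from the first line of "ip -6 route get <dst>" (or of
# "ip -6 route show default", whose first line is the lowest-metric route).
# Prints "none" when ip printed nothing, i.e. there is no IPv6 route.
v6_egress_dev() {
    v6e=$(printf '%s\n' "$1" | awk 'NF { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1); exit }')
    echo "${v6e:-none}"
}

# Class of the tunnel's first global-scope address from "ip -6 addr show dev X".
tunnel_v6_class() {
    t6a=$(printf '%s\n' "$1" | awk '$1 == "inet6" && $3 == "scope" && $4 == "global" { print $2; exit }')
    if [ -z "$t6a" ]; then echo none; else v6_class "$t6a"; fi
}

# Verdict for tunnel interface $1 given addr output $2 and route output $3.
assess() {
    as_dev=$(v6_egress_dev "$3")
    as_cls=$(tunnel_v6_class "$2")
    if [ "$as_dev" = none ]; then
        echo no-v6-route          # v6 cannot leave the host: disabled or blackholed, no leak
    elif [ "$as_dev" != "$1" ]; then
        echo "leak:$as_dev"       # native v6 bypasses the tunnel
    elif [ "$as_cls" = none ]; then
        echo tunnel-without-addr  # routed into the tunnel but no source address: fails, no leak
    else
        echo "tunnel:$as_cls"     # tunnel:gua or tunnel:ula
    fi
}

# Live check. "ip -6 route get" resolves through policy-routing rules as well,
# so it sees the extra table that wg-quick style setups use; "route show default"
# only shows the main table and would report a false leak there.
check_live() {
    assess "$1" "$(ip -6 addr show dev "$1" 2>/dev/null)" "$(ip -6 route get 2001:db8::1 2>/dev/null)"
}

# Constructed samples (documentation prefix 2001:db8::/32 and a made-up ULA).
LEAK_ADDRS=''
LEAK_ROUTE='2001:db8::1 from :: via fe80::1 dev eth0 proto ra src 2001:db8:abcd::1234 metric 1024 pref medium'
ULA_ADDRS='    inet6 fd00:dead:beef::2/128 scope global
       valid_lft forever preferred_lft forever'
ULA_ROUTE='2001:db8::1 from :: dev wg0 src fd00:dead:beef::2 metric 1024 pref medium'
GUA_ADDRS='    inet6 2001:db8:7::2/128 scope global
       valid_lft forever preferred_lft forever'
GUA_ROUTE='2001:db8::1 from :: dev wg0 src 2001:db8:7::2 metric 1024 pref medium'

case "${1:-}" in
    --live) check_live "${2:-wg0}" ;;
    *)
        echo "leak sample: $(assess wg0 "$LEAK_ADDRS" "$LEAK_ROUTE")"
        echo "ULA sample:  $(assess wg0 "$ULA_ADDRS" "$ULA_ROUTE")"
        echo "GUA sample:  $(assess wg0 "$GUA_ADDRS" "$GUA_ROUTE")"
        ;;
esac
```

Run it as `sh v6check.sh --live wg0` while connected. `leak:eth0` is the classic IPv6 leak: the host keeps its native default route and the tunnel has no IPv6 at all, so anything with an AAAA record goes around the VPN. `tunnel:ula` is what Dagger2 describes: traffic does enter the tunnel, but a fd00::/8 address cannot be routed on the public Internet, so the provider has to NAT it on its side, and you cannot host anything on it. The live path uses `ip -6 route get` because wg-quick (Table=auto) installs the tunnel's default route in its own table selected by `ip -6 rule`, which a plain `route show default` does not consult. The only check that settles the question end to end is still fetching your address from an IPv6-only service while connected.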
       
          sitzkrieg wrote 3 hours 33 min ago:
          mullvad is the only normie vpn worth using. worth every penny
       
          lxgr wrote 4 hours 54 min ago:
           Do you know if it's supported using OS-native VPN client
           implementations as well (i.e. WireGuard, IKEv2, or maybe OpenVPN), or
           only using their official client?
       
            aryan14 wrote 4 hours 17 min ago:
            You could run wireguard thru CLI directly instead of jumping
            through the mullvad app itself
       
            sva_ wrote 4 hours 52 min ago:
            You can download the WireGuard/OpenVPN config files all at once in
            their web interface.
       
              lxgr wrote 4 hours 48 min ago:
              I've seen that, but I just wasn't sure if that also works for
              IPv6.
              
              According to their own docs, it seems to work for at least
              OpenVPN:
              
              > Those not using the Mullvad client program can just add the
              directive "tun-ipv6" to their OpenVPN configuration file.
       
                sva_ wrote 4 hours 44 min ago:
                Yas. When you download the config files you can choose between
                IPv4 and IPv6
       
          patrakov wrote 5 hours 3 min ago:
          SwissVPN provides a /64.
       
            seany wrote 3 hours 51 min ago:
            Do they allow inbound ports?
       
              patrakov wrote 2 hours 48 min ago:
              Yes, all inbound ports are open.
       
          ramon156 wrote 5 hours 44 min ago:
          Solid dev + OSS ecosystem + Flat rates
          
          I'm satisfied!
       
            ffsm8 wrote 5 hours 27 min ago:
               $5/month vs eg $2/month with a long running sub with e.g. PIA
               (Chinese owners) though... I wish mullvad provided long running
               subs with better prices than what they currently provide.
       
              joecool1029 wrote 3 hours 57 min ago:
              Buy a year voucher off Amazon, comes to $4.75/mo. Or be lucky
              like me and buy the 6 month for $29 from them and receive a 12
              month voucher instead when they grab the wrong one.
       
              baobun wrote 5 hours 8 min ago:
              "sub" as in subsidized by your data eh?
       
              bitxbitxbitcoin wrote 5 hours 23 min ago:
              Would love a source for Chinese owners of PIA. Last I knew, it
              was Israeli owners.
              
              -source, former employee.
       
                c420 wrote 5 hours 0 min ago:
                You are correct: 
                "Kape Technologies is a United Kingdom-based cybersecurity
                software company. Kape owns VPN services and cybersecurity
                tools, including CyberGhost, Private Internet Access (PIA),
                ZenMate, ExpressVPN, and Intego."
                
   URI          [1]: https://en.m.wikipedia.org/wiki/Teddy_Sagi#Kape_Techno...
       
                  ffsm8 wrote 4 hours 27 min ago:
                   Yes, I misremembered. It was bought by Israelis after all. I
                   don't think my point is affected by this however.
                  
                  And I feel quite illiterate right now. I somehow managed to
                  misread both your comments twice
       
                    HnUser12 wrote 2 hours 30 min ago:
                    Also Kape was formerly known as Crossrider and had alleged
                    ties to shady apps in the past.
                    
   URI              [1]: https://mronline.org/2024/09/13/exposed-how-israel...
       
        rasengan wrote 7 hours 46 min ago:
        Separately, PureVPN is one of the providers you can’t trust [1]
        
   URI  [1]: https://www.makeuseof.com/worst-vpns-you-shouldnt-trust/
       
          lxgr wrote 7 hours 3 min ago:
          I'm not surprised, given that I received 140% cashback(!) on their 2
          year plan a while ago. Unless the hope is that most users forget to
          cancel before it renews, I'm assuming that I'm paying with my
          personal information.
          
          It still does the trick for accessing bank and other websites from
          abroad (that somehow consider a VPN IP more trustworthy than a
          residential ISP in a Western European country, but that's a different
          story), but I wouldn't use it for anything sensitive.
          
          I also definitely wouldn't run their client locally, and their
             WireGuard configurations are annoyingly only valid for 15 minutes
          after creation. (Weirdly, there doesn't seem to be any limitation on
          IKEv2.)
       
            greyb wrote 4 hours 30 min ago:
            There are many VPNs on TopCashback offering 100%+ cashback. I
            assumed most of them were trying to build up user numbers in order
            to sell or get acquired, since I can't logically understand why a
            VPN would pay so much for an affiliate bonus.
       
            Sophira wrote 6 hours 51 min ago:
            Given what you said about not using it for anything sensitive, I'm
            assuming you're not actually logging into your bank... right?
       
              lxgr wrote 6 hours 33 min ago:
              Everything is TLS-encrypted anyway these days, so the primary
              concern is metadata privacy.
              
              When it comes to that, I trust VPN providers about as much as
              ISPs (i.e. absolutely not).
       
                rasengan wrote 6 hours 7 min ago:
                 VP.NET doesn't require any trust at all [1][2].
                
                [2] I work for VP.NET and can answer any questions regarding
                the technology as well!
                
   URI          [1]: https://vp.net/l/en-US/blog/Don%27t-Trust-Verify
       
                  lxgr wrote 5 hours 40 min ago:
                  Interesting! But "no trust required" is a strong statement;
                  don't I need to trust at least Intel? :)
       
                    rasengan wrote 3 hours 55 min ago:
                    You do need to trust Intel as it relates to deterministic
                    and verifiable SGX hardware. SGX has had issues, but these
                    are fixed pretty quickly [1]. Creating the isolated layer
                    like SGX gives you verification of what is running on
                    VP.NET's servers though, and the code is available to
                    review and compile yourself so you can verify it is the
                    same [2].
                    
                    From a defense in depth standpoint, the more layered and
                    isolated securities, the better. [1]
                    
   URI              [1]: https://sgx.fail
   URI              [2]: https://github.com/vpdotnet/vpnetd-sgx
       
                    bitxbitxbitcoin wrote 5 hours 21 min ago:
                    My advice is never to trust bad intel ;).
       
        IlikeKitties wrote 8 hours 34 min ago:
         I strongly suggest that you use something like network namespaces
         through Vopono [1] or Gluetun [2] if you use a commercial VPN for
         "privacy" or "security", aka torrenting and shitposting. Relying on
         these clients is always a gamble, and if your software (browser,
         torrent client, etc.) cannot know your public IP, only the internal IP
         of the VPN, you are also safe against some exploits and
         misconfigurations a desktop client won't protect you against.
         
    URI  [1]: https://github.com/jamesmcm/vopono
    URI  [2]: https://github.com/qdm12/gluetun
       
          Varelion wrote 7 hours 53 min ago:
          Wouldn't blocking IPv6 and using a kill-switch prevent leaking?
       
            fulafel wrote 5 hours 42 min ago:
            Block IPv4 as well and you're pretty solid.
       
            Denatonium wrote 6 hours 5 min ago:
            In the case of PureVPN, the only way of preventing leaks is by
            switching to a different provider. There is definitive proof that
            they keep logs despite their claims to the contrary. I have linked
            to a federal criminal complaint where the FBI requested logs after
            the offense and was given them by PureVPN. The relevant portion is
            on page 22.
            
   URI      [1]: https://www.justice.gov/archives/opa/press-release/file/10...
       
            IlikeKitties wrote 7 hours 38 min ago:
             No, not in all cases. Imagine your browser gets 0-dayed and just
             sends all IPs it sees to an endpoint.
       
          nikanj wrote 7 hours 54 min ago:
          I strongly suggest you disable ipv6, as nothing will break by
          disabling it but many things break with it enabled.
       
            mrweasel wrote 5 hours 27 min ago:
             That's not really true anymore. I've used a connection with both
             IPv4 and 6 for the past two years. There's a number of times where
             my stuff magically works, while others have issues, because my
             traffic is mostly over IPv6. Not once have I had an issue because
             my setup is dual stacked.
       
              patrakov wrote 4 hours 49 min ago:
              This is still true for ISPs that don't monitor their IPv6
              connectivity. I was forced to disable IPv6 recently because of
               this: [1] And before you say "change the ISP": Globe is the only
               one that does not refuse to provide services to foreigners and
               does not lock you into a 24-month non-cancellable contract,
               which is longer than any available non-resident visa.
              
   URI        [1]: https://www.reddit.com/r/ipv6/comments/1nf3ytq/how_do_i_...
       
                mrweasel wrote 3 hours 32 min ago:
                 That's not really an IPv6 issue, but an ISP issue. My old ISP
                 didn't monitor anything and relied on customers to call them up
                 and explain that their connection was down. Sometimes customers
                 had to tell them that connections to entire towns were down,
                 because they didn't know.
                 
                 I'm fairly fortunate that my ISP not only offers IPv6, but also
                 knows how to run their network. Denmark has plenty of ISPs that
                 don't provide IPv6, don't know how to run a network, or in many
                 cases both.
       
            lxgr wrote 6 hours 59 min ago:
            That's not true anymore.
            
            IPv6 allows for more direct connections for services like VoIP or
            Tailscale, since UDP hole punching between two firewalled public
            IPv6 addresses usually just works, but doesn't between two clients
            both behind a "port-restricted cone" or "symmetric" NAT.
            
            As a result, connections have to be relayed, which increases
            latency and is just outright infeasible for some non-profit
            services that don't have a budget for relaying everyone's traffic.
            
            Anecdotally, I've also heard that you can get better routing via
            IPv6 on IPv4-via-NAT-only providers these days, as the provider's
            CG-NAT might be topologically farther away than the IPv6 server
            you're connecting to.
       
            indigo945 wrote 7 hours 53 min ago:
            Alternatively, disable ipv4. The same statement holds true.
       
              ta1243 wrote 7 hours 30 min ago:
              Lots of things will break if you disable ipv4, including my work
              provided zscaler windows laptop (and not break in the good way
              where it fails open when you block traffic to zscaler nodes on
              your router)
              
              Very little will break if you disable ipv6
       
                mrweasel wrote 5 hours 26 min ago:
                A lot of stuff breaks when you run Zscaler.
       
                  ta1243 wrote 3 hours 17 min ago:
                  Absolutely, yet it's a requirement for many people.
       
                denkmoon wrote 6 hours 10 min ago:
                 Enterprise malware not doing v6 properly hardly counts, it's
                 a good day for them when they don't just BSOD your entire
                 network.
       
              ZiiS wrote 7 hours 49 min ago:
                 Unfortunately this is not true; loads of cool techy stuff
                 (Sentry, GitHub, etc.) still doesn't work properly on IPv6, and
                 less techy stuff really didn't care at all.
       
                zokier wrote 5 hours 50 min ago:
                 You can use NAT64 to talk to legacy networks. IPv6-only
                 networks (with NAT64 or 464XLAT etc.) are becoming increasingly
                 popular. There is also this new concept called "IPv6-mostly
                 network" that is getting rolled out:
                
   URI          [1]: https://www.ietf.org/archive/id/draft-ietf-v6ops-6mops...
       
        the8472 wrote 8 hours 45 min ago:
        network namespaces provide a clean host/vpn split.
        
   URI  [1]: https://blog.thea.codes/nordvpn-wireguard-namespaces/
       
          webstrand wrote 4 hours 38 min ago:
           I just built the same thing using `systemd-nspawn --directory=/ -b`.
           The nice part about using nspawn is that you have access to all of
           the normal network configuration tools like systemd-networkd to
           configure the devices and networks, rather than using a python
           script. It also provides a nice place for running services inside of
           the container, since process management is also included.
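Several commenters (IlikeKitties, the8472, webstrand) recommend network namespaces, and Varelion asks whether blocking IPv6 plus a kill switch would do instead. The script below is an added example written for this page, not code from the thread, from Vopono or Gluetun, or from the linked blog post: it builds the minimal form of the namespace approach with plain iproute2 and wg(8). The namespace name, interface name, config path, tunnel addresses, resolver and the user name are all assumptions. Without `--apply` (and whenever DRY_RUN is set) it prints the commands it would run instead of touching the system.

```shell
#!/bin/sh
# Added example (not from the thread, Vopono, Gluetun or any provider): confine a
# WireGuard tunnel to its own network namespace so that processes started in it
# can only reach the Internet through the tunnel. The namespace holds lo and the
# tunnel interface only: no physical NIC, no native IPv6 route, nothing to leak.
#
# Hypothetical assumptions: namespace "vpn", interface "wg0", a wg(8) config at
# /etc/wireguard/wg0.conf (peer and keys only; wg setconf rejects Address/DNS),
# provider tunnel addresses 10.64.0.2/32 and fd00:1::2/128, resolver 10.64.0.1.
# With DRY_RUN set, commands are printed instead of executed.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_vpn_ns NS DEV CONF ADDR4 ADDR6 DNS   (ADDR6 may be empty)
setup_vpn_ns() {
    svn_ns=$1; svn_dev=$2; svn_conf=$3; svn_a4=$4; svn_a6=$5; svn_dns=$6

    run ip netns add "$svn_ns"

    # Create and key the interface in the default namespace, then move it. The
    # WireGuard UDP socket stays in the namespace where the interface was
    # created, so the encrypted transport still uses the physical NIC while the
    # plaintext side is reachable only from inside the namespace.
    run ip link add "$svn_dev" type wireguard
    run wg setconf "$svn_dev" "$svn_conf"
    run ip link set "$svn_dev" netns "$svn_ns"

    run ip -n "$svn_ns" link set lo up
    run ip -n "$svn_ns" addr add "$svn_a4" dev "$svn_dev"
    run ip -n "$svn_ns" link set "$svn_dev" up
    run ip -n "$svn_ns" route add default dev "$svn_dev"

    # IPv6 only when the provider assigns an address. Otherwise the namespace
    # has no IPv6 route at all: connect() fails with ENETUNREACH and clients
    # fall back to IPv4 at once instead of leaking through a native route.
    if [ -n "$svn_a6" ]; then
        run ip -n "$svn_ns" -6 addr add "$svn_a6" dev "$svn_dev"
        run ip -n "$svn_ns" -6 route add default dev "$svn_dev"
    fi

    # ip-netns(8) bind-mounts /etc/netns/NS/resolv.conf over /etc/resolv.conf
    # for "ip netns exec", so name resolution also goes through the tunnel.
    run mkdir -p "/etc/netns/$svn_ns"
    run sh -c "printf 'nameserver %s\n' '$svn_dns' > '/etc/netns/$svn_ns/resolv.conf'"
}

# exec_in_ns NS USER CMD...: run an unprivileged program inside the namespace.
exec_in_ns() {
    ein_ns=$1; ein_user=$2; shift 2
    run ip netns exec "$ein_ns" sudo -u "$ein_user" -- "$@"
}

case "${1:-}" in
    --apply) ;;        # execute for real (root required)
    *) DRY_RUN=1 ;;    # default: print the plan only
esac
setup_vpn_ns vpn wg0 /etc/wireguard/wg0.conf 10.64.0.2/32 fd00:1::2/128 10.64.0.1
exec_in_ns vpn torrent qbittorrent-nox
```

The answer to Varelion's question is structural rather than a rule: a process started with `ip netns exec vpn ...` sees only lo and wg0, so there is no native IPv6 route for it to fall back to and no firewall rule that a client bug or a crashed daemon can leave disabled. The tunnel's own UDP packets still leave through the physical NIC, but only ciphertext does. Drop privileges with `sudo -u` inside the namespace rather than running the torrent client as root. Kill-switch firewall rules in the default namespace remain useful for everything you did not start this way.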
       
        outsideoftime wrote 9 hours 10 min ago:
         also look up TunnelCrack if you want
       
       