Port forwarding is a big deal. Mullvad is very well respected, and so is their advocacy of privacy, but once the setup ports expire I'll be forced to pick another provider, not as safe and certainly not as cheap either. I think many others are in the same boat too. Up until now if you needed a VPN with this feature there weren't any better alternatives. Another day cursing at networking, I guess.
Presumably whichever provider you pick will be experiencing the same abuse problems and will eventually discontinue offering this feature as well.
You should probably rethink how you expose your service. If your service is a web service, maybe consider running it as a Tor hidden service, and pointing your non-Tor-using users to a Tor web gateway?
How do you guys deal with abuse? Just wondering because it seems like it has been a massive headache for mullvad so I wonder if they are targeted by abusers more than other services.
Not OP, but it's the only way I can host a webserver off my home connection, as my ISP blocks ports upstream.
After this was announced, I discussed using tailscale with my friends who use the server; some are technical enough to be able to install the client, others have devices that tailscale can't be installed on, so a tailscale subnet router would have to be set up for those devices. If it's what I have to do, I'll do it, but it's so much simpler just being able to have a publicly addressable IP with an open port.
Tailscale has a beta feature called "funnel". As of now, it only supports 80 and 443, and does not support custom domains - though you could presumably add your own CNAME.
Tailscalar here: your own CNAME won't work because of how the routing logic in Funnel works. When tailscaled sets up a funnel with the control plane, it uses the derived DNS name from your tailnet (e.g. pneuma.shark-harmonic.ts.net for the machine pneuma on the tailnet shark-harmonic.ts.net). As far as I understand there's no issue currently tracking this work.
Tailscale Funnel does allow you to use any TLS-wrapped protocol (i.e. one where the client does TLS and the server can optionally listen over plain TCP), but I'm not sure it would really meet the same goal as port forwarding in Mullvad does (for one you could use any non-TLS or UDP protocol with Mullvad port forwards, e.g. Minecraft server hosting; Minecraft doesn't use TLS AFAIK). It's great for HTTPS though. I'm not sure how the bandwidth limits would add up over time for something more interactive like Minecraft.
Either way, Funnel does do some things well, but it's not a generic replacement for Mullvad port forwards.
Funnel has come in handy for me a number of times. Though I now wonder if the abuse experienced by Mullvad will be realized by Tailscale as well. Perhaps compounded by an exodus of Mullvad (ab)users seeking alternatives.
You can try Cloudflare for that. They support a tunnel that lets you initiate the connection to their cloud. It should not require any port forwarding to make it work.
I had to stop using Mullvad because so many of their IP ranges were blocked or throttled by various services, it was borderline unusable as a daily driver. Unfortunately there isn't a good way for them to protect the reputation of their IPs when they don't collect any information that could be used to identify abusive customers, by design.
Maybe retiring port forwarding will help, but their IP ranges aren't going to be removed from every shitlist out there overnight.
To be fair, I use subscribed ProtonVPN. Same exact issues.
Cloudflare gives me captchahell with infinite "click on fire hydrants or vans or bicycles or stoplights".
Amazon just pretends to "site error".
Numerous sites like Tiktok, JLwaters, my state's data portal, and others just give me a 403 forbidden.
Other sites just load a <html></html> blank document on my VPN.
And Proton is actually kind of hard to get port forwarding turned on. You can do it by adding a suffix to the OpenVPN name, or by generating a WireGuard config with port forwarding on.
But again, I don't think it's anything to do with port forwarding per se. The current web demands deanonymization. And naturally "abuse" is blamed, even when attached to legit accounts with legit historical purchases etc.
Even without a VPN, the built-in tracking protection in Firefox trips Cloudflare’s bot detection every time. It’s a not-so-subtle FU for taking any steps to protect your privacy online.
> The current web demands deanonymization. And naturally "abuse" is blamed
I used to work at a smallish mom-and-pop website host (do those even exist anymore?) that also offered email services. Our PF firewall just straight-up blocked huge swaths of IPv4 CIDRs because it was 99% email spam and exploit scanners. We had no ability whatsoever to fight it any other way. I don't recall even a single complaint from any of our customers.
> And Proton is actually kind of hard to get port forwarding turned on. You can do it by adding a suffix to the OpenVPN name, or by generating a WireGuard config with port forwarding on.
Regrettably, I suspect this does nothing for abusers, who are motivated, and instead impacts only "legitimate" customers.
I deliberately chose Mullvad because their IPs are on those blacklists.
My impression is that the only way for an established, non-tiny VPN provider to have clean IPs is if they're buying residential proxys. My impression is that the only way to make the residential proxy business work at scale is either malware or unwanted misleading bundled crapware. I don't feel comfortable benefiting from a service that, at best, relies on tricking less tech savvy people into installing crapware.
There are ways to get residential proxies in a more ethical way these days. Some apps/extensions are now offering money for network access/network usage and they are open about what they are doing. They pay you with cash in exchange for your network, no covert VPN or sneaky SDK in unrelated apps.
I think even the more ethically dubious providers are shifting towards that model. Which makes sense since they have to pay anyways.
I doubt port forwarding had anything to do with this. These IPs are on blacklists because they are used by robots and scammers to make requests, not because they are used to host malware.
Yes. Cloudflare seems to be aggressively blocking Mullvad and Tor and I am sure others. It started a few months ago. Meta has been blocking them for some time also. The other side of this problem is so many domains are sitting behind Cloudflare.
It's not without reason. VPN providers are (by the nature of their business) home to all sorts of shady business. Sucks that some innocent people get hassle from it, but IP reputation systems are nothing if not damn effective at preventing abuse.
I don't use them but an alternative provider. The benefit of not collecting info is still worth the hassle. I usually have no problems to access anything aside the rare cloudflare prompt that they believe me to be a robot.
Damn, really liked these guys but this makes it about useless for torrent seeding. I wish they would have considered alternatives like only allowing port forwarding for some of their IPs. I don't care about IP reputation.
Exactly. For torrenting it doesn't need to access web services. It just needs to be able to connect to peers. Having a port forwarding IP block would make everyone happy.
Torrent peers are too random so it's hard to restrict by IP.
If the problem is hosting malicious websites, they may be able to provide limited port forwarding. Browsers' restricted ports can't be used by a browser, so it's a way to avoid web hosting, I believe. A problem is that there are only 80 ports now (for Chromium). https://chromium.googlesource.com/chromium/src.git/+/refs/he...
I would happily pay more for an account with port forwarding enabled. Maybe charging more for port forwarding enabled accounts could help offset the increased trouble caused by port forwarding abusers. It might even push some of them to other providers. Either way, this thread is evidence enough that port forwarding is a feature that people want.
Not in need of forwarding, and a happy Mullvad customer, but that does sound like a good compromise. Although I think that still may attract a lot of attention from authorities etc.
Really a shame, especially for torrent users. The other good alternatives are double the monthly price at 10$/month in the case of IVPN (if you want port forwarding that is) and ProtonVPN. Unless you want to commit for a year or two and pay all in advance, which is meh but the discount may be worth it.
For torrenting at least one of the peers has to be accessible from the outside world, either by having a white IP, by using NAT with port forwarding, or by using IPv6-to-IPv4 shenanigans. If both peers are behind NAT, they cannot download data from each other.
If you're an active seeder, it makes sense to configure your machine so that it is accessible to all the peers, including ones behind NAT. If you're just a leecher though, it makes little difference.
Why not use a seedbox? Download torrent to the seedbox and then ftp home. This way you get the upload from a server which if you're on a private tracker (which you should be) you'll get good upload speeds, easy to hit the default seed requirements, and you'll get full download speed when you want to use it locally.
I recognize this is probably similar to asking about how to get into fight club, but any tips on how to find a private tracker? I assume it involves becoming part of a community, but I don’t even know where to start looking for the communities!
Cost. If you've already got an old, cheap server lying around, then having an 8 TB box at home is very cheap. Say, $15 a month for Mullvad + power usage. Reputable seedboxes seem to be in the range of ~$60 a month for 8TB of storage. Obviously, if you want to scale beyond that, it's as simple as adding another 8 TB drive to your box at home, whereas a cloud seedbox would nearly double in price.
Mostly because I haven't been able to find a seedbox service I trust as much as mullvad. It's impossible to tell which ones will flip to copyright authorities as soon as a little bit of pressure is applied.
You don't even need to ftp it, you can run the client at home and it would connect to the seedbox through the swarm (or you can manually add a peer if needed)
Mullvad isn't stopping port forwarding because of copyright issues. It's because you can use their IPs to host highly illegal websites and they can't connect your account to the content and suspend it.
These days, free and open source software clients are table stakes for a VPN to be considered trustworthy. The fact that PIA silently stopped releasing source code after previously promising to do so is a major red flag.
For torrenting, port forwarding is only marginally important - for torrents which have very few peers and you can connect to none of them.
It's also risky because mullvad certainly has records of forwarded ports and can out you if they receive a properly worded subpoena. There is also a chance those records would be present in their backups even after you deleted the forwarded ports.
I have a separate command for port forwarded torrent client and only use it when absolutely necessary, which is almost never.
Pity. I never used them, but I know the pain of not having an externally reachable IP. My LTE provider (the only one in my area with "unlimited" plans) has basically all of its tens of thousands of users on a single IP. So I've been using a VPN terminated in AWS to access, for example, IP cameras and other stuff at home while I'm away. I can't wait until we finally get ubiquitous IPv6. Probably not in my lifetime (because security). I've been waiting for it for the last 20 years.
All of those happen on VPNs period, not just with port forwarding.
Dealing with annoyed law enforcement, hosting providers, and IP reputation is 99% of the value of a VPN. The other 1% is just setting up a VPN server to open-proxy everything (there are scripts on GitHub that can do it in 2 minutes). Of course it's not really preserving privacy much unless there are multiple users...
Any significantly shared connection will have at least one person abusing it and causing most of the problems; the logical conclusion would be to ban the few abusers, but if Mullvad truly doesn't log/retain billing data as they claim, permanent banning would be difficult as a new account could just be created.
I don't see why they couldn't do some kind of compromise like an account has to be of a certain age/spend to use port forwarding. They do keep mappings of ports to accounts, so it's not like they don't know which accounts are abusing. Getting banned would then be more expensive for the abusers.
> Unfortunately port forwarding also allows avenues for abuse, which in some cases can result in a far worse experience for the majority of our users.
Let me rephrase that.
> Unfortunately port forwarding also allows people to get the value for the money they pay us, which in some cases can result in our service not functioning like a gym membership, where we aren't used for much but many users continue to pay for us (sadly many services block traffic coming from us which makes a lot of simpler uses of a VPN fail as well). We'll aggressively defend against chargebacks.
As far as I’m aware Mullvad doesn’t have a method of automatic recurring payments. So they can’t operate on the gym model. Only users who want to use it pay for it repeatedly.
The new gym model is annual payments. (Gyms use them too.) And chargebacks are very relevant there. Which they avoid by getting people to use other payment methods. But they also take credit cards.
Edit: Ooh, they charge the same whether you sign up monthly or annually. Not too shabby.
So basically, Mullvad is saying that you can use its VPN service as a client to reach services but not host a service yourself (especially in a home network behind NAT or CGNAT) and have others connect to it via the VPN.
The most commonly used scenario for port forwarding would be torrenting, where users forward ports so that they can be “connectable” (i.e., accept incoming connections from the Internet).
Unfortunately was only a matter of time, this happens to every VPN provider who offers port forwarding eventually - widespread abuse by script kiddies and such to host RAT C&C servers.
Because at least one person has to have forwarded ports for them to form a direct connection. [0]
This will degrade torrent performance and make torrenting worse. Routers normally have UPnP enabled these days so we forget about it, but this will make it so you can't connect to any other users who are also using Mullvad, for one.
From what I understand, UPnP took off for a while, but started to become much less common about a decade ago because of the security issues it caused. I think most routers come with it disabled by default now. (If you know of any surveys indicating otherwise, I'd be curious to read them.)
Part of it is that hole punching became a standard feature for new protocols, so the need to forward ports has been reduced.
You need to be able to accept incoming connections to be able to fully participate in the network. Last time I seriously looked into this, BitTorrent clients didn't support any sort of NAT hole punching (and they often work over TCP in any case). Try running a client with and without a forwarded port and you will see massive difference in the number of peer connections.
Transmission has supported UPnP and NAT-PMP for many years. Although it doesn't always work as reliably as having a client with directly routable address(es), it does exist and works okay.
In order to download a file via Torrent, someone has to upload it, and when using Torrent via VPN, the file cannot be uploaded without port forwarding.
Uploading can still happen even without open ports. The open port part is that someone has to initiate the connection; after the connection is established, anyone can send anything in any direction.
Actually, the initial seeder with a closed port can upload if someone else has an open port. Generally a lack of port forwarding means you can only connect to others who do have port forwarding.
I've paid with my card though. It's possible to refund those, and PayPal.
It's a very sudden move on the Mullvad part that impacts a lot of their customers. If the torrent speed drops down as much as I think it will I won't be very happy...
They used to allow refunds for cryptocurrency payments but there's probably opportunity for abuse there since the payment method is practically anonymous to them.
They offer refunds within 30 days of purchase as a matter of course, provided you paid with a method that can actually be refunded. Seems like you're out of luck if you paid longer than 30 days ago, though.
That specifies "an account that has an active subscription" and they only seem to be using the term "subscription" in the ToS for auto-renewing plans.
>If you wish to subscribe to the service, you can sign up for a PayPal subscription. With a subscription, €5 is automatically deducted from your PayPal account each month.
Otherwise they just talk about "using" or "paying". It has also been absolutely possible to a) add new port forwards if you have paid for Mullvad b) pay for Mullvad when you have port forwards, so those ToS wouldn't make sense if they referred to all Mullvad accounts.
Shame, I'd been greatly enjoying Mullvad and their stance on privacy, but port forwarding is a must for some of the services I run. Anyone have a good suggested alternative?
I'm curious: if you have a forwarded port on your vpn that anyone can send traffic to, assuming that someone can observe the encrypted traffic going out of the vpn provider, couldn't they send various traffic "shape" to the port and try to find the same pattern in the encrypted traffic to figure out who you are?
Yes, if you can observe incoming and outgoing traffic you can trivially use timing attacks. That being said, if you have that capability, Mullvad isn't going to keep you safe anyway. As the folks over at PerfectPrivacy succinctly put it: if you have a whole NSA team after you it's game over anyway.
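The attack the two comments above sketch, worked through as an added example (not code from either commenter, and not a Mullvad artefact): an attacker sends a distinctive on/off burst pattern to the forwarded port, then slides that pattern over the per-bucket byte counts of every client's encrypted tunnel and picks the tunnel with the highest correlation. The client flows, bucket size, probe pattern and seed below are all constructed for the demo.

```python
import random
from statistics import mean, pstdev

# Constructed synthetic data: bytes seen per 100 ms bucket on each client's
# encrypted tunnel. An observer between the VPN exit and its clients sees
# only ciphertext, but packet sizes and timing survive encryption.
BUCKET_MS = 100
N_BUCKETS = 120
N_CLIENTS = 8

# Attacker's probe: a distinctive on/off pattern of 9 kB bursts sent from the
# public internet to the forwarded port. Only the tunnel of the client that
# owns that port will carry the bursts. Pattern chosen arbitrarily.
PROBE = [9000 if c == "1" else 0 for c in "1101001110001011010100110111000100101101"]


def background(rng, n):
    """Ordinary traffic: mostly idle buckets with occasional transfers."""
    return [rng.choice([0, 0, 0, 1500, 3000, 6000]) for _ in range(n)]


def inject(flow, probe, offset):
    """Add the probe's bytes to one client's flow starting at bucket `offset`."""
    out = list(flow)
    for i, b in enumerate(probe):
        out[offset + i] += b
    return out


def pearson(a, b):
    """Pearson correlation of two equal-length sequences; 0 if one is constant."""
    ma, mb = mean(a), mean(b)
    sa, sb = pstdev(a), pstdev(b)
    if sa == 0 or sb == 0:
        return 0.0
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / (len(a) * sa * sb)


def correlate(probe, flows):
    """Slide the probe over every client's flow and return the best
    (client index, bucket offset, correlation) match."""
    best = (None, None, -1.0)
    for client, flow in enumerate(flows):
        for off in range(len(flow) - len(probe) + 1):
            r = pearson(probe, flow[off:off + len(probe)])
            if r > best[2]:
                best = (client, off, r)
    return best


def build_scenario(seed=7, target=3, offset=41):
    """Eight clients with random background traffic; the probe is injected
    into the target's flow at the given offset. Seeded for reproducibility."""
    rng = random.Random(seed)
    flows = [background(rng, N_BUCKETS) for _ in range(N_CLIENTS)]
    flows[target] = inject(flows[target], PROBE, offset)
    return flows


if __name__ == "__main__":
    flows = build_scenario()
    client, off, r = correlate(PROBE, flows)
    print(f"probe matches client {client} at t={off * BUCKET_MS} ms (r={r:.2f})")
```

The target's window correlates at roughly 0.8 to 0.9 while random windows on other tunnels stay well below that, so one probe of a few seconds is enough. Nothing here depends on port forwarding except the ease of injecting the pattern; WireGuard and OpenVPN neither pad to a fixed size nor delay packets, which is the point the reply makes about any VPN being helpless against an observer with that vantage.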
I port forward via EC2. Had to learn iptables (which apparently are now deprecated) and set up OpenVPN (these days I'd probably do WireGuard). Works fine for my personal website, and paying in advance the cost is maybe $3/mo; didn't realize it was remotely controversial.
This feels a bit like the Dropbox comment. Sure, open source tools exist that enable you to do things yourself. However there’s a large market for less-technical people (prosumers) who might pay for a lot of that complexity to be simplified.
eh except I'm not saying I don't get why people need VPNs, I totally get that and have used several. The Dropbox comment was saying Dropbox is redundant. I don't feel that way at all about VPNs and didn't say anything like that.
I'm just saying there are workarounds that mean we don't have to be beholden to the Mullvads of the world if they drop this feature. I think we're basically one good blog post away from a situation where most people who need port forwarding can set it up themselves via ec2. If they prefer VPNs, and can find some that do port forwarding, more power to them.
Recently I watched the Scotties Tournament of Hearts[1].
I paid for a monthly subscription to the Canadian streaming provider (TSN), since I live in Canada.
For whatever reason, there was no international streaming provider. (It has been on ESPN in previous years.)
The ads on the TSN stream were horrific. They put a full 25% of the active play of every game (the first thrower in every end) in a muted PIP box so they could play more full-screen ads.
TSN decided to offer a stream of the playoff games to non-Canadian viewers who had no way of watching, and since pay-for TSN is geoblocked to Canada, they made that stream free, and geoblocked it to not play in Canada.
The international stream was also free of commercial breaks. Instead of commercials it just showed miscellaneous cameras between ends, and showed the entire ends without putting a quarter of them in a PIP box.
So obviously, my experience was much better by streaming the international stream rather than the local stream that I paid for.
To have a fixed internet point of presence, when frequently travelling. Otherwise, all kinds of services start complaining that you're logging in from a new location.
I have had multiple problems with ISPs throttling/prioritizing traffic, such as games. In one case I had ping times to the Steam servers that were so bad the game DC'd about every 5 minutes. Popped everything into a VPN endpoint in my own city and suddenly everything worked smoothly and flawlessly. And this was not a high bandwidth game by any means. This has happened multiple times.
Also, hosting stuff at my house. Multiple times had ISPs that appeared to be degrading incoming connections where once again popping everything into a VPN tunnel fixed any problems. (for example when I set up a streaming website from my house with a webcam of our kittens to watch from work. Stream kept getting interrupted randomly until I routed it through a VPN)
I tend to use VPS based solutions rather than commercial VPN providers, but I've done both.
I would like to watch Japanese commercials and trailers for things i'd like to watch -- but Japanese publishers are big on region locking on the streaming sites, so I circumvent the issues with VPNs.
Questionable? Maybe; but I don't really feel personally beholden to copyright/trademark law that isn't preventing a loss anywhere -- in many cases when I watch these trailers I make purchases based upon them, so if anything the corporations that region-lock their YouTube videos away from other markets are doing more damage than I -- the extra diligent customer.
If you need an absolutely vanilla answer : I VPN into a network node that can access other nodes that only host their services to the local network. That's also a big advantage, and as far as I know it doesn't step on any legal toes.
That said, I never actually got incoming connections over UDP working properly anyway through these ports, even though they were supposed to be supported.
Might be the most trustworthy option available if you need multiple ports associated with an account... IVPN only supports one port. ProtonVPN may be OK if you're okay with getting a new random port every connection.
I wrote something tangentially related, but for single user.
"gofwd" is a cross-platform TCP port forwarder with Duo 2FA and Geographic IP integration. Its use case is to help protect services when using a VPN is not possible. Before a connection is forwarded, the remote IP address is geographically checked against city, region (state), and/or country. Distance (in miles) can also be used. If this condition is satisfied, a Duo 2FA request can then be sent to a mobile device. The connection is only forwarded after Duo has verified the user.
Also, does this mean they just aren't going to allow fully routable IPv6 because of "abuse" or whatever? (One of the promises of IPv6, whenever it's realized, probably shortly before the heat death of the universe, is precisely what Mullvad claims to be the cause of trouble.)
Everyone having a unique globally routable IPv6 address might be less private/anonymous. Less ability to blend with the crowd. Personally I wouldn't mind ULA on a commercial VPN.
You don't need port forwarded to use bittorrent. Clients connected to the network exchange information with each other. Magnet links or torrent files provide the information needed to get in touch with peers to make the initial connection.
This is off topic, but how can Mullvad be a no-log VPN and still operate with impunity? What about uber illegal stuff like CSAM or terrorist stuff etc.?
Compare it for example to a company operating taxis that can be hailed on the street and be paid in cash on arrival. The company does not log any details about its passengers, nor does it inspect their luggage or inquire about their reason to travel. How can the taxi company still operate with impunity? What about passengers using them for uber illegal stuff, like transporting drugs, illegal arms, or for escaping from law enforcement?
You can still put the taxi driver on the stand. Most cabs are even equipped with cameras now.
This is more comparable to a taxi company which makes the driver take a pill to forget all details on arrival. That would be harder to defend, after the first incident of "why was this car in my driveway last night? - we couldn't tell you!"
Generally it's not illegal to host services that could potentially be used for those things (as basically any online service with user generated content could be used for that), but it's illegal not to act once you have received complaints about it. Presumably, Mullvad does act when they get notified about their service being used in those manners.
Do you think if VPNs became illegal in America that it would have any effect on terrorism or child abuse? People who don't care about violating little children don't care about violating the law.
Yes, again the extreme abusers of a service ruin it for the rest.
windscribe is a no-log VPN that still provides port forwarding features, if you're looking for an alternative
(full disclosure this is my place of work)
A no-log vpn that refuses to publish their no-log audit and got caught lying about encrypting traffic after a seizure of servers in Ukraine.
Yes, I will trust you with my traffic and money /s
does it accept cash in an envelope?
You reckon you'll be seeing the abuse Mullvad used to see on their service on yours instead now?
What's the usecase that makes it so important for you out of interest?
Assuming torrenting and seeding.
This feature alone is what kept me using IPredator for years.
ProtonVPN supports port forwarding? Had no clue!
Re: Captchas: Have you had any luck with PrivacyPass? https://www.hcaptcha.com/privacy-pass
1 reply →
I deliberately chose Mullvad because their IPs are on those blacklists.
My impression is that the only way for an established, non-tiny VPN provider to have clean IPs is if they're buying residential proxys. My impression is that the only way to make the residential proxy business work at scale is either malware or unwanted misleading bundled crapware. I don't feel comfortable benefiting from a service that, at best, relies on tricking less tech savvy people into installing crapware.
There are ways to get residential proxies in a more ethical way these days. Some apps/extensions are now offering money for network access/network usage and they are open about what they are doing. They pay you with cash in exchange for your network, no covert VPN or sneaky SDK in unrelated apps.
I think even the more ethically dubious providers are shifting towards that model. Which makes sense since they have to pay anyways.
I doubt port forwarding had anything to do with this. These IPs are on blacklists because they are used by robots and scammers to make requests, not because they are used to host malware.
Yes. Cloudflare seems to be aggressively blocking Mullvad and Tor and I am sure others. It started a few months ago. Meta has been blocking them for some time also. The other side of this problem is so many domains are sitting behind Cloudflare.
It's not without reason. VPN providers are (by the nature of their business) home to all sorts of shady business. Sucks that some innocent people get hassle from it, but IP reputation systems are nothing if not damn effective at preventing abuse.
Isn’t it possible for Cloudflare customers to turn off the captcha, or at the very least prevent infinite captchas?
I don't use them but an alternative provider. The benefit of not collecting info is still worth the hassle. I usually have no problems accessing anything aside from the rare Cloudflare prompt that they believe me to be a robot.
Damn, really liked these guys but this makes it about useless for torrent seeding. I wish they would have considered alternatives like only allowing port forwarding for some of their IPs. I don't care about IP reputation.
Exactly. For torrenting it doesn't need to access web services. It just needs to be able to connect to peers. Having a port forwarding IP block would make everyone happy.
Torrent peers are too random so it's hard to restrict for IPs.
If the problem is hosting malicious websites, they may be able to provide limited port forwarding. Browsers' restricted ports can't be used by a browser, so it's a way to avoid web hosting, I believe. A problem is that there are only 80 ports now (for Chromium). https://chromium.googlesource.com/chromium/src.git/+/refs/he...
I would happily pay more for an account with port forwarding enabled. Maybe charging more for port forwarding enabled accounts could help offset the increased trouble caused by port forwarding abusers. It might even push some of them to other providers. Either way, this thread is evidence enough that port forwarding is a feature that people want.
Not in need of forwarding, and a happy Mullvad customer, but that does sound like a good compromise. Although I think that still may attract a lot of attention from authorities etc.
Really a shame, especially for torrent users. The other good alternatives are double the monthly price at 10$/month in the case of IVPN (if you want port forwarding that is) and ProtonVPN. Unless you want to commit for a year or two and pay all in advance, which is meh but the discount may be worth it.
Why would this affect torrenting, isn't this only for explicitly added port forwards? Or am I missing something?
For torrenting at least one of the peers has to be accessible to the outside world, either by having a white IP, by using NAT with port forwarding, or by using IPv6-to-IPv4 shenanigans. If both peers are behind NAT, they cannot download data from each other.
If you're an active seeder, it makes sense to configure your machine so that it is accessible for all the peers, including ones behind NAT. If you're just a leecher though, it makes little difference.
It wouldn't be very helpful in preventing abuse if you could still forward ports through UPnP.
Torrenting requires an open port accessible from peers for good speeds
Why not use a seedbox? Download torrent to the seedbox and then ftp home. This way you get the upload from a server which if you're on a private tracker (which you should be) you'll get good upload speeds, easy to hit the default seed requirements, and you'll get full download speed when you want to use it locally.
I recognize this is probably similar to asking about how to get into fight club, but any tips on how to find a private tracker? I assume it involves becoming part of a community, but I don’t even know where to start looking for the communities!
Cost. If you've already got an old, cheap server lying around, then having an 8 TB box at home is very cheap. Say, $15 a month for Mullvad + power usage. Reputable seedboxes seem to be in the range of ~$60 a month for 8TB of storage. Obviously, if you want to scale beyond that, it's as simple as adding another 8 TB drive to your box at home, whereas a cloud seedbox would nearly double in price.
I don't really desire the added complexity of having my files somewhere else.
> Why not use a seedbox?
Mostly because I haven't been able to find a seedbox service I trust as much as mullvad. It's impossible to tell which ones will flip to copyright authorities as soon as a little bit of pressure is applied.
You don't even need to ftp it, you can run the client at home and it would connect to the seedbox through the swarm (or you can manually add a peer if needed)
It would be better to look into a dedicated seedbox for torrents.
The companies offering those have experience dealing with copyright cartels.
Mullvad isn't stopping port forwarding because of copyright issues. It's because you can use their IPs to host highly illegal websites and they can't connect your account to the content and suspend it.
I wouldn't even go all the way to a dedicated seedbox. I'm using a shared one, gets the job done and only costs $12 a month.
Pia has port forwarding and is half the price of mullvad
Many Mullvad customers migrated from there to Mullvad in the first place after Kape Tech bought them.
Kape Tech, at the time, had a less than stellar reputation. I haven't followed it much since that time.
Private Internet Access stopped releasing source code for recent versions of its clients.
Details: https://news.ycombinator.com/item?id=35642700
These days, free and open source software clients are table stakes for a VPN to be considered trustworthy. The fact that PIA silently stopped releasing source code after previously promising to do so is a major red flag.
I am pretty sure you can get a deal with NordVPN. Just search youtube for someone you follow Nordvpn and sponsor.
NordVPN doesn't offer port forwarding. https://support.nordvpn.com/FAQ/1047408432/Do-you-offer-port...
Can't have a place on the internet without some Nord shilling.
For torrenting, port forwarding is only marginally important - for torrents which have very few peers and you can connect to none of them.
It's also risky because mullvad certainly has records of forwarded ports and can out you if they receive a properly worded subpoena. There is also a chance those records would be present in their backups even after you deleted the forwarded ports.
I have a separate command for port forwarded torrent client and only use it when absolutely necessary, which is almost never.
If you’re concerned about records, port forwarding isn’t that relevant. Look up NAT binding records, which is how ISPs keep track of users behind NAT.
Pity. I never used them, but I know the pain of not having an externally reachable IP. My LTE provider (the only one in my area with "unlimited" plans) has basically all of its tens of thousands of users on a single IP. So I've been using a VPN terminated in AWS to access, for example, IP cameras and other stuff at home while I'm away. I can't wait until we finally get ubiquitous IPv6. Probably not in my lifetime (because security). I've been waiting for it for the last 20 years.
Probably this was the reason for the warrant they received earlier this month [1].
[1] https://news.ycombinator.com/item?id=35638917
According to TFA, it's because of multiple reasons, not just one search warrant:
> This has led to law enforcement contacting us, our IPs getting blacklisted, and hosting providers cancelling us.
All of those happen on VPNs period, not just with port forwarding.
Dealing with annoyed law enforcement, hosting providers, and IP reputation is 99% of the value of a VPN. The other 1% is just setting up a VPN server to open proxy everything (there are scripts on GitHub that can do it in 2 minutes). Of course it's not really preserving privacy much unless there are multiple users...
Any significantly shared connection will have at least one person abusing it and causing most of the problems. The logical conclusion would be to ban the few abusers, but if Mullvad truly doesn't log/retain billing data as they claim, permanent banning would be difficult as a new account could just be created.
I don't see why they couldn't do some kind of compromise like an account has to be of a certain age/spend to use port forwarding. They do keep mappings of ports to accounts, so it's not like they don't know which accounts are abusing. Getting banned would then be more expensive for the abusers.
> Unfortunately port forwarding also allows avenues for abuse, which in some cases can result in a far worse experience for the majority of our users.
Let me rephrase that.
> Unfortunately port forwarding also allows people to get the value for the money they pay us, which in some cases can result in our service not functioning like a gym membership, where we aren't used for much but many users continue to pay for us (sadly many services block traffic coming from us which makes a lot of simpler uses of a VPN fail as well). We'll aggressively defend against chargebacks.
As far as I’m aware Mullvad doesn’t have a method of automatic recurring payments. So they can’t operate on the gym model. Only users who want to use it pay for it repeatedly.
The new gym model is annual payments. (Gyms use them too.) And chargebacks are very relevant there. Which they avoid by getting people to use other payment methods. But they also take credit cards.
Edit: Ooh, they charge the same whether you sign up monthly or annually. Not too shabby.
Mullvad used to have a "how to" guide for torrenting on VPN. But now it 404s: https://mullvad.net/en/help/bittorrent/
According to wayback machine, they deleted the page sometime mid 2021. Here's an archived version of the page: https://web.archive.org/web/20210513051214/https://mullvad.n...
So basically, Mullvad is saying that you can use its VPN service as a client to reach services but not host a service yourself (especially in a home network behind NAT or CGNAT) and have others connect to it via the VPN.
The most commonly used scenario for port forwarding would be torrenting, where users forward ports so that they can be “connectable” (i.e., accept incoming connections from the Internet).
I would argue consoles might be more common. Xbox live still likes to see port 3074 forwarded for open NAT.
This seems like a signal that it’s the beginning of the end. We all knew popularity would be their demise.
Hopefully a competitor will start up and attract less attention for a while until we have to do it all over again.
How? Port forwarding isn’t a major factor in VPN selection and usage for most people, right?
Well, yeah, it is
Horrible news but I can't blame them
> This has led to law enforcement contacting us, our IPs getting blacklisted, and hosting providers cancelling us.
Unfortunately was only a matter of time, this happens to every VPN provider who offers port forwarding eventually - widespread abuse by script kiddies and such to host RAT C&C servers.
Why don’t they just cancel the script kiddies and keep offering it to all other customers?
They could play whackamole cancelling abusive accounts, but that would require keeping logs to enable such activity.
Which mullvad specifically want to avoid doing - their whole jam is not having logs.
This will be the end for me, after being a constant customer since 2018. I absolutely need this feature and will have to find another product.
This is really going to hit folks who were trying to host stuff behind cgnat. I suppose a cheap vps will have to do instead.
I like how blunt they are about this. No excuses. “Some people are ruining it for all of you, so you can’t have the good things any more”.
Why does this affect torrent users?
Because at least one person has to have forwarded ports for them to form a direct connection. [0]
This will degrade torrent performance and make torrenting worse. Routers normally have UPnP enabled these days so we forget about it, but this will make it so you can’t connect to any other users who are also using Mullvad, for one.
[0] https://superuser.com/questions/1053414/how-does-port-forwar...
> routers normally have UPnP enabled these days
From what I understand, UPnP took off for a while, but started to become much less common about a decade ago because of the security issues it caused. I think most routers come with it disabled by default now. (If you know of any surveys indicating otherwise, I'd be curious to read them.)
Part of it is that hole punching became a standard feature for new protocols, so the need to forward ports has been reduced.
You need to be able to accept incoming connections to be able to fully participate in the network. Last time I seriously looked into this, BitTorrent clients didn't support any sort of NAT hole punching (and they often work over TCP in any case). Try running a client with and without a forwarded port and you will see a massive difference in the number of peer connections.
Transmission has supported UPnP and NAT-PMP for many years. Although it doesn't always work as reliably as having a client with directly routable address(es), it does exist and works okay.
I think I might be doing that already, as this is the first I've heard of this. Unless Mullvad was automatically opening a port for me.
Is it possible a lot of average torrenters are already not port forwarding?
> NAT hole punching
Could we just throw a STUN service in front of this, then?
So you're saying there's a chance
In order to download a file via Torrent, someone has to upload it, and when using Torrent via VPN, the file cannot be uploaded without port forwarding.
Uploading can still happen even without open ports. The open port part is that someone has to initiate the connection; after the connection is established, anyone can send anything in any direction.
Actually, the initial seeder with a closed port can upload if someone else has an open port. Generally a lack of port forwarding means you can only connect to others who do have port forwarding.
Port forwarding is the reason I use mullvad, time to switch.
FYI, there are plenty of commercial/FOSS solutions in this sort of "port forwarding service" space: https://github.com/anderspitman/awesome-tunneling
RIP torrenting on Mullvad. It's been a nice 2 years, and I am upset by this change.
No mention of refunds? That's quite a significant change to the service.
Can't refund a gift card purchase, or anything else where you’ve deliberately not saved the customer payment details. Privacy has drawbacks.
I've paid with my card though. It's possible to refund those, and PayPal.
It's a very sudden move on the Mullvad part that impacts a lot of their customers. If the torrent speed drops down as much as I think it will I won't be very happy...
They used to allow refunds for cryptocurrency payments but there's probably opportunity for abuse there since the payment method is practically anonymous to them.
Nope but they could add 10% of time credit or something. Especially to those who had port forwarding configured in the last year or so.
They offer refunds within 30 days of purchase as a matter of course, provided you paid with a method that can actually be refunded. Seems like you're out of luck if you paid longer than 30 days ago, though.
https://mullvad.net/en/help/refunds/
Not for vouchers or crypto as per their official policy.
To be fair, the terms and conditions say they stopped offering port forwarding two years ago https://web.archive.org/web/20210430072429/https://mullvad.n...
That specifies "an account that has an active subscription" and they only seem to be using the term "subscription" in the ToS for auto-renewing plans.
> If you wish to subscribe to the service, you can sign up for a PayPal subscription. With a subscription, €5 is automatically deducted from your PayPal account each month.
Otherwise they just talk about "using" or "paying". It has also been absolutely possible to a) add new port forwards if you have paid for Mullvad b) pay for Mullvad when you have port forwards, so those ToS wouldn't make sense if they referred to all Mullvad accounts.
Shame, I'd been greatly enjoying Mullvad and their stance on privacy, but port forwarding is a must for some of the services I run. Anyone have a good suggested alternative?
Just tried AirVPN. Works good.
Yes, the potential for abuse is quite a lot... from the rather harmless Torrent user up to running C&C servers for botnets.
I'm curious: if you have a forwarded port on your vpn that anyone can send traffic to, assuming that someone can observe the encrypted traffic going out of the vpn provider, couldn't they send various traffic "shape" to the port and try to find the same pattern in the encrypted traffic to figure out who you are?
Yes, if you can observe incoming and outgoing traffic you can trivially use timing attacks. That being said, if you have that capability, Mullvad isn't going to keep you safe anyway. As the folks over at PerfectPrivacy succinctly put it: if you have a whole NSA team after you, it's game over anyway.
I port forward via EC2. Had to learn iptables (which apparently are now deprecated) and set up OpenVPN (these days I’d probably do WireGuard). Works fine for my personal website, and paying in advance the cost is maybe $3/mo; didn’t realize it was remotely controversial.
This feels a bit like the Dropbox comment. Sure, open source tools exist that enable you to do things yourself. However there’s a large market for less-technical people (prosumers) who might pay for a lot of that complexity to be simplified.
And it breaks original purpose to use VPN: "privacy"
eh except I'm not saying I don't get why people need VPNs, I totally get that and have used several. The Dropbox comment was saying Dropbox is redundant. I don't feel that way at all about VPNs and didn't say anything like that.
I'm just saying there are workarounds that mean we don't have to be beholden to the Mullvads of the world if they drop this feature. I think we're basically one good blog post away from a situation where most people who need port forwarding can set it up themselves via ec2. If they prefer VPNs, and can find some that do port forwarding, more power to them.
Why do individuals use a VPN, other than to do questionable activities?
Not trolling, genuinely curious.
Recently I watched the Scotties Tournament of Hearts[1].
I paid for a monthly subscription to the Canadian streaming provider (TSN), since I live in Canada.
For whatever reason, there was no international streaming provider. (It has been on ESPN in previous years.)
The ads on the TSN stream were horrific. They put a full 25% of the active play of every game (the first thrower in every end) in a muted PIP box so they could play more full-screen ads.
TSN decided to offer a stream of the playoff games to non-Canadian viewers who had no way of watching, and since pay-for TSN is geoblocked to Canada, they made that stream free, and geoblocked it to not play in Canada.
The international stream was also free of commercial breaks. Instead of commercials it just showed miscellaneous cameras between ends, and showed the entire ends without putting a quarter of them in a PIP box.
So obviously, my experience was much better by streaming the international stream rather than the local stream that I paid for.
[1] https://en.wikipedia.org/wiki/Scotties_Tournament_of_Hearts
- There are countries, and ISPs in some countries, that block or throttle access to commonly used websites.
- You can get cheaper rates on some travel expenses, such as car rentals, by changing your IP to one in a different geo.
To have a fixed internet point of presence, when frequently travelling. Otherwise, all kinds of services start complaining that you're logging in from a new location.
My local ISP throttles YouTube.
VPN bypasses that entirely, despite my traffic traveling to another continent on the other hemisphere.
All depends on who it is that is deciding what is questionable and what is not.
What’s an example of an activity you’d consider debatable on whether or not it’s “questionable”?
I have had multiple problems with ISPs throttling/prioritizing traffic, such as games. In one case I had ping times to the Steam servers that were so bad the game DC'd about every 5 minutes. Popped everything into a VPN endpoint in my own city and suddenly everything worked smoothly and flawlessly. And this was not a high bandwidth game by any means. This has happened multiple times.
Also, hosting stuff at my house. Multiple times had ISPs that appeared to be degrading incoming connections where once again popping everything into a VPN tunnel fixed any problems. (for example when I set up a streaming website from my house with a webcam of our kittens to watch from work. Stream kept getting interrupted randomly until I routed it through a VPN)
I tend to use VPS based solutions rather than commercial VPN providers, but I've done both.
TL;DR: ISPs are shifty and untrustworthy.
I would like to watch Japanese commercials and trailers for things i'd like to watch -- but Japanese publishers are big on region locking on the streaming sites, so I circumvent the issues with VPNs.
Questionable? Maybe; but I don't really feel personally beholden to copyright/trademark law that isn't preventing a loss anywhere -- in many cases when I watch these trailers I make purchases based upon them, so if anything the corporations that region-lock their YouTube videos away from other markets are doing more damage than I -- the extra diligent customer.
If you need an absolutely vanilla answer: I VPN into a network node that can access other nodes that only host their services to the local network. That's also a big advantage, and as far as I know it doesn't step on any legal toes.
To access my home network?
Ohhhh too bad. It was useful for torrents.
That said, I never actually got incoming connections over UDP working properly anyway through these ports, even though they were supposed to be supported.
But I can understand the reasoning yeah.
FYI, AirVPN still supports port forwarding: https://airvpn.org/faq/port_forwarding/
AirVPN looks sketchy
I've been a customer since 2016 and they've been excellent. They also recently added wireguard support which is nice.
Reddit has a big comparison table if you're curious: https://old.reddit.com/r/VPN/comments/m736zt/vpn_comparison_...
Might be the most trustworthy option available if you need multiple ports associated with an account... IVPN only supports one port. ProtonVPN may be OK if you're okay with getting a new random port every connection.
It does, but it works. Been using it for 3 years.
It doesn't look sketchy to me. Why does it look sketchy to you?
I wrote something tangentially related, but for single user.
"gofwd" is a cross-platform TCP port forwarder with Duo 2FA and Geographic IP integration. Its use case is to help protect services when using a VPN is not possible. Before a connection is forwarded, the remote IP address is geographically checked against city, region (state), and/or country. Distance (in miles) can also be used. If this condition is satisfied, a Duo 2FA request can then be sent to a mobile device. The connection is only forwarded after Duo has verified the user.
https://github.com/jftuga/gofwd
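An added example, not gofwd's code and not from the commenter, of the check-before-forward idea described above: a small asyncio TCP forwarder that consults a source-address allowlist before it opens the connection to the backend. The allowlist stands in for gofwd's geo and Duo checks; the echo backend, the loopback addresses and every name here are constructed for the demo.

```python
import asyncio
import ipaddress


class ForwardPolicy:
    """Allow a connection only if the peer address falls inside an allowlist
    of networks. A real deployment would add a geo lookup or a 2FA step here;
    the allowlist keeps this example runnable offline. (Hypothetical name.)"""

    def __init__(self, allowed_networks):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]

    def allows(self, peer_host):
        try:
            addr = ipaddress.ip_address(peer_host)
        except ValueError:
            return False  # anything that is not an IP literal is refused
        return any(addr in net for net in self.networks)


async def _relay(reader, writer):
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    except (ConnectionResetError, BrokenPipeError):
        pass
    finally:
        writer.close()


async def start_forwarder(listen_host, listen_port, target_host, target_port, policy):
    """Listen on listen_host:listen_port and relay accepted connections to the
    target, but only after the policy has approved the peer address."""

    async def handle(client_reader, client_writer):
        peer_host = client_writer.get_extra_info("peername")[0]
        if not policy.allows(peer_host):
            client_writer.close()  # refused before a single byte reaches the backend
            return
        try:
            target_reader, target_writer = await asyncio.open_connection(target_host, target_port)
        except OSError:
            client_writer.close()
            return
        await asyncio.gather(
            _relay(client_reader, target_writer),
            _relay(target_reader, client_writer),
        )

    return await asyncio.start_server(handle, listen_host, listen_port)


async def _echo_backend():
    """Stand-in for the protected service: echoes whatever it receives."""
    return await asyncio.start_server(_relay, "127.0.0.1", 0)


async def _roundtrip(allowed_networks, payload):
    backend = await _echo_backend()
    backend_port = backend.sockets[0].getsockname()[1]
    forwarder = await start_forwarder("127.0.0.1", 0, "127.0.0.1", backend_port,
                                      ForwardPolicy(allowed_networks))
    forwarder_port = forwarder.sockets[0].getsockname()[1]
    try:
        reader, writer = await asyncio.open_connection("127.0.0.1", forwarder_port)
        try:
            writer.write(payload)
            await writer.drain()
            reply = await asyncio.wait_for(reader.read(65536), timeout=5)
        except (ConnectionResetError, BrokenPipeError):
            reply = b""  # the forwarder hung up on us: policy said no
        writer.close()
        return reply
    finally:
        forwarder.close()
        backend.close()


def demo(allowed_networks, payload):
    """Send payload through the forwarder and return what came back
    (the echo when allowed, an empty reply when refused)."""
    return asyncio.run(_roundtrip(allowed_networks, payload))


if __name__ == "__main__":
    print(demo(["127.0.0.0/8"], b"hello"))  # b'hello'
    print(demo(["10.0.0.0/8"], b"hello"))   # b''
```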
Well bummer.
I'll be applying for a refund.
I've just done so. I might rejoin but I'll look for alternatives first.
Also, does this mean they just aren’t going to allow fully routable IPv6 because of “abuse” or whatever (one of the promises of IPv6, whenever it’s realized, probably shortly before the heat death of the universe, is precisely what Mullvad claims to be the cause of trouble)?
Everyone having a unique globally routable IPv6 address might be less private/anonymous. Less ability to blend with the crowd. Personally I wouldn't mind ULA on a commercial VPN.
Can you still accept incoming connections on IPs that are behind the VPN?
That requires port forwarding
Normally it doesn't, but I guess Mullvad have a user untouchable firewall in place then.
Hide.me supports port forwarding with UPnP
If I don't torrent, how does this affect me?
It doesn't affect web browsing via their service, for example. If you only do that, then you're not affected.
Can someone explain to me why they need port forwarding functionality through a VPN?
Torrents. As in you don't want your whole traffic to go through a VPN, but you may be in one of those places where a torrent client is a must.
Routing your whole traffic doesn't help. The IP on the other side isn't just used by you.
The problem is inbound connections. If both peers are behind NAT they can't connect.
You don't need a port forwarded to use BitTorrent. Clients connected to the network exchange information with each other. Magnet links or torrent files provide the information needed to get in touch with peers to make the initial connection.
I want a VPN for privacy.
And I run services through it that I want access to from outside my subnet.
Torrents need a port open and forwarded.
This is off topic, but how can Mullvad be a no-log VPN and still operate without impunity? What about uber illegal stuff like CSAM or terrorist stuff etc.?
Compare it for example to a company operating taxis that can be hailed on the street and be paid in cash on arrival. The company does not log any details about its passengers, nor does it inspect their luggage or inquire about their reason to travel. How can the taxi company still operate with impunity? What about passengers using them for uber illegal stuff, like transporting drugs, illegal arms, or for escaping from law enforcement?
You can still put the taxi driver on the stand. Most cabs are even equipped with cameras now.
This is more comparable to a taxi company which makes the driver take a pill to forget all details on arrival. That would be harder to defend after the first incident of "why was this car in my driveway last night?" - "we couldn't tell you!"
Generally it's not illegal to host services that could potentially be used for those things (as basically any online service with user generated content could be used for that), but it's illegal not to act once you have received complaints about it. Presumably, Mullvad does act when they get notified about their service being used in those manners.
Do you think if VPNs became illegal in America that it would have any effect on terrorism or child abuse? People who don't care about violating little children don't care about violating the law.