Tag: mullvad

  • After Influx of New Users from Mullvad, IVPN Will Also End Support for Port Forwarding

    Last month, the revered VPN provider Mullvad announced they were removing port forwarding from their service citing abuse and legal concerns. Now IVPN, another reputable VPN service, has announced they too will be phasing out port forwarding from their offerings.

    In a blog post, IVPN explained that while most of their customers use the port forwarding feature for legitimate purposes, “actions of a few can have undesirable consequences affecting the whole VPN network.” Specifically, they noted an increase in “large scale abuse and sharing of objectionable materials” as well as a “significant influx of new customers” after Mullvad’s policy change. This has put a strain on IVPN’s servers and operations.

    IVPN also cited an increase in law enforcement inquiries and issues with data centers as reasons for removing port forwarding. “We have no insights into how any one specific customer uses IVPN, and that needs to stay that way,” IVPN wrote. “After careful deliberation, we have found no other way to avoid further negative outcomes, but to gradually remove the port forwarding feature from service.”

    One customer asked why IVPN can’t just ban accounts reported for abuse rather than removing port forwarding altogether. IVPN responded that their priority is privacy-focused customers, and port forwarding also enables problematic uses that have strained their service since another major VPN provider banned port forwarding. Simply banning abusive accounts wouldn’t work since new anonymous accounts can be created quickly. IVPN concluded they must choose between offering port forwarding or ensuring a stable service long-term. While inconvenient for some, removing port forwarding seems the prudent choice.

    Port forwarding allows VPN users to access services running behind the VPN like websites, game servers or self-hosted servers. However, as Mullvad and now IVPN have found, it can also be abused for malicious purposes like hosting undesirable or illegal content. This abuse has led to IP addresses getting blacklisted, issues with hosting providers, and a worse experience for most VPN users.

    While some users may be upset with IVPN’s decision, as with Mullvad’s policy change, it seems to be a necessary step to protect the majority of their rule-abiding customers and ensure a stable service. The move may also help IVPN avoid some of the legal and abuse issues Mullvad cited in their announcement last month. Overall, IVPN appears to be making a prudent choice, even if an inconvenient one for some power users.

    So… What now?

    It’s important to acknowledge the legitimate users who relied on port forwarding for activities such as torrenting. For them, this change in policy may seem like an inconvenience or even a setback. However, alternate solutions like seedboxes, which are not plagued by these issues, remain viable options. These dedicated servers can provide high-speed torrenting, bypassing the need for port forwarding and offering an extra layer of privacy to boot.

    That said, the struggle against illegal activities on the internet often resembles a game of cat and mouse. VPN providers like IVPN are caught in the middle, striving to balance the needs and wants of their user base with the necessity of maintaining lawful operations and robust relationships with their data center partners.

    In the face of such challenges, it’s understandable that IVPN prioritizes its role in helping individuals avoid mass surveillance. This mission, to protect the privacy of the many, is fundamental to their service. In this light, the decision to restrict port forwarding — a feature that has been weaponized by a few individuals for illegal operations — becomes a sensible sacrifice for the greater good. It’s a testament to their commitment to privacy, operational stability, and the long-term viability of their service. As users, it’s crucial for us to understand these dynamics, adapt to these changes, and explore alternate solutions that align with our needs.

    Not a new problem

    IVPN’s policy change highlights an ongoing struggle that has persisted since the early days of the internet. There is a delicate balance between privacy and freedom that VPNs and other online services must grapple with.

    On the one hand, VPNs are created to protect users’ privacy and allow them to avoid censorship and mass surveillance. Services like IVPN are necessary to give individuals access to information without oversight or limitations. However, the same privacy and anonymity these tools provide can also be exploited for malicious ends like the spread of illegal or objectionable content.

    This tension is not new or unique to VPNs. It has been an issue since the development of the world wide web. While the internet was designed as an open platform for the free exchange of information and ideas, that openness also enables the spread of misinformation, privacy violations, online harassment, and more.

    There is no easy solution to this dilemma. Companies and policymakers have experimented with various approaches over the years, from self-regulation to restrictive laws and policies. However, enacting limits on privacy or internet freedoms also poses risks if taken too far. It is a question with valid arguments on both sides.

    For services like IVPN, decisions around port forwarding, privacy policies and allowable use come down to finding the right balance for their service and users. Their choice to restrict a feature prone to abuse is one approach to this complex problem. However, it is not without its downsides and there are no perfect or permanent answers. Managing privacy and freedom online remains an ongoing challenge without a simple fix.

  • Mullvad’s Misguided Move into Search and Browsers

    Mullvad, a renowned VPN service provider, recently introduced Mullvad Leta, a search engine exclusive to users with a paid Mullvad VPN account. While Mullvad aims to provide additional privacy-focused features, some users may question the effectiveness and purpose of Mullvad Leta. With numerous existing privacy-based search engines available, such as Brave Search, DuckDuckGo, Startpage, and Mojeek, it is worth examining whether Mullvad’s investment in this search feature truly benefits the end user or if it could have been better utilized in other areas, such as server infrastructure or app improvements.

    Mullvad Leta operates by utilizing the Google Search API as a proxy and caching search results. While this approach reduces costs and improves privacy by sharing cached results among users, it is important to note that it doesn’t generate any direct revenue for Mullvad. With so many established privacy-focused search engines available, Mullvad Leta’s value proposition becomes questionable. Users already have access to alternative search engines that offer similar or even more comprehensive privacy features without the need for a paid VPN account.

    The development of Mullvad Leta and the Mullvad Browser raises concerns about the allocation of resources. Rather than investing in these additional features, users may argue that the money and resources could have been better utilized in expanding server infrastructure to enhance speed and coverage in more countries. Additionally, focusing on app improvements and feature parity with the mobile apps would have likely garnered more positive user response and loyalty.

    Existing hardened browsers and Google scrapers/proxies already cater to users seeking enhanced privacy features. By introducing its own browser and search engine, Mullvad appears to be reinventing the wheel and offering solutions for issues that have already been addressed by established players in the market. This approach raises questions about Mullvad’s overall strategy and makes it difficult for users to understand and trust their roadmap.

    Mullvad’s recent endeavors, including engaging with the European Parliament, discussing the Swedish police in their headquarters, and branching out into various features and services, have led to a perception of a lack of focus. Users may find it challenging to discern Mullvad’s overarching strategy and determine where the company’s priorities lie. This lack of clarity can undermine user trust and raise doubts about the effectiveness of their efforts.

    While Mullvad Leta and the Mullvad Browser aim to provide additional privacy features, the existing landscape of privacy-focused search engines and secure browsers raises questions about the necessity and effectiveness of these offerings. Users may argue that resources and investment could have been better utilized in areas such as server infrastructure, app improvements, and feature parity. Mullvad’s approach to expanding into various domains without a clear strategic focus may result in skepticism among users and hinder their ability to trust the company’s direction. Ultimately, users seeking privacy-focused solutions may find more comprehensive alternatives from established players in the market.

  • Mullvad VPN to Remove Port Forwarding Feature, Citing Security Concerns

    In a move that has drawn attention from the cybersecurity community, Mullvad VPN, a popular provider known for its commitment to privacy, has announced it is discontinuing support for port forwarding. The company cites frequent misuse of this feature, leading to negative experiences for the majority of its users, and more troublingly, garnering unwanted attention from law enforcement agencies.

    Port forwarding is a networking technique that allows remote computers to connect to a specific computer or service within a private local area network (LAN). In the context of a VPN service, port forwarding could be used to enable friends or family to access a service running behind the VPN, such as a legitimate website, a game server, or a self-hosted server.

    However, the darker side of this coin has caught up with Mullvad, prompting the drastic decision to entirely remove the feature. The misuse of port forwarding can open avenues for abuse, with nefarious individuals utilizing this feature to host undesirable content and malicious services. This has resulted in Mullvad’s IP addresses being blacklisted, hosting providers cancelling their services, and law enforcement contacting the company.

    The compromise Mullvad has chosen is a challenging one. On one hand, it protects the majority of its users who may not be using port forwarding, ensuring their VPN experience is not negatively impacted by the actions of a few. On the other hand, it limits the functionality of the service for those users who were using port forwarding for legitimate purposes.

    The removal of the port forwarding feature may be seen as a positive move from a cybersecurity perspective. By eliminating this feature, Mullvad is taking a stand against the potential for misuse and abuse that port forwarding can enable. This could include activities such as operating rogue servers, distributing illegal content, or even hosting phishing sites, all of which can be done by malicious actors who take advantage of port forwarding to hide their activities behind the VPN.

    Nevertheless, the decision also brings with it a negative impact on the versatility of Mullvad’s service. Port forwarding is a useful feature for power users who require remote access to services behind their VPN. This includes scenarios such as running a remote game server, providing access to a self-hosted website, or facilitating peer-to-peer file sharing. By removing this feature, Mullvad could risk alienating a segment of their user base who rely on these capabilities.

    Community Reaction

    On Twitter, several users expressed disappointment and concern about the removal of the port forwarding feature, stating that it was essential for their use of the service, and suggesting that Mullvad could have addressed the problem by limiting port forwarding to certain servers. Some users, however, appreciated the decision, commending Mullvad for prioritizing the quality of their core product and removing features that could compromise privacy and security.

    Reddit users also had mixed reactions. Some users understood the decision and saw it as a necessary step to ensure the survival of Mullvad and the privacy it offers. They criticized those who had abused the feature for ruining it for others. Others, however, were skeptical about the effect of the decision on Mullvad’s future, with some predicting that the removal of port forwarding might lead to the end of the VPN provider. They argued that many users chose Mullvad specifically for the port forwarding feature, and that the removal of this feature could cause these users to leave. Some users also suggested that abuse of the service went beyond torrents and included illegal activities like child sexual abuse material (CSAM) sharing.

    The sentiment in the Hacker News thread about Mullvad’s decision to remove port forwarding was mixed. Many users expressed understanding and agreement with the decision, seeing it as a necessary measure to maintain service quality and reduce abuse. However, a significant number of users were disappointed, viewing port forwarding as a crucial feature whose removal could affect their experience, particularly for tasks like torrenting. Suggestions were made for alternative solutions, like offering dedicated servers for port forwarding or implementing stricter controls. Some users provided technical insights to highlight the importance of port forwarding, while official replies from Mullvad indicated that this decision was part of a larger strategic roadmap.

    In short, public sentiment towards Mullvad’s decision to remove support for port forwarding is mixed, with some users understanding and supporting the decision, and others criticizing it and expressing concerns about its impact on the service.

    As of now, Mullvad has removed the ability to add new port forwards and plans to remove all existing ports by July 1, 2023. This decision is sure to be felt by users who are actively using this feature. Mullvad has advised those affected to update their services accordingly.

    This development highlights the ever-present tension between security and functionality in the world of digital services. While Mullvad’s decision may limit certain users, it could also be seen as a necessary step to curb abuse and protect the wider user base. As always, the world of cybersecurity and privacy evolves, and providers like Mullvad must continue to navigate these complex waters.

  • Code Highlight: Scraping IP’s from Mullvad

    We frequently rely on publicly available data such as IP addresses and hostnames to conduct our testing and analysis. Sometimes it’s easy to access and sometimes we have to do a little extra work. However, getting access to this data in a structured format can be quite challenging. Enter the Mullvad Extractor – a nifty script that extracts IP addresses and hostnames from the Mullvad VPN servers page.

    Our Project: Extracting VPN Server Data

    Our goal was to extract domain names and IPv4 addresses of VPN servers from the Mullvad website and save them as a CSV file. While this might sound straightforward at first, we encountered a few roadblocks along the way – namely SvelteKit’s lazy loading feature.

    The Challenges: SvelteKit Lazy Loading

    SvelteKit is a fantastic framework for building web applications, but its lazy loading feature presented some challenges when it came to extracting data. The website we were working with loads its content dynamically, meaning that the VPN server information only becomes available in the DOM as users scroll down the page. This behavior complicated our data extraction efforts.

    To work around SvelteKit’s lazy loading, we used JavaScript to simulate scrolling, giving the website enough time to load the data before moving on to the next section. This way, we could extract the required information without missing anything important.

    The Solution: A JavaScript Extravaganza

    1. Asynchronous Functions: Keeping Things Smooth

    To ensure a smooth user experience, we made use of asynchronous functions. By doing so, we avoided blocking the main thread, allowing the browser to remain responsive during the execution of our script.

    The main() function, which is the core of our script, was declared async. We also employed await with the sleep() function to pause execution at specific points, giving the website enough time to load content before continuing.

    For example, we used await sleep(800) before and after clicking on an expandable icon element. This allowed the website to properly load the content before our script continued to process it.

    2. Mutation Observers: Keeping an Eye on Changes

    Since the website we worked with used SvelteKit’s lazy loading, we had to find a way to detect when new content was added to the page. Enter mutation observers!

    Mutation observers allowed us to monitor the DOM for changes and update our extracted data accordingly. By setting up a MutationObserver instance, we were able to observe the container element where new content was added. Whenever new content was loaded, the observer would detect the change, and our script would process the new information.

    This approach proved to be efficient and robust, as it allowed our script to work seamlessly with the website’s dynamic nature.

    3. Sets: A Unique Approach to Data Deduplication

    During the data extraction process, we noticed that our script sometimes captured duplicate entries. To address this issue, we used a JavaScript Set to store unique IP addresses.

    A Set is an ordered collection of unique values, which means it automatically removes duplicates. By adding each IP address to a Set, we ensured that our final extractedData array contained only unique entries.

    Once we had a unique list of IP addresses, we easily converted the data into CSV format and provided a downloadable file for the user.
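
    The de-duplication and CSV steps above, extended as an added example (not the author's script): it treats text read from the page as untrusted, validating each IPv4 address and hostname, de-duplicating on the IP with a Set, and quoting fields so a stray comma or formula-style prefix cannot corrupt the spreadsheet. The function names and sample rows are constructed for illustration.

```javascript
// Added example: validate, de-duplicate and safely serialize scraped rows.
// All names and sample rows below are constructed for illustration.

// Strict dotted-quad IPv4: four decimal octets 0-255, no leading zeros.
function isIPv4(text) {
    const parts = text.split('.');
    return parts.length === 4 &&
        parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Hostname: dot-separated letter/digit/hyphen labels, 1-63 chars each.
function isHostname(text) {
    if (text.length === 0 || text.length > 253) return false;
    return text.split('.').every(label =>
        /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(label));
}

// Quote one CSV field per RFC 4180 and neutralize spreadsheet formulas.
function csvField(value) {
    let text = String(value);
    // A leading =, +, -, @, tab or CR makes spreadsheets evaluate the cell.
    if (/^[=+\-@\t\r]/.test(text)) text = "'" + text;
    // Fields with a comma, quote or newline are quoted; quotes are doubled.
    if (/[",\r\n]/.test(text)) text = '"' + text.replace(/"/g, '""') + '"';
    return text;
}

// Keep rows whose ip and domain validate, de-duplicated on the IP address.
function cleanRows(rows) {
    const seen = new Set();
    const kept = [];
    const rejected = [];
    for (const row of rows) {
        const ip = String(row.ip ?? '').trim();
        const domain = String(row.domain ?? '').trim().toLowerCase();
        if (!isIPv4(ip) || !isHostname(domain)) {
            rejected.push(row);          // keep for manual review
        } else if (!seen.has(ip)) {
            seen.add(ip);
            kept.push({ domain, ip });
        }
    }
    return { kept, rejected };
}

// Serialize rows with an explicit column order and CRLF line endings.
function toCsv(rows, columns) {
    const lines = [columns.map(csvField).join(',')];
    for (const row of rows) {
        lines.push(columns.map(c => csvField(row[c])).join(','));
    }
    return lines.join('\r\n') + '\r\n';
}

// Constructed sample input (documentation address ranges, made-up hostnames).
const sampleRows = [
    { domain: 'node-1.vpn.example', ip: '192.0.2.10' },
    { domain: 'node-1.vpn.example', ip: ' 192.0.2.10 ' },  // duplicate after trim
    { domain: 'Not found', ip: '198.51.100.7' },           // fallback text, not a hostname
    { domain: '=1+1', ip: '203.0.113.5' },                 // formula-shaped cell
    { domain: 'node-2.vpn.example', ip: '203.0.113.256' }, // octet out of range
    { domain: 'node-3.vpn.example', ip: '203.0.113.9' },
];

const { kept, rejected } = cleanRows(sampleRows);
console.log(toCsv(kept, ['domain', 'ip']));
console.log(`${rejected.length} row(s) rejected`);
```

    Rejected rows are returned rather than silently dropped, so a change in the site's markup shows up as a spike in rejections instead of a quietly shorter CSV.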

    Lessons Learned and Limitations

    While our solution successfully extracts the VPN server information, it’s not without its limitations. The script relies on the specific structure of the website, meaning that changes in the site’s layout or classes may break the code. Additionally, the sleep durations used in the script might need to be adjusted if the website’s loading speed changes.

    In conclusion, our script demonstrates how to tackle the challenges of extracting data from a website using SvelteKit’s lazy loading feature. It shows that with a little creativity and perseverance, we can overcome such hurdles and build a solution that works.

    So the next time you find yourself facing a dynamic website that’s trying to keep its data hidden from view, remember our little adventure here and know that you too can conquer the challenge with a bit of JavaScript magic! Happy coding!

    The Code

    function sleep(ms) {
        return new Promise(resolve => setTimeout(resolve, ms));
    }
    
    async function main() {
        try {
            await sleep(3000);
    
            const container = document.querySelector('div[style*="overflow-y: auto"]');
            if (!container) {
                throw new Error('Could not find the container element');
            }
    
            const expandableIconElements = document.querySelectorAll('.expanding-icon');
            const extractedData = [];
    
            const observer = new MutationObserver((mutations) => {
                mutations.forEach((mutation) => {
                    if (mutation.type === 'childList') {
                        mutation.addedNodes.forEach((node) => {
                            if (node.nodeType === Node.ELEMENT_NODE && node.querySelector('.servers-dl')) {
                                const ipElement = node.querySelector('.servers-dl .dt.no-uppercase + .dd');
                                const domainElement = Array.from(node.querySelectorAll('.servers-dl .dt')).find(el => el.textContent === "Domain name");
                                const domainText = domainElement ? domainElement.nextElementSibling.textContent : "Not found";
                                
                                if (ipElement) {
                                    const ip = ipElement.innerText;
                                    extractedData.push({ domain: domainText, ip });
                                } else {
                                    console.warn('Could not find the IPv4 element in the expanded div:', node);
                                }
                            }
                        });
                    }
                });
            });
    
            observer.observe(container, { childList: true, subtree: true });
    
            for (let i = 0; i < expandableIconElements.length; i++) {
                const iconElement = expandableIconElements[i];
                const parentElement = iconElement.parentElement;
                if (parentElement) {
                    parentElement.scrollIntoView({ behavior: 'smooth', block: 'center' });
    
                    await sleep(800);
    
                    parentElement.click();
    
                    await sleep(800);
                }
            }
    
            observer.disconnect();
    
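            // Remove duplicate entries from extractedData, keyed on the IP address
            // (keying on the domain would collapse every "Not found" row into one)
            const uniqueData = [];
            const uniqueIps = new Set();
            for (const data of extractedData) {
                if (!uniqueIps.has(data.ip)) {
                    uniqueIps.add(data.ip);
                    uniqueData.push(data);
                }
            }

            // Stop early if nothing was captured; uniqueData[0] would be undefined below
            if (uniqueData.length === 0) {
                throw new Error('No server entries were extracted');
            }

            // Convert uniqueData to CSV format
            const headers = Object.keys(uniqueData[0]).join(",");
            const csvData = uniqueData.map(obj => Object.values(obj).join(",")).join("\n");
            const csvContent = `${headers}\n${csvData}`;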
    
            // Create a blob object from the CSV content and download it as a file
            const blob = new Blob([csvContent], { type: "text/csv;charset=utf-8;" });
            const url = URL.createObjectURL(blob);
            const link = document.createElement("a");
            link.setAttribute("href", url);
            link.setAttribute("download", "vpn-servers.csv");
            link.style.visibility = "hidden";
            document.body.appendChild(link);
            link.click();
            document.body.removeChild(link);
    
            console.log('Data has been downloaded as a CSV file.');
        } catch (error) {
            console.error('An error occurred during script execution:', error);
        }
    }
    
    // Start the extraction
    main();

    Markus Askildsen

    Guest Writer

    Markus Askildsen is a tech-loving Norwegian with an insatiable appetite for adventure and a passion for the outdoors. Hailing from the stunning landscapes of Scandinavia, he balances his love for hiking with an immersion in cutting-edge technology. As an author, Markus weaves tales of exploration and discovery that inspire readers to embrace the unknown and appreciate the wonders of both the natural world and the digital realm. Whether scaling remote peaks or navigating virtual reality, Markus encourages others to live life to the fullest and never shy away from excitement and beauty just beyond the horizon.

  • 10+ Reasons Why Mullvad Is One of the Most Popular VPNs

    For newcomers, here are 10 reasons why:

    1. 10+ years without scandals or leaks. You don’t want the cool new kid on the block for a VPN.
    2. One of the very few VPNs with port-forwarding and no logging evidence, both important to torrenting.
    3. Pioneered WireGuard adoption and actually donated to the project.
    4. External audit for both cross-platform app and infrastructure, as well as being open-source.
    5. Accepts bitcoin and has its own node on the blockchain, verifying payments itself.
    6. Accepts cash payments, just mail it in with your account #.
    7. Complete server transparency and many self-owned servers.
    8. Doesn’t require any information for creating an account, not even e-mail.
    9. No affiliates or paid reviews.
    10. Not selling out to a conglomerate unlike other major VPNs.
    Bonus: