Removing support for forwarded ports (mullvad.net)
292 points by brakmic on May 29, 2023 | hide | past | favorite | 262 comments


Port forwarding is a big deal. Mullvad is very well respected, and so is their advocacy of privacy, but once the setup ports expire I'll be forced to pick another provider, not as safe and certainly not as cheap either—I think many others are in the same boat too. Up until now if you needed a VPN with this feature there weren't any better alternatives. Another day cursing at networking, I guess.


Presumably whichever provider you pick will be experiencing the same abuse problems and will eventually discontinue offering this feature as well.

You should probably rethink how you expose your service. If your service is a web service, maybe consider running it as a Tor hidden service, and pointing your non-Tor-using users to a Tor web gateway?


Yes, again the extreme abusers of a service ruin it for the rest.


Windscribe is a no-log VPN that still provides port forwarding features, if you're looking for an alternative.

(Full disclosure: this is my place of work.)


A no-log VPN that refuses to publish their no-log audit and got caught lying about encrypting traffic after a seizure of servers in Ukraine.

Yes, I will trust you with my traffic and money /s


How do you guys deal with abuse? Just wondering because it seems like it has been a massive headache for mullvad so I wonder if they are targeted by abusers more than other services.


I think it’s more of a headache for Mullvad because they allow truly anonymous VPN


Does it accept cash in an envelope?


No, but I do.


You reckon you'll be seeing the abuse Mullvad used to see on their service on yours instead now?


What's the use case that makes it so important for you, out of interest?


Not OP, but it's the only way I can host a webserver off my home connection, as my ISP blocks ports upstream.

After this was announced, I discussed using Tailscale with my friends who use the server; some are technical enough to be able to install the client, others have devices that Tailscale can't be installed on, so a Tailscale subnet router would have to be set up for those devices. If it's what I have to do, I'll do it, but it's so much simpler just being able to have a publicly addressable IP with an open port.


Couldn't you use a dynamic DNS service and port forwarding on your home router?

Or I guess you're using the VPN to provide the encryption? If so, you could use SSL with Let's Encrypt.

Or is it access control? I guess maybe it's this one, as I don't have a ready answer for you.


Not a dyndns or router issue. My ISP blocks ports upstream, so there's no way to open a port on my home IP. I use the VPN to get an open port on a Mullvad IP and tunnel it to my web server.


I'm in the same boat as you, also used Mullvad port forwarding for this because all I can get where I live is mobile 4G internet which is 1) behind NAT, so I share IP with many other ISP customers and 2) changes IP very frequently.

A while back however I just locked down all ports on my "server" (really just an old computer in my home) and instead set up a Cloudflare Tunnel[1] on it. All it really does is, instead of Cloudflare forwarding HTTP requests to your server, your server connects to Cloudflare and uses that connection for bi-directional communication of HTTP requests/responses. I have an nginx web server listening on a UNIX socket that the local cloudflared daemon will forward traffic to, but nginx is not needed and you could instead set up an individual tunnel for each domain/subdomain you have, but I personally just re-use the same tunnel for everything.

Works really well even though I'm behind NAT, the public IP changes, or the network goes down briefly; the cloudflared daemon just reconnects. No DNS updates need to propagate either. I can understand though if some people are reluctant to use Cloudflare, but for me this is a lovely feature they have - and it's free.

[1]: https://developers.cloudflare.com/cloudflare-one/connections...


Thanks for posting this, was not aware that they offered this particular service and will look into it!


Sorry, I reread above, and that was clear in your message but I misunderstood.

I'd not even heard of ISPs doing that. That sounds really annoying!


Assuming torrenting and seeding.


Tailscale has a beta feature called "funnel". As of now, it only supports 80 and 443, and does not support custom domains - though you could presumably add your own cname.


Tailscaler here: your own CNAME won't work because of how the routing logic in Funnel works. When tailscaled sets up a funnel with the control plane, it uses the derived DNS name from your tailnet (e.g. pneuma.shark-harmonic.ts.net for the machine pneuma on the tailnet shark-harmonic.ts.net). As far as I understand there's no issue currently tracking this work.

Tailscale Funnel does allow you to use any TLS-wrapped protocol (i.e. one where the client does TLS and the server can optionally listen over plain TCP), but I'm not sure it would really meet the same goal as port forwarding in Mullvad does (for one, you could use any non-TLS or UDP protocol with Mullvad port forwards, e.g. Minecraft server hosting; Minecraft doesn't use TLS afaik). It's great for HTTPS though. I'm not sure how the bandwidth limits would add up over time for something more interactive like Minecraft.

Either way, Funnel does do some things well, but it's not a generic replacement for Mullvad port forwards.


aww, I really hope CNAME/generic host support comes one day. Thanks for making an awesome product!


You could use zrok.io. It's an open source alternative to ngrok which you can self-host (thus pick your own CNAME etc.) as well as supporting TCP/UDP tunneling as of the 0.4 release - https://blog.openziti.io/the-road-ahead-for-zrok


Interesting, thanks! I'll take a look :)


Funnel has come in handy for me a number of times. Though I now wonder if the abuse experienced by Mullvad will be realized by Tailscale as well. Perhaps compounded by an exodus of Mullvad (ab)users seeking alternatives.


This feature alone is what kept me using IPredator for years.


You can try Cloudflare for that. They support tunnel to let you initiate connection to their cloud. It should not require any port forwarding to make it work.


I had to stop using Mullvad because so many of their IP ranges were blocked or throttled by various services, it was borderline unusable as a daily driver. Unfortunately there isn't a good way for them to protect the reputation of their IPs when they don't collect any information that could be used to identify abusive customers, by design.

Maybe retiring port forwarding will help, but their IP ranges aren't going to be removed from every shitlist out there overnight.


To be fair, I use ProtonVPN on a paid subscription. Same exact issues.

Cloudflare gives me captcha hell with infinite "click on fire hydrants or vans or bicycles or stoplights".

Amazon just pretends to "site error".

Numerous sites like Tiktok, JLwaters, my state's data portal, and others just give me a 403 forbidden.

Other sites just load a <html></html> blank document on my VPN.

And Proton is actually kind of hard to get port forwarding turned on. You can do it by adding a suffix to the OpenVPN name, or by generating a WireGuard config with port forwarding on.

But again, I don't think it's anything to do with port forwarding per se. The current web demands deanonymization. And naturally "abuse" is blamed, even when attached to legit accounts with legit historical purchases etc.


Even without a VPN, the built-in tracking protection in Firefox trips Cloudflare’s bot detection every time. It’s a not-so-subtle FU for taking any steps to protect your privacy online.


The goal is privacy, but the side effect is that you appear exactly as any spam/scraping bot out there. So website owners block this scenario and are fine that it'll likely exclude a minority of visitors who try to browse the web with maximum privacy.


True, but it still is a flaw with services like Cloudflare and I don't believe their users know how many people actually get blocked. There are quite a few people that are familiar with these issues and it isn't only the technically inclined.


Users of cloudflare-ish services (site owners) may see a joyful dashboard counter that expresses "we blocked 9000 nefarious attempts this month" instead.

Of course without the big fat asterisk of "actually, we have no idea what our false positive ratio is. So they could be 9000 prospective customers that we blocked."

And then the customer will think "oh wow good service, all those baddies blocked, better stay in the warm embrace of this service or who knows what will happen to my site".


This is being improved by CF - if you have any "managed challenge" firewall rules on the CF dashboard, which is 'browser detection and Captcha if potential bot', it will show a Captcha Solve Rate, so hopefully site owners will adjust their firewall rule settings till the CSR is under 10% or so.

https://rr.judge.sh/Screenshot%202023-05-30%20at%2011.19.52%...


> The current web demands deanonymization. And naturally "abuse" is blamed

I used to work at a smallish mom-and-pop website host (do those even exist anymore?) that also offered email services. Our PF firewall just straight-up blocked huge swaths of IPv4 CIDRs because it was 99% email spam and exploit scanners. We had no ability whatsoever to fight it any other way. I don't recall even a single complaint from any of our customers.


> I don't recall even a single complaint from any of our customers

Well, there are two different reasons you might not have received any complaints...


What are the two different reasons?


Nobody had a complaint to lodge because none of the emails were legitimate, or they had no means of contacting you because they were completely blocked, presumably.


> And Proton is actually kind of hard to get port forwarding turned on. You can do it by adding a suffix to the OpenVPN name, or by generating a wireguard with port forwarding on.

Regrettably, I suspect this does nothing for abusers, who are motivated, and instead impacts only "legitimate" customers.


ProtonVPN supports port forwarding? Had no clue!


Sure does. And it's easier with Wireguard than OVPN.

I never successfully got an OpenVPN set up with proper port forwarding. It would appear to, and then just up and fail.

With Wireguard, I set the port automatically with UPnP (Soulseek and torrents). Have it set up there, and works like a champ.

You'll have to log in, go to Wireguard configs, set port forwarding and a P2P VPN, and download. Then do the usual with /etc/Wireguard and start it up. That's it.


Re: Captchas: Have you had any luck with PrivacyPass? https://www.hcaptcha.com/privacy-pass


I've had no luck, 'cause I wasn't aware of PrivacyPass.

Thank you! Looking into it now.


I deliberately chose Mullvad because their IPs are on those blacklists.

My impression is that the only way for an established, non-tiny VPN provider to have clean IPs is if they're buying residential proxies. My impression is that the only way to make the residential proxy business work at scale is either malware or unwanted misleading bundled crapware. I don't feel comfortable benefiting from a service that, at best, relies on tricking less tech-savvy people into installing crapware.


There are ways to get residential proxies in a more ethical way these days. Some apps/extensions are now offering money for network access/network usage and they are open about what they are doing. They pay you with cash in exchange for your network, no covert VPN or sneaky SDK in unrelated apps.

I think even the more ethically dubious providers are shifting towards that model. Which makes sense since they have to pay anyways.


I'm skeptical even those services properly inform users about the risks and downsides. I also suspect those services turn a blind eye to resellers violating their consent policies.


Alternatively, the users are well aware and embrace the plausible deniability it lends their own traffic.


I think the experiences of people operating open relays suggest that would be a foolish assumption.

If you tell a police search team you have plausible deniability they will seize all your tech and investigate you. If you're actually guilty there's a decent chance there will be other incriminating evidence. If you're innocent this will be unpleasant, expensive, and they might end up finding what they think is evidence against you anyway.


I doubt port forwarding had anything to do with this. These IPs are on blacklists because they are used by robots and scammers to make requests, not because they are used to host malware.


Yes. Cloudflare seems to be aggressively blocking Mullvad and Tor and I am sure others. It started a few months ago. Meta has been blocking them for some time also. The other side of this problem is so many domains are sitting behind Cloudflare.


It's not without reason. VPN providers are (by the nature of their business) home to all sorts of shady business. Sucks that some innocent people get hassle from it, but IP reputation systems are nothing if not damn effective at preventing abuse.


Isn’t it possible for Cloudflare customers to turn off the captcha, or at the very least prevent infinite captchas?


Yes, but I don't know which rules are responsible. It could be the bot management product but it could also be custom or default firewall rules. I think it's a combination of both. I don't know if the goal was to deliberately block certain exit points or if that was a side effect of some common settings meant to block bots or generic abuse.


I don't use them but an alternative provider. The benefit of not collecting info is still worth the hassle. I usually have no problems accessing anything aside from the rare Cloudflare prompt that they believe me to be a robot.


Damn, really liked these guys but this makes it about useless for torrent seeding. I wish they would have considered alternatives like only allowing port forwarding for some of their IPs. I don't care about IP reputation.


Exactly. For torrenting it doesn't need to access web services. It just needs to be able to connect to peers. Having a port forwarding IP block would make everyone happy.


Torrent peers are too random so it's hard to restrict for IPs.

If the problem is hosting malicious websites, they may be able to provide limited port forwarding. Browsers' restricted ports can't be used by a browser, so it's a way to avoid web hosting, I believe. A problem is that there are only 80 such ports now (for Chromium). https://chromium.googlesource.com/chromium/src.git/+/refs/he...


I would happily pay more for an account with port forwarding enabled. Maybe charging more for port forwarding enabled accounts could help offset the increased trouble caused by port forwarding abusers. It might even push some of them to other providers. Either way, this thread is evidence enough that port forwarding is a feature that people want.


Not in need of forwarding, and a happy Mullvad customer, but that does sound like a good compromise. Although I think that still may attract a lot of attention from authorities etc.


Really a shame, especially for torrent users. The other good alternatives are double the monthly price at $10/month in the case of IVPN (if you want port forwarding, that is) and ProtonVPN. Unless you want to commit for a year or two and pay all in advance, which is meh but the discount may be worth it.


Why would this affect torrenting, isn't this only for explicitly added port forwards? Or am I missing something?


For torrenting at least one of the peers has to be accessible from the outside world, either by having a white IP, by using NAT with port forwarding, or by using IPv6-to-IPv4 shenanigans. If both peers are behind NAT, they cannot download data from each other.

If you're an active seeder, it makes sense to configure your machine so that it is accessible for all the peers, including ones behind NAT. If you're just a leecher though, it makes little difference.


It will affect leeching torrents that don't have a ton of seeders. No forwarding could render a torrent unusable that would otherwise download just fine if you had an open port.


My experience resonates with this, if you have a torrent that isn't coming home, make sure you're actually reachable.


This isn't completely correct. At least one peer in the entire swarm needs to be accessible. Hole punching (BEP 55) can assist with the rest (although it's not ideal).


Is this an issue only for magnet/DHT transfers? Or does it apply to torrents that have an associated tracker too? I would have expected in the latter case that two NAT'd clients could connect to the tracker, and then the tracker could help them hole-punch a direct peer-to-peer connection.


Try to extrapolate. If nobody has an open port to which a connection can be established, how will the network work?

Trackers don't enable hole-punching, existing peer connections do[0]. And hole-punching is hardly a reliable measure to base your network on, if NAT or connection-tracking is implemented in an address-/port-dependent manner[1] then hole-punching becomes more complicated or fails, especially for TCP.

[0] http://bittorrent.org/beps/bep_0055.html

[1] https://www.rfc-editor.org/rfc/rfc4787.html#page-6
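A small connectivity model of the point made in this sub-thread: with no open port anywhere the swarm cannot exchange data at all, one reachable peer lets everyone connect to it, and BEP 55 hole punching then only helps pairs whose NATs map endpoints predictably (RFC 4787 endpoint-independent mapping). This is an added illustration, not code from any torrent client; the NAT classes and the sample swarms are constructed assumptions.

```python
"""Which BitTorrent peers can exchange data, as a function of whether they
have an open (forwarded) port and of their NAT's mapping behaviour.
Illustrative model only; constructed for this discussion."""
from itertools import combinations

# Assumed peer classes (constructed for the example):
#   OPEN - publicly reachable port (white IP or a forwarded port)
#   EIM  - behind a NAT with endpoint-independent mapping (RFC 4787 REQ-1);
#          BEP 55 hole punching can succeed
#   APDM - behind a NAT with address-and-port-dependent mapping; hole
#          punching generally fails, especially for TCP
OPEN, EIM, APDM = "open", "eim", "apdm"


def direct(a, b, swarm):
    """A direct connection needs at least one side that accepts inbound
    connections; two NAT'd peers cannot reach each other directly."""
    return swarm[a] == OPEN or swarm[b] == OPEN


def holepunch(a, b, swarm):
    """BEP 55: a peer already connected to both sides relays a rendezvous so
    they can punch through their NATs.  Needs (1) such a third peer and
    (2) predictable NAT mappings on both sides."""
    if swarm[a] != EIM or swarm[b] != EIM:
        return False
    return any(r not in (a, b) and direct(a, r, swarm) and direct(b, r, swarm)
               for r in swarm)


def connectable_pairs(swarm):
    """All unordered peer pairs that can end up with a connection."""
    return {frozenset(pair) for pair in combinations(swarm, 2)
            if direct(*pair, swarm) or holepunch(*pair, swarm)}


def peers_with_a_path_to(seeder, swarm):
    """Peers that can obtain the seeder's data at all, allowing pieces to be
    relayed through intermediate peers (breadth-first search over the
    connectivity graph)."""
    pairs = connectable_pairs(swarm)
    seen, frontier = {seeder}, [seeder]
    while frontier:
        cur = frontier.pop()
        for p in swarm:
            if p not in seen and frozenset((cur, p)) in pairs:
                seen.add(p)
                frontier.append(p)
    return seen - {seeder}


# Constructed swarms: the same three NAT'd peers, then the same swarm with one
# publicly reachable peer added.
ALL_NAT = {"seed": EIM, "alice": EIM, "bob": APDM}
ONE_OPEN = {"seed": EIM, "alice": EIM, "bob": APDM, "carol": OPEN}

if __name__ == "__main__":
    # Nobody has an open port: no pair can connect, the swarm is dead.
    print("all-NAT swarm, connectable pairs:", connectable_pairs(ALL_NAT))
    # One open peer: everyone reaches carol directly, and seed/alice (both
    # endpoint-independent) can hole-punch via carol; bob (APDM) only ever
    # talks to carol but can still be served through her.
    print("one open peer, connectable pairs:", connectable_pairs(ONE_OPEN))
    print("peers that can get seed's data:", peers_with_a_path_to("seed", ONE_OPEN))
```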


It does apply to all torrents. As far as I know, by default torrent trackers provide no facilities for hole punching.

However, if you have a tracker in a sense of "community of people dedicated to file sharing", there will be guides on how to do a proper setup even behind carrier-grade NAT. For example, one of the trackers I know suggested using Teredo (IPv6-to-IPv4) tunneling to do the hole punching.


Trackers aren't used for this, but a mutually accessible peer can be used for hole punching.


It wouldn't be very helpful in preventing abuse if you could still forward ports through UPnP.


Torrenting requires an open port accessible from peers for good speeds.


Why not use a seedbox? Download torrent to the seedbox and then ftp home. This way you get the upload from a server which if you're on a private tracker (which you should be) you'll get good upload speeds, easy to hit the default seed requirements, and you'll get full download speed when you want to use it locally.


I recognize this is probably similar to asking about how to get into fight club, but any tips on how to find a private tracker? I assume it involves becoming part of a community, but I don’t even know where to start looking for the communities!


Been so long since I've even been in the community that I don't know any of the smaller forums but check out https://filesharingtalk.com/content/. Get known for being active and if there is still an IRC pop by there. The key once you're past the standard ones like TL, is to not be that hungry for invites, the less hungry you are the more places you get to. Maybe check out https://thepiratesociety.org/ which used to be a solid community 10 years ago but I dunno how it is nowadays.

Or you can just buy one. https://www.ebay.com/itm/143939358334 for example is $2 and is the private (semi public - all the benefits of private but easy to get). It's the one I use. Buying invites can lead to getting banned but if you're just chilling out on TL then you'll be fine.

A tip for private trackers. Only download new things and freeleech until you build up a buffer (You've uploaded more than you've downloaded)


> Or you can just buy one.

There's currently a promotion running:

https://www.torrentleech.org/user/account/promoreg


Personally, I would suggest this. Use the seedbox for the first month downloading new freeleech torrents and build up a few TB buffer and use it worry free for years.


Buying an invite for TL is not a smart idea, they have regular open signups. You put all your accounts at risk for little gain.


This is why I gave the caveat that it's only worth doing if you're just going to use TL. If you're not into the whole tracker ladder thing then buying TL is kind of a safe bet, it's semi-public. TL just cares about money, I wouldn't be shocked to find out that TL has been sold a few times.

Previously, when I was really into torrenting I climbed the ladder really well, I was in the forum sections where staff would share the details of banned users. They mostly cared about cheaters, unless it was a small site trying to be exclusive. I knew people who would go to tracker staff and out people for trading and selling and nothing would happen.

But overall if you want to get into the torrent community buying and trading isn't worth it. But if you just want a single solid torrent site and are willing to pay TL is the one to do it with.


What is the best way to get access to the better sites? I've been on IPT for years with a great ratio but no idea where to even begin to look for getting into top tier ones.


The advice gioo gave about going to RED and going through the interviews is a solid way to get started in that community.

IPT is solid from my memory so there won't be many that are better as a general torrent site. But for niche stuff obviously there are tons.

But since you're already in a torrent community, check out the IPT forums; back in my day they had recruitment threads in the forums. Hang out on their chat and be friendly, don't ask for invites, just be friendly, and after a while people will start offering invites, especially if you say you aren't there yet.


IPT is a fine tracker but because of their scummy behaviour [1] you are very unlikely to climb the tracker ladder from there. You can try following that_guy_iain's advice below for sure, but if you feel stuck go for RED 100% (regardless of your feelings about collecting music).

Remember that user invites carry the risk that if someone in your invite tree breaks a golden rule (trading/selling invites) you will be banned too. Always prefer official recruitment.

[1] https://postimg.cc/hJMd5TJF


This doesn't answer your question directly but it might help anyway. Usenet is an excellent (paid) alternative to climbing the private tracker ladder. All traffic is secure and effectively anonymous. Download is lightning fast. If you're on the right backbone there is an ocean of content. It's only missing very old, obscure stuff. It's MUCH easier than climbing that ladder and worrying about ratios.


Stuff is also taken down within about a day. This is really the problem with usenet.

I actually find it much better for ancient stuff because my provider has 10 years retention and the DMCA takedowns only started a few years ago.


The common advice is to start out on RED (Redacted) by doing the interview, and climbing the pyramid from there. Use official recruitment to join other trackers, and with some patience you'll eventually have everything you need.


What really bugs me about these popular private trackers' interview processes is they too discriminate against VPNs. Like I know they think they have some private community of completely trustworthy angels, but I'm still not going to stick my non-anonymized neck out.

So then what, find public Wifi somewhere to do their "interview" from, that they'll pass for a non-shared IP address? And then hang around there all day until your turn for the interview comes up? That's the conclusion I came to last time I looked at Red's requirements years ago.

Also I just assume the interview processes have gotten much more competitive and inhuman due to the popularity, like everything these days. I got my Oink account by joining the IRC channel, and just asking nicely in a way that demonstrated a modicum of technical knowledge and reasonableness.


It's all by design, invite selling/trading is a big problem in the tracker world and tracker staff often force people to use their home IP to register for this reason. By having your home IP they can easily ban all your accounts if you are caught breaking some golden rule.

The interview process is not bad, it's just particularly slow in the case of RED. Especially frustrating for Europeans because most volunteers are in an American timezone and so interviews often happen in the middle of the night (in Europe). OPS has faster interviews but you want to join RED if you want to climb the tracker ladder, so passing through OPS basically just adds some delay.

Anyway, if you value your anonymity this much, maybe private trackers aren't for you.


> invite selling/trading is a big problem in the tracker world and tracker staff often force people to use their home IP to register for this reason.

It really isn't that much of a problem. Hell, even ratio cheats aren't actually a problem. If you have a ratio-based torrent site, fundamentally someone has to have negative ratio for the site to function. Ratio cheats basically add upload to others because they download. I'm of the opinion a lot of tracker staff are just nerds who power trip. And honestly, from my experience it's largely true. Simply, torrent sites have gotten away with power tripping and creating this image that people who buy and trade torrent accounts are a problem when you can literally talk your way up the chain within 6-12 months. It's really not that hard if someone wanted to infiltrate them, just say you're willing to code for them and boom, you got yourself a staff position with access to the database and servers. Do that well, you'll get yourself a few more, you'll get friendly with staff at other trackers, they'll invite you. Literally, it would be the easiest undercover role within the cyber world. And there probably aren't that many that are easier overall.

> Anyway, if you value your anonymity this much, maybe private trackers aren't for you.

This is sure a valid point. Your data 100% is not safe with private trackers. Nothing is safe with them. They act all high and mighty but holy shit will they share your data like nobody's business and publicly out you, steal money from the "server fund" (personally I never had a problem with it but it was always drama; ScT's exit was funny), etc.


It's not really a problem because they don't want people joining the tracker in general. It's about accountability, exclusivity and the quality of the user base. Invites being for sale means any random person could join, hindering the exclusivity and likely the quality of the userbase (a good user is already in other trackers and could join with other means). And of course, it also means that the user who bought the invite is more likely to break the golden rules because them getting tree banned is of no concern to them.

From the staff's POV it is very much a problem and some trackers are famous for dropping the hammer at the slightest violation of the golden rules.


> a good user is already in other trackers and could join with other means

Actually, these users are generally deadbeat users. They're good at providing upload and buffering accounts but that is it. They don't make your community any better, they're spread out over multiple communities.

For example, back in the day I was on UK-T, SCC, ScT, FSC, FTN, BTN, HDBit, etc. I didn't really download much from any of them specifically. I created buffers and whatnot and kept my accounts alive. Like FTN I never used; for me it was actually not that good. But when I started out I just had LeechersLair, I was very active in the community, very active with comments, very active downloading and seeding because it was my only account. So the good users for these sites are actually people who end up on my site accidentally, aren't active in the general torrent scene and aren't looking for anything else. They'll make the forums better by being active there with unique content, they'll make the chat unique instead of conversations that carry on over from other chats (been there, done that), they'll file requests, etc. They'll be more active. The people who are all over the place are often deadbeats in terms of community value, if that makes sense.

> some trackers are famous for dropping the hammer at the slightest violation of the golden rules.

So true, I was once rejected from a so-called high level tracker FTWR (follow the white rabbit) because one guy was pissed I once said on a forum "Torrent trackers should be happy we use them." They're so up themselves. Imagine thinking your users owe you something. The aim is to get users and get good users.


> Actually, these users are generally deadbeat users. They're good at providing upload and buffering accounts but that is it. They don't make your community any better, they're spread out over multiple communities.

You do have a point, I guess it boils down to the definition of a 'good user'. Like you said, someone joining from an invite they bought is likely gonna be more active. From the staff's POV the activity of an account is of secondary importance though, and the respect of golden rules is paramount. Tree-bans often end up banning users with high userclasses and (very) active accounts.

From my POV as a normal user, I like the tracker being active but I don't like the web of trust being broken. An invite-only club is good because everyone was invited by a trusted member; if you can just buy your way in it's different.

Anyway, the TL;DR is that at the end of the day your personal interests change depending on what position you're in (staff, normal user, etc.) and while you as an user may not mind people buying invites because of passive benefits, the tracker staff has different priorities and definitely does mind.


The interviews are not too difficult if you know your digital audio well and can memorize/look up a few facts. The hard part is waiting in the queue...

I'm not sure if they will allow public wifi either if it doesn't look like a residential IP. It's unfortunate... I too wish many trackers didn't do this. Totally worth it for me though. I'll just hope future me doesn't have to suffer the consequences :)

They can probably build quite a specific profile based on my searches and snatchlists, lol. There's no privacy in private trackers for the user.


Can I ask, what do people download via those private trackers? I never had problems finding anything I wanted using public tpb proxies etc.


For me, it's generally the same as public trackers but with a few differences. Very little - almost zero chance of viruses in the apps. The speeds are way faster; this is very noticeable on older stuff. There is no bait and switch.

For niche stuff you can even find the super hard to find. Want to find the tv version of episode 12 of season 3 of Flashpoint, there is a site where that is possible.

Some have communities which are super useful if you're into those. But if you just want to download and get good speeds, a general tracker like TorrentLeech is pretty much all you need.


Reliable source for movies and TV-Shows - even rare ones.

And zero chance of being picked up by copyright watchdogs who download the whole swarm's IP addresses and send legal notices to each one, fishing for ISPs that will give their users' data without a warrant.


“Zero chance” is bullshit, they could easily join a private tracker and look for IPs, they just don’t currently because private trackers are not widely known.


They’re widely known enough to have their own wikipedia page: https://en.m.wikipedia.org/wiki/Comparison_of_BitTorrent_sit...

One site on that list, for example, TorrentLeech.org has been around for almost 18 years and has hundreds of thousands of active users. In fifteen years I’ve never had an issue.

There are also foreign language trackers that are largely immune like rutracker.org - you just have to make sure to download the English versions


Is TL really the same site it used to be? I have a vague memory of losing my account and the site shutting down 10+ years ago. When they came back, they offered open sign-up now and then. Made me avoid it.


Well my account has been active for 15 years. I've never had any period where I can remember that it wasn't working.


Last time they had open signups I checked it out and I didn't find it to be anything special or give me a reason to move away from IPT (which is, from what I understand, mid tier?)

So of course I didn't use it enough and was banned for inactivity.


It's actually harder than it sounds. To scrape IPs from a public tracker, all you need to do is to download the torrent, pretend to the tracker that you want to join the swarm (without actually sharing any content) and you get a nice list. On a private tracker, all your activity is linked to an account and the tracker knows how much you upload / download. If you are a copyright owner, actually seeding content is probably a terrible idea for legal reasons, and you'll quickly run afoul of ratio requirements and get banned if you do not do so. Besides, if users report which torrents they're getting copyright complaints on, it won't be hard for staff to figure out which account tried downloading all of those and has 0 upload activity on them.


Copyright trolls not being able to upload chunks seems like a myth along the lines of "if you ask a cop if they're a cop, they have to say yes". It's easy enough to create a separate legal entity that doesn't have any rights to distribute a work, and then sign an indemnification agreement for any copyright violation that happens in the course of investigation. And if you wanted to be real paranoid, mod the client to never transmit say 20% of chunks, so even if some court finds that participating in a swarm at the behest of a copyright holder is constructive distribution, that last 20% is still actionable.


Even if this is true, there are several difficulties with this approach. You'd need to figure out a way to refuse clients from countries where you have exclusivity deals and aren't allowed to distribute, which would quickly be noticed. Besides, if the problem got big enough, tracker staff could require users to seed a few different torrents from different studios before having their accounts fully unlocked, and studios would never seed others' copyrighted content. Sure, you could defeat that with studios having contracts between each other and so on, but that's yet another difficult problem for them to solve.

The risk and effort is probably not worth the reward, considering how many public tracker users are there.


You seem to be thinking that movie studios can only operate as singular entities and in system-legible ways.

What I'm imagining: someone who is mildly connected to execs at various studios/labels starting a company that participates in private trackers, and then passes information about infringement/infringers onto studios. They would only need one or two studios as clients to prove the concept and (informally) prove the idea to the rest of the industry. Their agreement with client studios includes an agreement that they won't be sued for infringement that occurs in the process of finding (other) infringers, doesn't include any license to works, and certainly doesn't include the ability to sublicense!

Sure it's possible that when this eventually goes to court, a chain of "activist" judges might go against the status quo of a company taking steps to protect its "property" - discard corporate veils, call the investigator's uploading an implicit sublicense, etc. It's just not likely, and the failure mode still would be individual licenses for the specific downloaders that were in the swarm at the time, not blanket rights to redistribute indefinitely.


Both of those sound like the kind of shenanigans a judge wouldn't look kindly on.


Close (enough) to zero then.

Most good private trackers have an invite system; you can't just join one on a whim and get access.

Their process is profitable enough just by scanning the well known ones so they don't need to bother with trying to get access to private trackers.


Well, depending on your tastes some stuff can be hard to find especially if you want lossless copies. Other nice features are the user collages, comments, and great organisation which are pros over something similar like Soulseek.


In the case of What.CD there was a community of music makers that released exclusively or very close to the tracker community.

One of the great losses from the shutdown of that site was the destruction of that creative community.


Private trackers moderate torrents, and peers can use this to their benefit. Formats and naming are more standardized, software has less chance of malware.


Browse the /ptg/ (private tracker general) thread on 4chan's /g/ board


There are a few subreddits where people offer invites/ask for them.

Otherwise many have open signups randomly throughout the year.

The better ones are harder and often expect proof of previous seeding; like, I've been in IPT for years with a 7TB/2TB ratio but still haven't managed to find an invite to some of the more renowned ones.


If you had a way to contact you on your profile, things might be arranged


I am highly interested in getting started in this - please reach out!


Sorry to bother you so late but I am interested as well!


I am extremely interested too, could you help me out?


Interested if still available :)


I am also interested…


Check your inbox.


I am curious as well. Apologies for the lateness.


I am also interested :)


Cost. If you've already got an old, cheap server lying around, then having an 8 TB box at home is very cheap. Say, $15 a month for Mullvad + power usage. Reputable seedboxes seem to be in the range of ~$60 a month for 8TB of storage. Obviously, if you want to scale beyond that, it's as simple as adding another 8 TB drive to your box at home, whereas a cloud seedbox would nearly double in price.


I don't really desire the added complexity of having my files somewhere else.


Seems same level of complexity to me as adding a VPN into the mix.


Not really. With a VPN, the only change is that the networking between A and B now goes through a tunnel with no changes to A or B. But if you get a seedbox, A is completely removed from the picture and you just have a connection between B and C.


The level of complexity is running an rsync cron job every X minutes to check if you have new files to transfer back home.

It's not exactly rocket surgery.


So it's more complex and slower.


I can wait for the extra 60 seconds it takes for my cronjob to check new files :D


It can take a long time to sync files home if they are large enough/your connection is slow.


It takes just as long to download them on a torrent client ¯\_(ツ)_/¯

I don't live in the same time zone as the TV shows I watch, so having a delay isn't really an issue. And even if I did, I wouldn't watch them immediately anyway; that's kinda the whole point.


Fair, I moved away from a seedbox because it took so long to sync back home.


Dude, at least for TV/movies, just use ultra.cc (cheapest plan) and Kodi can connect to it via HTTPS, so no need for a VPN and you don't even need to download anything - super easy.

You can even pay more if you really need Plex.


> Why not use a seedbox?

Mostly because I haven't been able to find a seedbox service I trust as much as mullvad. It's impossible to tell which ones will flip to copyright authorities as soon as a little bit of pressure is applied.


You don't even need to ftp it, you can run the client at home and it would connect to the seedbox through the swarm (or you can manually add a peer if needed)


This misses a major point of the seedbox: that you don't have to run torrent on your residential connection.


Tell me more please.


?

You add the torrent to the seedbox torrent client and your (eg) home torrent client.

They both become part of the swarm for that torrent, through the tracker or DHT, so eventually they would know about each other.

If your seedbox downloads the chunk then your home client can connect to the seedbox client and download that chunk, just as a regular participant of the swarm, no need to do anything.

Because the seedbox has direct connectivity, if there is a seed without direct connectivity it can connect to your seedbox (again, discovered through DHT or tracker) and give out all the needed chunks.

A bit slower than having direct connectivity at your home, but most of the time it doesn't matter.


I'm having a hard time understanding the point of this setup.


Seedbox has a real IP (or port forward, though that doesn't matter here) so seeds and peers behind NAT can connect to it and transfer torrent data. Your home torrent client therefore can connect to it and receive the torrent data even if it can't connect to the seed directly.


It would be better to look into a dedicated seedbox for torrents.

The companies offering those have experience dealing with copyright cartels.


Mullvad isn't stopping port forwarding because of copyright issues. It's because you can use their IPs to host highly illegal websites and they can't connect your account to the content and suspend it.


Can you elaborate? How could someone outside Mullvad claim that Mullvad is passing illegal traffic, but Mullvad itself can't figure out who in their network is passing that traffic?


Mullvad has known exit IP addresses. Mullvad doesn't have shit for logging so they cannot link clients to traffic.


I wouldn't even go all the way to a dedicated seedbox. I'm using a shared one, gets the job done and only costs $12 a month.


Still more expensive than the 5 euro/month I was spending for Mullvad


PIA has port forwarding and is half the price of Mullvad.


Many Mullvad customers migrated from there to Mullvad in the first place after Kape Tech bought them.

Kape Tech, at the time, had a less than stellar reputation. I haven't followed it much since that time.


Private Internet Access stopped releasing source code for recent versions of its clients.

Details: https://news.ycombinator.com/item?id=35642700

These days, free and open source software clients are table stakes for a VPN to be considered trustworthy. The fact that PIA silently stopped releasing source code after previously promising to do so is a major red flag.


You don't need to use their client. Just grab a config and use an OpenVPN or WireGuard client instead.

PIA official repo: https://github.com/pia-foss/manual-connections

https://helpdesk.privateinternetaccess.com/guides/linux/linu...


I am pretty sure you can get a deal with NordVPN. Just search YouTube for someone you follow, NordVPN and sponsor.



Can't have a place on the internet without some Nord shilling.


For torrenting, port forwarding is only marginally important - for torrents which have very few peers and you can connect to none of them.

It's also risky because mullvad certainly has records of forwarded ports and can out you if they receive a properly worded subpoena. There is also a chance those records would be present in their backups even after you deleted the forwarded ports.

I have a separate command for port forwarded torrent client and only use it when absolutely necessary, which is almost never.


If you’re concerned about records, port forwarding isn’t that relevant. Look up NAT binding records, which is how ISPs keep track of users behind NAT.


How is that relevant here? mullvad has to keep track of who to forward the port to, any NAT ports are going to be ephemeral and conducted through an encrypted tunnel.


Whether a port is forwarded or allocated on demand for a connection is irrelevant when you have NAT binding record keeping infrastructure.


Pity. I never used them, but I know the pain of not having an externally reachable IP. My LTE provider (the only one in my area with "unlimited" plans) has basically all of its tens of thousands of users on a single IP. So I've been using a VPN terminated in AWS to access, for example, IP cameras and other stuff at home while I'm away. I can't wait until we finally get ubiquitous IPv6. Probably not in my lifetime (because security). I've been waiting for it for the last 20 years.


Probably this was the reason for the warrant they received earlier this month [1].

[1] https://news.ycombinator.com/item?id=35638917


According to TFA, it's because of multiple reasons, not just one search warrant:

> This has led to law enforcement contacting us, our IPs getting blacklisted, and hosting providers cancelling us.


All of those happen on VPNs period, not just with port forwarding.

Dealing with annoyed law enforcement, hosting providers, and IP reputation is 99% of the value of a VPN. The other 1% is just setting up a VPN server to open proxy everything (there are scripts on GitHub that can do it in 2 mins). Of course it's not really preserving privacy much unless there are multiple users...

Any significantly shared connection will have at least one person abusing it and causing most of the problems. The logical conclusion would be to ban the few abusers, but if Mullvad truly doesn't log/retain billing data as they claim, permanent banning would be difficult as a new account could just be created.

I don't see why they couldn't do some kind of compromise like an account has to be of a certain age/spend to use port forwarding. They do keep mappings of ports to accounts, so it's not like they don't know which accounts are abusing. Getting banned would then be more expensive for the abusers.


> I don't see why they couldn't do some kind of compromise like an account has to be of certain age/spend to use port forwarding.

In my personal experience investigating these scammers: people are happy to resell "used accounts of good age and reputation that they no longer need" on blackhat marketplaces — usually for about a dollar.

Here's one such marketplace: https://lzt.market/

(Hopefully linking to it like this will increase the probability of the right eyes seeing it and getting it taken down)


> Unfortunately port forwarding also allows avenues for abuse, which in some cases can result in a far worse experience for the majority of our users.

Let me rephrase that.

> Unfortunately port forwarding also allows people to get the value for the money they pay us, which in some cases can result in our service not functioning like a gym membership, where we aren't used for much but many users continue to pay for us (sadly many services block traffic coming from us which makes a lot of simpler uses of a VPN fail as well). We'll aggressively defend against chargebacks.


As far as I’m aware Mullvad doesn’t have a method of automatic recurring payments. So they can’t operate on the gym model. Only users who want to use it pay for it repeatedly.


The new gym model is annual payments. (Gyms use them too.) And chargebacks are very relevant there. Which they avoid by getting people to use other payment methods. But they also take credit cards.

Edit: Ooh, they charge the same whether you sign up monthly or annually. Not too shabby.


Mullvad used to have a "how to" guide for torrenting on VPN. But now it 404s: https://mullvad.net/en/help/bittorrent/

According to wayback machine, they deleted the page sometime mid 2021. Here's an archived version of the page: https://web.archive.org/web/20210513051214/https://mullvad.n...


So basically, Mullvad is saying that you can use its VPN service as a client to reach services but not host a service yourself (especially in a home network behind NAT or CGNAT) and have others connect to it via the VPN.

The most commonly used scenario for port forwarding would be torrenting, where users forward ports so that they can be “connectable” (i.e., accept incoming connections from the Internet).


I would argue consoles might be more common. Xbox live still likes to see port 3074 forwarded for open NAT.


This seems like a signal that it’s the beginning of the end. We all knew popularity would be their demise.

Hopefully a competitor will start up and attract less attention for a while until we have to do it all over again.


How? Port forwarding isn’t a major factor in VPN selection and usage for most people, right?


Well, yeah, it is


Horrible news but I can't blame them

> This has led to law enforcement contacting us, our IPs getting blacklisted, and hosting providers cancelling us.


Unfortunately was only a matter of time, this happens to every VPN provider who offers port forwarding eventually - widespread abuse by script kiddies and such to host RAT C&C servers.


Why don’t they just cancel the script kiddies and keep offering it to all other customers?


They could play whack-a-mole cancelling abusive accounts, but that would require keeping logs to enable such activity.

Which mullvad specifically want to avoid doing - their whole jam is not having logs.


This will be the end for me, after being a constant customer since 2018. I absolutely need this feature and will have to find another product.


This is really going to hit folks who were trying to host stuff behind cgnat. I suppose a cheap vps will have to do instead.


I like how blunt they are about this. No excuses. “Some people are ruining it for all of you, so you can’t have the good things any more”.


Why does this affect torrent users?


Because at least one person has to have forwarded ports for them to form a direct connection. [0]

This will degrade torrent performance and make torrenting worse, routers normally have uPnP enabled these days so we forget about it, but this will make it so you can’t connect to any other users who are also using Mullvad, for one.

[0]https://superuser.com/questions/1053414/how-does-port-forwar...


> routers normally have uPnP enabled these days

From what I understand, uPnP took off for a while, but started to become much less common about a decade ago because of the security issues it caused. I think most routers come with it disabled by default now. (If you know of any surveys indicating otherwise, I'd be curious to read them.)

Part of it is that hole punching became a standard feature for new protocols, so the need to forward ports has been reduced.


Most consumer routers I've seen come with UPnP on while SOHO routers require explicit configuration


You need to be able to accept incoming connections to be able to fully participate in the network. Last time I seriously looked into this, BitTorrent clients didn't support any sort of NAT hole punching (and they often work over TCP in any case). Try running a client with and without a forwarded port and you will see a massive difference in the number of peer connections.


Transmission has supported UPnP and NAT-PMP for many years. Although it doesn't always work as reliably as having a client with directly routable address(es), it does exist and works okay.


I think I might be doing that already, as this is the first I've heard of this. Unless Mullvad was automatically opening a port for me.

Is it possible a lot of average torrenters are already not port forwarding?


> NAT hole punching

Could we just throw a STUN service in front of this, then?


So you're saying there's a chance


Of course, but if everyone is behind NAT then no one in the swarm can connect to anyone. If this is a popular torrent then someone with the connectivity would show up, eventually, but otherwise good luck. Recently it took me four months to complete one torrent and I was the one with the real IP.


In order to download a file via Torrent, someone has to upload it, and when using Torrent via VPN, the file cannot be uploaded without port forwarding.


Uploading can still happen even without open ports. The open port part is that someone has to initiate the connection; after the connection is established, anyone can send anything in any direction.


Actually, the initial seeder with a closed port can upload if someone else has an open port. Generally a lack of port forwarding means you can only connect to others who do have port forwarding.


Port forwarding is the reason I use mullvad, time to switch.


Fyi there are plenty of commercial/foss solutions in this sort of "port forwarding service" space https://github.com/anderspitman/awesome-tunneling


RIP torrenting on Mullvad. It's been a nice 2 years, and I am upset by this change.


No mention of refunds? That's quite a significant change to the service.


Can't refund a gift card purchase, or anything else where you’ve deliberately not saved the customer payment details. Privacy has drawbacks.


I've paid with my card though. It's possible to refund those, and PayPal.

It's a very sudden move on the Mullvad part that impacts a lot of their customers. If the torrent speed drops down as much as I think it will I won't be very happy...


They used to allow refunds for cryptocurrency payments but there's probably opportunity for abuse there since the payment method is practically anonymous to them.


Nope but they could add 10% of time credit or something. Especially to those who had port forwarding configured in the last year or so.


They offer refunds within 30 days of purchase as a matter of course, provided you paid with a method that can actually be refunded. Seems like you're out of luck if you paid longer than 30 days ago, though.

https://mullvad.net/en/help/refunds/


Not for vouchers or crypto as per their official policy.


To be fair, the terms and conditions say they stopped offering port forwarding two years ago https://web.archive.org/web/20210430072429/https://mullvad.n...


That specifies "an account that has an active subscription" and they only seem to be using the term "subscription" in the ToS for auto-renewing plans.

>If you wish to subscribe to the service, you can sign up for a PayPal subscription. With a subscription, €5 is automatically deducted from your PayPal account each month.

Otherwise they just talk about "using" or "paying". It has also been absolutely possible to a) add new port forwards if you have paid for Mullvad b) pay for Mullvad when you have port forwards, so those ToS wouldn't make sense if they referred to all Mullvad accounts.


Ah, thanks, I had forgotten the distinction.


Shame, I'd been greatly enjoying Mullvad and their stance on privacy, but port forwarding is a must for some of the services I run. Anyone have a good suggested alternative?


Just tried AirVPN. Works good.


Yes, the potential for abuse is quite a lot... from the rather harmless Torrent user up to running C&C servers for botnets.


I'm curious: if you have a forwarded port on your vpn that anyone can send traffic to, assuming that someone can observe the encrypted traffic going out of the vpn provider, couldn't they send various traffic "shape" to the port and try to find the same pattern in the encrypted traffic to figure out who you are?


Yes, if you can observe incoming and outgoing traffic you can trivially use timing attacks. That being said, if you have that capability, Mullvad isn't going to keep you safe anyway. As the folks over at PerfectPrivacy succinctly put it: if you have a whole NSA team after you it's game over anyway.


I port forward via EC2. Had to learn iptables (which apparently is now deprecated) and set up OpenVPN (these days I’d probably do WireGuard). Works fine for my personal website, and paying in advance the cost is maybe $3/mo; didn’t realize it was remotely controversial.


This feels a bit like the Dropbox comment. Sure, open source tools exist that enable you to do things yourself. However there’s a large market for less-technical people (prosumers) who might pay for a lot of that complexity to be simplified.


And it breaks the original purpose of using a VPN: "privacy".


See, I’ve never understood the privacy argument. Who are you trying to stay private from? If it’s your local ISP, sure, that could probably work. But if it’s LEOs and the VPN provider must comply with international laws, you’re really just changing the amount of paperwork someone has to do. If the American FBI wants to see access logs for a VPN provider in Switzerland, the VPN provider must respond and comply with a subpoena or court order.

I feel like people really need to think about who they’re trying to be private from before signing up for VPNs.


Yes, thinking about the threat model is important. Some VPN providers like Mullvad have a good track record of ignoring warrants, since they don't record. https://news.ycombinator.com/item?id=35638917 https://torrentfreak.com/private-internet-access-no-logging-...


From the websites themselves, actually.

With a VPS as your VPN, reddit/google/facebook/whatever all see you from a single IP, one that might change even less than your ISP's. All of your alternative accounts will share this IP as well, and 0 other people use that IP address. Basically data collection and alternative account identification becomes dead simple because your IP is basically your universal ID.

You stand out as an individual; part of the "security" with things like Mullvad is that you share that IP.

Security in depth of course, fingerprinting and stuff still exist, but if you have such a clearly unique IP address you have 0 chance.


Yes, your local ISP. So they don't send you copyright infringement letters about torrenting. And the American FBI doesn't really care about that.

Also your local network, like you need to use your phone's WiFi because you don't get a good cell signal at work, but you don't want your employer seeing your personal phone activity. Same as public coffeeshops.

Do you understand the privacy argument now?


Your local ISP doesn't monitor torrenting, but copyright holders monitor torrent peer lists and they send warnings to the ISP. If you use AWS as a front ISP, you'll get a warning from AWS.


eh except I'm not saying I don't get why people need VPNs, I totally get that and have used several. The Dropbox comment was saying Dropbox is redundant. I don't feel that way at all about VPNs and didn't say anything like that.

I'm just saying there are workarounds that mean we don't have to be beholden to the Mullvads of the world if they drop this feature. I think we're basically one good blog post away from a situation where most people who need port forwarding can set it up themselves via ec2. If they prefer VPNs, and can find some that do port forwarding, more power to them.


Why do individuals use a VPN, other than to do questionable activities?

Not trolling, genuinely curious.


Recently I watched the Scotties Tournament of Hearts[1].

I paid for a monthly subscription to the Canadian streaming provider (TSN), since I live in Canada.

For whatever reason, there was no international streaming provider. (It has been on ESPN in previous years.)

The ads on the TSN stream were horrific. They put a full 25% of the active play of every game (the first thrower in every end) in a muted PIP box so they could play more full-screen ads.

TSN decided to offer a stream of the playoff games to non-Canadian viewers who had no way of watching, and since pay-for TSN is geoblocked to Canada, they made that stream free, and geoblocked it to not play in Canada.

The international stream was also free of commercial breaks. Instead of commercials it just showed miscellaneous cameras between ends, and showed the entire ends without putting a quarter of them in a PIP box.

So obviously, my experience was much better by streaming the international stream rather than the local stream that I paid for.

[1] https://en.wikipedia.org/wiki/Scotties_Tournament_of_Hearts


- There are countries, and ISPs in some countries, that block or throttle access to commonly used websites.

- You can get cheaper rates on some travel expenses, such as car rentals, by changing your IP to one in a different geo.


To have a fixed internet point of presence, when frequently travelling. Otherwise, all kinds of services start complaining that you're logging in from a new location.


My local ISP throttles YouTube.

VPN bypasses that entirely, despite my traffic traveling to another continent on the other hemisphere.


All depends on who it is that is deciding what is questionable and what is not.


What’s an example of an activity you’d consider debatable on whether or not it’s “questionable”?


Watching Netflix outside your "region".


I have had multiple problems with ISPs throttling/prioritizing traffic, such as games. In one case I had ping times to the Steam servers that were so bad the game DC'd about every 5 minutes. Popped everything into a VPN endpoint in my own city and suddenly everything worked smoothly and flawlessly. And this was not a high bandwidth game by any means. This has happened multiple times.

Also, hosting stuff at my house. Multiple times had ISPs that appeared to be degrading incoming connections where once again popping everything into a VPN tunnel fixed any problems. (for example when I set up a streaming website from my house with a webcam of our kittens to watch from work. Stream kept getting interrupted randomly until I routed it through a VPN)

I tend to use VPS based solutions rather than commercial VPN providers, but I've done both.

TL;DR: ISPs are shifty and untrustworthy.


I would like to watch Japanese commercials and trailers for things i'd like to watch -- but Japanese publishers are big on region locking on the streaming sites, so I circumvent the issues with VPNs.

Questionable? Maybe; but I don't really feel personally beholden to copyright/trademark law that isn't preventing a loss anywhere -- in many cases when I watch these trailers I make purchases based upon them, so if anything the corporations that region-lock their YouTube videos away from other markets are doing more damage than I -- the extra diligent customer.

If you need an absolutely vanilla answer : I VPN into a network node that can access other nodes that only host their services to the local network. That's also a big advantage, and as far as I know it doesn't step on any legal toes.


To access my home network?


Ohhhh too bad. It was useful for torrents.

That said, I never actually got incoming connections over UDP working properly anyway through these ports, even though they were supposed to be supported.

But I can understand the reasoning yeah.


FYI AirVPN still supports port forwarding https://airvpn.org/faq/port_forwarding/


AirVPN looks sketchy


I've been a customer since 2016 and they've been excellent. They also recently added wireguard support which is nice.

Reddit has a big comparison table if you're curious: https://old.reddit.com/r/VPN/comments/m736zt/vpn_comparison_...


Might be the most trustworthy option available if you need multiple ports associated with an account... IVPN only supports one port. ProtonVPN may be OK if you're okay with getting a new random port every connection.


Perfect-Privacy allows port forwarding as well. Also multihop (up to 4 I believe).


It does, but it works. Been using it for 3 years.


It doesn't look sketchy to me. Why does it look sketchy to you?


I wrote something tangentially related, but for single user.

"gofwd" is a cross-platform TCP port forwarder with Duo 2FA and Geographic IP integration. Its use case is to help protect services when using a VPN is not possible. Before a connection is forwarded, the remote IP address is geographically checked against city, region (state), and/or country. Distance (in miles) can also be used. If this condition is satisfied, a Duo 2FA request can then be sent to a mobile device. The connection is only forwarded after Duo has verified the user.

https://github.com/jftuga/gofwd


Well bummer.

I'll be applying for a refund.


I've just done so. I might rejoin but I'll look for alternatives first.


Also, does this mean they just aren’t going to allow fully routable IPv6 because of “abuse” or whatever? (One of the promises of IPv6, whenever it’s realized, probably shortly before the heat death of the universe, is precisely what Mullvad claims to be the cause of trouble.)


Everyone having a unique globally routable IPv6 address might be less private/anonymous. Less ability to blend with the crowd. Personally I wouldn't mind ULA on a commercial VPN.


Can you still accept incoming connections on IPs that are behind the VPN?


That requires port forwarding


Normally it doesn't, but I guess Mullvad have a user-untouchable firewall in place then.


Hide.me supports port forwarding with UPnP.


If I don't torrent, how does this affect me?


It doesn't affect web browsing via their service, for example. If you only do that, then you're not affected.


Can someone explain to me why they need port forwarding functionality through a VPN?


Torrents. As in you don't want your whole traffic to go through a VPN, but you may be in one of those places where a torrent client is a must.


Routing your whole traffic doesn't help. The IP on the other side isn't just used by you.

The problem is inbound connections. If both peers are behind NAT they can't connect.


You don't need a port forwarded to use BitTorrent. Clients connected to the network exchange information with each other. Magnet links or torrent files provide the information needed to get in touch with peers to make the initial connection.


If neither side has their ports open there is no way to make the initial connection.


I want a VPN for privacy.

And I run services through it that I want access to from outside my subnet.


Torrents need a port open and forwarded.


You don't need a port forwarded to use BitTorrent. Clients connected to the network exchange information with each other. Magnet links or torrent files provide the information needed to get in touch with peers to make the initial connection.


They do, but you will only be able to connect to peers that do have a public port open on their IP, unless you have one open yourself, in which case everyone can connect to you. But this latter option is now going away.

Which is not a lot, because in most countries exposing your IP on a torrent leads to legal threats.


Actually, you have no problem initiating the connection with port forwarding. Brief reading suggests it would work better/faster with it enabled, as some peers may not be able to initiate with you.


Initiating, no, but if your chosen peer is also behind NAT, you will not be able to connect to them.

For this reason, your selection of peers will be limited, as all other peers behind NAT without a port forward will be disregarded.

If you do have a port forward, other peers can connect to you, so all peers are available to you.


This is off topic, but how can Mullvad be a no-log VPN and still operate without impunity? What about uber illegal stuff like CSAM or terrorist stuff etc.?


Compare it for example to a company operating taxis that can be hailed on the street and be paid in cash on arrival. The company does not log any details about its passengers, nor does it inspect their luggage or inquire about their reason to travel. How can the taxi company still operate with impunity? What about passengers using them for uber illegal stuff, like transporting drugs, illegal arms, or for escaping from law enforcement?


You can still put the taxi driver on the stand. Most cabs are even equipped with cameras now.

This is more comparable to a taxi company which makes drivers take a pill to forget all details on arrival. That would be harder to defend, after the first incident of "why was this car in my driveway last night?" - "we couldn't tell you!"


That is a terrible analogy because the information is inherently captured and you are talking about taking extraordinary measures to destroy evidence. It's also a failed conversational gambit because we end up discussing the bad analogy instead of the underlying issue.

In other news, despite VPNs, people who commit crimes are prosecuted all the time via ordinary police work, per normal. In fact, despite sophisticated tech, criminals on average leave behind more breadcrumbs than they ever did in prior eras.


Generally it's not illegal to host services that could potentially be used for those things (as basically any online service with user-generated content could be used for that), but it's illegal not to act once you have received complaints about it. Presumably, Mullvad does act when they get notified about their service being used in those manners.


Do you think if VPNs became illegal in America that it would have any effect on terrorism or child abuse? People who don't care about violating little children don't care about violating the law.

