Being a PureVPN user I was certainly alarmed to find this out. My thinking is that they want to sell their NAT firewall add-on. The thing is, from what I can see the add-on can be had for $0.99 a month. I got their 2-year package, which was $59.95, or about $2.50 a month. Why wouldn't they just include the firewall and charge $3.50 a month? It's still less than most out there.
The biggest issue is that they don't tell you that you're unprotected; in fact, they lead you to believe the total opposite. At least, thanks to eibgrad, I am now secure and I don't need the firewall.
Posted: Mon Feb 20, 2017 2:43 Post subject: Well...
Well, at least I know what VPN allows this by default that I can recommend to my customers who need the ports open.
That is laughable that they think in the reverse lol.
I had been referring customers to StrongVPN for opening up ports and dedicated IPs.
I might get a PureVPN account to test with... I have some things I'd like to experiment with for a week or so with open ports through a VPN service.
Just so you know, within days after this topic was started all the ports were closed up on their end. I did go ahead and purchase their NAT firewall so I could open up the ports I needed. It does give you the option of opening them all if you really are looking to test some things.
If this does prove to be the case, I still recommend the changes I described above as a second line of defense. Personally, I don't even want ping to respond. And I suspect PureVPN isn't the only one NOT firewalling their end of the tunnel.
I agree, and I do keep your changes implemented. The more protection the better. Also, you're right to be skeptical: because they left their side open for however long, we can't be confident it will remain blocked.
Of course, as for that other person's GUI that you found accessible, it is also possible that he or she intentionally has all their ports open, although I can't imagine why.
You may be right, but it's hard to say for sure. If PureVPN is in fact listening, then I wish someone there would just respond.
I just tested my own public IP on the VPN (without the changes I recommended above) and can no longer get into either the GUI or telnet. But I can still ping.
I then visited another PureVPN public IP (some other unknown user I found by searching with a script) and found his GUI is still accessible. It may be a long-lived connection, and if he disconnects and reconnects in the future, perhaps access to his GUI may be denied. But until that happens, I remain skeptical.
Remember too, these guys have hundreds of VPN servers, and if indeed they made a change, it would have to be replicated across every server. Not something that's likely to happen overnight.
I'm also a user of PureVPN. After reading your post I went on to talk to their customer support, and they gave me this statement: "Service that blocks unsolicited ports for customers malfunctioned in some of our servers which has been fixed now."
I'm really not sure whether the issue has been resolved.
Can I piggy-back on this to ask a few questions? I'm only just dipping my toes in the world of VPNs and I'm still learning a lot of the technical stuff.
Firstly, is this still an outstanding issue? There appear to be some suggestions that it was a temporary error, and some scepticism about those claims.
Secondly, does the NAT Firewall add-on that they sell basically cover this whole issue, or are there still concerns? Adding an extra $1/month still puts them at a good price for what I was looking for.
My final question is a bit off-topic, so feel free to ignore it, but I read instructions for setting up an OpenVPN connection directly on a Netgear ReadyNAS Network Attached Storage device:
It seems that PureVPN's claim is that a malfunction caused the security issue and it is now fixed. Whether you want to believe that or not is up to you. Being a user of their service myself, I feel much more secure using eibgrad's scripts to block traffic on my end, so I'm protected in case they drop the ball again. I have also purchased the NAT firewall from them and can tell you that it gives you the options to:
1. Block all ports
2. Open all ports
3. Open selected ports (up to 15 ports)
I have also noticed on one occasion, when their site was down, that the port I have opened for my Plex to work was not open, but that's preferable to having them all open, I guess.
I guess it's possible for any VPN provider to have a breach of some sort that would cause the same issue PureVPN was having, and one would have to be checking constantly to know for sure that you are protected.
One thing I can tell you for sure is that if you do decide to use PureVPN, their tech support is bad and, for the most part, their setup guides are inaccurate at best.
# allow only outbound connections to the VPN (no inbound).
# -I inserts at the top of the chain, so the rule inserted last is matched
# first: NEW connections arriving on tun0 are dropped, replies are accepted.
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I INPUT -i tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i tun0 -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
# port forward from the VPN and into the LAN (Plex on 192.168.101.125)
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 32400 -j DNAT --to 192.168.101.125:32400
iptables -I FORWARD -i tun0 -p tcp -d 192.168.101.125 --dport 32400 -j ACCEPT
# block all access to the WAN by the LAN (kill switch).
# WAN_IF is the interface of the last 0.0.0.0 (default) route listed by route -n
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT
which works perfectly for running Plex through the VPN. Just last night I noticed, however, that when the VPN is down the only thing that is blocked is Plex. Everything else connects via my ISP.
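An added example around the rule set above; this is not eibgrad's script and not anything from PureVPN or DD-WRT. It finds the real WAN interface by selecting on Genmask instead of relying on which 0.0.0.0 line route -n prints last, refuses to install the kill switch if the tunnel itself has become the default route, and checks whether the tunnel's default route is present. The interface names, the 203.0.113.x addresses and the route table are constructed for the example.

```shell
#!/bin/sh
# Added example (not eibgrad's script): helpers for the kill-switch rule above.
#
# With "redirect-gateway def1", OpenVPN adds two /1 routes (0.0.0.0/1 and
# 128.0.0.0/1) via the tun device on top of the ISP's 0.0.0.0/0 default.
# `route -n` prints both the 0.0.0.0/1 route and the real default with
# Destination 0.0.0.0, so matching /^0.0.0.0/ alone depends on print order.
# Selecting on Genmask 0.0.0.0 as well picks the /0 route unambiguously.

# wan_if_from_route: read `route -n` output on stdin and print the interface
# of the 0.0.0.0/0 route. Exit status 1 when no such route exists.
wan_if_from_route() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { wif = $NF }
         END { if (wif == "") exit 1; print wif }'
}

# tunnel_default_present TUN: exit 0 if a route covering 0.0.0.0 (the /0
# default or the def1 0.0.0.0/1 half) points at TUN, else exit 1. If the
# tunnel route is gone, LAN traffic takes the ISP route unless the FORWARD
# REJECT rule is in place, so this is what the kill switch is there for.
tunnel_default_present() {
    awk -v t="$1" '$1 == "0.0.0.0" && $NF == t { found = 1 }
                   END { exit !found }'
}

# Constructed sample `route -n` output (not captured from a real router):
# tunnel up with def1 routes, ISP default via eth0, LAN on br0.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# apply_kill_switch TUN LAN: install the LAN->WAN REJECT rule on the detected
# WAN interface. Must be run as root on the router; it is not called here.
# If OpenVPN replaced the default route outright (redirect-gateway without
# def1), the detected "WAN" would be the tunnel, and rejecting LAN->tun0
# would cut the LAN off completely, so refuse in that case.
apply_kill_switch() {
    tun=$1; lan=$2
    wan_if=$(route -n | wan_if_from_route) || {
        echo "apply_kill_switch: no 0.0.0.0/0 route found" >&2; return 1; }
    if [ "$wan_if" = "$tun" ]; then
        echo "apply_kill_switch: default route is $tun itself; not rejecting it" >&2
        return 1
    fi
    # -C (check) needs iptables >= 1.4.11; on older builds drop the check and
    # make sure the script only runs once per boot.
    iptables -C FORWARD -i "$lan" -o "$wan_if" -m state --state NEW -j REJECT 2>/dev/null ||
    iptables -I FORWARD -i "$lan" -o "$wan_if" -m state --state NEW -j REJECT
}

# Dry run against the constructed table:
#   printf '%s\n' "$SAMPLE_ROUTE_TABLE" | wan_if_from_route              -> eth0
#   printf '%s\n' "$SAMPLE_ROUTE_TABLE" | tunnel_default_present tun0 && echo up
```

On the router, `route -n | wan_if_from_route` replaces the awk one-liner in the rule set above, and `route -n | tunnel_default_present tun0 || echo "tunnel down"` can go in a cron job to alert when the tunnel route has disappeared and the REJECT rule is the only thing keeping LAN traffic off the ISP link.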
Can it be fixed by modifying the .ovpn file? I asked their support yesterday about this flaw, and their answer was to give me the paid add-on "NAT Firewall" for free. With "NAT Firewall" I could still reach my computer from my iPhone (on 3G). It sounds like they have a big problem with their security, as mentioned in other PureVPN review blogs as well.
Is there any resolution to this issue? It seems that the issue is not isolated to DD-WRT (I have the same issue using Asus-Merlin) or to one VPN provider. It seems that once you have a private (not shared) IP in place, this is the way it works. I am facing exactly the same issue, using a different VPN provider with a private IP. My whole router is exposed, even though remote access is disabled. That's because a VPN tunnel is not considered remote access at all, but local access.
Is there any way to fix this, so as to use a private-IP VPN with firewall rules?