Is there a reason why this forum is anti VPN?

juupinerjuupiner Member

Hi,

I use Mullvad, which is a pretty popular VPN, and Cloudflare instantly bans my IP.
When I'm not on a VPN, Cloudflare redirects like 5 times before it finally shows the forum page.

Is there a good reason for setting up Cloudflare to be so restrictive?

There are other ways to protect from DDOS, like nginx rate-limit, firewall rules, etc.

Comments

  • FalzoFalzo Member

    @juupiner said: like nginx rate-limit

    you're cute!

    UltraVPS.eu KVM in US/UK/NL/DE: 15% off first 6 month | Netcup VPS/rootDS - 5€ off: 36nc15279180197 (ref)

  • edited March 29

    As a person who has operated other websites that were essentially DDOS magnets, a fair bit of abuse does come from hosting IP ranges, which are the same places where VPNs are hosted.

    In addition, VPNs tend to be hosted on providers who are willing to look past a few abuse notices and copyright infringement notices. This is good for the VPN provider because they won't be booted out, but it also makes for a good haven for those willing to DDoS. M247, Servermania and OVH are well known examples.

    It is in the interest of the provider to make the website available for as many people as possible, so usually hosting IP ranges are the one to get the boot.

  • deankdeank Member, Troll

    VPN is the new evil.

    That's why. They claim to provide privacy but what they do is sell your info to bidders.

    "Jarland is stupid."

  • xetsysxetsys Member

    I have not encountered any issue while using ExpressVPN. The hosting servers at popular locations are pretty much the same across all VPN providers. Maybe there is another variable at play which you have not factored in.

  • edited March 29

    The VPN disguises your source address. While you may not be using this for nefarious purposes, in fact you might not care about your source address (using the VPN to get around ISP monitoring perhaps, and the host address thing is just a side-effect), filters can't tell the difference between you and the other people using that VPN provider to disguise their source address, some of whom are doing so for nefarious purposes.

    Lots of DoS attempts, both amateur and effective, come from the same address ranges you appear to come from over the VPN, it is a choice between not blocking them and blocking you, as you don't look any different.

    Two possible ways around this: set your network routing so that access to LET doesn't go through the VPN, or set up your own VPN (Wireguard, OpenVPN, ...) on a host somewhere (though you have to make sure it isn't a host that also plays host to public VPN services or you'll likely hit the same problem).

    There are other ways to protect from DDOS, like nginx rate-limit, firewall rules, etc.

    Unfortunately all of which take more admin time (and therefore cost) than using CF, are often less effective, would require more resources (and therefore cost) at LET's end, and might just as well block your VPN provider for exactly the same reason CF do anyway.

    Is there a reason why this forum is anti VPN?

    It isn't anti-VPN directly. It is anti-some-of-the-people-who-use-those-VPNs. And it is not possible to distinguish between you and those other sorts (that would defeat part of the point of the VPN).

    Thanked by 1scooke
  • YmpkerYmpker Member

    This forum (or rather: its members) is not anti-VPN. Check my signature. Firewall rules may have been put in place to prevent abuse.

  • This is good for the VPN provider because they won't be booted out, but it also makes for a good haven for those willing to DDoS. M247, Servermania and OVH are well known examples.

    I connect to M247. I used Torguard previously and it was using the same M247 provider with the same server country, yet I had no issue with this forum. Is it something specific with Mullvad maybe?

    Is it possible to configure Cloudflare on the DDOS settings, or is it a one shoe fits all type of deal?

    @Falzo said:

    @juupiner said: like nginx rate-limit

    you're cute!

    You think nginx rate-limit is not effective?
    I'm using this config and it works pretty good when testing with siege

    limit_req_zone $binary_remote_addr zone=www:10m rate=10r/s;
    limit_req zone=www burst=50;

  • edited March 29

    @juupiner
    It works, but it quickly stresses out when DDoSed at scale. In addition, since you have multiple users connecting over VPNs, you might effectively get the same result once you implement these restrictions in nginx.

  • jsgjsg Member
    edited March 29

    Looking at the source of blog and other spam as well as attacks of all sorts some prominent ones that come up again and again are servermania, Tor, and pretty much all VPNs - so I block all of them.

    Well noted, I'm pro VPNs but running my hobby stuff, some of it not anymore small, all by myself I simply can't (and don't want to) afford to clean up after all the thugs so I block them.

    @juupiner said:
    You think nginx rate-limit is not effective?

    I think @Falzo is absolutely right. Simple reason: [D]DOS attacks must be caught early in the chain where they have really big pipes. Once it reaches your dedi or VPS it's game over because you are but a small leaf (1 Gb/s, maybe 10 Gb/s) on the network "tree" while the attacking traffic sometimes even overwhelms the provider or even the DC (typ. 40 - 400 Gb/s).

    Your nginx "protection" is simply worthless against a [D]DOS attack. It's like wearing a T-shirt to protect from a bullet.

    TL;DR When [D]DOS attack traffic reaches your system they already won and you lost.

    The problem with democracy is that by definition > 85% of the voters are not particularly intelligent.

  • mhubudmhubud Member

    @juupiner said:
    Hi,

    I use Mullvad, which is a pretty popular VPN, and Cloudflare instantly bans my ip.
    When I'm not on a VPN, cloudflare redirects like 5 times before finally shows the forum page.

    It's not just Mullvad. I use two good VPNs and have never had problems (for years) accessing LET until the past couple weeks. Now many VPN locations are blocked (I've tried dozens). You need to try other cities/countries until you find one that's not blocked. FYI, LES still works normally.

  • KaffekoppKaffekopp Member, No Sales

    I'm swapping around on my self-hosted VPNs all the time, no issues here. However, I haven't been here for long

  • SirFoxySirFoxy Member

    its a very peepeepoopoo situation

    some say peepee while others say poopoo

    lurking in the shadows like a wombat or some shit

  • amsaalamsaal Member

    I can confirm that VPN unlimited by KeepSolid does not work on LET. I get a Cloudflare warning that IP is not allowed or something.

  • jarjar Provider

    In some cases the benefits of blocking VPNs at the edge will be greater than the effort required by you to turn off your VPN. In those cases, the loss of your traffic/business is likely an acceptable loss as well.

    As far as nginx rate limiting to deal with DDOS attacks, I’d like you to do an experiment for me:

    Fill your mouth with cotton balls until not a single one more can fit in. Now eat a chicken sandwich and make sure to limit your consumption so that you don’t choke on any of the chicken. Don’t take the cotton balls out.

    Thanked by 2stevewatson301 Falzo
  • If you're looking for anti ISP spying, host your own VPN.

  • defaultdefault Member

    Fastmako (aff) - another cheap VPS.

  • amsaalamsaal Member

    this is the error

  • jbilohjbiloh Administrator

    LowEndTalk gets attacked viciously over and over. We have to put up defenses because of that.

    If you are blocked please share what VPN/proxy service you are using.

    Jon Biloh
  • amsaalamsaal Member

    @jbiloh said:
    LowEndTalk gets attacked viciously over and over. We have to put up defenses because of that.

    If you are blocked please share what VPN/proxy service you are using.

    VPN unlimited [KeepSolid] -=- > Protocol wisetcp

  • raindog308raindog308 Administrator, Moderator

    @juupiner said: You think nginx rate-limit is not effective?

    Reminds me of a conversation where someone mentioned DDoS and a guy replied "well, I run mod_evasive so I'm not worried about that".

    Blocking a single attacking host is easy. Blocking thousands is not something your webserver/firewall can do. Difference between DoS and DDoS.

    For LET support, please visit the support desk.
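
An added example, not part of the thread or any poster's code: a small simulation of the accept/reject decision made by the `limit_req` config posted above (`rate=10r/s`, `burst=50`, keyed on `$binary_remote_addr`), illustrating the two replies about users sharing a VPN address and about attacks arriving from many hosts. The class, function names, addresses and client counts are constructed for illustration, and requests nginx would merely delay are counted as allowed.

```python
import ipaddress
from collections import defaultdict

RATE, BURST = 10.0, 50   # rate=10r/s and burst=50 from the config posted in the thread

class LimitReq:
    """Accept/reject decision of a per-key leaky bucket, modelled on nginx limit_req.
    Simplification: requests nginx would delay (no nodelay set) count as allowed."""
    def __init__(self):
        self.excess = defaultdict(float)
        self.last = {}

    def allow(self, key, now):
        if key not in self.last:                      # first request from this address
            self.last[key] = now
            return True
        drained = RATE * (now - self.last[key])       # bucket drains at RATE per second
        excess = max(0.0, self.excess[key] - drained + 1.0)
        if excess > BURST:                            # over burst: rejected (503 by default)
            return False
        self.last[key], self.excess[key] = now, excess
        return True

def simulate(client_ips, rps, seconds):
    """Each entry in client_ips is one client; duplicates share a source address."""
    limiter = LimitReq()
    events = sorted((i / rps, ip) for ip in client_ips for i in range(int(rps * seconds)))
    allowed = sum(limiter.allow(ip, t) for t, ip in events)
    return allowed, len(events) - allowed

def shared_vpn_exit():
    # Constructed: 200 ordinary users at 1 r/s each, all behind one VPN exit address.
    return simulate(["198.51.100.7"] * 200, rps=1, seconds=10)

def many_sources():
    # Constructed: 2000 distinct addresses, each at 5 r/s, half the per-address limit.
    base = ipaddress.ip_address("10.0.0.0")
    return simulate([str(base + n) for n in range(2000)], rps=5, seconds=5)

if __name__ == "__main__":
    print("shared exit  (allowed, rejected):", shared_vpn_exit())
    print("many sources (allowed, rejected):", many_sources())
```

In the first case most requests from legitimate users behind the shared address are rejected, while in the second every request passes the per-address limit even though the backend still receives 10,000 requests per second in aggregate.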

  • @amsaal said:

    @jbiloh said:
    LowEndTalk gets attacked viciously over and over. We have to put up defenses because of that.

    If you are blocked please share what VPN/proxy service you are using.

    VPN unlimited [KeepSolid] -=- > Protocol wisetcp

    Windscribe as well.

  • jbilohjbiloh Administrator

    @kalimov622 said:

    @amsaal said:

    @jbiloh said:
    LowEndTalk gets attacked viciously over and over. We have to put up defenses because of that.

    If you are blocked please share what VPN/proxy service you are using.

    VPN unlimited [KeepSolid] -=- > Protocol wisetcp

    Windscribe as well.

    I will see what we can do!

    Thanked by 1amsaal
    Jon Biloh