Is there a reason why this forum is anti VPN?

Hi,

I use Mullvad, which is a pretty popular VPN, and Cloudflare instantly bans my IP.
When I'm not on a VPN, Cloudflare redirects like 5 times before it finally shows the forum page.

Is there a good reason for setting up Cloudflare to be so restrictive?

There are other ways to protect from DDOS, like nginx rate-limit, firewall rules, etc.

Comments

  • Falzo Member

    @juupiner said: like nginx rate-limit

    you're cute!

  • bulbasaur Member
    edited March 2021

    As a person who has operated other websites that were essentially DDOS magnets, a fair bit of abuse does come from hosting IP ranges, which are the same places where VPNs are hosted.

    In addition, VPNs tend to be hosted on providers who are willing to look past a few abuse notices and copyright infringement notices. This is good for the VPN provider because they won't be booted out, but it also makes for a good haven for those willing to DDoS. M247, Servermania and OVH are well known examples.

    It is in the interest of the provider to make the website available for as many people as possible, so usually hosting IP ranges are the one to get the boot.

  • deank Member, Troll

    VPN is the new evil.

    That's why. They claim to provide privacy but what they do is sell your info to bidders.

  • I have not encountered any issue while using ExpressVPN. The hosting servers at popular locations are pretty much the same across all VPN providers. Maybe there is another variable at play which you have not factored in.

  • edited March 2021

    The VPN disguises your source address. While you may not be using this for nefarious purposes, in fact you might not care about your source address (using the VPN to get around ISP monitoring perhaps, and the host address thing is just a side-effect), filters can't tell the difference between you and the other people using that VPN provider to disguise their source address, some of whom are doing so for nefarious purposes.

    Lots of DoS attempts, both amateur and effective, come from the same address ranges you appear to come from over the VPN. It is a choice between not blocking them and blocking you, as you don't look any different.

    Two possible ways around this: set your network routing so that access to LET doesn't go through the VPN, or set up your own VPN (Wireguard, OpenVPN, ...) on a host somewhere (though you have to make sure it isn't a host that also plays host to public VPN services or you'll likely hit the same problem).

    There are other ways to protect from DDOS, like nginx rate-limit, firewall rules, etc.

    Unfortunately all of which take more admin time (and therefore cost) than using CF, are often less effective, would require more resources (and therefore cost) at LET's end, and might just as well block your VPN provider for exactly the same reason CF do anyway.

    Is there a reason why this forum is anti VPN?

    It isn't anti-VPN directly. It is anti-some-of-the-people-who-use-those-VPNs. And it is not possible to distinguish between you and those other sorts (that would defeat part of the point of the VPN).

    Thanked by 1 scooke
  • This forum (or rather: its members) is not anti-VPN. Check my signature. Firewall rules may have been put in place to prevent abuse.

  • This is good for the VPN provider because they won't be booted out, but it also makes for a good haven for those willing to DDoS. M247, Servermania and OVH are well known examples.

    I connect to M247. I used Torguard previously and it was using the same M247 provider with the same server country, yet I had no issue with this forum. Is it something specific with Mullvad maybe?

    Is it possible to configure Cloudflare on the DDOS settings, or is it a one shoe fits all type of deal?

    @Falzo said:

    @juupiner said: like nginx rate-limit

    you're cute!

    You think nginx rate-limit is not effective?
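    I'm using this config and it works pretty good when testing with siege:

    # http context: one shared 10 MB zone keyed by client address, 10 requests/second per address
    limit_req_zone $binary_remote_addr zone=www:10m rate=10r/s;
    # server or location context: allow bursts of up to 50 queued requests per address
    limit_req zone=www burst=50;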

  • bulbasaur Member
    edited March 2021

    @juupiner
    It works, but it quickly stresses out when DDoSed at scale. In addition, since you have multiple users connecting over VPNs, you might effectively get the same result once you implement these restrictions in nginx.

  • jsg Member, Resident Benchmarker
    edited March 2021

    Looking at the source of blog and other spam as well as attacks of all sorts some prominent ones that come up again and again are servermania, Tor, and pretty much all VPNs - so I block all of them.

    Well noted, I'm pro VPNs but running my hobby stuff, some of it not anymore small, all by myself I simply can't (and don't want to) afford to clean up after all the thugs so I block them.

    @juupiner said:
    You think nginx rate-limit is not effective?

    I think @Falzo is absolutely right. Simple reason: [D]DOS attacks must be caught early in the chain where they have really big pipes. Once it reaches your dedi or VPS it's game over because you are but a small leaf (1 Gb/s, maybe 10 Gb/s) on the network "tree" while the attacking traffic sometimes even overwhelms the provider or even the DC (typ. 40 - 400 Gb/s).

    Your nginx "protection" is simply worthless against a [D]DOS attack. It's like wearing a T-shirt to protect from a bullet.

    TL;DR When [D]DOS attack traffic reaches your system they already won and you lost.

  • @juupiner said:
    Hi,

    I use Mullvad, which is a pretty popular VPN, and Cloudflare instantly bans my ip.
    When I'm not on a VPN, cloudflare redirects like 5 times before finally shows the forum page.

    It's not just Mullvad. I use two good VPNs and have never had problems (for years) accessing LET until the past couple weeks. Now many VPN locations are blocked (I've tried dozens). You need to try other cities/countries until you find one that's not blocked. FYI, LES still works normally.

  • I'm swapping around on my self-hosted VPNs all the time, no issues here. However, I haven't been here for long.

  • its a very peepeepoopoo situation

    some say peepee while others say poopoo

  • I can confirm that VPN unlimited by keepsolid does not work on LET. I get a Cloudflare warning that IP is not allowed or something.

  • jar Patron Provider, Top Host, Veteran

    In some cases the benefits of blocking VPNs at the edge will be greater than the effort required by you to turn off your VPN. In those cases, the loss of your traffic/business is likely an acceptable loss as well.

    As far as nginx rate limiting to deal with DDOS attacks, I’d like you to do an experiment for me:

    Fill your mouth with cotton balls until not a single one more can fit in. Now eat a chicken sandwich and make sure to limit your consumption so that you don’t choke on any of the chicken. Don’t take the cotton balls out.

    Thanked by 2 bulbasaur Falzo
  • If you're looking for anti ISP spying, host your own VPN.

  • this is the error

  • jbiloh Administrator, Veteran

    LowEndTalk gets attacked viciously over and over. We have to put up defenses because of that.

    If you are blocked please share what VPN/proxy service you are using.

  • @jbiloh said:
    LowEndTalk gets attacked viciously over and over. We have to put up defenses because of that.

    If you are blocked please share what VPN/proxy service you are using.

    VPN unlimited [KeepSolid] -=- > Protocol wisetcp

  • raindog308 Administrator, Veteran

    @juupiner said: You think nginx rate-limit is not effective?

    Reminds me of a conversation where someone mentioned DDoS and a guy replied "well, I run mod_evasive so I'm not worried about that".

    Blocking a single attacking host is easy. Blocking thousands is not something your webserver/firewall can do. Difference between DoS and DDoS.
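
Added example (not part of the thread, and not nginx's own code): a simplified model of the per-address accounting behind the `limit_req` settings posted above (`rate=10r/s`, `burst=50`), run over three constructed traffic patterns to show the DoS versus DDoS difference and the shared VPN exit address effect raised in the replies. `LimitReq`, `simulate` and the `src-N` labels are hypothetical names; the model counts requests only (delayed requests count as accepted) and ignores link bandwidth.

```python
# Added example: simplified model of nginx limit_req, not nginx's own code.
RATE, BURST = 10.0, 50   # from the posted config: rate=10r/s, burst=50

class LimitReq:
    """Per-key leaky-bucket accounting, keyed like $binary_remote_addr."""
    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.state = {}                      # address -> (excess, last_seen)

    def allow(self, ip, now):
        if ip not in self.state:             # first request from this address
            self.state[ip] = (0.0, now)
            return True
        excess, last = self.state[ip]
        # Drain at `rate` since the last accepted request, then add this one.
        excess = max(0.0, excess - self.rate * (now - last)) + 1.0
        if excess > self.burst:
            return False                     # rejected; state is left unchanged
        self.state[ip] = (excess, now)
        return True

def simulate(sources, rps_each, seconds=10):
    """(accepted, rejected) for `sources` addresses sending rps_each req/s each."""
    lim = LimitReq()
    accepted = rejected = 0
    for s in range(sources):                 # buckets are independent per address
        for k in range(int(rps_each * seconds)):
            if lim.allow(f"src-{s}", k / rps_each):
                accepted += 1
            else:
                rejected += 1
    return accepted, rejected

if __name__ == "__main__":
    scenarios = [                            # constructed traffic patterns
        ("one host flooding at 1000 r/s", (1, 1000)),
        ("2000 hosts at 5 r/s each (10000 r/s total)", (2000, 5)),
        ("40 VPN users at 2 r/s behind one exit address", (1, 80)),
    ]
    for label, args in scenarios:
        accepted, rejected = simulate(*args)
        print(f"{label}: accepted={accepted} rejected={rejected}")
```

The distributed case passes untouched because every address stays under its own limit, while the shared exit address is throttled as if it were one heavy client.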

  • @amsaal said:

    @jbiloh said:
    LowEndTalk gets attacked viciously over and over. We have to put up defenses because of that.

    If you are blocked please share what VPN/proxy service you are using.

    VPN unlimited [KeepSolid] -=- > Protocol wisetcp

    Windscribe as well.

  • jbiloh Administrator, Veteran

    @kalimov622 said:

    @amsaal said:

    @jbiloh said:
    LowEndTalk gets attacked viciously over and over. We have to put up defenses because of that.

    If you are blocked please share what VPN/proxy service you are using.

    VPN unlimited [KeepSolid] -=- > Protocol wisetcp

    Windscribe as well.

    I will see what we can do!

    Thanked by 1 amsaal