Question about VPN Risks?

Hi

I’ve installed the Zomboided VPN Manager for Kodi, which works great and is easy to set up. Although in his wiki he mentions the risks of using a VPN as follows:

Some VPN providers appear to provide some rudimentary form of filtering/blocking and some do not. If your provider does not provide filtering then SSH access to your Kodi box as well as access to the web interface by entities outside of your network may be possible. For Kodi builds like LibreELEC this is especially bad as they use a default user ID and password.

After you have installed the add-on and connected to the outside world, you will be told which IP address the Kodi box is using. You should try and SSH to this address from another computer. You should also enter the IP address into a web browser and see if the web interface is displayed. If either of these things works, you are not protected. You should consider whether you can make changes to your firewall, use an up/down script, use an SSH key rather than a password, and disable the web interface. Alternatively, determine whether using a VPN is right for you.

I’m using PIA, so I tried to SSH to my PIA external IP and it brought me to a login screen. I tried the OSMC username and password but got access denied. Turned the VPN off and SSHed again; it brought me to the login again. It seems PIA uses the same IP address for everyone connected to the same server, so I may not have been connecting to my box.

Anyway, I don’t like this risk, so I may stop using this. Is this risky?

I may just wait until OSMC implements its own VPN manager, hopefully sometime.
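The wiki text quoted above names a firewall change or an up/down script as one fix. As an added example (not the add-on’s, OSMC’s, PIA’s or OpenVPN’s own code), here is an OpenVPN up/down script that drops new inbound connections arriving over the tunnel interface, so that even a provider that forwards ports or does no filtering cannot reach SSH or the Kodi web interface through the VPN address; the LAN side is untouched. The tunnel name tun0, an installed iptables, and the add-on’s user-script hook are assumptions.

```shell
#!/bin/sh
# Added example, not the zomboided add-on's, OSMC's, PIA's or OpenVPN's own script:
# an OpenVPN up/down script that stops the VPN exit address from reaching anything
# on this box, while the LAN interfaces (eth0/wlan0) keep their normal access.
#
# Assumptions (mine): OpenVPN runs it with the tunnel device as $1 and exports
# script_type=up|down (standard OpenVPN behaviour); iptables is installed; the
# add-on lets you point OpenVPN at a user up/down script (check its wiki for the
# exact setting).
IFACE="${1:-tun0}"

# Each rule's arguments are generated in one place so that "down" removes exactly
# what "up" inserted. Only NEW inbound connections on the tunnel are affected;
# replies to traffic the box itself started are ESTABLISHED/RELATED and still pass.
log_rule()  { echo "INPUT -i $1 -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix VPN-INBOUND:"; }
drop_rule() { echo "INPUT -i $1 -m conntrack --ctstate NEW -j DROP"; }

tunnel_up() {
    # -I inserts at the top of the chain, so insert DROP first and LOG second;
    # LOG then sits above DROP and unexpected inbound attempts appear in the kernel log.
    iptables -I $(drop_rule "$1")
    iptables -I $(log_rule "$1")
}

tunnel_down() {
    iptables -D $(log_rule "$1")
    iptables -D $(drop_rule "$1")
}

# OpenVPN tells the script which direction it is being called for.
case "${script_type:-}" in
    up)   tunnel_up   "$IFACE" ;;
    down) tunnel_down "$IFACE" ;;
esac
```

Anything that tries to open a connection to the box through the VPN address is then logged with the prefix VPN-INBOUND: and dropped; `dmesg | grep VPN-INBOUND` shows whether anyone is knocking. Changing the default password and disabling unused SSH, as the replies below say, still apply regardless of the firewall.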

Just change the password for the OSMC user (outlined in the Wiki).

OK, that makes sense. I will make a strong password. Just in case I forget my new password, is it simple enough to reset the password if you forget it?

Thanks

Yes. But try not to forget it…

When you connect as a VPN client to a VPN server, as far as the world is (or should be) concerned your IP address is the address of the VPN server. All traffic that you initiate will have a return path through the server’s firewall, whereas traffic that originates from elsewhere should not normally be able to pass through the firewall. This type of firewall is often referred to as a stateful firewall.

When using a commercial VPN service, such as PIA, you will be one of many people using the server at the same time. If you try to ssh to the VPN server’s external IP address on port 22, which is the default ssh port, there is no way for the server to know that the connection is meant to go to you, rather than to one of the many other users of the server. The only exception is if PIA have a port-forwarding system in place - which you would need to have configured yourself, so that, for example, port 51234 on the VPN server gets routed to port 22 of your real IP address. Since you don’t mention having done this, the ssh login screen might just be some dummy or honey-pot mechanism installed by PIA and is most unlikely to have gone to your system. (I’ve never used PIA but I do know that AirVPN operates such a port-forwarding system.)

Nevertheless, it’s always a good idea to change the default password on every system you install.
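One way to make the wiki check decisive, since an SSH login prompt at a shared exit address says nothing about whose sshd answered: compare the host-key fingerprints presented at the exit address with the box’s own. This is an added example, not code from the thread, the add-on, OSMC or PIA; it assumes nc, ssh-keyscan and ssh-keygen are on the box, that the Kodi web interface is on its default port 8080, and that the external IP reported by the add-on is passed as the argument.

```shell
#!/bin/sh
# Added example, not code from the thread, the zomboided add-on, OSMC or PIA.
# Run on the Kodi/OSMC box itself once the VPN is up. It answers the wiki's question
# ("can the VPN exit address reach my box?") and the poster's follow-up ("was that
# login prompt even my box?") by comparing SSH host-key fingerprints.
#
# Assumptions (mine): nc, ssh-keyscan and ssh-keygen are installed; the box's own host
# keys live in /etc/ssh/ssh_host_*_key.pub; the Kodi web interface listens on 8080.
CHECK_PORTS="22 8080"

# 0 if a TCP connect to $1:$2 succeeds within 3 seconds (open), non-zero otherwise.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# SHA256 fingerprints of this box's own SSH host keys, space separated.
local_host_fingerprints() {
    for k in /etc/ssh/ssh_host_*_key.pub; do
        [ -r "$k" ] && ssh-keygen -lf "$k" | awk '{print $2}'
    done | tr '\n' ' '
}

# Fingerprints presented by whatever answers SSH at $1 port $2, space separated.
# ssh-keyscan writes known_hosts lines, which ssh-keygen -l can fingerprint directly.
remote_host_fingerprints() {
    tmp=$(mktemp)
    ssh-keyscan -T 5 -p "$2" "$1" >"$tmp" 2>/dev/null
    ssh-keygen -lf "$tmp" 2>/dev/null | awk '{print $2}' | tr '\n' ' '
    rm -f "$tmp"
}

# Pure decision logic, kept separate so it can be tested offline:
# "same-host" if any remote fingerprint ($2) matches a local one ($1), else "other-host".
classify_fingerprints() {
    for r in $2; do
        for l in $1; do
            [ "$r" = "$l" ] && { echo "same-host"; return 0; }
        done
    done
    echo "other-host"
}

# $1 = the external IP the add-on reports. Exit status is 1 if the sshd reachable
# at that address is really this box, 0 otherwise.
vpn_exposure_check() {
    ext_ip="$1"; exposed=0
    for p in $CHECK_PORTS; do
        if port_open "$ext_ip" "$p"; then
            echo "port $p on $ext_ip: open"
        else
            echo "port $p on $ext_ip: closed or filtered"
        fi
    done
    if port_open "$ext_ip" 22; then
        verdict=$(classify_fingerprints "$(local_host_fingerprints)" \
                                        "$(remote_host_fingerprints "$ext_ip" 22)")
        echo "ssh at $ext_ip presents the host key of: $verdict"
        [ "$verdict" = "same-host" ] && exposed=1
    fi
    return $exposed
}

# Only scan when explicitly asked, e.g.:  RUN_VPN_CHECK=1 sh vpncheck.sh 203.0.113.7
if [ "${RUN_VPN_CHECK:-0}" = "1" ]; then
    vpn_exposure_check "$1"
fi
```

An open port 22 whose key comes back as other-host is the VPN server’s own (or decoy) sshd, which is the situation described in the reply above; only same-host means the exit address really reaches the box, and at that point the firewall, key-only SSH or disabling SSH are the fixes. The web-interface port gets a reachability check only, since there is no host key to compare there.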

Thanks for the lengthy info @dillthedog

I now understand cheers :slight_smile:

You’re very welcome. I checked and see that PIA does operate a port-forwarding system. Whether it’s wise to open up your ssh port directly to the Internet is another matter entirely. :wink:

I haven’t enabled port forwarding in the PIA app, so is it safe to assume that someone can’t SSH into my device?

Although I just did an online port scanner test and it says SSH is open. So if I understand correctly, the PIA SSH is open but needs port forwarding enabled to get to a specific device? So if I haven’t got port forwarding enabled, then having SSH open on the VPN is OK?

I just completed CompTIA Network+ and thought I had a decent understanding of networking, but the VPN stuff threw me off completely, ha :stuck_out_tongue:

Edit: Upon further reading in forums, it seems the reason the ports are open is as follows.

To explain why the mentioned ports are open:
port 22 is an SSH console for administration, port 80 has many applications, port 443 is part of the VPN server software.

Well, the phrase “never say never” springs to mind, but I’d say it’s reasonably safe to assume so.

That would be the VPN server’s port 22.

As I said before, the server has no way to know that the port 22 connection to it should be forwarded to you unless port-forwarding is configured.

Perhaps PIA really do use port 22 for ssh but if I were them I’d keep the port open as a dummy connection to keep the script kiddies busy and have the real ssh port on a much higher number.


Disable SSH via My OSMC -> Services if you have no use for it.