Port forwarding through your router or VPN tunnel involves opening up a port on your computer to accept incoming connections through that port. It can, therefore, provide an opportunity for someone to attack your system.
The scope of damage an attacker can do in this way, however, is entirely determined by what the opened port is used for.
- An open port on a file server could provide an attacker with access to files shared from the server, which they could steal, delete, or modify. It would not, however, give them control of the server or provide access to other parts of the system.
- A port left open for a video camera might allow an attacker to access your video feed but, again, would not provide them with access to other devices on your home network.
- A port left open to allow remote access to a PC using VNC (which is only secured using a password) could allow a hacker to gain full control of the target system.
This article describes some of the inherent risks of port forwarding. It also describes the Port Fail vulnerability and why Proton VPN is not vulnerable to this exploit. Ultimately, the risks of port forwarding are quite small, especially if you take proper precautions, such as only downloading trusted software.
Port forwarding when torrenting
When a port is opened for a program, such as a BitTorrent app or a multiplayer game, the risk is very low. In most cases, the worst an attacker could do is cause some damage within the app (such as changing your app’s settings). They would not gain any further access to your system.
However, the program could contain vulnerabilities that an attacker could exploit to gain access to other parts of your system. In this case, the scope of the damage an attacker could do is limited only by the software’s access to your system.
The chances of this happening are minimal, but you should always be sure to download trustworthy software from a known source. If the software is open-source (as, for example, qBittorrent is), take the time to verify its digital signature.
Port Fail is a security vulnerability that can allow an attacker who uses the same VPN service as the victim to exploit port forwarding to expose the victim’s real IP address. It doesn’t matter if the victim uses port forwarding or not.
Proton VPN’s implementation of port forwarding is not vulnerable to this exploit. We detail why below, although the explanation is necessarily quite technical.
How the Port Fail attack works
Let’s assume we have a user with a laptop connected via WiFi to their router, which is connected to the internet.
The router will have a public IP address (let’s call it IP_public). When the user connects to a VPN server ( IP_server) to reach the internet, websites and other servers they connect to will see requests coming from IP_server (since the VPN server protects the user’s IP_public address).
The user is also assigned a unique dedicated local IP address (IP_local), which is valid only within the network of all users connected to the VPN server. The VPN server is reachable by the user’s device in this local network through its local IP (IP_local_vpn).
Now, for every IP the user tries to reach, their device checks a routing table to decide where the request should go. If the user is trying to reach IP_server (the IP of the VPN server), the request will go directly in clear (i.e., unencrypted) through the user’s router. Any other requests are routed through IP_local_vpn and will be encrypted in the VPN tunnel.
Port forwarding maps a given port on IP_server to a port on IP_local. In the Port Fail vulnerability, an attacker tries to exploit this to make local ports available on the internet so that the IP_public address of the victim is exposed.
The attack uses the following trick:
- The attacker connects as a VPN user to the same VPN server (IP_server) as the victim and enables port forwarding (for example, opening “port 1234” on the server).
- Through social engineering or other tricks, they then manage to convince the victim to connect to IP_server:1234.
- By default, since the victim is connecting to IP_server, the routing table will execute the request in clear, bypassing the VPN. The source IP of this request will be the victim’s IP_public.
At this point, a vulnerable Port Fail implementation would directly translate the request coming from IP_public → IP_server:1234 into IP_public → IP_local_attacker. The attacker would therefore see IP_public.
Why Proton VPN is not vulnerable to Port Fail
Proton VPN’s port-forwarding implementation isn’t vulnerable because our VPN servers are aware of the fact that IP_public belongs to a user, and will translate the incoming requests of the user from:
IP_public → IP_server:1234 to IP_local → IP_local_attacker
In other words, the attacker would see only the (valueless) IP_local of the user while their public IP would still be protected.
It is always a security risk to open any port so it can be accessed from the internet, but when a BitTorrent client or game uses the port, the risk is small. If you use Proton VPN, you don’t need to worry about the Port Fail vulnerability as our implementation of port forwarding is not vulnerable to this attack.