
Port forwarding security considerations

Port forwarding through your router or VPN tunnel involves opening up a port on your computer to accept incoming connections through that port. It can, therefore, provide an opportunity for someone to attack your system.

The scope of damage an attacker can do in this way, however, is entirely determined by what the opened port is used for. 

  • An open port on a file server could provide an attacker with access to files shared from the server, which they could steal, delete, or modify. It would not, however, give them control of the server or provide access to other parts of the system.
  • A port left open for a video camera might allow an attacker to access your video feed but, again, would not provide them with access to other devices on your home network. 
  • A port left open to allow remote access to a PC using VNC (which is only secured using a password) could allow a hacker to gain full control of the target system. 

This article describes some of the inherent risks of port forwarding. It also describes the Port Fail vulnerability and why Proton VPN is not vulnerable to this exploit. Ultimately, the risks of port forwarding are quite small, especially if you take proper precautions, such as only downloading trusted software.

Port forwarding when torrenting

When a port is opened for a program, such as a BitTorrent app or a multiplayer game, the risk is very low. In most cases, the worst an attacker could do is cause some damage within the app (such as changing your app’s settings). They would not gain any further access to your system. 

However, the program could contain vulnerabilities that an attacker could exploit to gain access to other parts of your system. In this case, the scope of the damage an attacker could do is limited only by the software’s access to your system.

The chances of this happening are minimal, but you should always be sure to download trustworthy software from a known source. If the software is open-source (as, for example, qBittorrent is), take the time to verify its digital signature.

Port Fail

Port Fail is a security vulnerability that can allow an attacker who uses the same VPN service as the victim to exploit port forwarding to expose the victim’s real IP address. It doesn’t matter if the victim uses port forwarding or not.

Proton VPN’s implementation of port forwarding is not vulnerable to this exploit. We detail why below, although the explanation is necessarily quite technical.

How the Port Fail attack works

Let’s assume we have a user with a laptop connected via WiFi to their router, which is connected to the internet.

The router will have a public IP address (let’s call it IP_public). When the user connects to a VPN server (IP_server) to reach the internet, websites and other servers they connect to will see requests coming from IP_server (since the VPN server protects the user’s IP_public address).

The user is also assigned a unique dedicated local IP address (IP_local), which is valid only within the network of all users connected to the VPN server. The VPN server is reachable by the user’s device in this local network through its local IP (IP_local_vpn).

Now, for every IP the user tries to reach, their device checks a routing table to decide where the request should go. If the user is trying to reach IP_server (the IP of the VPN server), the request will go directly in clear (i.e., unencrypted) through the user’s router. Any other requests are routed through IP_local_vpn and will be encrypted in the VPN tunnel. 

Port forwarding maps a given port on IP_server to a port on IP_local. In the Port Fail vulnerability, an attacker tries to exploit this to make local ports available on the internet so that the IP_public address of the victim is exposed.

The attack uses the following trick:

  1. The attacker connects as a VPN user to the same VPN server (IP_server) as the victim and enables port forwarding (for example, opening “port 1234” on the server).
  2. Through social engineering or other tricks, they then manage to convince the victim to connect to IP_server:1234.
  3. By default, since the victim is connecting to IP_server, the routing table will execute the request in clear, bypassing the VPN. The source IP of this request will be the victim’s IP_public.

At this point, a vulnerable Port Fail implementation would directly translate the request coming from IP_public → IP_server:1234 into IP_public → IP_local_attacker. The attacker would therefore see IP_public.

Why Proton VPN is not vulnerable to Port Fail

Proton VPN’s port-forwarding implementation isn’t vulnerable because our VPN servers are aware of the fact that IP_public belongs to a user, and will translate the incoming requests of the user from:

IP_public → IP_server:1234 to IP_local → IP_local_attacker

In other words, the attacker would see only the (valueless) IP_local of the user, while their public IP would still be protected.
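To make the translation concrete, here is an added toy model (not Proton VPN's code) of the client routing decision and of the server-side rewrite, with a Port Fail-vulnerable translation beside the fix just described; all addresses and the port 1234 binding are constructed sample values.

```python
def client_source(ip_public, ip_local, ip_server, dst):
    """Client routing table from the article: a packet addressed to IP_server
    itself bypasses the tunnel and leaves via the router with source IP_public;
    any other destination enters the tunnel with source IP_local."""
    return ip_public if dst == ip_server else ip_local


class VpnServer:
    """Toy VPN server holding user sessions and port-forward mappings."""

    def __init__(self, ip_server):
        self.ip_server = ip_server
        self.sessions = {}   # IP_public of a connected user -> their IP_local
        self.forwards = {}   # port opened on IP_server -> IP_local of its owner

    def connect(self, ip_public, ip_local):
        self.sessions[ip_public] = ip_local

    def forward_port(self, port, ip_local):
        self.forwards[port] = ip_local

    def translate_vulnerable(self, src, port):
        """Port Fail: the incoming source address is handed to the port owner
        unchanged, so a user's IP_public reaches the attacker's IP_local."""
        return (src, self.forwards[port])

    def translate_fixed(self, src, port):
        """Fix as described above: if src is the IP_public of a connected
        user, rewrite it to that user's IP_local before forwarding."""
        return (self.sessions.get(src, src), self.forwards[port])


def what_attacker_sees(translate):
    """Replay the three attack steps and return the source address the
    port owner (attacker) observes. All addresses are constructed samples."""
    server = VpnServer(ip_server="203.0.113.10")
    server.connect("198.51.100.7", "10.8.0.5")   # victim: IP_public -> IP_local
    server.connect("192.0.2.99", "10.8.0.9")     # attacker: IP_public -> IP_local
    server.forward_port(1234, "10.8.0.9")        # step 1: attacker opens port 1234
    # steps 2-3: the victim connects to IP_server:1234; their routing table sends
    # this in clear, so the server sees it arrive from the victim's IP_public
    src = client_source("198.51.100.7", "10.8.0.5", server.ip_server, server.ip_server)
    return translate(server, src, 1234)[0]


if __name__ == "__main__":
    print("vulnerable:", what_attacker_sees(VpnServer.translate_vulnerable))
    print("fixed:     ", what_attacker_sees(VpnServer.translate_fixed))
```

Traffic arriving from an address that is not a connected user's IP_public (an ordinary internet peer) is passed through unchanged by the fixed translation, which is what keeps legitimate port forwarding working.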

Final thoughts

It is always a security risk to open any port so it can be accessed from the internet, but when a BitTorrent client or game uses the port, the risk is small. If you use Proton VPN, you don’t need to worry about the Port Fail vulnerability as our implementation of port forwarding is not vulnerable to this attack. 
