Tuesday, February 27, 2024

Restrictions on Publicly Known VPN Connections

Greetings all. Will keep the general announcement short and sweet, but will leave details below for those interested. As of this week, connecting using a known VPN provider will require SASL authentication, or the connection will be rejected. This is due to the influx of spam received recently.

Typically, when encountering spam on the network, a simple ban and blacklisting of the IP address is sufficient. More recently, I have noticed that the spam is coming from known VPN providers, such as TunnelBear and Proton VPN. These providers operate shared servers that serve as endpoints for customers to route their traffic through, which I will call "exit nodes" for simplicity.

Exit nodes are problematic to blacklist as they are typically not malicious in nature: the servers themselves are often secured and do not run open proxies. However, a bad user can perform malicious activity through them. Blacklisting the address causes collateral damage as it harms other legitimate users. Ultimately, this makes blacklisting less effective than it would otherwise be, as these entries tend to be contested rather quickly.

This is where "authentication gates" come into play. Authentication gates are exactly what they sound like -- a gate to pass through. Authenticating is the key to entry. Using public and private data, connecting through a known VPN provider will now need authentication via SASL. This system:

  1. Allows legitimate users to connect using a recognized VPN
  2. Denies unauthenticated / guest connections, typically used by spammers
  3. Keeps the resulting spam from (2) from ever appearing on the network

Registration online is available through the dashboard for those who do not already have an account and wish to connect through a VPN provider.
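
A minimal sketch of the decision such a gate makes, added here as an illustration and not the network's actual implementation. The network list is constructed from documentation-only address ranges, and the function names and the "accept"/"reject" return values are assumptions.

```python
import ipaddress

# Constructed sample data: documentation-only ranges standing in for a
# list of known VPN exit-node networks (not real provider ranges).
KNOWN_VPN_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.64/26"),
    ipaddress.ip_network("2001:db8:beef::/48"),
]


def normalize(addr: str):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_known_vpn(addr: str) -> bool:
    """True if the address falls inside any listed exit-node network."""
    ip = normalize(addr)
    return any(ip.version == net.version and ip in net
               for net in KNOWN_VPN_NETWORKS)


def gate_decision(addr: str, sasl_account):
    """Decide once connection registration is about to complete.

    sasl_account is the account name the client authenticated as via
    SASL, or None for a guest connection (hypothetical interface).
    """
    if not is_known_vpn(addr):
        return "accept"   # gate does not apply to this address
    if sasl_account:
        return "accept"   # authenticated user behind a known VPN
    return "reject"       # guest connection from a known exit node


if __name__ == "__main__":
    for addr, account in [
        ("192.0.2.10", None),
        ("198.51.100.7", None),
        ("198.51.100.7", "alice"),
        ("::ffff:203.0.113.70", None),
    ]:
        print(f"{addr:22} account={account!s:6} -> {gate_decision(addr, account)}")
```

The check runs at the end of registration rather than at socket accept because the SASL exchange happens during registration; unwrapping IPv4-mapped IPv6 keeps a listed IPv4 range from being missed when the client arrives on a dual-stack listener.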

While this policy may change in the future, the current restrictions will remain in effect indefinitely. Bad apples do spoil the bunch, unfortunately. I believe this middle ground will be sufficient to balance the needs of the network with the desires of users to use known VPN services.
