Perfect Privacy Remote Port Forwarding

Perfect Privacy offers Remote Port Forwarding (RPF) with both OpenVPN and PPTP VPN. This service is completely covered by your membership fee and is offered on most of our servers. You can find an updated list of our servers with RPF support on our Servers Status list: Servers which support Remote Port Forwarding carry an [RPF] indicator next to them.

What is Remote Port Forwarding and what is it good for?

For all novices, let us briefly explain what Remote Port Forwarding is and what you need it for. Assume you are connected directly to the Internet without being behind a router, a firewall, a Local Area Network (LAN), a Virtual Private Network (VPN), or a privacy provider. If another person at a computer on the Internet, or an Internet server, wanted to establish a connection to an open port on your machine or send data to this port, the application on your computer (e.g. µtorrent, Azureus, mIRC, or Skype) which had opened and is administering this port could simply accept the connection attempt or the transmitted data and process them. Because your computer is visible on the Internet, its IP address is known, and its ports can be freely contacted by other computers on the Internet, it would simply work.

If you connect to one of our VPN servers — no matter whether via OpenVPN or PPTP VPN — in order to anonymize and encrypt all your Internet traffic, the situation is entirely different, however. Your computer is now a member of a Virtual Private Network. You no longer communicate directly with other servers and computers on the Internet, but exclusively with our VPN server. If you want to read the content of a website, for example, your computer sends the website’s URL in encrypted form to our VPN server which, once the URL has arrived, forwards it to the Internet server which hosts this very website. The reply of the website is then sent back to the VPN server, which forwards the data in encrypted form back to your computer.

So in a nutshell, your computer is completely hidden behind our VPN server. If it wants or needs something from the Internet, it tells the VPN server to fetch it. Only the VPN server communicates with other computers and servers on the Internet, and only the VPN server and its IP address can be seen on the Internet, reached from the Internet and contacted by other computers and servers on the Internet. As far as the rest of the Internet is concerned, your computer doesn’t even exist. It cannot be seen, detected or reached and nobody on the Internet even knows that it exists (at least as long as your software or active code you execute doesn’t give your computer’s existence away).

Needless to say, this setup thus enormously increases your safety. And it comes in very handy and works perfectly, as long as it is you who wants something from the Internet — like browsing the web or connecting to an FTP server or instant messenger service. The problems start if a computer on the Internet would like to establish a connection to you: for it doesn’t know your IP address. As a matter of fact, it isn’t even aware that your computer exists at all. As far as other computers and servers on the Internet are concerned, they are communicating with the VPN server and its IP address.

Let’s look at an example: Assume you are using µtorrent, a very popular peer-to-peer (P2P) file sharing client using the bittorrent protocol. If you are connected to one of our VPN servers and start µtorrent to download, upload or exchange files, your µtorrent client will instruct your computer (which in turn will instruct the VPN server) to connect to a bittorrent tracker in order to read the IP addresses of other participants of the bittorrent network who share the file(s) you want — or who want the file(s) you share. The µtorrent client software also permits you to specify a port number on which you want to accept incoming connections. This port number is also transferred to the tracker — together with the VPN server’s IP address, so that other peers of the bittorrent network can establish connections to you. Remember that once you have connected to one of our VPN servers, it is always the VPN server which communicates with the Internet. Hence, the tracker will receive the VPN server’s IP address together with the port you specified to accept incoming connections — and not the IP address assigned to your computer by your ISP.

Eventually, other peers who want the file(s) you have or who have the file(s) you want will read this IP address and the port number from the tracker. And they will try to establish a connection to you in order to exchange files with your µtorrent client. However, since you are connected to a VPN, other computers don’t get your real IP address but only the IP address of the VPN server which had been submitted to the tracker. And if these peers now try to establish a connection to the port (which you had specified in your µtorrent client) on the VPN server (with which they think they communicate), exactly nothing will happen. Their connection attempts and data will be dropped … but why? Why does the VPN server not just accept the connection attempts and data and forward them to your computer, where your µtorrent client could process them?

Well, firstly, there is no bittorrent client running on our VPN server at all — neither on the port you had specified nor on any other port. In order that incoming packets can be accepted, there needs to be some application which listens on the port on which the packets arrive. And secondly, our VPN server hasn’t got any clue at all that somebody might eventually send data destined for your µtorrent client to one of its ports. This might be pretty self-evident for you, because you are an intelligent human being who knows what (s)he is doing. But a computer just does what it is told: Our VPN server was simply instructed by your computer (which was instructed by your µtorrent client software) to connect to a certain IP address (the tracker’s) and to send a number to it (the port number on which you want to accept incoming connections). In a simplified representation, that’s pretty much all the VPN server did and knew: “Send a number to a certain IP address.” The VPN server doesn’t know that you are running a bittorrent client, that the IP address to which it connects is a tracker, that it is part of a P2P network, that the tracker reads its IP address, that the number it transfers is a port, and that in a few minutes’ time some total strangers from different continents might try to establish connections and send data to one of its ports.

So is there a solution to accept incoming connections and data without revealing one’s true IP address?

Yes. The solution to this problem is called Remote Port Forwarding or, for short, RPF. It means that we reserve and open a couple of ports on our VPN server, and if another computer or server wants to establish a connection to these ports or sends data to one of these ports, our VPN server forwards the request or the data to the corresponding port of your machine. This happens completely hidden and in the background. In other words, you can listen for incoming connections in server mode without your real IP address being exposed: the other computer thinks it establishes e.g. a connection to a port on our VPN server, but our VPN server forwards the data secretly and clandestinely to the same port of the VPN IP address assigned to your computer, where the connection or data can be accepted and processed by the program you are running and which listens on this port (e.g. a P2P client such as µtorrent).

You need RPF, for example, to get a “High ID” on eMule while you anonymize and encrypt your traffic with the VPN, to avoid the “NAT errors” or “Firewall errors” on bittorrent clients like µtorrent, or to administer your machine remotely through the VPN. Another application where Remote Port Forwarding helps is Skype, where you can equally set a port for incoming connections to speed up transfers.

Which are my remotely forwarded ports?

Ports are assigned on our servers with RPF support (see Servers Status list) within the base ranges 40000+, 41000+, 42000+, 43000+ and 44000+ for OpenVPN, and 45000+, 46000+, 47000+, 48000+, 49000+ for PPTP VPN, and accept both TCP and UDP traffic (or “connections”, but UDP is actually a connectionless protocol).

This means that if you establish a VPN connection, you receive five remotely forwarded ports. Your open remotely forwarded ports are directly linked to the VPN IP address assigned to you by our VPN server after a successful connection. To find your port, simply add the last octet of your VPN IP address to the base ranges.

Example OpenVPN:
Assume the VPN IP address assigned to you by our Paris OpenVPN server was 10.0.41.86. Your remotely forwarded ports would be 40086, 41086, 42086, 43086, and 44086, for these port numbers are the result of 40000, 41000, 42000, 43000, and 44000 (the OpenVPN base ranges) plus 86 (the fourth octet of your OpenVPN IP address).

Example PPTP VPN:
Assume the VPN IP address assigned to you by our Plaza PPTP VPN server was 10.0.70.5. Your remotely forwarded ports would be 45005, 46005, 47005, 48005, and 49005, for these port numbers are the result of 45000, 46000, 47000, 48000, and 49000 (the PPTP VPN base ranges) plus 5 (the fourth octet of your PPTP VPN IP address).

Different Base Ranges:

In general, the OpenVPN base ranges are calculated exactly as described above for each and every one of our servers. However, when our OpenVPN servers in Moscow and Amsterdam are very busy, it is possible that more OpenVPN connections are established than there are assignable IP addresses within the primary network ranges in Moscow (10.0.16.0/24) and Amsterdam (10.0.32.0/24).

In this case, the subnet would change from 10.0.16.0/24 to 10.0.17.0/24 in Moscow, and from 10.0.32.0/24 to 10.0.33.0/24 in Amsterdam.

If this should happen, and your Moscow OpenVPN subnet is 10.0.17.0/24 (instead of 10.0.16.0/24) or your Amsterdam OpenVPN subnet is 10.0.33.0/24 (instead of 10.0.32.0/24), then the OpenVPN base ranges are 40300, 41300, 42300, 43300, and 44300 instead of 40000, 41000, 42000, 43000, and 44000. Add the last octet of your IP address to the base ranges, and you will get your remotely forwarded ports.

Example OpenVPN:
Assume the VPN IP address assigned to you by our Moscow OpenVPN server was 10.0.17.114. Your remotely forwarded ports would be 40414, 41414, 42414, 43414, and 44414, for these port numbers are the result of 40300, 41300, 42300, 43300, and 44300 (the OpenVPN base ranges for the next subnet 10.0.17.0/24 instead of 10.0.16.0/24) plus 114 (the fourth octet of your OpenVPN IP address).

Once you have caught the drift, it’s actually very simple and straightforward.
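
The port arithmetic described above, including the shifted base ranges for the second Moscow and Amsterdam subnets, as an added Python example (not Perfect Privacy's own code). The function name rpf_ports, the 10.0.0.0/16 sanity check and the rejection of last octets 0 and 255 are assumptions made for this example.

```python
import ipaddress

# Base ranges as stated on the page.
BASE_RANGES = {
    "openvpn": (40000, 41000, 42000, 43000, 44000),
    "pptp": (45000, 46000, 47000, 48000, 49000),
}

# Overflow subnets named on the page (Moscow, Amsterdam): the OpenVPN
# base ranges there are 40300 ... 44300, i.e. shifted by 300.
OVERFLOW_SUBNETS = (
    ipaddress.ip_network("10.0.17.0/24"),
    ipaddress.ip_network("10.0.33.0/24"),
)
OVERFLOW_SHIFT = 300

# Assumption: every VPN range shown on the page lies inside 10.0.0.0/16,
# so anything else is most likely a LAN or ISP address entered by mistake.
VPN_SPACE = ipaddress.ip_network("10.0.0.0/16")


def rpf_ports(vpn_ip, protocol):
    """Return the five remotely forwarded ports for an assigned VPN IP."""
    addr = ipaddress.IPv4Address(vpn_ip)  # raises ValueError if malformed
    proto = protocol.lower()
    if proto not in BASE_RANGES:
        raise ValueError(f"unknown protocol: {protocol!r}")
    if addr not in VPN_SPACE:
        raise ValueError(f"{addr} is not an internal VPN address")

    last_octet = addr.packed[3]
    if last_octet in (0, 255):
        # Assumption: network/broadcast addresses of a /24 are never assigned.
        raise ValueError(f"{addr} is not an assignable host address")

    # The page describes the shifted base ranges for OpenVPN only.
    shift = 0
    if proto == "openvpn" and any(addr in net for net in OVERFLOW_SUBNETS):
        shift = OVERFLOW_SHIFT
    return [base + shift + last_octet for base in BASE_RANGES[proto]]


if __name__ == "__main__":
    # The three worked examples from the page.
    for ip, proto in (("10.0.41.86", "openvpn"),
                      ("10.0.70.5", "pptp"),
                      ("10.0.17.114", "openvpn")):
        print(ip, proto, rpf_ports(ip, proto))
```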

How do I find my VPN IP address?

This depends on your operating system and the software you are using, but usually involves no magic. In case you are a confused newbie, let us first give you some pieces of information which might help to increase your understanding:

Your computer can have many IP addresses assigned: the one you know best is probably the IP address assigned to your computer by your ISP. It’s also called an external IP address because it connects you to the Internet. Everyone on the Internet can reach and contact your computer by this unique number. But apart from this, your computer can also have a multitude of other IP addresses assigned, both internal and external IP addresses.

Internal IP addresses help you to communicate with trusted networks (intranets) which can exist completely independent from the Internet. Maybe you have a small local area network (LAN) at home or at your office. To communicate with the other members and devices of the LAN, your computer gets an internal LAN IP address assigned (the most commonly used ranges are 192.168.0.0/24 and 192.168.1.0/24; these IP ranges — as the ranges our VPN servers use — don’t exist on the Internet and can thus safely be used for intranets).

Finally, a VPN (virtual private network) is basically nothing but a simulated secure (because encrypted) WAN (wide area network) which uses the (as such insecure) Internet to connect trusted computers and devices with each other and to give them access to shared resources. So whenever you connect to one of our VPN servers, the VPN server assigns your connecting computer an internal VPN IP address. The VPN server needs it to communicate securely with your computer. If it used the IP address your ISP assigned to your computer instead, the communication would be unencrypted and unsafe.

If you establish a VPN connection to one of our servers, you are automatically assigned (via DHCP) a free internal VPN IP address within a specified range. In the case of our Hong Kong PPTP VPN, the address will be within the range 10.0.10.0/24, and if you use our OpenVPN in Tel Aviv, the address will be within the range 10.0.76.0/24. That’s nothing else but a funky way to write 10.0.10.xxx and 10.0.76.xxx. And it’s this address (and in particular the xxx, the last octet in the address) which you are looking for and which you need to calculate your remotely forwarded ports.

If you use Windows and the OpenVPN GUI, the OpenVPN GUI icon in the system tray displays your VPN IP address in a notification bubble after you have successfully connected to the OpenVPN server: “Roubaix is now connected. Assigned IP: 10.0.46.xxx”. You can also retrieve your OpenVPN IP address at any time: Simply hover your mouse over the OpenVPN GUI icon in the system tray and a small info window containing the IP address will appear.

If you use Windows and its PPTP VPN client, it’s a bit more tricky for newbies to obtain the IP address. You have to view the status of the active PPTP VPN connection (in Vista e.g. via the Network and Sharing Center), then click on the “Details…” button and the corresponding IPv4 IP address will be listed. If you have a connection icon in the system tray, left-clicking on it (if you are using Vista) or right-clicking on it (if you are using XP) might guide you to a path at whose end you can find the connection status of your active PPTP VPN connection.

Opening the Windows Terminal and entering ipconfig will display your internal VPN IP address, too. There isn’t just one way of doing it.

Can I have static remotely forwarded ports?

Your remotely forwarded ports are linked to the dynamically assigned internal VPN IP addresses and thus typically change every time you connect to a VPN server. If you would like to have static remotely forwarded ports (which are linked to your user name), we have to set them up for you.

The following conditions apply:

  • Static remotely forwarded ports can technically only be offered for OpenVPN.
  • The price is €9.95 per year and per “unlimited traffic” server you choose. Note that some locations offer more than one server.
  • Static remotely forwarded ports are equally only available on those servers with an [RPF] indicator on our Servers Status list.
  • You will receive five consecutive ports per server within the range of 10000 to 59999 which we will open for both TCP and UDP traffic. The traffic will be forwarded to the corresponding ports of the machine or router with which you connect to the OpenVPN server.
  • The Perfect Privacy Administration either has to have good reasons to assume that you are trustworthy, law-abiding and reliable (i.e. we need to know you in person), or your combined past and future (pre-paid) membership has to sum up to at least 12 months.

If you fulfill these criteria, please contact us with your user name and membership number and let us know on which server(s) you would like to have your static RPF set up and how you would wish to pay. If you have any additional wishes, please let us know. We will then send you the corresponding payment information.

If your past and pre-paid membership does not yet sum up to at least 12 months and you wish to sign up for static RPF, please extend your membership first, and only then contact us concerning RPF. If you are not a member yet at all, please sign up for at least 12 months first, and only order static RPF once you paid for your membership, your Perfect Privacy account has been created and you have received your login information. Signing up for or extending your Perfect Privacy account and ordering static RPF at the same time only causes tons of administrative problems and a lot of confusion. We can only add static remotely forwarded ports to your account, once it exists and it fulfills the necessary requirements, and we need separate orders and payments for the ordinary membership and the static RPF add-on.

Because the creation of static RPF accounts is a very time-consuming process, please note that the creation of an account can take a longer period of time.

We thus appreciate your patience.

Remote Port Forwarding Terms of Service

By making use of Perfect Privacy’s Remote Port Forwarding, regardless of whether the ports are dynamically or statically assigned, you accept the following Remote Port Forwarding Terms of Service:

  • It is permitted to use RPF for P2P file sharing and file transfers, P2P VoIP services, legitimate remote administration, as well as closed (non-public and password-protected) HTTP and (S)FTP servers.
  • Other servers, services or uses need the explicit written and electronically signed permission of the Perfect Privacy Administration.
  • In case of breach of our RPF ToS, your PP account will be erased and your remaining credit balance will be forfeited.

