
How Is NordVPN Unblocking Disney+? - dagurp
https://medium.com/@derek./how-is-nordvpn-unblocking-disney-6c51045dbc30
======
mikl
Seriously creepy stuff. I hate how VPNs are being shilled by e-celebs these
days as a privacy improvement.

It’s just using a different middleman. One middleman might be better than
another, but if you have a good ISP already, there’s no privacy/security
benefits to be had by using a VPN when surfing from home.

It might be worth getting a VPN if you use sketchy WiFi often, or want to
bypass geo-blocking or restrictive firewalls. But remember that you’re
trusting the VPN provider with all your traffic. DNS is still not encrypted in
most browsers, so this traffic is still a goldmine of marketable info. Sure,
they can’t see what you post on snapstagram.com or what pages you visit on
news.ycombinator.com, but they can infer a lot about your browsing habits from
DNS queries.

~~~
rsync
"It might be worth getting a VPN if you use sketchy WiFi often, or want to
bypass geo-blocking or restrictive firewalls. But remember that you’re
trusting the VPN provider with all your traffic."

I never understand this false dichotomy - especially in a forum which is named
... let me check ... "hacker news".

 _Just set up your own_.

It costs almost nothing to run a EC2 instance in the region of your choice (or
at some other provider like GCS or whatever). There are keystroke-by-keystroke
instructions everywhere on setting this up.

Extra points for _adding the extremely trivial and also very low cost_ steps
of signing up under a corporate name and removing your personal identity from
the account altogether.

Some more extra points for multiplying the almost-zero-cost by 3 or 4 or 5 and
spinning up extra copies of your endpoint in multiple regions (or even
providers) and manually (or automatically) switching between them.

You don't need to trust anyone - adjust your threat model all the way up to
"near nation state" (in the case of Amazon or GCS) and assume these actors
could already discern all of your Internet traffic even if you weren't doing
business with them.

Christ.

~~~
Ruthalas
Could you provide a good reference for the process you describe, or maybe just
a good set of search terms?

I'd like to pursue this, but have just little enough experience with ec2 to
not be composing effective search terms.

~~~
kizashi
I think one of the interesting options out there is:
[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

Waiting for
[https://github.com/StreisandEffect/streisand/pull/1668](https://github.com/StreisandEffect/streisand/pull/1668)
to be fixed though.

~~~
nitzle
Hey, I wrote the PR you just linked (#1668). Was there an issue with the code
changes you ran into? Just asking since you said you were waiting for it to be
fixed. If so, I'd love to know what the error was so I can test/fix it. Or did
you just mean the underlying issue (ACMEv1 protocol being deprecated)?

~~~
kizashi
Hey, thanks for the fix. I was indeed able to spin off a Streisand server
using it without any error <3!

~~~
nitzle
Hey there, I found an issue in the PR recently that affects the auto-renewal
process. Nginx will still serve the old certificate after renewal succeeds
since it's never restarted or reloaded. I have another PR open to fix this,
but there's a manual way to apply the fix if you're so inclined (and you still
have that Streisand server up and running).

Obviously this only applies if you don't plan on destroying/recreating your
Streisand server after the newer PR gets merged (EDIT--just got merged). But
just in case, the steps are pretty easy (it's in the PR here too:
[https://github.com/StreisandEffect/streisand/pull/1688](https://github.com/StreisandEffect/streisand/pull/1688)):

    
    
      [root@streisand]# cat > /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx.sh << EOF
      #!/bin/sh
      systemctl reload nginx
      EOF
      [root@streisand]# chmod u+x /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx.sh
    

If your cert was already auto-renewed (unlikely given the timeline), you'll
also need to run systemctl reload nginx to serve the new cert, since the
deploy script wasn't present when certbot ran the renewal.

------
NelsonMinar
No one's said this clearly so I will. oxylabs.io as described in this article
is an awful unethical company and should be investigated for criminal
activity. If NordVPN is using them to bypass DRM controls, that's pretty ugly.

The central concern is how they get their 32M "residential proxies". I spent a
few minutes trying to get an answer and could not find one. The article
straight up assumes it's coming from malware, which certainly seems possible.
I could also imagine them buying legitimate access from ISPs but given the
various legal and technical issues involved it seems less likely.

Is there anything directly connecting Oxylabs to malware? Again I looked for a
few minutes and didn't find anything clear. I did find a couple of troubling
posts on Reddit from Android Devs saying Oxylabs approached them offering to
"monetize your users with our SDK", which sounds like the slippery slope to
malware. Or at least bundleware without meaningful consent.

[https://www.reddit.com/r/androiddev/comments/ajfc7w/question...](https://www.reddit.com/r/androiddev/comments/ajfc7w/question_about_oxylabs/)
[https://www.reddit.com/r/androiddev/comments/ao27tu/my_app_w...](https://www.reddit.com/r/androiddev/comments/ao27tu/my_app_with_1million_installs_and_100k_monthly/)

BTW, Oxynet has a list of the ASNs they have proxies on:
[https://intro.oxylabs.io/hc/en-us/articles/360003444780-Supp...](https://intro.oxylabs.io/hc/en-us/articles/360003444780-Supported-ASN-List)

~~~
spyder
From the patent infringement document:

 _"... Upon information and belief, the above OxyLabs embedded code has been
integrated in at least the following software applications that may be
downloaded by any user located anywhere having Internet access: AppAspect
Technologies’ “EMI Calculator” and “Automatic Call Recorder”; Birrastorming
Ideas, S.L’s “IPTV Manager for VL;” CC Soft’s “Followers Tool for Instagram;”
Glidesoft Technologies’ “Route Finder;” ImaTechInnovations’ “3D Wallpaper
Parallax 2018;” and Softmate a/k/a Toolbarstudio Inc.’s “AppGeyser” and
“Toolbarstudio.”"_

[https://cdn-resprivacy.pressidium.com/wp-content/uploads/201...](https://cdn-resprivacy.pressidium.com/wp-content/uploads/2018/08/Luminati-Networks-LTD-vs-UAB-Tesonet.pdf)

Looking at a few of these apps' descriptions and privacy policies, they don't
mention anything about oxylabs or proxies, so I'm not sure it's true, but
somebody should check the apps with a decompiler or by monitoring the
connections they make.

------
derefr
> Does [Oxylabs.io’s distribution] mean your device can be used by a third
> party to access child porn or hack into a bank? Absolutely!

I mean, isn’t the existence of Oxylabs a boon for _everyone’s_ privacy—in the
sense of making everyone’s actions deniable/repudiable? Oxylabs introduces
reasonable doubt for every possible allegation of cybercrime! “It wasn’t me;
it was this botnet malware routing through my computer without my knowledge!”
It’s like having a Tor exit node on your computer, without the associated
_mens rea_ that would come from the explicit choice to install one!

~~~
rtempaccount1
In theory sure. In practice (especially if you don't know your connection is
being used like this, as the article suggests), if law enforcement turn up at
your door to take all your kit as evidence in a crime, they'll likely take all
your kit for an extended period of time (and possibly charge you) until/unless
you can prove that it wasn't you that sent the traffic.

There have been cases of this happening to ToR exit nodes and those were ones
the operators could point to...

~~~
o-__-o
No you can easily prove it wasn't you that sent the traffic, simply look at
case law for all of the torrenters absolved from having open wifi access
points. The problem is your hardware is locked up in a criminal trial, which
realistically means you ain't getting it back. And they're not just going for
that device you used with a VPN, they're taking any possible device that
connected to the VPN including routers, laptops, iphones, tablets, connected
hard drives, etc.

THAT is the reason why a rational actor won't use such a service.

~~~
Majromax
> they're taking any possible device that connected to the VPN including
> routers, laptops, iphones, tablets, connected hard drives, etc.

Mind you, that's just sensible evidence-gathering. If law enforcement thinks
that the homeowner did in fact act illegally and is using the VPN for
deniability, then there would be ample cause to search attached or
potentially-attached devices for direct evidence of illegal behaviour. If some
is found, that's compelling circumstantial evidence that other identified VPN
activity was also instigated by the connection-owner.

~~~
Drdrdrq
And inefficiency which results in delays in getting this equipment back to the
owners is obviously just an unfortunate side effect. /s

~~~
o-__-o
Yes, the police and courts are here to serve us, the people, but that means we
have to wait for them to clear their backlog from other people to get to our
case. It will always be resolved within a reasonable time, like <4 years.

------
EternalAugust
They may be "residential IPs" but you can do an nmap scan on the IPs to see if
there are any open ports. If there are no open ports then it's likely a
residential IP because stateful firewalls on home routers. If there are open
ports it's likely not a residential IP since some kind of port forwarding
would have to be enabled, which most people don't do, or a DMZ would have to
be set up (even less likely). I scanned a few of the IPs returned from the
curl test. Granted a small sample size, but they all have open ports. Beyond
the scan I didn't try to connect to any of them via browser or otherwise. Here
is what I found for the "Delcom" IP he's so worked up about:

```
$ sudo nmap 76.77.25.75
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-29 19:21 EST
Nmap scan report for static-76-77-25-75.networklubbock.net (76.77.25.75)
Host is up (0.097s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   open     http
443/tcp  open     https
5060/tcp open     sip
8080/tcp open     http-proxy

Nmap done: 1 IP address (1 host up) scanned in 331.02 seconds
```

Maybe I'm missing something here. Of course it could still be malware, but
that's far from the first conclusion I'd jump to. This article is just
speculation to me and the methodology seems ... bad

edit: sorry if the markdown is broken. Noob here. ;)

~~~
Spy520
Won’t services like this take advantage of UPnP to open ports?

I know FluidStack which is a similar service uses UPnP to open ports that it
requires. FluidStack is a service you earn money through by willingly selling
your internet bandwidth though, not like Oxylabs but same idea.

~~~
EternalAugust
First, sorry for the late reply. I don't log in often. I didn't consider
malware using UPnP. But it seems to me that the probability of malware using
it to make a residential IP look like a business IP (e.g. opening up ports for
VoIP) is pretty low. But always possible.

I didn't know about FluidStack. Looks interesting. If you have numbers on how
many people actually use such a service I would be really interested to know
:)

------
dathinab
Did they consider that maybe all the clients are NordVPN customers, i.e. your
data will come from a different user's internet connection but another user's
data comes from you?

With that there would be no reason to have any hidden malware practice or
similar, it _could_ even be in the terms of service if some of their
products...

I mean it's true that there is a lot of bs going on but before claiming them
for having hidden malware you should make sure they do, instead of just saying
"that's the only way it's possible" even if it isn't the only way.

~~~
jesuisuncaillou
I thought the same thing. They could be using their legitimate users'
connections.

But even if they're rerouting traffic through their users, and if they wrote
that in the terms of service, I doubt any of their users know they signed up
for this.

Which is not illegal, but still kind of sketchy.

If it's hidden in their terms of service, but not explicitly written on the
content the user actually reads while subscribing, I consider this very
unethical.

~~~
mthoms
It would probably violate your ISP's terms of service as well. Not that I have
any love or respect for ISP's but still.

------
oefrha
Having used one of these shady proxy pool services once in the past for some
(pretty harmless) scraping (not especially proud of it), I seriously doubt a
service like that is good enough for video streaming. Usually half of the
proxies in the pool are high ping or unreachable, and the other half are only
valid for at most a few minutes. Maybe I just didn’t pay enough for the gold
tier or something.

Edit: Another comment pointed out that maybe only the front domain is
geoblocked, but not the video CDN domains. That would make sense. Now that I
think about it, youtube-dl also has a --geo-verification-proxy option that
works in the same way.

~~~
brianpgordon
It works perfectly for me.

[https://i.imgur.com/PFITtZT.png](https://i.imgur.com/PFITtZT.png)

~~~
Spy520
He wasn’t talking about NordVPN speeds. He was talking about the sort of
services offered by Oxylabs, Honeygain, PacketStream and other similar proxy
services.

~~~
brianpgordon
Well isn't the whole article asserting that NordVPN is routing traffic through
residential endpoints to confuse would-be VPN blockers? I thought that the
allegation is that there's no distinction between the Oxylabs network and the
NordVPN service.

~~~
oefrha
The allegation is that they use an Oxylabs-like service for disneyplus.com
specifically. Your speed test result using a Total Servers Solutions LLC
connection to a non-disneyplus.com destination is irrelevant to that
allegation.

------
dewey
> Think of “residential proxies” this way: 1.) Oxylabs installs some malware
> on to a user’s device, unknown to the user, by bundling it with other
> software that the user downloads. 2.)This malware enables Oxylabs to sell
> off your bandwidth, your computing power, and your IP address to third
> parties, who will route their internet traffic through your device.

There's so many providers doing something similar, it really isn't a Oxylabs /
NordVPN exclusive issue.

- [https://luminati.io/residential_ips](https://luminati.io/residential_ips)

- [https://www.geosurf.com/blog/what-are-residential-proxies/](https://www.geosurf.com/blog/what-are-residential-proxies/)

- [http://stormproxies.com/residential_proxy.html](http://stormproxies.com/residential_proxy.html)

- [https://krebsonsecurity.com/tag/residential-proxies/](https://krebsonsecurity.com/tag/residential-proxies/)

- [https://multilogin.com/proxy/](https://multilogin.com/proxy/)

- [https://smartproxy.com/blog/what-is-a-residential-proxies-ne...](https://smartproxy.com/blog/what-is-a-residential-proxies-network)

Based on my understanding it's people having free apps they want to monetize.
They then implement a proxy company's SDK which enables this traffic sharing
and get paid by them.

------
hombre_fatal
> It’s often the case that VPN users will find that services like Disney+ are
> blocked on many servers, presumably because the content provider is able to
> discover the VPN’s IP addresses and restrict access to those IPs.

Something that keeps bothering me about the title and content is that the VPN
isn't blocking or unblocking Disney+. It's Disney+ that's doing the blocking.
It's blocking the VPN's IP addresses.

If I block you from entering the building but you find a secret entrance
through the air vents, you didn't unblock me, you evaded my block.

Their title and usage of blocking should be something more like: "How is
NordVPN evading Disney+'s VPN-blocking?"

Great article though. This kind of stuff really needs to be more well known.

That it's possible to unknowingly be part of a botnet is a major flaw in the
internet and ISP billing model. I think the only solution that has a shot is
for unexpected bandwidth to lead to an unexpectedly high bill.

------
Havoc
I'm on the lookout for a black friday VPS deal.

Between this and PIA's shady stuff I'm just gonna have to host my own. The
commercial VPN scene is a cesspool.

~~~
EpicEng
What happened with PIA? I haven't heard anything.

~~~
Havoc
New corporate overlords with a, ahem, checkered past

~~~
berbec
That's the most polite way of saying "botnet delivery mechanism" I've ever
heard.

------
johnpowell
I'm somewhat shocked that residential connections have enough bandwidth to
upload a streaming video as a proxy. But maybe people using a VPN for Disney+
are just glad it works at all.

I have Comcast and my upload on a good day is 500KB/s and that cripples
everything else on the network.

~~~
driverdan
Why is your uplink so bad? Do you have a low tier plan? If not, why haven't
you had Comcast fix it?

~~~
johnpowell
I have Comcast Business. I pay them 100 dollars a month. Even if I paid them
way more they just don't offer much more upload where I live. They will give
me tons of download but all their plans have anemic upload. My only other
option is Centurylink and they will give me a symmetric line. But that tops
out at 12Mbp/s. At least with Comcast I get a reasonable download. I live in a
major metropolitan area. Five miles from where a NBA team plays home games.

~~~
bscphil
I was going to say more or less this. The maximum anyone can get in my major
US city for any money (other than a few areas that are trialing fiber) is 20
Mbits/sec. You literally can't pay for more.

------
streb-lo
> All the most common US ISPs are there… AT&T, Comcast, Verizon, CenturyLink.
> IPs from Charter Communications in their Midwest, Texas, Pacwest and
> Northeast regions. ISPs I’ve never heard of before… who the heck is Delcom?
> Turns out they are serving some rural communities in Texas. Did NordVPN buy
> servers or connectivity from them?

I've been seeing a ton of these guys' advertising lately. If it turns out
they're also reselling your bandwidth?

Still, I'd like to see someone take a peek at their local client traffic for
any suspicious activity before coming to any conclusion.

Edit: I guess allegedly the 'botnet' aspect is provided not by other NordVPN
users but by malware provided by companies associated with NordVPN.

~~~
dewey
> If it turns out they're also reselling your bandwidth?

Monetizing your free app through selling traffic is nothing new and there's a
bunch of companies doing just that. You drop their SDK into your mobile app,
they give you money and in return they get their very own "botnet".

~~~
smolder
Users should be upset that such trash is allowed on whatever stores they're
hosted on.

------
ikeboy
> They promised they had nothing to do with Oxylabs, but now that assertion
> seems to be false.

Only if you deliberately misread the post, which is clearly saying that
NordVPN doesn't use its users' devices to route traffic, unlike HolaVPN. It
doesn't say they don't use Tesonet services to route traffic. They're denying
being a supplier to Tesonet, they're not denying being on the demand side.

------
dd6d658
Hadn't heard of akamai pragma headers before. Used the ones from
[https://support.globaldots.com/hc/en-us/articles/11500399670...](https://support.globaldots.com/hc/en-us/articles/115003996705-Akamai-Pragma-Headers-overview)
and it dumped a bunch of other debug info
[https://pastebin.com/hteaGG6N](https://pastebin.com/hteaGG6N)

wtf?

~~~
c256
(This part of) Akamai's value prop rests on two things: they have servers all
over the world, and they can figure out which of those are both functioning
well and (network-wise) close to you. The former comes from infrastructure
investment and management. The latter comes from collecting and processing
data from all over the (network-wise) world, quickly. That last part involves
building and updating a map of actual and potential internet traffic — not
quite all of it, but for everywhere that your (prospective Akamai customer
‘you’) customers might be. Doing _that_ without owning ~all of the BGP routers
in the world plus ~all of the local ISPs in the world involves a fair bit of
probing, data gathering, and a bunch of math.

It’s likely that those headers don’t all get added all the time, for all the
Akamai traffic, but instead are added selectively for key parts of the mapping
process.

(Disclosure: I worked for Akamai Way Back When, but left the company many
years ago.)

------
berbec
Not defending PIA, as they've been purchased by satan.net, but remember the HN
posts where NordVPN was asked some very unfriendly questions by Private
Internet Access? Remember everyone dismissing it as an astroturf marketing
ploy?

I've been a PIA customer, and am canceling to switch to Mullvad, but PIA
selling out seems not to prove they weren't right before.

~~~
Exuma
Can you tell me more about Mullvad, does it have a good reputation with
HN/elsewhere? Does it have common VPN problems like leaking etc? I'm looking
to switch away from Nord now.

------
dalemyers
What am I missing here? Surely if this were true, Nord would be able to
unblock basically every service. Netflix, prime video, etc. Would all work.
That's not the case though?

~~~
ilaksh
I live in Mexico and use Nord VPN (or I did at least, seems like maybe I can't
anymore unless I want my computer to be a proxy for arbitrary and potentially
nefarious traffic). I have Amazon Prime Video, Disney+, HBO Now, Hulu, and
Netflix. All work with Nord VPN running.

------
Scoundreller
Ah, I think Oxydata is behind the recently defunct Oxyleads.com which seemed
to publish historical scraped LinkedIn data.

They had a browser extension, maybe somebody can get a copy and see what's in
common with other extensions?

[https://support.oxyleads.com/hc/en-us/articles/360015036112-...](https://support.oxyleads.com/hc/en-us/articles/360015036112-Download-Browser-Extension)

------
NeaterPeter
This article doesn't really make a lot of sense as there's no hard proof, just
speculations of the author

~~~
ortekk
Well, I just verified this article's claims with this curl request:

    curl --head -H "Pragma: akamai-x-get-client-ip" "https://www.disneyplus.com"

It returns different IPs for every request, and these IPs do look like
residential ones.

~~~
EternalAugust
Do an nmap scan on the IP and check for open ports. If there are open ports
it's very likely not actually a residence but a business.

~~~
Spy520
Not necessarily. Oxylabs could use UPnP to open ports like other similar
services as FluidStack, Honeygain, etc.

------
mirimir
Hey, this is an ~old thread. But I'd like to contact the author, Derek
Johnson. And, having no Facebook or Google account, I can't even create a
Medium account to post a comment.

So do any y'all perchance know his address? If so, please email me at the
address in my profile.

------
Nas808
All of these commercial VPN providers seem a bit sketchy to me. Roll your own
on a VPS with Algo.

------
mathgenius
I don't know what this guy is doing with all this pragma stuff... Once you
hook up to a NordVPN server the IP doesn't change... NordVPN has thousands of
servers, I assumed that is why the content providers don't block them, because
they can't keep up. Except amazon, which seems to be better at blocking than
the others.

Is this guy saying that these thousands of servers are not in some data center
somewhere, but actually residential malware? I'm doing some tracepath'ing (not
a network guy...) and I don't see what this guy is claiming. I'm calling bs.

~~~
mirimir
I think that he's saying that the connection from the NordVPN server to
Disney+ is getting proxied through residential IPs.

But hey, I'm testing that now.

Edit: Using IVPN's Germany exit ...

    
    
        $ curl -LIX GET https://www.disneyplus.com -H 'Pragma: akamai-x-get-client-ip'
        ...
        X-Akamai-Pragma-Client-IP: 178.162.222.41, 178.162.222.41
    

... and ...

    
    
        $ w3m -dump https://ipchicken.com
        ...
        178.162.222.41

~~~
limond
I was testing this earlier with a NordVPN US server. Akamai sees a changing IP
(different from the public IP of the server) that seems to be in residential
ISP IP blocks when retrieving www.disneyplus.com. For other sites on the
Akamai CDN this was not true. On other sites header and public IP matched like
in your example.

~~~
mirimir
Did you use the NordVPN client, or stock OpenVPN?

And if the NordVPN client, what OS?

~~~
limond
I used the NordVPN CLI client version 3.4.0-1 from a Debian bullseye PC

EDIT: package from
[https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/](https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/)

~~~
mirimir
Thanks.

So far, using the stock openvpn package in Debian, it doesn't look like the
Disney+ circumvention is happening for NordVPN's US servers.

I'm guessing that the NordVPN client must do it.

And if that's the case, it may merely route traffic directly through the
residential proxy, and not first through a NordVPN server. Which wouldn't be
good, because someone investigating the residential proxy would see the user's
IP address, rather than the exit IP address of the VPN server.

~~~
limond
Well, I had only little time to dig further but I can confirm your findings
that OpenVPN alone behaves as it should while the NordVPN client acts
differently. However, wireshark says I am only communicating with the NordVPN
server when connected through their client. I would love to know where the
difference in configuration is. I always assumed NordVPN would just call
OpenVPN with the public ovpn configs. They call the OpenVPN client with a
config that is shortly deleted after OpenVPN starts but can be extracted when
swapping the openvpn binary. It looks unsuspicious. A management unix socket
is opened to control the OpenVPN client. I would like to know how the
communication is configured.

~~~
mirimir
I'm also testing now with NordVPN CLI v3.4.0-1 in a Debian 10.1.0 x64 VM with
standard Gnome desktop.

I used the default settings. In particular, I didn't enable "obfuscate", which
I gather uses two hops.

I'm using a crude infinite while script.[0]

And so far, I haven't come across any servers with unexpected "akamai-x-get-
client-ip" for Disney.

But then, there are well over 1000 US server IPs.

So did you enable "obfuscate"? Or "CyberSec"? Or other options?

It would also help if you could share which servers showed unexpected "akamai-
x-get-client-ip" for Disney.

0) [https://pastebin.com/hz5due96](https://pastebin.com/hz5due96)

~~~
mirimir
Damn, I can be such a dumbass.

I was testing "www.disney.com", not "www.disneyplus.com".

Now I always see residential proxies for US servers. Or SSL certificate
failures, occasionally.

Edit: That's using either the Windows GUI client, or the Linux terminal client
in Debian. Not using "Obfuscate", "CyberSec", or other non-default options.
But residential proxies aren't used for "www.disney.com" or "paypal.com".

Also, with the stock openvpn in Debian, I don't see residential proxies being
used for "www.disneyplus.com".
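
The header comparison that ortekk, mirimir and limond run by hand in this thread, as an added example (not code from the article or from any commenter): it parses saved `curl -LI` output, extracts `X-Akamai-Pragma-Client-IP` from the final response, and compares it with the exit IP you observed separately. The function names and every sample response except the 178.162.222.41 header line quoted above are constructed for illustration.

```python
"""Compare the client IP an Akamai edge reports with the VPN exit IP you expect."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

HEADER = "x-akamai-pragma-client-ip"


def client_ips_from_headers(dump: str) -> list[str]:
    """Return the IPs in the header of the final response in a `curl -LI` dump.

    With -L, curl prints one header block per redirect hop, separated by a
    blank line; only the last block describes the response actually served.
    """
    blocks = [b for b in re.split(r"\r?\n\r?\n", dump.strip()) if b.strip()]
    if not blocks:
        return []
    for line in blocks[-1].splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HEADER:  # header names are case-insensitive
            ips = []
            for token in value.split(","):
                try:
                    ips.append(str(ipaddress.ip_address(token.strip())))
                except ValueError:
                    continue  # ignore anything that is not an IP literal
            return ips
    return []


def classify(dump: str, exit_ip: str) -> str:
    """'match' if every reported IP equals exit_ip, 'mismatch' if any differs,
    'no-header' if the edge did not echo the header (blocked, error, other CDN)."""
    exit_norm = str(ipaddress.ip_address(exit_ip))
    ips = client_ips_from_headers(dump)
    if not ips:
        return "no-header"
    return "match" if all(ip == exit_norm for ip in ips) else "mismatch"


def summarize(dumps: list[str], exit_ip: str) -> dict:
    """Aggregate repeated requests made over one VPN connection."""
    exit_norm = str(ipaddress.ip_address(exit_ip))
    verdicts = Counter(classify(d, exit_ip) for d in dumps)
    foreign = sorted({ip for d in dumps
                      for ip in client_ips_from_headers(d) if ip != exit_norm})
    return {
        "verdicts": dict(verdicts),
        "foreign_ips": foreign,
        # more than one distinct non-exit address means the source is rotating
        "rotating": len(foreign) > 1,
    }


# Header line as posted in the thread (IVPN Germany exit); the redirect hop
# and status lines around it are constructed.
SAMPLE_MATCH = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.disneyplus.com/\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Akamai-Pragma-Client-IP: 178.162.222.41, 178.162.222.41\r\n"
    "\r\n"
)


def _constructed_response(value: str) -> str:
    """Constructed HTTP/2-style header block (lowercase names)."""
    return ("HTTP/2 200\r\ncontent-type: text/html\r\n"
            f"x-akamai-pragma-client-ip: {value}\r\n\r\n")


# Constructed runs using documentation-range addresses (RFC 5737):
# the assumed exit IP is 198.51.100.7, the 203.0.113.x values stand in for
# addresses that do not belong to the VPN server.
SAMPLE_EXIT = "198.51.100.7"
SAMPLE_RUNS = [
    _constructed_response("203.0.113.21, 203.0.113.21"),
    _constructed_response("203.0.113.94, 203.0.113.94"),
    _constructed_response("198.51.100.7, 198.51.100.7"),
    "HTTP/2 403\r\n\r\n",  # response without the debug header
]

if __name__ == "__main__":
    print(classify(SAMPLE_MATCH, "178.162.222.41"))
    print(summarize(SAMPLE_RUNS, SAMPLE_EXIT))
```

Feed it the saved output of the `curl` command shown above and the address reported by an IP-echo page fetched over the same connection.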

------
sas41
I have to say, the use of residential IPs as proxy for your traffic is
essentially digital money laundering for data, or Data Laundering if you will.
(IP laundering?)

It's one thing to use a VPN, another to use some unaware person's computer for
your mischief (think about someone doing illegal stuff using this method).

Knowing how the law works in some places, and how ill-informed some law people
are, I can totally see an innocent man getting locked up for illegal stuff,
like hacking or other stuff that I dare not say.

------
eximius
If anyone here knows enough about ASNs and the RIRs to set up a company whose
sole purpose was for individuals to buy/lease IPs, I would gladly help set up
and run such a company. The RIRs generally don't allow individuals to have
ASNs, so I assume an intermediary like this would be necessary.

But between uses like setting up a personal VPN with a clean IP or just the
cool idea of having a personal IPv4 address or IPv6 block... I think it would
be a viable, if rather small and niche, business.

~~~
U8dcN7vx
You don't need a company to get an ASN, but you do need to show that you
intend to get network connections from at least two providers and generally
that mean planning which plans are generally required as proof.

There are effectively no more clean IPv4 addresses, you'd have to buy
addresses that had previously been used.

Anyone can get IPv6 addresses even those whose ISP sucks via tunnelbroker.net
(aka Hurricane Electric) which will provide a single address, also a /64
and/or a /48. Of course they are generally blocked by streaming services
since they are a form of VPN and thus the endpoint might be anywhere.

~~~
eximius
If I didn't plan on having a physical location (i.e., AWS or Colo as opposed
to trying to get Comcast or any other connection to my house), what would
constitute a network connection?

What are the terms of assignment via Hurricane Electric? Can they take it
away? Do they only allow BGP advertisement to their sites or can I still bring
the IP elsewhere?

I still think there is an opportunity for niche needs here.

~~~
U8dcN7vx
At a colo or location of your own you might hire two upstreams like CenturyLink
and GTT, and since your (purchased) addresses would be reachable via either
you would need to announce via BGP which requires an ASN. At AWS the only
provider is AWS and are typically single addresses (even if you special
requested 256 you might not receive a /24), further I don't know that AWS will
issue an LOA to allow you to announce their space via other providers.

An HE IPv6 tunnel is as permanent as you like, but they reserve the right to
phase out the terminal you are using which sometimes means your prefix would
change, and they expire unused tunnels periodically. IPv6 has builtin handling
of prefix changes though it does not deal with related DNS updates, which
you'd have to arrange.

An HE IPv6 assignment is from their allocation so you'd call that PA not PI,
i.e., you can't take them elsewhere. To get addresses of your own you would
need to apply to an LIR or RIR for an allocation -- generally easy to get a
/48 without any/much documentation with a /40 generally requiring
documentation but that's not free (250/yr for an ARIN allocation).

------
bigfuz
Any open-source OpenVPN client works just fine with NordVPN

------
asimpletune
Does anyone know if they’ve provided any response on this?

------
kitcar
Wouldn't this be pretty easy to confirm by monitoring bandwidth consumption on
a dormant computer running NordVPN? If bandwidth consumption is exponentially
higher when their VPN client is enabled, then clearly they are passing traffic
through your machine...

~~~
dna_polymerase
That is not how this supposedly works. The Oxylabs people (according to the
author) put software out there (like Apps, or Installers whatever) and those
are infected. That's why it's hard to prove this, first link those gnarly apps
to oxylabs, next link oxylabs to NordVPN.

This is how it could be done:

Rent Oxylabs Residential IP's (600$ minimum commitment, according to [0]).
Check out IPs, stop using them, hope they get rotated to NordVPN, where you'd
have to monitor the ips used. At Oxylabs pricing the only possible conclusion
if a match was found would be that the services are intertwined.

[0]: [https://oxylabs.io/pricing/residential-proxy-pool](https://oxylabs.io/pricing/residential-proxy-pool)

------
Exuma
Ok, well fuck NordVPN. Can someone recommend something good that doesn't log,
without setting up my own entire VPN (yes I get it's the only way to be sure
blah blah blah. I definitely care, but not enough to waste a week doing all
that)

~~~
ignoramous
Mullvad, ProtonVPN, and iVPN tend to get recommended often.

If geoblocking isn't a concern, you could use Cloudflare's Warp, which is
free. Not sure about the no-logs policy.

You could consider using Orbot, too, a Tor-as-a-proxy service for Android, if
annoying captchas and broken P2P apps are acceptable.

~~~
hawaiian
ProtonVPN seems to be involved with Tesonet as well. I'd do some more research
on them.

~~~
protonmail
No, we have never used IPs or servers from them (this is publicly verifiable
as our VPN IPs are public), and have no business connection with them today.
Verified by Mozilla and the European Commission as well when they audited
ProtonVPN, details here: [https://protonvpn.com/blog/is-protonvpn-trustworthy/](https://protonvpn.com/blog/is-protonvpn-trustworthy/)

------
harrylucas
Interesting, I'm assuming that this wouldn't be possible on iOS devices? E.g.
would installing a calculator app on iOS allow someone to route traffic
through my phone? (obviously without me granting vpn access to said app).

~~~
c256
Technically possible, practically unlikely (your iOS phone would be a terrible
router, giving the people who made the calculator app a slow, unreliable
output node that would identify to the desired source as a lower-quality
(mobile) client). In other words, it would be a bunch of extra work and risk
for a worse result.

The theoretical model here is using people’s fast, stable (-ish) broadband
connections to relay the connection. Even then, it’s only for the initial
setup steps; once you get to the actual streaming data, nobody in this model
wants to ferry those packets around.

~~~
smolder
Getting around geoblocking probably doesn't require the main video streaming
connection to be through one of these IPs.

------
kyledrake
It seems that the author is getting a different IP from NordVPN each time they
make a request. Does that mean Disney could block this by preventing the
request from coming from another IP each time a request is made?

~~~
Exuma
That would block all "first requests" which wouldn't work

~~~
kyledrake
After a logged in session, you could count the number of times an IP address
changes, and if it changes more than 3 or something in the last 10 minutes,
it's a good sign that they're using some sort of malware VPN.

~~~
aflag
Or that they could be walking around the city and connecting to different wifis
or maybe the person's connection is poor and keeps dropping and reconnecting.
I'm sure there are plenty of other legitimate use cases where the IP changes
frequently.

Also, bear in mind that blocking people from using it is not in Disney+'s
interest. They do it just so they can prove in court they are following the
copyright agreements they have. But if someone "hacks" the system, they are
not incentivised to put in resources to fix the hacks so they can have fewer
paying customers.
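
The heuristic from this sub-thread (more than 3 IP changes within 10 minutes of a logged-in session) run over sample events, as an added Python example that is not part of the thread. Session names, timestamps and the documentation-range IPs are constructed; the "flaky" session is the kind of legitimate user the objection above describes, and it is flagged just like the rotating-exit session.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def t(minute, second=0):
    # Constructed timestamps; the date is arbitrary.
    return datetime(2019, 12, 1, 12, minute, second)

# Constructed (timestamp, session_id, client_ip) events; IPs are documentation ranges.
EVENTS = (
    # New exit IP on every request, 10 seconds apart.
    [(t(0, 10 * i), "rotating", f"203.0.113.{10 + i}") for i in range(5)]
    # Poor connection that reconnects with a new address every 2 minutes.
    + [(t(1 + 2 * i), "flaky", f"198.51.100.{20 + i}") for i in range(5)]
    # Moves between networks, but slowly.
    + [(t(0), "commuter", "192.0.2.5"), (t(12), "commuter", "198.51.100.7"),
       (t(25), "commuter", "192.0.2.99")]
    + [(t(m), "stable", "192.0.2.44") for m in (0, 5, 9)]
)

def flag_sessions(events, window=timedelta(minutes=10), max_changes=3):
    """Map session_id -> time at which IP changes inside `window` first exceeded max_changes."""
    last_ip, changes, flagged = {}, defaultdict(deque), {}
    for ts, sid, ip in sorted(events):
        prev, last_ip[sid] = last_ip.get(sid), ip
        if prev is None or prev == ip:
            continue  # first request of the session, or no change: nothing to count
        q = changes[sid]
        q.append(ts)
        while ts - q[0] > window:  # drop changes that fell out of the sliding window
            q.popleft()
        if len(q) > max_changes:
            flagged.setdefault(sid, ts)  # keep only the first time the limit was crossed
    return flagged

if __name__ == "__main__":
    for sid, ts in flag_sessions(EVENTS).items():
        print(f"{sid}: flagged at {ts:%H:%M:%S}")
```

Counting changes rather than requests means a session's first request is never penalised; separating the "rotating" and "flaky" cases would need a signal other than change frequency.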

------
lucb1e
> Then I decided to give NordVPN a try, and poof, it worked like a charm. How
> was this possible? Residential IPs was my guess.

"Guess"? Do they route packets differently depending on the destination, i.e.
if you go to one of the whatsmyip websites you'll see a nordvpn-owned IP but
to a Disney server they use someone's home connection? Is that what the author
says is happening here? I don't know if this is common but, while technically
possible, it seems a little weird. I assume the author could just have checked
what IP they were exiting from.

Edit: someone else verified it, yes indeed they use residential IP addresses:
[https://news.ycombinator.com/item?id=21665084](https://news.ycombinator.com/item?id=21665084)

~~~
7777fps
The author also verified it, if you had the decency of actually reading the
article rather than exiting as soon as you found some way to state that you
know better.

~~~
lucb1e
I suppose that's fair.

------
mirimir
As much as I love VPN services, this is indeed creepy.

I mean, why stop at using whatever app installs as exits?

Why not route a VPN service through an _actual_ botnet?

------
mmd45
i let my kids download apps on ios and chromeos (no android). is it
technically possible for these apps to be proxying data for someone like nord?

if so, would it only be while the apps are in the foreground or can they do it
in the background?

~~~
smolder
Yes. As stated elsewhere this is Oxylabs' business model and it's how a decent
number of free apps monetize. I don't know how relevant background/foreground
are.

------
trymas
Ring ding ding ding. Jackpot.

I had on my backlog to do something similar, I guess I do not have to. NordVPN
is just a front for Tesonet to gather data and sell your bandwidth for bots,
scrapers etc. through OxyLabs and other companies.

------
IdontRememberIt
We block vpns/open proxies. 99% of the time a user is complaining, their main
argument is so they can have "a secure Internet connection" to our site.

~~~
pteraspidomorph
I don't know what your business is, but I run my own VPN (closed). I will
complain if you block it for no apparent reason, because you are forcing me to
interrupt a dozen connections and ongoing workflows if I want to use your
service (usually I just won't).

