Hacker News new | ask | show | jobs
by tschumacher 40 days ago
Great find by the author and I have no trouble believing this is an oversight by Mullvad. Kind of shocking that something this simple slips by them but I could see myself missing it.

Putting aside the IP correlation across multiple servers, at first I wondered why even keep the user IP stable on one server. But I think it makes sense because as the author states other VPNs usually have only one IP per server so they are essentially simulating that. The advantages for the user are, if they find a server that works for accessing some service they can connect to that server again and it will work again because they get the same IP.

The IP correlation across multiple servers they should fix though with something like rand.seed(user_pub_key + server_id)
2 comments
saguntum 39 days ago
I feel like trying to "trick" the RNG into providing stability is the wrong approach here given all the footguns that can occur with having a low entropy seed, but I am not sure what an alternative to IP stability would be short of doing session management, which may introduce too much state into the problem to be acceptable for a VPN service.

Maybe a clientside hint that gets rotated in some circumstances with options to toggle it off would be appropriate. That should be fine as long as you don't care about someone being able to control their exit IP reliably.

link
lxgr 40 days ago
> The advantages for the user are, if they find a server that works for accessing some service they can connect to that server again and it will work again because they get the same IP.

On the flip side, if they’re getting banned by a service because of a noisy neighbor on the same IP, they’d have no way to work around that, no?

link
TurdF3rguson 40 days ago
You mean if the neighbor somehow burned every VPN location?
link
lxgr 39 days ago
Doesn’t even need to be every location. Some services are only accessible from a single country, and Mullvad has at most a handful of locations per country.

All things considered, there are just an incredibly small number of IPs shared among all users, no matter the allocation strategy.

link