upvote

points

by gruez9 hours ago |
comments
upvoteby TheDong8 hours ago|
next
[-]
It's simpler to implement because it's more stateless, and it's a better user experience.

If you get a new exit IP each time you connect, you need something like a NAT table to look up "key 0xabc exits ip 1.2.3.4", and that grows to be the size of the number of users you have active, and you need to save it forever so that when the NSA asks who used the IP for what duration you can tell them.

With a static mapping derived from the key, you don't need a table like that.

It's also better UX since it means reconnecting your VPN software (say you switch wifi hotspots) doesn't give you a different IP address, so things like SSH sessions can resume, which wouldn't be possible if it were a different public IP each time.

reply
upvoteby arciini8 hours ago|
prev|
next
[-]
I'd guess that this is to ensure one abusive user doesn't get every other user blocked from a large service (say, Google) for botting over the VPN and constantly rotating IPs.

It's a practical measure, but definitely has a privacy cost though.

reply
upvoteby stevekemp8 hours ago|
parent|
[-]
It's possible that contributes, but to be honest most VPN users are split "privacy seeking" and "abusive". Though I grant you paid users are probably slightly more circumspect than users of Tor, etc.

It seems more likely this is just about load-balancing use against their available nodes.

reply
upvoteby Riany8 hours ago|
prev|
next
[-]
My guess is deterministic assignment makes load distribution and debugging easier. But for a privacy product, that convenience probably needs to be reconsidered
reply
upvoteby tempest_8 hours ago|
prev|
[-]
I imagine there are a bunch of things on the internet that break if you start trying to connect to them from varying IP addresses. Things like the various CAPTCHA schemes and rate limiting etc, IP reputation etc.
reply
upvoteby lmm8 hours ago|
parent|
[-]
> I imagine there are a bunch of things on the internet that break if you start trying to connect to them from varying IP addresses. Things like the various CAPTCHA schemes and rate limiting etc, IP reputation etc.

Given how much of the world is stuck behind CGNAT now, I would expect any major sites to handle it.

reply
upvoteby nly4 hours ago|
parent|
[-]
Ironically the CGNAT at my ISP is so broken at peak times the only way I can actually use the internet is via a VPN (presumably because I then only occupy one connection tracking slot on the NAT)

I'm also stuck in a 2 year ISP contract

reply