Outage 21/05/2016 11:20

Dear users,

there was an issue with the OpenVPN authentication backend for the last 1.5 hours. If you were logged in, things were fine, but if you tried to log in, the system would deny it. The issue was buried in one of the databases where a duplicate table entry was made. Because there are no logs it took us a moment to figure out where exactly things went wrong. Once we removed the duplicate record the database was happy again and the error was resolved.

The IPredator team

Privacy vs. politics

Dear users,

some nice people working for another VPN provider thought it might be a good idea to trick us into terminating an account for spreading right wing material. What the article does not mention is that we asked for verification which was provided in the form of screenshots (see below). It also fails to mention that while we terminated the account we did not disclose any data about the user (earlier versions of the article on chloe.re claimed otherwise but were proven to be FUD). The article on chloe.re as it is right now has already been changed heavily after people started to ask for facts to back up the claims made there. Maybe the author could be so nice and also publish a diff of all of the changes.

Below is the answer to the verification request we lodged, along with the screenshots, which you do not get to see on chloe.re.

Subject: Re: User Batman12121 is spreading rasism
To: IPredator Support 
References: <573454F1.1060405@countermail.com> <5736FE59.6030702@ipredator.se>
From: chloe 
Message-ID: <573773AC.2080302@countermail.com>
Date: Sat, 14 May 2016 20:51:24 +0200
MIME-Version: 1.0
In-Reply-To: <5736FE59.6030702@ipredator.se>
Content-Type: multipart/mixed;

This is a multi-part message in MIME format.
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Hello again,

"unfortunately" I've deleted all the posts he has made on my forum
because they were very racist. I do have screenshots from earlier when he
said some really racist things on my IRC.

I've attached these horrible words by him. I really want him gone. Why
is your service allowing this sort of behavior?





The ToS clearly states that we will not protect users spreading right wing material. The author of the aforementioned article states that in his personal opinion a VPN service should be neutral. We see this differently. If a user spreads right wing propaganda then he/she/it is on the wrong side of history. We are not going to tolerate that our work is used to further the agenda of people who think that:

  • just because your skin has a different color,
  • you have a different religion,
  • you have a different sexuality,
  • or a disability

that those people are lesser humans and have no place on this earth (killing blacks is mentioned above) or within our society. We are not going to look the other way just to earn some money to provide a platform for right wing people.

If other VPN providers' employees need to stoop down to the new low of exploiting and tricking us with false accusations to improve their advertising ... so be it. Have fun spreading FUD while you are at it.


The IPredator team

Dear users,

due to a hardware defect we need to shut down some essential parts of the VPN infrastructure. The maintenance should last for about 1 hour until the defect has been repaired. We are sorry for the inconvenience and will do our best to bring the systems back online as soon as possible.

UPDATE: The maintenance is over. The broken device has been replaced without causing any widespread service disruptions.


The IPredator team

Website update - request for testing

Dear users,

We have been working on a website update for some time now and it is ready to be tested by you. To make sure that we do not limit the usage of the service we have deployed the updated website to our beta instance.

The new website has a slew of new features and improvements (some small bugs were also squashed in the process). To make testing easier we have only activated some of them for the time being. Once we are sure things work fine we will update the main page and unlock more features.

You might notice that the beta page asks you to migrate your account. Since we migrated to a new database schema to support the new features some things only take effect once the system knows that your account has been "migrated".

Here is a short list of changes that are already enabled.


All of our guides have been updated to the latest versions and now include Windows 10 as well as the latest versions for OS X. The Linux section was also overhauled, updated and extended to include LTS versions e.g. from Ubuntu. Additionally a new router section is now available with guides for TomatoUSB and pfSense.

Mail notifications

One feature many of you asked for was the ability to receive mail notifications. You can now configure the system to send you mails when your account is about to expire, when there are failed logins to your account (on the website) and when there is news such as new blog posts, comics etc.

Mail notifications are disabled by default and you need to opt-in if you want to receive them. Account expiration mails are sent once, 24h before your account expires.


Nuke your account

Another feature that was requested is the ability to delete your user account in the system. While we have always deleted inactive accounts after 3 months you can now speed up that process by explicitly marking your account to be nuked on the next run of the cleanup batch job. Right now the batch job runs at the beginning of each month leaving you some time to reconsider. :)


PGP public key

Our privacy conscious users asked us to implement a way for them to add their PGP public key to the system. This way they do not need to upload their keys to the public key servers and it's easier for the staff to check your current public key. If you are not yet using PGP to talk to the support via mail please do so. We even gift you with a free month of VPN in return for doing so!


Content Security Policy

We started to enable the Content Security Policy feature that (most) modern browsers support. If you hit any issues please let us know since it still might require some fine tuning. If the page behaves strangely please check the debug console of your browser.

Up and coming changes

We are well aware that just having a VPN is not the golden bullet to privacy. To support you in achieving more privacy we started working on a checklist of sorts. Please check out the work in progress version here. It is not fully done yet but we are happy about any feedback you can give us. If you know a particular tool or technique that should be included in the list please write us a mail and we will include it.

Once we are happy with the current changes and made sure that there are no big bugs lurking in the code we will auto migrate all of your accounts to the new database. After that change a few more features are going to be available. For starters we have added a commission feature for you. It is against our principles to pay advertising networks to track you just to be able to "advertise" on the internet. And on the other hand we know that quite a few of you have monetary constraints. Therefore we thought that giving you the commission for acquiring new users is the way to go. Another feature that we added is a special form of a rebate system along with the ability to have more VPN sessions based on how long you have been with us.

So if you want those features test ... test ... test and you will get them. :)

Mail service

One of the most asked questions is which trusted mail service we can recommend. Based on Trust but Verify we would either recommend riseup.net or a few others.

Now we are pleased to be able to provide you with access to a mail system that is hosted by yours truly.

The system is completely separated from the VPN user interface since we do not want anyone to be able to correlate accounts between the VPN and mail system (this also means you can only access the mail system from within the VPN). Each mail user gets 1GB of mail storage which should make it suitable for receiving a number of mailing lists etc. If you need more space just ask us. To prevent spammers from abusing the mail system we have limited the outbound mail rate to 23 per hour. If you have valid use cases that require you to send more mails ... ask.

Right now the mail system requires you to fetch your mails via IMAP. If you can convince us we might be swayed into setting up a webmail frontend as well.

The mail system defaults to having accounts on ipredator.me but there are a few alias domains that you can use as well:

  • doyoushape.me
  • snatch.io
  • spam.rip
  • tron.io

We will add more domains if we come up with nice domain names. :)

We still consider the mail system to be in the beta stage. In order to get access to it please contact the support staff via mail or on the IRC server. Installation guides are being worked on and will be released soon.

VPN client

When looking at the state of open source VPN clients we noticed that there are quite a few, but they either are not really cross platform, are bogged down by dependencies, or focus on other functionality like being a mail client at the same time. We started to work on a VPN client and have reached our first milestone which is to have a build chain for Windows, OS X, Linux and BSD. Our next goal is to reach the same functionality that the native VPN GUI offers. Besides all of the obvious features like DNS leak protection etc. we would like to ask you to provide us with feedback in terms of functionality you would like to have in a client that you miss in other clients. We would also like to know what you dislike in other clients. Your feedback will help us to decide which features we should work on and which of them should be dropped or deferred for later development.

The IPredator team

DNS issues

Dear users,

there were some DNS issues today because the DNS load balancer failed in a spectacular (and unanticipated) way which caused the domains serving the VPN to expire. It took us some time to debug the issue and roll back the git and redeploy all affected zones. All DNS servers should be back and operational again. If you are still having issues try to clear your DNS cache.

We are sorry for the inconvenience this might have caused.

The IPredator team

Staying anonymous online is like running a marathon through a mine field. We have various government agencies breaking into systems to steal our data, or Internet Service Providers like AT&T that mess with user traffic and inject ads to earn some extra bucks by exploiting their customers for advertising. Besides organizations that make online privacy harder for the general population, technology itself is not easy to deal with either.

There are many pitfalls when using VPNs like:

With all those issues present it is already difficult for the average user to attain even a basic level of privacy or anonymity without spending a lot of time researching how to fix things.

To make matters worse there seems to be a recent trend to splash names on vulnerabilities and then send them into the "news on security" circus rather than doing something about educating users more thoroughly. Portfail comes to mind as the most prominent example. Delivering news in that style sends unsuspecting users into a frenzy because it is hard to filter out what is hype, what are real issues and how they affect the service(s) in question. While we agree that identified security issues should be addressed and fixed, there are a number of problems that are rarely spoken about.

Many people are concerned about anonymity but the hard questions are rarely asked or answered for that matter. We have had this experience with every single VPN provider ranking that we were asked to participate in over the last years. Everybody seems only to be concerned about "the logging question" which cannot be validated at all and which also -- obvious as it is -- is only one question among many others that never get asked at all. To the best of our knowledge there is neither a procedure nor an established entity that can provide you as a user with a trustworthy explanation or report based on a real world audit of VPN provider infrastructure. Trust but verify.

So what should users be concerned about? Without any proactive transparency on the VPN provider's part, a potential VPN user should look at least for the following things:

Website security

Let's start with the VPN provider's website. It's the first line of defense when you need to interact with your VPN provider since you need to make an account, log in, pay for your VPN, etc.

Does the website enforce HTTPS and is it actually properly configured? Use ssllabs.com to check the site's SSL configuration and securityheaders.io to check for HTTP header best practices. Does the website use mixed HTTP/HTTPS content? Imagine the following scenario:

  • HTTPS VPN provider website relies on resources fetched via HTTP
  • VPN provider has servers overseas and the website hosted outside the VPN network
  • You log into the website using the VPN but website access is not routed internally but instead uses the normal internet

In the best case you just face a loss of anonymity by partially exposing communications that reveal things about you. In the worst case you open yourself up to injection attacks from the spooks via Quantum Inserts.

Web trackers and affiliate programs

Next on the list is the topic of web trackers. Install NoScript + EFF Privacy Badger + something like Disconnect. Are there any web-analytics trackers on the website? External resources like JavaScript, social media "buttons", etc? They are all used to track your footprints on the internet.

If the VPN service you are looking at is using ad networks, ask yourself how can you trust someone who is spending money on advertising networks that track you. Are they not supposed to protect you from this exact industry? Many (not all) affiliate programs fall into the same category. How do you pay your affiliates if you do not properly track where your users come from?
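The two website checks above (HTTP resources on an HTTPS page, and externally loaded scripts, buttons and trackers) can be run against a saved copy of a provider's page. The following is an added example, not code from the original post; the page URL, the HTML and all host names in it are constructed, and `same_site` is a simplified first-party test.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes a browser fetch a subresource automatically.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
                  "audio": "src", "video": "src", "source": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of the subresources a page references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as subresources
        value = attrs.get(FETCHING_ATTRS.get(tag, ""))
        if value:
            # urljoin resolves relative and protocol-relative (//host/x) URLs.
            self.resources.append(urljoin(self.page_url, value))


def same_site(host, page_host):
    # Simplification: first-party means the page host itself or a subdomain of it.
    # A production check would consult the Public Suffix List.
    return host == page_host or host.endswith("." + page_host)


def audit_page(page_url, html):
    """Report HTTP subresources on an HTTPS page and third-party hosts it loads from."""
    page = urlsplit(page_url)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    mixed, third_party = [], set()
    for url in collector.resources:
        parts = urlsplit(url)
        if page.scheme == "https" and parts.scheme == "http":
            mixed.append(url)  # fetched in cleartext, can be read or modified in transit
        if parts.hostname and not same_site(parts.hostname, page.hostname):
            third_party.add(parts.hostname)  # this host sees every visit to the page
    return {"mixed_content": mixed, "third_party_hosts": sorted(third_party)}


# Constructed sample page; every URL below is invented for the example.
SAMPLE_URL = "https://vpn.example/account"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://vpn.example/account">
<script src="http://vpn.example/js/login.js"></script>
<script src="https://analytics.tracker.example/t.js"></script>
</head><body>
<img src="//static.vpn.example/logo.png">
<iframe src="https://social.example/button"></iframe>
<a href="http://blog.other.example/">blog</a>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_URL, SAMPLE_HTML)
    print("HTTP resources on HTTPS page:", report["mixed_content"])
    print("Third-party hosts:", report["third_party_hosts"])
```

Plain `<a>` links are ignored on purpose: they are only followed when clicked, while the listed tags are fetched as soon as the page loads.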

Mail system

Next on the checklist is the mail infrastructure. If you have a problem you are likely going to write an email to your provider, so it's a good idea to actually check what they are using.

The rule of thumb here is self hosted == good, externally hosted == bad.

To check the MX record enter the provider domain there. If the result turns out to be Google mail, Hotmail, Yahoo, etc., congrats all your support requests are leaked to a 3rd party. Do not forget that mails contain user identifying information as well. Got something to hide? Read this interesting article and this piece.

Ticket system

The next item on the list when interacting with your VPN provider is to check for a ticket system. While it is nice that they won't "lose" your support requests, a ticket system's primary purpose is to NOT forget any customer interaction. Many businesses rely on a ticket system to define Key Performance Indicators (KPI) and consider them essential. If there is a ticket system ask how often old data is deleted.

User data retention

Part of providing a privacy service is that your provider should care about the data you leave in their system. So it's a good idea to check if they have some kind of data retention policy. There are many more places where user identifiable data piles up other than just the VPN itself.

  • Do they delete old user accounts?
  • What about your emails or the ticket system?
  • How many payment records are kept in the system and for how long?
  • Payment logs?
  • Web and mail server logs?
  • DNS server logs?
  • Firewall and IDS logs?

Data a provider does not have cannot be lost. As a small exercise comb through your mail folders or password store and check which of the VPN providers you do not use anymore have deleted your account.

DNS servers

Check if the DNS servers assigned by the VPN are actually located within the VPN itself. Once DNS requests pass network boundaries they are open to manipulation. Quantum insert to the rescue, yet again. The whole issue can be worked around by forcing your system to use DNSCrypt by default.


So far all checks have been more or less technical. Now it's time to look at the organizational aspects of a VPN provider.

The basic question is "What is the primary jurisdiction the VPN provider operates from?". This question is relevant because companies operating from the US or the UK (for example) can be forced to spy on users without having any legal way to disclose that fact to their users. If you are really unlucky the entity operating the VPN service got slapped with a gag order which cannot be violated without risking severe legal consequences.

Some providers try to work around that issue by setting up a warrant canary. A canary is a text file which states that no National Security Letter (NSL) or gag order has been installed by the government. A list of websites having installed warrant canaries can be found at canarywatch.org. While a canary is a good idea, operating a VPN provider in a jurisdiction that does not offer the legal instruments of a gag order and/or forcefully installed network taps is the better way to go.

Server locations

Besides the "We are the most secure VPN in the world" advertising mantra there is the "We are the fastest VPN in the world" motto that gets advertised. Armed with the knowledge from above about jurisdictions you have to ask yourself what counts more. Speed or anonymity? Check where the servers you are connecting to are located network wise by making a whois lookup on the IP addresses. Does the VPN provider actually OWN those machines or are they rented from a 3rd party located in a 3rd (or even 4th) party network?

There is no point in promising you nothing is logged while the network where the VPN server is located has to be considered hostile. Every infrastructure component a VPN provider hands off to a 3rd party extends the trust relationship you assume to that 3rd party as well. In most cases it lowers the amount of trust you can put into a system rather than increasing it.

In an ideal setting your VPN provider owns all of the hardware AND the network it operates.

What prevents a random 3rd party hoster from actually installing a Management Engine rootkit malware on offered servers for cryptographic key material recovery? Or a network tap for that matter.

The point is that most VPN providers are primarily businesses. The primary objective of most businesses is to drive costs down. In return one of the easiest ways to infiltrate and exploit VPN infrastructure is simply to offer cheap server hosting (do not worry the taxpayer will cover the bills). You might think that this is no big issue, but being on the receiving end there is a never ending stream of hosting offers specifically "tailored for our needs".

Applying the "Trust but verify" principle is really hard considering the environment for 3rd party hosting services.

Below are just two recent examples:

To whom this may concern,

XXX works with many major VPN clients around the globe; so, I wanted
to inquire as to whether IPredator would also have a need for our
extensive US / international server network and vast IP portfolio? 

I am happy to send over additional information at your request.

Many thanks, 

My name is XXX and I represent XXX.com.  I was visiting IPredator.se today and I couldn't tell where you host your VPN nodes.  I wanted to know if you were interested in replacing any of your current US vendors or if you're interested in expanding to a new vendor to diversify where you source your servers.

We have recently begun to specialize in VPN/Proxy company hosting, so we know the nuances of the industry, making the experience pre and post sales efficient and easy for you.  We're happy to announce your IPs or provide our own.  Our servers are covered by a 100% uptime SLA on power and network and a 4 hour hardware replacement SLA.  We have a full featured control panel, SWIP, rDNS, and more.  We make the IP justification process fast and easy.  Our friendly support team is standing by 24/7 365 to assist if the need ever arises.

Here are some example quotes, we're happy to tailor these to your needs:

Intel Xeon E3-1230v3
16gb RAM
20TB bandwidth
1000mbit port

Intel Xeon E3-1230v3
16gb RAM
/24 IP space
20TB bandwidth
1000mbit port

We offer services out of our Tier 3 compliant facilities in Dallas, Miami, Chicago, and Los Angeles.  If you're getting better pricing in any of the cities we operate in, we want to see it and beat it!

Thank you for your time and have a wonderful day.

There is another question in that same category: how many of the VPN providers out there are running their services on virtual machines hosted by third parties? Do you think VPN providers can easily offer exit machines in two dozen countries by deploying hardware they own and operate in datacenters they can trust? Honest to good, poke around and just for the fun of it ask some of them.

TLS certificate authentication

Last but not least you should check how your provider authenticates you as a user to their system. Many providers use TLS certificate authentication where a client certificate is issued for your user account. This certificate is then presented to the server infrastructure and used to allow or deny a login to the VPN system. So far so good, but there is a teeny-weeny issue when a TLS certificate is used.

When the TLS protocol suites were designed, anonymity was not seen as being as important as confidentiality or integrity of the connection. So in reality when you use a certificate to authenticate to OpenVPN for example it will leak the client certificate name and fingerprint in plaintext when negotiating the TLS handshake. This problem has been identified and documented as far back as 2012 but has not been fixed so far (scheduled fix is in TLS 1.3). You might ask what's the big deal here. Assume the following:

  • You create a new VPN account which uses a TLS client certificate
  • You connect from your home IP

Now at that point the information about the association of your client certificate and home IP will have been entered into systems like XKEYSCORE from the NSA, the GCHQ or whatever spook agency happens to sniff the whole internet just because they can. If you then go to your best friend's house / your spouse / lover / company and connect from there, the spooks will know it's you because of the client cert leak. Good bye anonymity ...

Below is an excerpt taken from a raw packet trace that a VPN client sent to its server in a test setup. The name of the client certificate in this test was fbhwaephubsh.vpn.ipredator.se. As you can see this name is also transmitted in plaintext over the wire. This is only a problem in cases where there is a 1:1 relationship between the client certificate and the user. Some providers do not offer any certificate authentication, others use shared client certs, but the general use case for a client certificate is to hand out unique ones.

        0x0110:  0253 4531 1230 1006 0355 0408 1309 4272  .SE1.0...U....Br
        0x0120:  7967 676c 616e 6431 0f30 0d06 0355 0407  yggland1.0...U..
        0x0130:  1306 4f65 6c64 616c 3124 3022 0603 5504  ..Oeldal1$0"..U.
        0x0140:  0a13 1b52 6f79 616c 2053 7765 6469 7368  ...Royal.Swedish
        0x0150:  2042 6565 7220 5371 7561 6472 6f6e 3112  .Beer.Squadron1.
        0x0160:  3010 0603 5504 0b13 0949 6e74 6572 6e65  0...U....Interne
        0x0170:  747a 3127  3025 0603 5504 0313 1e52 6f79  tz1'0%..U....Roy
        0x0180:  616c 2053 7765 6469 7368 2042 6565 7220  al.Swedish.Beer.
        0x0190:  5371 7561 6472 6f6e 2043 4131 2630 2406  Squadron.CA1&0$.
        0x01a0:  092a 8648 86f7 0d01 0901 1617 686f 7374  .*.H........host
        0x01b0:  6d61 7374 6572 4069 7072 6564 6174 6f72  master@ipredator
        0x01c0:  2e73 6530 1e17 0d31 3430 3132 3730 3934  .se0...140127094
        0x01d0:  3234 345a 170d 3234 3031 3235 3039 3432  244Z..2401250942
        0x01e0:  3434 5a30 81a8 310b 3009 0603 5504 0613  44Z0..1.0...U...
        0x01f0:  0253 4531 1230 1006 0355 0408 1309 4272  .SE1.0...U....Br
        0x0200:  7967 676c 616e 6431 0f30 0d06 0355 0407  yggland1.0...U..
        0x0210:  1306 4f65 6c64 616c 3124 3022 0603 5504  ..Oeldal1$0"..U.
        0x0220:  0a13 1b52 6f79 616c 2053 7765 6469 7368  ...Royal.Swedish
        0x0230:  2042 6565 7220 5371 7561 6472 6f6e 3126  .Beer.Squadron1&
        0x0240:  3024 0603 5504 0313 1d66 6168 7762 6570  0$..U....fbhwaep
        0x0250:  6875 6273 682e 7670 6e2e 6970 7265 6461  hubsh.vpn.ipreda
        0x0260:  746f 722e 7365 3126 3024 0609 2a86 4886  tor.se1&0$..*.H.
        0x0270:  f70d 0109 0116 1768 6f73 746d 6173 7465  .......hostmaste
        0x0280:  7240 6970 7265 6461 746f 722e 7365 3082  r@ipredator.se0.
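
To check what your own VPN client exposes, you can capture its handshake and scan the bytes for certificate name fields, which is what the readable strings in the trace above are. The following is an added example, not code from the original post: it reads hex dump lines in the same layout as the excerpt and lists the DER-encoded X.520 name attributes it finds. The sample bytes and every name in them are constructed, and `rdn`/`to_hexdump` exist only to build that sample.

```python
import re

# X.520 attribute types live under OID 2.5.4.x, DER-encoded as 06 03 55 04 xx.
OID_PREFIX = b"\x06\x03\x55\x04"
X520 = {3: "CN", 6: "C", 7: "L", 8: "ST", 10: "O", 11: "OU"}
# DER string types commonly used in certificate names.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}


def parse_hexdump(text):
    """Turn 'offset:  hex groups  ascii' dump lines back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s+(.*)", line)
        if not m:
            continue
        hex_part = re.split(r"\s{2,}", m.group(1))[0]  # drop the ASCII column
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def find_dn_attributes(data):
    """Scan raw bytes for name attributes that are readable without any key."""
    found, i = [], 0
    while (i := data.find(OID_PREFIX, i)) >= 0:
        header = data[i + 4:i + 7]  # attribute id, string tag, short-form length
        if len(header) == 3:
            attr, tag, length = header
            end = i + 7 + length
            if attr in X520 and tag in STRING_TAGS and length < 0x80 and end <= len(data):
                found.append((X520[attr], data[i + 7:end].decode("utf-8", "replace")))
                i = end
                continue
        i += 1
    return found


def leaked_common_names(data):
    """Common names visible in the capture; a unique client CN identifies the user."""
    return [value for name, value in find_dn_attributes(data) if name == "CN"]


def rdn(attr_id, text):
    """Sample builder: one RelativeDistinguishedName, SET { SEQUENCE { OID, string } }."""
    value = text.encode("ascii")
    atv = OID_PREFIX + bytes([attr_id, 0x13, len(value)]) + value
    seq = b"\x30" + bytes([len(atv)]) + atv
    return b"\x31" + bytes([len(seq)]) + seq


def to_hexdump(data):
    """Sample builder: format bytes as 16-byte dump lines with an ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        text = "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"        0x{off:04x}:  {groups:<39}  {text}")
    return "\n".join(lines)


# Constructed sample: filler bytes followed by an invented subject name.
SAMPLE_BYTES = (b"\x16\x03\x01\x00\x5a\x0b\x00\x00\x56"
                + rdn(6, "SE") + rdn(10, "Example VPN")
                + rdn(3, "user1234.vpn.example.net") + b"\x30\x82")
SAMPLE_DUMP = to_hexdump(SAMPLE_BYTES)

if __name__ == "__main__":
    print(SAMPLE_DUMP)
    for name, value in find_dn_attributes(parse_hexdump(SAMPLE_DUMP)):
        print(f"{name} = {value}")
```

If the scan of your own capture returns a common name that is unique to your account, the 1:1 relationship described above applies to you.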


Never forget: Trust but verify. And if in doubt research.

"Port Fail" status

Dear users,

the privacy leak reported by TorrentFreak does not affect IPredator in any way. In order to exploit this vuln the attacker needs to be able to set up a port mapping on the IP address used to log into the VPN server. Our machines hand out dedicated IP addresses to you so there is no need to set up port forwards. Users connecting to the NAT pool are not affected either because we do not NAT you on the VPN servers.

The IPredator team

OpenVPN config update to force TLS 1.2

Dear users,

if you are using OpenVPN please download the latest configs available from the dashboard. The current version of the config file forces the use of TLS 1.2. This change works on most devices.

In case you are using a particularly old version of OpenVPN or the OpenSSL library, e.g. on an embedded device like a NAS, you can revert to a lower TLS version. You can also expect issues if you run ancient software releases on your phone / mobile devices. In any case we recommend updating the device(s) in question.

If you run into issues or have questions please come to the IRC or write an email to support@. Thank you.

The IPredator team

Dear users,

we wish all of you a happy new year 2015!

There were some login issues earlier today because somebody decided to DoS the authentication backends. We adjusted our countermeasures to keep out the bad requests. The issue is fixed now.

Static IP support

We are pleased to announce that you can now get a static IP config. Some of you have been asking for this feature for quite some time. If you decide you want to spend the extra money you get one fixed IPv4 address and one fixed IPv6 address. On request we can also route you a /56 IPv6 network (4700 billion IPs). Please contact the support via email or IRC if you would like to get such a config. Because IPs are expensive and you are likely to use more traffic than the average user the current price is 14 Euro per month on top of your normal account. As usual we do not enforce any speeds or shape your traffic in any way.


Another question that has been asked quite frequently was 'When and where can we get merchandise'. Please check out the picture below. You can now order hoodies in grey and black and t-shirts in black. The price for a hoodie is 60 Euro and for a t-shirt 25 (without shipping). The base material is a bit more expensive because we selected hoodies with reinforced seams and the print on the shirts is some kind of fleece. You can get them from S to 5XL in US sizes which means that they are a bit bigger than the EU sizes. Unfortunately we cannot offer fair trade and ecologically produced clothing at the moment simply because nobody wanted to commit on the sizes we need. :/



If you are interested in getting a t-shirt or hoodie along with some stickers and other propaganda we have lying around please contact the support.

The website will be updated in the coming week with all the information about static IPs and merchandise.

Use more bandwidth!

The IPredator team

Another day another power failure

UPDATE: The power is back online we are restoring all services.

Dear users,

unfortunately there is another power failure at one of our data centers. Looks like we are aiming strong to drive up the average from two power failures in 10 years to four in two months. The whole power grid is down. It's lights out for everyone and the UPS batteries only lasted so long. The power company is working on a fix, but we got no ETA yet.

The IPredator team