VPN Blocking?

Looking for an Extension? Have an Extension request? Post your request here for help. (Note: This forum is community supported; while there is an Extensions Development Team, said team does not dedicate itself to handling requests in this forum)
Ideas Centre
User avatar
ChinaGal
Registered User
Posts: 182
Joined: Fri Jan 24, 2020 10:02 am

VPN Blocking?

Post by ChinaGal »

Is there an extension available to block site visitors from using a VPN? I couldn't find one.

I saw though on another phpBB forum they have some sort of VPN blocking. See the VPN blocking message in the attached screen shot.

This came from the https://www.avathar.be/forum site.

Any idea if this is something that would be easy to implement on other phpBB forums too?

Many thanks.

VPN.jpg
User avatar
KevC
Support Team Member
Support Team Member
Posts: 70066
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: VPN Blocking?

Post by KevC »

Why not register an account on there and ask them?
-:|:- Support Request Template -:|:-
Image
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"
User avatar
EA117
Registered User
Posts: 1765
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: VPN Blocking?

Post by EA117 »

Not aware of an extension that has a database of VPN IP address ranges. Which doesn't mean it can't exist, but I haven't seen it mentioned here.

The feature within phpBB itself which could have presented a similar message is simply banning an IP address range. As with other types of phpBB bans, you get to define a message that will be shown to the banned user/session. I suspect that might be all they have done here, and set the "Forbidden..." message as the ban reason to be shown.

Banning of IP address(es) is on the phpBB ACP Users & Groups tab, same as banning usernames or email addresses.
User avatar
david63
Registered User
Posts: 18077
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Contact:

Re: VPN Blocking?

Post by david63 »

Out of interest why do you want to block anyone on a VPN?
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
User avatar
AmigoJack
Registered User
Posts: 5757
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: VPN Blocking?

Post by AmigoJack »

Looks like: The illogic comma in that message bothered me enough to use Google which brings up results for different boards, and that led to the name "CleanTalk", which then brought up the extension. The error message itself is not within the phpBB extension files, but instead must directly come from their service (which means it's somewhat impossible to fix).

From my personal experience the only difficulty in detecting VPNs is to first accumulate lists of hosters that aren't ISPs - once that is done the lists serve quite well for almost a decade. Checked every detection manually to see if it was a false positive. And I made it working without using one single bit of JavaScript and supporting both IPv4 and IPv6, as well as checking the reverse resolved hostname.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.
User avatar
warmweer
Jr. Extension Validator
Posts: 4915
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: VPN Blocking?

Post by warmweer »

I don't see the Cleantalk extension being used on https://www.avathar.be/forum/
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.
User avatar
ChinaGal
Registered User
Posts: 182
Joined: Fri Jan 24, 2020 10:02 am

Re: VPN Blocking?

Post by ChinaGal »

AmigoJack wrote:
Sun Jul 26, 2020 9:07 pm
Looks like: The illogic comma in that message bothered me enough to use Google which brings up results for different boards, and that led to the name "CleanTalk", which then brought up the extension. The error message itself is not within the phpBB extension files, but instead must directly come from their service (which means it's somewhat impossible to fix).
Thank you for figuring out where it came from. Clever. I didn't even notice the comma.

Here is their website: https://cleantalk.org/ - Looks like its a paid service.

Too bad you can't edit the error messages. Maybe you can ask them to update it if you are a subscriber.
Last edited by ChinaGal on Sun Jul 26, 2020 10:14 pm, edited 1 time in total.
User avatar
ChinaGal
Registered User
Posts: 182
Joined: Fri Jan 24, 2020 10:02 am

Re: VPN Blocking?

Post by ChinaGal »

warmweer wrote:
Sun Jul 26, 2020 9:31 pm
I don't see the Cleantalk extension being used on https://www.avathar.be/forum/
Interesting. How are you able to know that?
User avatar
ChinaGal
Registered User
Posts: 182
Joined: Fri Jan 24, 2020 10:02 am

Re: VPN Blocking?

Post by ChinaGal »

EA117 wrote:
Sun Jul 26, 2020 8:46 pm
Not aware of an extension that has a database of VPN IP address ranges. Which doesn't mean it can't exist, but I haven't seen it mentioned here.

The feature within phpBB itself which could have presented a similar message is simply banning an IP address range. As with other types of phpBB bans, you get to define a message that will be shown to the banned user/session. I suspect that might be all they have done here, and set the "Forbidden..." message as the ban reason to be shown.

Banning of IP address(es) is on the phpBB ACP Users & Groups tab, same as banning usernames or email addresses.
Good idea. I got a list of about 33,000 VPN IP addresses in a zip file here from Github: https://github.com/ejrv/VPNs/archive/master.zip and here is where the ZIP file came from: https://github.com/ejrv/VPNs

I added them to IP Address Ban via ACP as you suggested. No problem to add them all in one go from the IPV4 TXT file list from within the ZIP file. Just a simply copy and paste. But I tried many different VPN servers after getting that setup and it didn't seem to block any of them. Maybe there are just too many VPN IP addresses to capture them all in a database even though the README.MD file says that they got most of them and the list itself says it was last updated on March 22, 2020.
User avatar
EA117
Registered User
Posts: 1765
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: VPN Blocking?

Post by EA117 »

warmweer wrote:
Sun Jul 26, 2020 9:31 pm
I don't see the Cleantalk extension being used on https://www.avathar.be/forum/
https://www.avathar.be/forum/ext/cleantalk/antispam/composer.json

ChinaGal wrote:
Sun Jul 26, 2020 11:24 pm
Good idea. I got a list of about 33,000 VPN IP addresses in a zip file here from Github: https://github.com/ejrv/VPNs/archive/master.zip and here is where the ZIP file came from: https://github.com/ejrv/VPNs
That the site in question had simply issued the ban themselves, from an IP address range they had found to be "at high risk for spam", is all I was expecting had happened. i.e. phpBB's built-in IP address ban capability could explain having a specific message presented to those users, as was being shown in the screen shot. But as was uncovered by AmigoJack, it appears they likely have an extension which has made its own deduction of "this is at high risk for spam", and nothing to do with the phpBB IP address ban system.

Yes, pre-loading a list of 33K IP addresses is certainly bound to present some kind of issue. Either in trying to get the list accepted in the first place, or in performance of having to check against that many addresses even if successfully loaded. But indeed, it should be able to "work", even if ultimately the performance might turn out to be undesirable.

A ~490KB list might be accepted in a single attempt to add them to the phpBB ACP ban page. It would depend on what the PHP post size was set to allow in a single request on your server. Worst case you might have to break such a list into smaller pieces, if you're getting an error when trying to add the entire list, or don't see all the IP addresses in the ban list after you submit them.

The issue I see which should prevent the entire list from loading regardless of the post size is because the phpBB "ban IP address" input does not accept the network mask or CIDR-type notation being used in the list you linked to. Meaning the format such as x.x.x.x/27, x.x.x.x/18, etc. As described in the phpBB ACP page, each line must have either an IP address (x.x.x.x) possibly with an asterisk-based "wildcard"; or a range of IP addresses separated with a hyphen (x.x.x.x-x.x.x.x).

So that might have been what kept the VPNs you tested with from being blocked; because the IP address range present in the list which would have blocked the VPN wasn't specified in a format compatible with the phpBB ACP IP address ban input. The other possibility, since you didn't specifically confirm, is that the VPN you tested from simply wasn't in this public VPN list. I'm guessing your VPN probably was listed; but just saying we haven't explicitly confirmed having ruled that possibility out yet, either.
User avatar
warmweer
Jr. Extension Validator
Posts: 4915
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: VPN Blocking?

Post by warmweer »

ChinaGal wrote:
Sun Jul 26, 2020 10:03 pm
warmweer wrote:
Sun Jul 26, 2020 9:31 pm
I don't see the Cleantalk extension being used on https://www.avathar.be/forum/
Interesting. How are you able to know that?
Standard header analysis and it showed about 10 extensions (cleantalk not being one of them)
Yep: since I was specifically looking for cleantalk, I should just have explicitly checked that (but blindly accepted the default check results).
Again proof that relying on default procedures can make one forget/overlook the simple/logical things :shock: :oops:
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.
User avatar
ChinaGal
Registered User
Posts: 182
Joined: Fri Jan 24, 2020 10:02 am

Re: VPN Blocking?

Post by ChinaGal »

EA117 wrote:
Mon Jul 27, 2020 4:30 am

A ~490KB list might be accepted in a single attempt to add them to the phpBB ACP ban page. It would depend on what the PHP post size was set to allow in a single request on your server. Worst case you might have to break such a list into smaller pieces, if you're getting an error when trying to add the entire list, or don't see all the IP addresses in the ban list after you submit them.

The issue I see which should prevent the entire list from loading regardless of the post size is because the phpBB "ban IP address" input does not accept the network mask or CIDR-type notation being used in the list you linked to. Meaning the format such as x.x.x.x/27, x.x.x.x/18, etc. As described in the phpBB ACP page, each line must have either an IP address (x.x.x.x) possibly with an asterisk-based "wildcard"; or a range of IP addresses separated with a hyphen (x.x.x.x-x.x.x.x).

So that might have been what kept the VPNs you tested with from being blocked; because the IP address range present in the list which would have blocked the VPN wasn't specified in a format compatible with the phpBB ACP IP address ban input. The other possibility, since you didn't specifically confirm, is that the VPN you tested from simply wasn't in this public VPN list. I'm guessing your VPN probably was listed; but just saying we haven't explicitly confirmed having ruled that possibility out yet, either.
Thanks. The list was accepted as a single attempt to add it as I think I mentioned. No problem. And it created a separate line for each IP with the same Ban reason given for each entry. The difficulty was removing them all afterwards though. I couldn't do the whole list in one go again in the same way that I added them. It would only delete a few hundred at a time. So it took a bit longer to delete them all again. But while I had the list installed, I didn't see any reduction in site speed or performance.

Also, there were no IP ranges in the list I added. The list I used was all purely one IP per line. They seem to be providing 2 different IPV4 files on Github. If you go to the following link https://github.com/ejrv/VPNs and save the vpn-ipv4.txt file directly from the link provided there then you get a strange looking file filled with lots of code and IP ranges. But if you download the ZIP file, and then open the vpn-ipv4.txt file within the ZIP file, then you just get a pure list of just over 33,000 IP addresses, one per line, and that is what I used to install the Ban list I put in. I may setup a test board and do a bit more expirimenting with that list and see what the results are.

As for CleanTalk, nice idea, but its purpose really isn't to block VPN. It seems to be more like a general anti-spam filter and we don't need that. So probably not the solution we are looking for. I also did more testing on that board where they have the CleanTalk extension running. It might block you from registering an account with a VPN, but it certainly doesn't block access to posts. Also, if you are registered already for an account and try to login using a VPN then it doesn't block either. It only seems to block you for signup. So blocking a list of VPN IP addresses using the Ban funciton in ACP seems like the better way to go.

I wonder if one contacted the 3-4 biggest VPN services if they would provide a list of their server IP addresses. Probably not because companies like NetFlix, BBC and other streaming platforms try to block VPN servers. So it is a constant game of cat and mouse and the VPN companies probably won't give out their server IP information because they want to remain stealthy.
User avatar
david63
Registered User
Posts: 18077
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Contact:

Re: VPN Blocking?

Post by david63 »

Having 33k IP addresses to check in phpBB will make your board run extremely slowly, that is if it doesn't stop functioning altogether.

If you need to block that many then you will be better off doing via some other means such as your board's firewall or something like Cloudflare.

You still haven't said why you feel a need to block anyone using a VPN from accessing your board when VPNs are becoming more prevalent for many legitimate reasons.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
User avatar
AmigoJack
Registered User
Posts: 5757
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: VPN Blocking?

Post by AmigoJack »

ChinaGal wrote:
Sun Jul 26, 2020 10:00 pm
AmigoJack wrote:
Sun Jul 26, 2020 9:07 pm
Here is their website: https://cleantalk.org/
ChinaGal wrote:
Sun Jul 26, 2020 11:24 pm
here from Github: https://github.com/ejrv/VPNs/archive/master.zip and here is where the ZIP file came from: https://github.com/ejrv/VPNs
Isn't this obvious? If I have an address I can also try parts of it. Maybe you should also read the content of the websites you link to:
This list doesn't list all VPNs,
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.
User avatar
EA117
Registered User
Posts: 1765
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: VPN Blocking?

Post by EA117 »

ChinaGal wrote:
Mon Jul 27, 2020 6:39 am
Also, there were no IP ranges in the list I added. The list I used was all purely one IP per line. They seem to be providing 2 different IPV4 files on Github. If you go to the following link https://github.com/ejrv/VPNs and save the vpn-ipv4.txt file directly from the link provided there then you get a strange looking file filled with lots of code and IP ranges. But if you download the ZIP file, and then open the vpn-ipv4.txt file within the ZIP file, then you just get a pure list of just over 33,000 IP addresses, one per line, and that is what I used to install the Ban list I put in.
Understood. Yes, the "save as" which resulted in a file containing codes is saving the HTML document used to display the file on github, rather than saving the file itself. You have to click the "raw" view offered by github first in order to get just the file itself, instead of the friendly HTML display.

I believe you and I are looking at the same file, and mine has ~33000 entries in it too. But as can be seen even in the first few lines of the file:

Code: Select all

1.0.69.27
1.236.132.203
1.242.79.148
2.56.16.0/22
2.56.92.0/22
2.56.140.0/24
2.56.220.0/22
2.57.28.0/22
2.58.12.12
2.58.12.18
...these are not "just IP addresses." e.g. 2.56.16.0/22 is a range; all hosts within 2.56.16.0 with a 22-bit network mask applied. Everything you see with "/xx" at the end is a range of addresses.

phpBB does not accept them in this format, and is probably only adding 2.56.16.0 (the part that passes the regex pattern) when processing the line 2.56.16.0/22. But what the list intended is that you would have added 2.56.16.0-2.56.19.255 to phpBB in response to 2.56.16.0/22, because that is the range of addresses "2.56.16.0 with a 22-bit network mask applied" represents.

So this list does contain the information you need, but it would take some significant massaging to get it into phpBB-ready input.

Indeed, "use this list to block the IP addresses at your firewall or router" avoids the potential performance impact of having phpBB check an extensive ban list. But those other approaches don't give your visitors the friendly message of what's wrong and what they may need to do in order to access your board. They may simply believe your web site isn't even up.
Post Reply

Return to “Extension Requests”