Q&A VPN Proxy Question

n8chavez

Level 2
Feb 26, 2021
91
This has been bugging me for years, and I've never been able to find an answer for it. Hopefully someone here can.

With mullvad vpn you have the option of using a local socks5 proxy address that ties to the local users' instance of that VPN (not the server). With openvpn it's 10.8.0.1:1080, and with wireguard it's 10.64.0.1:1080. That is in addition to the network killswitch, ensures that no traffic from the apps set up to use that proxy will leak. This does not use ssh at all. Great. Awesome. But why is mullvad the only vpn I can think of (out of 25+) that uses it? Wyh don't they all. Could it be that maybe most do, but I just don't know about it?
 
Last edited:

venustus

Level 58
Verified
Trusted
Content Creator
Dec 30, 2012
4,745
This has been bugging me for years, and I've never been able to find an answer for it. Hopefully someone here can.

With mullvad vpn you have the option of using a local socks5 proxy address that ties to the local users' instance of that VPN (not the server). With openvpn it's 10.8.0.1:1080, and with wiregusard it's 10.6.0.1:1080. That is in addition to the network killswitch, ensures that no traffic from the apps set up to use that proxy will leak. This does not use ssh at all. Great. Awesome. But why is mullvad the only vpn I can think of (out of 25+) that uses it? Wyh don't they all. Could it be that maybe most do, but I just don't know about it?
Because Mullvad is one of the better vpn providers;)
 
  • Like
Reactions: Terry Ganzi

rain2reign

Level 6
Jun 21, 2020
276
Airvpn uses a similar set of functions, though not entirely the same way. You can use the "Network lock" feature to force your connection into a vpn tunnel. From which you can whitelist ip's manually. Those whitelisted connections will then go outside the tunnel and not make use of the Network Lock. As well as reroute ip's and hosts to run outside the VPN tunnel without the network lock feature enabled (making them regular connections rather than VPN). As well as force ip's to ONLY run in the VPN tunnel etc...

You can't force proxy on the local user-client (not proxy connection to vpn server) afaik, but you can force either a proxy over the connection as well as TOR proxy/node. And a few other things incl. a killswitch and through the web-account interface (browser) opening custom ports.

You can download the client and view the options without needing a login nor an account at: Download - AirVPN
 
  • +Reputation
Reactions: venustus

n8chavez

Level 2
Feb 26, 2021
91
Airvpn uses a similar set of functions, though not entirely the same way. You can use the "Network lock" feature to force your connection into a vpn tunnel. From which you can whitelist ip's manually. Those whitelisted connections will then go outside the tunnel and not make use of the Network Lock. As well as reroute ip's and hosts to run outside the VPN tunnel without the network lock feature enabled (making them regular connections rather than VPN). As well as force ip's to ONLY run in the VPN tunnel etc...

You can't force proxy on the local user-client (not proxy connection to vpn server) afaik, but you can force either a proxy over the connection as well as TOR proxy/node. And a few other things incl. a killswitch and through the web-account interface (browser) opening custom ports.

You can download the client and view the options without needing a login nor an account at: Download - AirVPN

I guess there's something I'm not understanding then. If the proxy is not leading to a VPN, and forcing the use of that VPN then now exactly is it acting like a safety net in case the network lock (killswitch) fails?
 

rain2reign

Level 6
Jun 21, 2020
276
I guess there's something I'm not understanding then. If the proxy is not leading to a VPN, and forcing the use of that VPN then now exactly is it acting like a safety net in case the network lock (killswitch) fails?
It's most likely my English and ended up doing a piss-poor job explaining. As i am reading back my own post i realize that tiny part made utterly no sense.... XD
(sh- happens :p) My bad, truly.

It works the same way as in Mullvad, the only advantage of proxy alongside with network lock through Eddie (AirVPN client name) is to "hide" your real IP from even the AirVPN servers. They themselves recommend using a TOR proxy node if manual proxy is needed. The proxy feature itself support regular proxy, OpenVPN proxy and TOR proxy nodes.
 
  • Like
Reactions: venustus

n8chavez

Level 2
Feb 26, 2021
91
It's most likely my English and ended up doing a piss-poor job explaining. As i am reading back my own post i realize that tiny part made utterly no sense.... XD
(sh- happens :p) My bad, truly.

It works the same way as in Mullvad, the only advantage of proxy alongside with network lock through Eddie (AirVPN client name) is to "hide" your real IP from even the AirVPN servers. They themselves recommend using TOR if manual proxy is needed. The proxy feature itself support regular proxy, OpenVPN proxy and TOR proxy nodes.

Oh. Okay. I am familiar with Eddie, I currently have an active AirVPN subscription. Thanks. I'll have to research this more.
 

HarborFront

Level 59
Verified
Content Creator
Oct 9, 2016
4,835
This has been bugging me for years, and I've never been able to find an answer for it. Hopefully someone here can.

With mullvad vpn you have the option of using a local socks5 proxy address that ties to the local users' instance of that VPN (not the server). With openvpn it's 10.8.0.1:1080, and with wireguard it's 10.64.0.1:1080. That is in addition to the network killswitch, ensures that no traffic from the apps set up to use that proxy will leak. This does not use ssh at all. Great. Awesome. But why is mullvad the only vpn I can think of (out of 25+) that uses it? Wyh don't they all. Could it be that maybe most do, but I just don't know about it?
This is a double-hop feature..........not a true double-hop VPN though

Quote

Multihop with SOCKS5​

You can also use the SOCKS5 proxies to multihop. To do so, you can configure your browser or other program to exit from a server that is different from the one you connected to.

For instance, if you are connected to se1-wireguard.mullvad.net and then want to exit via us1-wireguard.mullvad.net, you would configure your browser/program to use us1-wg.socks5.mullvad.net on port 1080 as your exit node.

Unquote

 
Last edited:
  • +Reputation
Reactions: venustus

n8chavez

Level 2
Feb 26, 2021
91
This is a double-hop feature..........not a true double-hop VPN though

Quote

Multihop with SOCKS5​

You can also use the SOCKS5 proxies to multihop. To do so, you can configure your browser or other program to exit from a server that is different from the one you connected to.

For instance, if you are connected to se1-wireguard.mullvad.net and then want to exit via us1-wireguard.mullvad.net, you would configure your browser/program to use us1-wg.socks5.mullvad.net on port 1080 as your exit node.

Unquote


I don't think it is a true double-hop though, because the address used as a socks5 is a local address (10.x.x.x:1080) not an external one.
 
  • Like
Reactions: venustus

n8chavez

Level 2
Feb 26, 2021
91
According to the link I posted from Mullad VPN you can configure it to do double hop

Right. But you're missing most of the document. It says:

"You may already be familiar with the Mullvad app's built-in "kill switch" safety feature. In other words, in the event that the Mullvad connection is terminated, all of your Internet traffic is automatically blocked, ensuring that your traffic is not accidentally leaked outside of our secure tunnel.

However, what happens if you've forgotten to start the Mullvad app? This is where using the SOCKS5 proxy comes in handy, to act as back-up protection."

And

"The SOCKS5 proxy is only accessible when you are connected to Mullvad."n

To me this indicates that 10.x.x.x is a local address, which it is. It has nothing to do with multi-hop because the address is internal, not external. But my question remains, do other VPNs offer this safety-net approach in addition to a killswitch? I'm very familiar with Mullvad, they are my current stable vpn.
 

HarborFront

Level 59
Verified
Content Creator
Oct 9, 2016
4,835
Right. But you're missing most of the document. It says:

"You may already be familiar with the Mullvad app's built-in "kill switch" safety feature. In other words, in the event that the Mullvad connection is terminated, all of your Internet traffic is automatically blocked, ensuring that your traffic is not accidentally leaked outside of our secure tunnel.

However, what happens if you've forgotten to start the Mullvad app? This is where using the SOCKS5 proxy comes in handy, to act as back-up protection."

And

"The SOCKS5 proxy is only accessible when you are connected to Mullvad."n

To me this indicates that 10.x.x.x is a local address, which it is. It has nothing to do with multi-hop because the address is internal, not external. But my question remains, do other VPNs offer this safety-net approach in addition to a killswitch? I'm very familiar with Mullvad, they are my current stable vpn.
Have you clarified with Mullvad? If yes, what's their reply?

I believe VPNs which support Socks5 should be the same unless otherwise stated.

 
Last edited:
  • +Reputation
Reactions: venustus

n8chavez

Level 2
Feb 26, 2021
91
Have you clarified with Mullvad? If yes, what's their reply?

I believe VPNs which support Socks5 should be the same unless otherwise stated.


You've kind of just illustrated my point; that a local vpn-proxy is rare. Just because a sock5 proxy is used does not mean it is used externally. A VPN and sock5 are not interchangeable. In the case of 10.x.x.x, which is private (see here, here, here, and, here) you can test this very easily. Ping it. Where does it go? Is the destination external? Try using anything with the socks5 proxy address 10.8.0.1:1080 without Mullvad active. Does it go anywhere? No.
 
  • +Reputation
Reactions: venustus

HarborFront

Level 59
Verified
Content Creator
Oct 9, 2016
4,835
You've kind of just illustrated my point; that a local vpn-proxy is rare. Just because a sock5 proxy is used does not mean it is used externally. A VPN and sock5 are not interchangeable. In the case of 10.x.x.x, which is private (see here, here, here, and, here) you can test this very easily. Ping it. Where does it go? Is the destination external? Try using anything with the socks5 proxy address 10.8.0.1:1080 without Mullvad active. Does it go anywhere? No.
I don't use Mullvad VPN. Can't try the ExpressVPN Proxy Extension either because it's a paid service different from its VPN service. I see later whether can try on NordVPN. Hopefully its proxy service does not require separate payment
 
  • +Reputation
Reactions: venustus

n8chavez

Level 2
Feb 26, 2021
91
Does anyone know why Mullvad seems to be the only VPN provider that uses sock5 to VPN? It's not two remote addresses, so it's not a double-hop, but rather a local one; 10.64.0.1:1080. This is great because it forces apps to use the VPN, and acts as kind of a killswitch safety net. I just can't seem to find if other VPNs have this or not, or why Mullvad is the only one.
 

rain2reign

Level 6
Jun 21, 2020
276
There are vpn services that have had it, SOCKS5, longer than Mullvad. Only its usually not enabled by default due to how those services configured their servers. It's generally buried under proxy settings, in the vpn client (whenever supported).
 
Top