pia-foss / desktop

Private Internet Access - Desktop VPN Client for Windows/macOS/Linux

PIA application returns wrong public IP #35

Open piramiday opened 2 years ago

piramiday commented 2 years ago

running piactl get pubip sometimes returns the wrong public IP address. if an ISP leases the IP for a short period of time, say 24h, then an always-on computer with PIA smoothly running will get the correct answer to piactl get pubip only for the first day, then it will not refresh the IP, ever.

the PIA application should be instrumented to verify that the public IP is still current every few hours, to be able to use piactl get pubip reliably.

JonathonH-PIA commented 2 years ago

Agree this is an issue - it goes way back to 1.0 when we didn't have any machinery to make a request bypassing the VPN while connected, which we do have now of course.

I'm curious about your setup here though - polling every few hours still could return the wrong IP for a few hours (or whatever interval we choose), so I'm not sure if it'd be reliable enough without some sort of active detection.

What are you using this for? Would a few-hours accuracy guarantee be sufficient?

With OpenVPN, we could currently rely on the connection terminating whenever the public IP changes since we don't currently have roaming, but with WireGuard we can't rely on that. We could heuristically re-detect if we see the local NIC change state (like roaming across Wi-Fi networks), but a change due to the ISP lease expiring would only be apparent on the gateway for many networks.

I suppose it might also be possible to have a CLI command to tell us to "probe now", so you could be pretty sure it's up-to-date whenever you are about to use it.

piramiday commented 2 years ago

> What are you using this for? Would a few-hours accuracy guarantee be sufficient?

I have a remote box with strict firewall rules -- every time my local public IP changes I have to re-authorize it. my SSH config implements cool tricks hopping via a fixed-IP gateway if a direct connection is not possible, so I'm never locked out, but I would still like to have a more automated way of whitelisting my IP when it changes. at present, I do need to disconnect from the VPN only to force the recomputation of the pubip.

> I suppose it might also be possible to have a CLI command to tell us to "probe now", so you could be pretty sure it's up-to-date whenever you are about to use it.

that's for sure! you could even ping your PIA backend to fetch the current public IP before any piactl get pubip command.

JonathonH-PIA commented 2 years ago

Interesting, thanks for all that context. I agree that an on-demand probe sounds like a good solution - then it's up to date whenever the custom automation requests it, and anybody using it can tune the interval to their needs just by probing at the right time.

I can't promise when it'll happen, but I will get it in our backlog :grin:

piramiday commented 2 years ago

any news on this? such a bug is still alive and kicking.
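
For the allowlisting automation described in this thread, the following is an added example (not code from the PIA project or from either commenter) of deciding a firewall change from the output of `piactl get pubip`. It assumes a single allowed client address; the function names and sample addresses are constructed, and the firewall commands themselves are left to the caller.

```python
import ipaddress
import subprocess


def read_reported_ip(cmd=("piactl", "get", "pubip")):
    """Return the text printed by `piactl get pubip` (may be stale, per the thread)."""
    done = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=True)
    return done.stdout.strip()


def plan_allowlist_update(reported, current_allowed):
    """Decide what to do with a one-entry SSH allowlist.

    Returns (action, add, revoke):
      ("skip", None, None)    reported value is not a usable public address
      ("keep", None, None)    reported address is already the allowed one
      ("replace", new, old)   authorize `new` and revoke `old` in the same change
    """
    try:
        ip = ipaddress.ip_address(reported.strip())
    except ValueError:
        return ("skip", None, None)      # empty or non-address output
    if not ip.is_global:
        return ("skip", None, None)      # RFC 1918, CGNAT, loopback, link-local...
    new = str(ip)
    if new == current_allowed:
        # Cannot detect staleness here: without an on-demand probe, an
        # unchanged answer may simply be the old lease still being reported.
        return ("keep", None, None)
    # Revoke the old entry together with the add: a released lease goes to
    # another subscriber, who would otherwise stay authorized on the remote box.
    return ("replace", new, current_allowed)


if __name__ == "__main__":
    # Constructed sample values, so the demo runs without piactl installed.
    samples = [("8.8.8.8\n", "1.1.1.1"), ("8.8.8.8", "8.8.8.8"),
               ("10.0.0.5", "1.1.1.1"), ("n/a", "1.1.1.1")]
    for reported, allowed in samples:
        print(repr(reported), allowed, "->", plan_allowlist_update(reported, allowed))
```
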