OK are you using a fixed IP address?

I contacted my VPN provider Reliable Hosting but they do not offer dedicated IP addresses. Instead they have a choice of servers around the world and advised to switch away from their Atlanta server which Cloudflare had blacklisted. That solved the issue for me, at least temporarily.

I too am getting blocked no matter which of several VPN services or servers I use. Like others here stated, I need to use VPN for other, non-nefarious security and privacy reasons (ie. not all VPN users are bots and criminals).

Is there any way to keep some of whatever security measures in place but loosen them enough so that actual legit users can still access the forums? I used to visit every few days. Lately it’s once a month maybe due to the blocking. I guess I’m not traveling as much so I don’t NEED to visit FT as much, but I still appreciate the dialogue and sense of community here. It’s a shame to just block out a segment of the population inadvertently or just to do the same to crawlers and bots, imho.

I had them whitelist the IP you sent me. Is that working?

IBJoal what do you need from me to unblock ?? I get the error as well.

Just PM me your IP address of choice

Unfortunately no, I still can’t access the site even when using that particular server. I appreciate you trying and it could be an auto-rotation of IP on my VPN’s side too. Very frustrating because I know you guys don’t want to be blocking us real FTers but also need to prevent the bots somehow. Wish there could be a happy middle ground. I’ve been accessing FT over VPN without issue for years until not long ago.

Pm sent.

Looks like it worked thanks.

In USA using Nord VPN.

Can't access FT.

https://cimg1.ibsrv.net/gimg/www.fly...929a8db586.jpg


Why?

Check out this recent thread, especially recent posts by FT Administrator IBJoel

Thank you.

It's frustrating....

Mine is working fine now. Did you give him your IP that's shown at the bottom of the error page or your providers IP??

To be honest whitelisting IP addresses is going to be a game of whack-a-mole. These public VPN providers, unless specifically giving you a static IP as part of the service you have purchased, will be moving their users and infrastructure around between IP addresses fairly regularly.

I get why these public VPN services have some utility to get around geo-fenced content, or local excessive restrictions. But using them all the time for general internet browsing can be counterproductive, as it makes all your connectivity come from an IP address that lots of other people are using, probably has a below average reputation, and can take away a layer of intelligence from some of the sites that you use. For example your bank and your payment card providers will use the device you are using and your connectivity among other parameters to assess the risk presented by certain financial transactions. By logging into sites and services whilst using the VPN can make those providers think you are elsewhere globally, moving around frequently and disable geo-based login security challenges that might otherwise be used to protect your logins or financial transactions.

With any site of any importance using SSL encryption by default these days, what you're doing is already obscured, and uses the similar encryption that you're buying from the public VPN provider. If privacy is really important to you many people would be better off setting up a cheap Linux box and running your own VPN. And if you're up to naughty stuff then you're much more likely to be using other solutions to hide your tracks.

So the point I'm trying to make here is by all means use one of the public VPNs when you need to defeat geo or local restrictions, but I would suggest that just using it all the time can actually impact your security posture to the other sites that you interact with. If cloudflare are taking this stance to reject connections from public VPN providers, you can probably assume that some of the other big names that provide front door services to many sites are going to start adding similar lists of known public VPN IPs and other IPs of below average reputation to block lists.

I just started using Surfshark. I can even access my relatively secure work server without issue. But not FT. I've tried a varierty of servers from safe countries - US, Canada, Iceland, etc. Any ideas as VPN is new to me? Thanks!

I think I sent a direct message to tech support about Cloudflare acting stupid, but maybe I posted in this forum instead.

Anyway, I use Astrill 90% of the time. Most of my preferred servers are blocked by Cloudflare (only when trying to access FT). I went through a trial and error phase during which I found some that worked intermittently before settling on Santa Clara, which works all the time.

However, I'd like to be able to use the better ones, which is what I relayed to tech support in my message. It shouldn't be especially difficult to whitelist Astrill's (or any other major VPNs') popular servers, right? I'm surprised this particular issue has been persisting for so long; some of my friends have basically stopped using FT as a result.

As an aside, the Cloudflare error page contains no guidance whatsoever.

Replying to myself, following is the Cloudflare error message I get when trying to access FT from most Astrill servers:

https://cimg6.ibsrv.net/gimg/www.fly...09e51f3158.png

This one happens to be "Los Angeles Supercharged" (one of the better ones for me)

I use 3 different VPN services (two of them regularly) and all servers seem to be blocked, even the one that was whitelisted manually.

I too know a couple people who are in the same boat and so just don’t use FT anymore. For me it’s cut my visits way down and I just rely on the email notifications to know a little bit about what’s going on here, but generally can’t reply except the once every few weeks for something that I’m compelled enough to make it happen (such as this thread).

FT is the only site I’m having this problem with, and I am certain that many sites on the internet also use Cloudflare, so I’m wondering if maybe there’s a configuration that is set to some extreme degree that is blocking nearly every VPN out there. I wish the right person who understands the issue and has control over the site’s configuration would see this thread and consider lowering the level of that setting to one that would allow SOME VPN servers to access the site. Barring something like that, FT is basically an email newsletter to me now :’(

Lastly for the poster who suggested that everyone just stop using VPN altogether because one website is inaccessible because of it- it reminds me of when that iPhone came out and had a bad antenna design flaw resulting in poor signal when handheld a certain way and Steve Jobs suggested that instead of altering the antenna design that people just hold the phone differently. The internet minions immediately found and posted photos of Jobs holding the iPhone the exact same (supposedly “wrong”) way and the next iPhone came out with a revised antenna set up that fixed the issue. smh

Again, we can accommodate VPN users, but we need you to use a single IP that we can whitelist.

Thanks working again. I just hope that when I turn VPN off anf back on I don't get assigned a new IP address and get the error again.

That's a bit of an over exaggeration of what I said. I didn't say stop using VPN altogether but consider using it more selectively when you really need to do so. I think everyone who has reported the issue has noted that turning off their VPN has resolved the issue.

FT is essentially a 'free' to use site, although I guess that the advertising revenue that IB can get pays the bills necessary to keep it prospering. Regular users will be aware that the site does get targetted by denial of service attacks from time to time, and IB have chosen to use cloudflare to help accelerate the site performance as well as defend against such attacks to help maintain uptime. IB have probably turned on some additional IP filtering to provide some additional front door security to probably minimise the costs of Cloudflare sinking DDOS traffic. CDN providers like Cloudflare typically strike commercial deals on the basis of what's expected as an 'in contract value' and then a PAYG rate for what is unexpected. So by turning on the additional IP filtering my guess is that IB are trying to defend against additional PAYG bandwidth costs from Cloudflare to sink malicious traffic. The reason that the IPs that the public VPNs are on this list is because they are frequently associated with traffic that is suspicious or malicious.

IB are not a charity. This site is commercially run. It's probably getting a lower number of hits and less advertising revenue than it used to due to the downturn in global air traffic, but has been the subject of more DDOS attacks which are expensive to mitigate. We can ask the techs to twiddle the knobs and permit certain IPs but it will be a case of whack-a-mole. Those same tech resources could be otherwise trying to fix other genuine software bugs like the ARG likes, or a dark mode.

I am not anti-VPN, they have a place and purpose. But I would not use them all the time as they obfuscate genuinely useful information from genuine sites that you probably use from time to time and can actually raise your own risk level for logins and financial transactions on the web.

Could you please explain how VPNs actually raise risk levels for logins etc? Thanks

Yes. A number of systems now use a number of criteria to assess the posture of a potential login or a transaction. They will typically use data that they can reasonably collect or know and aggregate the intelligence and posture across all users that use their systems globally. For example (there are other metrics)

• Who the user is
• What their usual transactions look like
• Where they say they usually located
• IP addresses and locations that they have used in the past
• The reputation of those IP addresses
• Whether the device being used has been seen previously and whether the locale and user agent of the device matches previous transactions
• Etc

if something looks out of the ordinary, the service if it can might ask for a 2nd factor authentication when a transaction seems unusual from the list of above typical metrics (or any others it has access to). For example from a new device, or in this instance suddenly from a different country or an IP address of poor reputation, especially when the last previous login was in a different geographical region and it would be impossible for the person to have flown in that time. Conversely using a WiFi connection at a transport hub or as you travel can actually help systems profile you as travelling somewhere and be less paranoid about new connections in a new location.

Systems will where possible learn the networks that a user typically uses... Work, Home ISP, Mobile ISP, WiFi in their local hospitality venues. If they pop up in a new coffee bar in the same country then this will usually be seen as low risk. But pop up on an IP with poor reputation in another country suddenly, this would hopefully be seen high risk and further checks instigated to protect.

If the user has a regular pattern of using public VPNs then there will be a pattern of jumping about between IP addresses in various places typically with a poor reputation. The login systems can of course profile this as part of this user's typical behaviour, but with a certain amount of blindness, but they won't be able to get a richness of quality data about those connections compared to using network connections directly.

How do I know this - experience of how globally mobile users are profiled by global systems for $dayjob and how public VPNs make a mess of the intelligence that can protect them.

Banks in particular are now using this kind of data to comply with PSD2 (Payment Services Directive) to protect financial transactions. Take a user who makes most of their purchases in Country A, but does most of their online purchases from random IPs in Countries B, C and D. What does the bank do when it sees a new online transaction for Country E, is it high risk?

Public VPNs eliminate a layer of data intelligence and lump your connectivity in with a bunch of other ne'er-do-wells. And the encryption the VPNs typically offer isn't offering anything significant over the native encryption these sites deploy.

I like being able to read sites like NYT and Wapo when I'm logged into FT. I get the fact that there are only about 10 FTers in China at present, but all of us use the same VPN provider, so whitelisting our favorite servers should be easy. My request is for Los Angeles Supercharged. Our friends in Beijing tend to have better luck with others.

Frankly that's a pretty lopsided view of the issue, which seems to be skewed by who pays your daily living.

I couldn't care less about some automatic geolocation profiling as a means to "protect me", since the very same technology is often times used maliciously for selling my data, forcing advertising on me I don't want or forcing me to be outside some online services. Plus of course other even more malicious forms of evesdropping and ouright espionage. I don't have an issue using an added login verification, but I do take issue with being evesdropped e.g. on a public WLAN or using any Internet connection in a multitude of countries (we aren't only talking the PRC here now). And I didn't yet mention honey pot WLANs.

Suggesting/Advicing me to use a direct connection without an encrypted TCP/UDP tunnel, for the sake of "it's more safe for me" is - with all due respect, utter crap talk and not very recommendable in most scenarios, unless you're happy to expose your traffic. Yes, running HTTPS over a VPN doesn't per say provide added security for a large amount of persons, but you can e.g. revert your DNS queries then, use a strong cipher and also control a bit more fine-grained how the connection is setup. Overall you are indeed better protected then, assuming you've taken steps to have adequate protection for all your online facing user accounts, in which case the geolocation algobased protection is something for the less informed end-users.

As for FlyerTalk, I bypass the overly sensitive WAF as needed, when on a VPN, but it's making the service less practical to use.

I understand where you are coming from but you don't know who pays me for my $dayjob, and if you had a genuine concern about half of the things you say you wish to protect yourself from, subscribing to a public VPN provider is to a certain extent kicking the can down the road - what assurance to you have over the infrastructure they are running, and who might or might not have access to it? What does your contract say and what right do you have to enforce or audit anything in it? Most of the public VPN contracts I have seen so far offer the subscriber little or nothing.

As I have said upthread, if you do want an additional layer of security I would suggest setting up a throwaway Linux box or similar to provide a VPN on demand that is dedicated to you, has no reputation issues, turned on only when you need it, configured as you need it, can listen on bespoke ports or protocols, etc. would probably be a better solution. There are plenty of tutorials out there.

same and highly annoying as i need the vpn to access other US and UK sites while in the EU and would like to switch over to flyertalk in the middle of work but cannot because i am aligned with the UK or US again so am shut out while on nordVPN.

VPNs only hide one's IP address, they do nothing to hide one's identity. An IP address may or may not be unique to an individual. As an example, FlyerTalk users tend to travel, which means they likely access the Internet from lots of different places, which has the same IP address hiding as using a VPN. Personally, I use a VPN 100% of the time when away from home as a privacy and security measure. When using Wi-Fi, anyone on the same Wi-Fi network can capture traffic. When using Ethernet, the local network sees the traffic. The primary purpose of VPNs by is to encrypt traffic to hide it from the local network (including other Wi-Fi users). Unfortunately, VPNs are also a great way for attackers to make it harder to block and trace their activity.

Your answer, while detailed and factual, doesn't actually explain how a VPN makes it more likely that a user is an attacker. Blocking access to a site by VPN users is too broad a brush. A site could, just off the top of my head, allow access by users with cookies that indicate recent successful authentication, and send other users to a more-thorough verification check.

It's not the VPN itself, it's the IP address that you end up using when you use a public VPN. Your risk profile is effectively the same as everyone else using that same node on that public VPN. Log into your corporate VPN it's a different story. Or a VPN you run yourself.

By choosing to use the public VPN service you've effectively chosen to walk into some downtrodden bar in a dodgy district somewhere, and although you might have innocently assumed it was an ok place to go for a drink, there's a bunch of people in there just watching their geo-ringfenced Netflix content in the snugs, but at the bar you're actually rubbing shoulders with some of the local criminal lowlife. The police walk in and start asking questions of everyone at the bar, they want to know why you're there and what you're up to associating with the others at the bar, and they're likely to be agresssive with their questioning. They might send you down the station for more questions (2FA challenge), or they eject you out for your own safety for drinking the wrong place and suggest you drink elsewhere in future (Cloudflare 1020 error).

But if you used your native IP address ir a private/corp VPN your reptuation would likely not be besmirched with other internet lowlife who think their VPN is going to protect them. By using your native IP address you're now drinking the bar of your multi-star hotel of a reputable brand where you have status and can earn some points and stuff that FT members care about. The chance that police are going to walk in is already low, and even if they do they would likely be polite and apologise for inconvenicing you.

You're right to question whether the login process of the forum could do more to provide protection, but InternetBrands are using some off the shelf forum software albeit with some customisation. The capabilities of the login authentication is fairly basic as it is for most forums. It doesn't appear to do 2FA, or if it does it will cost more that will have a detrimental impact on the economics of the service. So although I agree it would be good to do more with analysis of the login cookies I guess they are pretty much stuck with what the underlying software provides unless they develop something themselves at considerable cost and ongoing cost to maintain, or they wait for the bulletin board software provider to develop something better or plugins into the big boys (Google, Microsoft, Facebook, Twitter, etc) to reuse an identity you already have. There may be upgrades available that they haven’t implemented, but I don’t have any insight here.

I do have my own VPN running on one of my server machines at home, but when traveling it's not as reliable or fast as some of the larger VPN providers who have access points all around the world.

I get the downsides of using a VPN, but when traveling, there are at least a few reasons to always use a VPN:
1. From a reputable provider (like NordVPN), your connection will be more secure than the run of the mill hotel/airport WiFi. In fact, if you don't use a VPN, you're taking on added risk.
2. Some of your work (like stock trading, etc.), probably requires an IP address in your home country. This is not uniformly the case, but I do know of at least a couple of brokers I use that will not let me access my account from a foreign IP address.
3. If you're traveling in a country that's known to snoop internet traffic (and we all know at least a few of them), you should use a VPN. In fact, if you're traveling on business to some of these countries, your company SHOULD mandate the use of a VPN. The risk to IP loss/theft is real and several companies have suffered because of this.

It is annoying that FT is blocking me from accessing it using a US IP on NordVPN. I changed to a Canadian IP and can access it (as I'm doing now).

Just on this one point, my company requires a VPN with two-factor authentication for all travel anywhere, and also has a list of countries where the government actively engages in industrial espionage. For travel to those countries, it is prohibited to bring any company-provided equipment and strongly discouraged to bring any personal devices. (Including laptops, cell phones, etc.) The company provides special-use burner devices. For travel to countries on the list, we must leave our devices at home/office and get burner devices from IT. On return, the devices are wiped top to bottom. including firmware.

I opted out of all cookies when I logged in just now, and I run an ad blocker for 99% of websites, and to the right of this text input box are two boxes imploring me to think about the FlyerTalk team and how it's so easy for me to help them out by disabling my ad blocker.

Ironic, considering this is a website and forum dedicated to frequent travelers, a significant number of whom A: use VPNs when abroad for any number of which use VPNs when abroad and B: are unable to access anything on FlyerTalk while abroad using those legitimate VPNs. As this thread is now 7.5 years old (It'll be 8 this November) and this is STILL an ongoing problem that the "FlyerTalk Team" has no intention of fixing, No thank you, I will continue to deny you the ad revenue. Sorry, I'd be happy to help you out there, but you can't be bothered to even let me participate without using an insecure network connection. Such a sad, ironic shame.

As discussed above, it's not the use of a VPN per se that is blocked, it's the specific IP address your VPN uses for you. if that IP address has recently been used by attackers, it's blocked. There are ways around this. You can try disconnecting and reconnecting your VPN, as it might assign a different IP address that might not be associated with bad actors. You can try choosing a different VPN access point. You can try a different VPN provider.

​​​​

IF the ads and cookies (including those here on FT) didn’t also come with trackers, retargeting, “analytics” elements and other wholly unwanted and surreptitious tech then many of us would allow them in support of the sites we find value in visiting.

However, publishers and site operators, some unknowingly, display ads that act as a trojan horse to inject unwanted tracking code into the user’s browser, which follows them around long after they’ve left the website that injected the code. It sucks for everyone except maybe the retargeting companies and data brokers.

I value FT and would happily pay a reasonable fee annually for them to be able to provide the site without the invasive tracking technology. Unfortunately that’s not an option, and it’s not easy to convert an ad based site to a subscription one.

On the issue of VPN I also agree, it is sadly ironic and tone deaf to be trying to make savvy travelers of all demographics disable one of the few protective measures we have available to us. I did ask FT and they obliged me to whitelist a single VPN server. I appreciate being able to access the site again but it is a chore to switch to that server just for one website and admittedly my visits here have been a fraction of what they once were due to the extra hoop I now have to jump through.

I operate a small forum of my own and I realize it’s a balance between keeping the spam bots out yet keeping the site accessible and convenient for your users. Seems like it’s too heavy handed in the direction of the former concern, at least from where I sit.

Those are my two cents and FT Team and Mods, know that many of us very much appreciate this place and your work to keep it going. But please also consider the concerns expressed in this thread about the technology decisions that have been made. For every one of us being vocal about it there are likely many more who just stopped visiting and participating or don’t feel compelled enough to speak up.

edit: quoted wrong post.

Just on this note, I also visit the Australian Frequent Flyer forum, which offers access as free ad-supported and also paid without ads (subscription levels are $6/month, $50/year, $100/year).

My usage of Flyertalk has gone down by 80+% as a result of the VPN issue. Real shame. I tried to get my IP address whitelisted but it was to no avail as apparently it wasn't feasible. I'm no IT expert so can't speak to the details but I know that one of my go to websites is no longer that for me. Too bad, but oh well, life goes on.

Guys, I'm working with our network team to make some fairly comprehensive reforms on blocks. The hurdles to that are two-fold: Cloudflare is a service we use for security, but independent of us. The other problem is that I have zero knowledge or understanding of networks, so I need a lecture in every email explaining to me what our techs mean.

If it's not inappropriate, and you wouldn't be causing issues for IB by your dirty washing in public, there are some clueful techs on here that understand networks, I and maybe others can help with translation. :p