Access when using a VPN

[Finlander 0]

Hi,

Evernote on my Mac is not syncing when I'm connected to a VPN. I've seen it suggested in other comments that some VPC data centers may be blacklisted by Evernote. Why do you care? I'm using NordVPN so that I can have a static IP at home, as I need one for work. The IP is dedicated, so nobody else is using the same IP, and yet when connected to the VPN, I can't even connect to https://evernote.com ("403 Forbidden"). With the VPN off, Evernote works, but as I said, I'm generally always connected, which makes use of Evernote a pain. Can you whitelist specific static IP even if it is within a CIDR block of a blacklisted data center?

[PinkElephant 8,120]

Using a VPN means nobody on the „far“ end of the connection does see your local IP, be it static or dynamic. They only see the IP of the VPN server that routes the traffic into the open web.

Now it’s hard to tell what’s going on. If the VPN exit node has been used recently for illegitimate uses like spamming, brute forcing or DDOS attacks, it may be it was blacklisted. You can’t know, and you couldn’t do anything against it. To test you could move your VPN exit node to another place, which means to a different IP, and try if it works there.

It might be the VPN provider himself is blocking some sites - pretty unlikely in case of EN.

Any security software in your own computer that might interfere ?

[Finlander 0]

Correct, not my local IP, but NordVPN and some other VPN providers now offer static outbound endpoints at an extra fee where the user gets assigned a static public IP the traffic from that user then always exits from. This is useful, for example, when needing to be able to whitelist an IP at a remote firewall while using a typical internet provider, say Verizon FiOS, whose assigned IPs periodically change. I'm using such an assigned IP, so I know that this IP isn't being used by anyone else (and hasn't been used for a while as I've had the IP now for over six months). Of course, the data center CIDR around "my" IP could have been. If I select a random exit point at NordVPN, even geologically close to my assigned static IP, then Evernote works. No, local software doesn't interfere, and in fact, the remote response appears to come from a firewall device as I get a 403 response.

But what you're saying is that Evernote (on the service side) doesn't block IPs, such as those from VPN providers, as a policy?

[PinkElephant 8,120]

Why should EN block VPNs in general ? It’s the users choice how to get at his data. I use VPN access myself, both through providers and through my own server. I avoid NorthVPN, they are doing too much advertising with windy security promises. 

But it may be that a specific end point is blocked when it was used for malicious activities before. This can be a single IP, or a range.

I doubt blocking is done by EN. To know you can ask support.

[JensZ 0]

I have exactly the same issue using airvpn. Must be an EN issue because my VPN tunnel is existing for several years and I did not faced any issues right now. Quite annoying. 

[PinkElephant 8,120]

Connection is working with my VPN provider. I really think that the blocking occurs when an endpoint server was used by some hackers, and this activity is detected.

Since you never know which folks will be connected through the same endpoint, you can try if using another VPN server (or switching to another country) allows for access.

[JensZ 0]

Who can help me here? I created a ticket 4 days ago and have not received any answer right now. Using VPN in public networks is a must have for me and in case VPN is blocked by EN (for whatever reason) it is not usable for me.

I can't use Evernote like this!!!

[PinkElephant 8,120]

Support reaction time is roughly 14 days at the moment.

As I said, connection through VPN is working for me. If it is just EN, you can skip the VPN. Data in transfer is encrypted by TLS/SSN.

[Finlander 0]

On 12/2/2023 at 3:45 PM, PinkElephant said:

Since you never know which folks will be connected through the same endpoint, you can try if using another VPN server (or switching to another country) allows for access.

In my case, that cannot be the case because, as I said, I'm using a dedicated IP from NordVPN (https://nordlayer.com/dedicated-ip/) and have had the same IP for the last seven months. Evernote worked earlier while using it but is no longer connecting while the VPN is on. 

This blocking would be done on Evernote's end; the VPN provider does not block outbound destinations. Perhaps Evernote servers are using some kind of auto-blacklist system that blocks entire CIDR blocks for known hacker activity. In any case, it makes Evernote use a pain. I think it's a terrible idea to employ IP blocking practices for a SaaS because you never know what IPs the customers are using. Stop blocking IPs and instead have the servers sufficiently hardened against hacking attempts.

[PinkElephant 8,120]

Maybe they block a whole IP-Range. NorthVPN likely has complete ranges, and if too much trouble originates from there, it is pretty easy to block a range. Easier than to listen to all, and find out that all except the …xxx.146 are evil.

In addition it completely escapes me how somebody using an anonymizing tool is happy about getting a static IP. But that’s another question, probably mostly related to NorthVPN finding always methods to make more money from the fear of their customers.

In fact there is no need to send EN traffic through a tunnel in most cases - communication is encrypted by TLS/SSN. If you want some protection for a network, a Cloudflare tunnel would be an alternative.

[Finlander 0]

As I mentioned, I don't use the VPN necessarily to anonymize but to have a static IP, which my Internet provider doesn't offer for home customers. I need a static IP to be able to whitelist it on some of my work-related firewalls. 

It may be possible to route application-specific traffic outside of the VPN tunnel; at least, it can be done on Linux, maybe on Mac/Windows, too. But I don't feel I would need to for a product like Evernote. For a comparison, Joplin (joplincloud) works fine over the same VPN tunnel, and as I already use Joplin for all my personal technical documentation/notes, unless corrected by the next renewal date, this may push me to migrate my non-technical notes from Evernote to Joplin as well. The only thing I'd miss is the better web clipper.

[PinkElephant 8,120]

Firewalls … interesting. IPv6 would solve this all, I assume. But OK, nothing of my business.

I would say: Ask support.

https://help.evernote.com/hc/en-us/requests/new