OpenVPN problems
Posted: Tue Nov 19, 2013 10:08 am
I have been experimenting with an OpenVPN tunnel between ClientRouterA and ServerRouterB.
Good news is that I’ve gotten it to work (with some tweaks). Bad news is that there are some serious security and minor GUI problems.
Security problem
ClientRouterA is configured so that "All client traffic" goes through VPN. When ClientRouterA fails to establish a VPN tunnel (for whatever reason), traffic instead transparently exits the router using the local WAN. Put another way, the VPN client is not failing safely: When configured to use the VPN, ClientRouterA should ONLY route traffic through the VPN. This failure could be actively exploited (e.g. using a TCP SYN to terminate the VPN connection) to force the traffic to be routed in the clear.
My naive suggestion is to add firewall rules (when using "all client traffic" VPN mode) to allow communication only with the ServerRouterB on the specified port and transport (UDP/TCP). I guess an initial non-VPN DNS lookup may also be required for establishing the VPN connection.
Poor visibility of the state of the VPN connection
There is also no way for a normally skilled user to know that their traffic is not protected by the VPN. I only realized by accident that there was a problem. I would suggest providing status notifications on the gargoyle router status pages. VPN status should be highlighted when a connection is or cannot be established. It might make sense to add this also to the login splash screen, just as notifications of “You are at 100% of your quota” are shown.
GUI
Encryption selection: I am using Blowfish 256. My client shows that I am using 128 bit in the drop down list. I think there may be an initialization problem in the screen menus.
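The firewall suggestion in the post above, sketched as an added example (not part of the original post and not Gargoyle's own code): a shell function that prints, without applying, iptables rules that let the router reach only the VPN server over the WAN and stop LAN traffic from being forwarded there. The chain name `vpn_failclosed`, the interface `eth1`, and the server address and port are assumptions.

```sh
#!/bin/sh
# Added example: prints (does not apply) fail-closed firewall rules for a VPN
# client router. Chain name, interface name and sample address are assumptions.

vpn_failclosed_rules() {
    server_ip=$1; port=$2; proto=$3; wan_if=$4; allow_dns=${5:-no}
    chain=vpn_failclosed    # hypothetical chain name

    case "$proto" in udp|tcp) ;; *) echo "bad proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*|??????*) echo "bad port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port" >&2; return 1
    fi
    # Shape check only: insist on a literal IPv4 address so the allow rule
    # never depends on a DNS answer obtained outside the tunnel.
    case "$server_ip" in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) echo "bad ip" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "bad ip" >&2; return 1 ;;
    esac
    [ -n "$wan_if" ] || { echo "missing WAN interface" >&2; return 1; }

    echo "iptables -N $chain"
    # The router itself may reach only the VPN server's port over the WAN ...
    echo "iptables -A $chain -p $proto -d $server_ip --dport $port -j ACCEPT"
    # ... plus DHCP, so the WAN lease can still be renewed.
    echo "iptables -A $chain -p udp --sport 68 --dport 67 -j ACCEPT"
    if [ "$allow_dns" = yes ]; then
        # Only needed when the server is configured by hostname; these
        # lookups leave the router outside the tunnel.
        echo "iptables -A $chain -p udp --dport 53 -j ACCEPT"
    fi
    echo "iptables -A $chain -j DROP"
    echo "iptables -I OUTPUT -o $wan_if -j $chain"
    # LAN clients are never forwarded straight to the WAN; only the tunnel
    # interface remains as an exit, so a dead tunnel means no connectivity.
    echo "iptables -I FORWARD -o $wan_if -j DROP"
}

# Constructed sample values (203.0.113.0/24 is a documentation range).
vpn_failclosed_rules 203.0.113.10 1194 udp eth1
```

These are IPv4 rules only; a router with IPv6 on the WAN needs equivalent ip6tables rules.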