Web lists-archives.com

Re: Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

>   I'd strongly urge you to reconsider packaging this project, for
>  three main reasons:
>   * It relies upon the external VPNGate.net site/service.  If this
>     goes away in the lifetime of a stable Debian release users will
>     be screwed.

That is actually a good point. I wonder if using a local copy might be
a good alternative.

>   * It allows security attacks against the local system, which other
>     users on the host could exploit via symlink attacks on
> /tmp/openvpnconf

True, but this could be handled by using a better system to access a
temp file.

>   * It allows security attacks on against the local system which the
>     remote service could exploit:
>     1.  The tool downloads a remote URL to /tmp/openvpnconf
>     2.  The file is then given as an argument to the command:
>             sudo openvpn /tmp/openvpnconf
>     3.  That generated/downloaded openvpn configuration file could
>        be written to do anything, up to and including `rm -rf /`.

Can you actually get openvpn to do this?

>   Finally the project itself notes:
>     "This is completely insecure. Please do not use this for anything
>     important. Get a real and secure VPN. This is mostly a fun tool
> to
>     get a VPN for a few minutes."

I read this not as "insecure for the system it runs on" but "insecure
on the connection side". This is certainly not something you should use
  to open your local network to, or to do something illegal.

Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org
Jabber: michael at xmpp dot meskes dot org
VfL Borussia! Força Barça! SF 49ers! Use Debian GNU/Linux, PostgreSQL