Re: [OT a bit] -- OpenVPN and mobile safety

On Tue, Nov 21, 2017 at 05:46:23PM +0000, Joe wrote:
> On Tue, 21 Nov 2017 22:35:24 +0900
> 
> Look at the --redirect-gateway startup option or (without leading --)
> in the config file. The chances are that the default openvpn
> configuration does this anyway, as there are two main uses for a VPN,
> the remote access that you are using now, and the routing of all
> traffic to a trusted network before it gets out unencrypted onto the
> Internet. The latter use requires the gateway redirection.
> 
> Have a look at the routing table with and without the VPN open to
> check. Also look at the server configuration, which should contain
> 'push "route..."' and 'push "redirect-gateway...."' lines.
> 
> See the heading:
> "Routing all client traffic (including web-traffic) through the VPN"
> 
> in page
> https://openvpn.net/index.php/open-source/documentation/howto.html
> 

Yep, this looks like what I was after. This actually claims to redirect 
ALL traffic through the VPN, and hints that this can cause trouble with 
DHCP, which sounds like a bit of a problem to be frank. Would have 
thought that would break a lot of networks. But I suppose I might get 
away with it if the hotel / whatever untrusted WiFi doesn't reassign IP 
addresses a lot. I just might have to do something on my home network's 
firewall to stop it attempting to locally service DHCP requests coming 
through the TUN.

> It would also help if you have control of the tablet firewall code.
> I've no idea if this is possible on Android. I have multiple iptables
> rulesets for my netbook, two of which allow DHCP, web and either ssh
> or openvpn out of the wifi interface, and a controlled set over the tun,
> with only established and related connections allowed back in. 

Yes, this part would be necessary to stop the tablet responding to 
requests coming from the untrusted WiFi network, except maybe necessary 
things from the access point itself, e.g. DHCP... Anything coming from 
anyone else on the untrusted WiFi LAN I'd want to regard with extreme 
prejudice...

I don't know if Android has iptables, but I will dig around to see what 
it does have.

> 
> But the gateway redirect must be working for the right signals to get
> to the right firewall rules. Without control of the firewall, the
> redirect will still do most of what you want, but you would be able to
> send packets to the local wifi network explicitly. 

I'm less worried about the tablet being able to send to the untrusted 
WiFi than I am about the untrusted WiFi being able to send to the 
tablet. I.e. if some service I'm unaware of (it's stuffed with Samsung 
bloatware after all) is listening on the device, I don't want it talking 
to strangers as it were...

Thanks for your reply, sorry I took a while to respond, but I was 
travelling for business.

Mark
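The client-side ruleset Joe describes (DHCP, web and OpenVPN allowed out of the Wi-Fi interface, a free hand over the tunnel, and only established/related traffic allowed back in) written out as an added example. This is not code from the thread or from the OpenVPN project; the interface names (wlan0, tun0), the OpenVPN port (UDP 1194), the DNS allowance for resolving the VPN server's name and the LOG rule for dropped Wi-Fi traffic are all assumptions. It defaults to a dry run that prints the iptables commands so they can be reviewed before being applied with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny iptables ruleset for a
# Linux VPN client on untrusted Wi-Fi. Interface names and ports are assumed.
set -eu

WIFI_IF="${WIFI_IF:-wlan0}"   # assumed: untrusted Wi-Fi interface
TUN_IF="${TUN_IF:-tun0}"      # assumed: OpenVPN tunnel interface
VPN_PORT="${VPN_PORT:-1194}"  # assumed: OpenVPN server port (UDP)
IPT="${IPT:-iptables}"

# DRY_RUN=1 (the default) prints each rule instead of applying it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

vpn_client_rules() {
    # Default-deny everywhere; a client never needs to forward.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP
    run -F

    # Loopback is always fine.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened, on any interface. This is what
    # keeps the tablet's listening services unreachable from the Wi-Fi LAN:
    # nothing NEW is accepted on wlan0 except the DHCP rule below.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Wi-Fi: only what is needed to get an address and bring the tunnel up.
    # DHCP offers/acks come back to the broadcast address, so conntrack does
    # not see them as replies; they need an explicit INPUT rule.
    run -A OUTPUT -o "$WIFI_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    run -A INPUT  -i "$WIFI_IF" -p udp --sport 67 --dport 68 -j ACCEPT
    # DNS to resolve the VPN server's name (assumption; drop if you use an IP).
    run -A OUTPUT -o "$WIFI_IF" -p udp --dport 53 -j ACCEPT
    # The OpenVPN session itself.
    run -A OUTPUT -o "$WIFI_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    # Web out, so a captive portal can be completed before the tunnel is up.
    run -A OUTPUT -o "$WIFI_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Tunnel: everything out; nothing back in except tracked replies.
    run -A OUTPUT -o "$TUN_IF" -j ACCEPT

    # Anything else arriving from the Wi-Fi LAN falls to the DROP policy;
    # log a rate-limited sample so probes at listening services are visible.
    run -A INPUT -i "$WIFI_IF" -m limit --limit 5/min -j LOG --log-prefix "wifi-drop: "
}

# Usage: sh vpn-client-fw.sh            (prints the rules for review)
#        DRY_RUN=0 sudo sh vpn-client-fw.sh   (applies them)
vpn_client_rules
```

Once --redirect-gateway is active, the only route left via the Wi-Fi gateway is the host route to the VPN server, so the web and DNS allowances on wlan0 are reachable only before the tunnel comes up (or if it drops); check with `ip route` with and without the VPN open, as Joe suggests.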