Web lists-archives.com

Re: [OT a bit] -- OpenVPN and mobile safety




On Mon, 27 Nov 2017 00:33:02 +0900
Mark Fletcher <mark27q1@xxxxxxxxx> wrote:

> On Tue, Nov 21, 2017 at 05:46:23PM +0000, Joe wrote:
> > On Tue, 21 Nov 2017 22:35:24 +0900
> > 
> > Look at the --redirect-gateway startup option or (without leading
> > --) in the config file. The chances are that the default openvpn
> > configuration does this anyway, as there are two main uses for a
> > VPN, the remote access that you are using now, and the routing of
> > all traffic to a trusted network before it gets out unencrypted
> > onto the Internet. The latter use requires the gateway redirection.
> > 
> > Have a look at the routing table with and without the VPN open to
> > check. Also look at the server configuration, which should contain
> > 'push "route..."' and 'push "redirect-gateway...."' lines.
> > 
> > See the heading:
> > "Routing all client traffic (including web-traffic) through the VPN"
> > 
> > in page
> > https://openvpn.net/index.php/open-source/documentation/howto.html
> >   
> 
> Yep, this looks like what I was after. This actually claims to
> redirect ALL traffic through the VPN, and hints that this can cause
> trouble with DHCP, which sounds like a bit of a problem to be frank.
> Would have thought that would break a lot of networks. But I suppose
> I might get away with it if the hotel / whatever untrusted WiFi
> doesn't reassign IP addresses a lot. I just might have to do
> something on my home network's firewall to stop it attempting to
> service locally DHCP requests coming through the TUN.

'Send everything through the VPN' means everything which would be sent
to the default gateway, which does *not* include traffic destined for
the local network. After all, the VPN packets still have to be sent out
of the wifi interface...

Your link to the local wifi network has set up routing whereby anything
sent explicitly to *that* *network* will pass directly through the wifi
interface and not through the VPN. That will take care of any local
DHCP issues.

> 
> > It would also help if you have control of the tablet firewall code.
> > I've no idea if this is possible on Android. I have multiple
> > iptables rulesets for my netbook, two of which allow DHCP, web and
> > either ssh or openvpn out of the wifi interface, and a controlled
> > set over the tun, with only established and related connections
> > allowed back in.   
> 
> Yes, this part would be necessary to stop the tablet responding to 
> requests coming from the untrusted WiFi network, except maybe
> necessary things from the access point itself, eg DHCP... Anything
> coming from anyone else on the untrusted WiFI LAN I'd want to regard
> with extreme prejudice...
> 
> I don't know if Android has iptables, but I will dig around to see
> what it does have.
> 
> > 
> > But the gateway redirect must be working for the right signals to
> > get to the right firewall rules. Without control of the firewall,
> > the redirect will still do most of what you want, but you would be
> > able to send packets to the local wifi network explicitly.   
> 
> I'm less worried about the tablet being able to send to the untrusted 
> WiFi than I am about the untrusted WiFi being able to send to the 
> tablet. ie if some service I'm unaware of (it's stuffed with Samsung 
> bloatware after all) is listening on the device, I don't want it
> talking to strangers as it were...
> 

If the tablet has firewalling at all, it should prevent uninvited
access from everywhere. The tablet itself is free to contact outside
servers and the firewall should then permit replies. If there is no
firewalling by default, you will need to do something about it, and I
can't help you there, I know nothing about Android.

What control of the firewall would allow is for you to specify only
the outgoing contacts you approve of. While the VPN is open, you may
want to limit the protocols sent along it, and you may also want to
limit what can be sent to the local wifi network, firewall control
would allow both.

Note that most (maybe all) free wifi systems will want you to provide
some authentication before you are connected to the Net, generally
through a web page. In some systems, you may have a need to access the
web page after the VPN is up, so it is probably advisable to allow web
access to the wifi network as well as DHCP and OpenVPN.

-- 
Joe