
Re: [OT a bit] -- OpenVPN and mobile safety

On Tue, Nov 28, 2017 at 02:31:16PM +0000, Joe wrote:
> On Tue, 28 Nov 2017 21:28:55 +0900
> Mark Fletcher <mark27q1@xxxxxxxxx> wrote:
> 
> > On Sun, Nov 26, 2017 at 04:18:12PM +0000, Joe wrote:
> 
> > > 
> > > Note that most (maybe all) free wifi systems will want you to
> > > provide some authentication before you are connected to the Net,
> > > generally through a web page. In some systems, you may have a need
> > > to access the web page after the VPN is up, so it is probably
> > > advisable to allow web access to the wifi network as well as DHCP
> > > and OpenVPN. 
> > That would defeat some of the purpose -- allowing the tablet 
> > (specifically bloatware) to access the local network would (continue
> > to) expose me to gawd alone knows what on unknown and untrusted
> > networks. Obviously the network outside my home LAN is no more
> > trusted than a hotel / coffee shop / airport WiFi is, but bad actors
> > are known to loiter on such public networks waiting for idiots like
> > me to come along, and I'm interested in seeing to what extent I can
> > dodge them.
> 
> But in a network of that kind, you have no choice: you *must* connect
> to the authentication web server, in order to be granted access to the
> rest of the Net. If you try to connect to anything else, you will be
> redirected to that server. If that server has been hacked and malware
> installed, tough, there's no way to avoid it, it's one of the risks of
> using free wifi.

Yes, that is true. Perhaps I wasn't clear. At the beginning of this we 
were talking about the state of things after the VPN is up. We weren't 
talking about what happens before the VPN is up.

> 
> Allowing web access *out* through the wifi interface is not optional
> before the VPN is up, and will only allow the tablet to initiate a
> connection to a web server in that local network after the VPN is up. 

Again true, but not what we were talking about, or at least not what I 
thought we were talking about. I'm imagining the firewall in the default 
state at boot, and using a hook script or something to configure the 
firewall as part of connecting to the VPN. I'm dimly aware that is 
possible although on my home LAN I configure the firewall to open the 
VPN port on the server and then manually start the VPN server, and the 
desktop VPN client is on a trusted LAN anyway so its firewall settings 
don't in practice come into it. It is the tablet that is out in the 
wild, hence the focus of this discussion on the tablet.

I realise the realities you point out above leave holes in the tablet's 
protection, but as I believe you are saying there isn't much I can do 
about that except minimise the time the tablet is on and connected to an 
untrusted WiFi without the VPN being on and the firewall in a sensible 
state.

> It
> will not allow anything there to initiate inbound connections at any
> time, nor outbound web connections to anywhere else, they will get
> routed through the VPN. If you have something installed which can make a
> connection to another web server in that local network without action
> on your part, you've already been hacked, and there's nothing left to
> worry about...

I wouldn't imagine the firewall by default is blocking anything. I'll 
need to set it up to do so. Even on Debian that is the case. And the 
point of this sub-thread of the conversation, which unfortunately has 
been lost due to snipping by both of us, was what would happen if I 
could use the redirect-gateway capability of OpenVPN but _couldn't_ 
control the firewall, which fortunately has turned out not to be the 
situation...

Anyway, I appreciate your engagement on this, and I think I've got what I 
need to set this up now. Thanks!

Mark
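The hook-script idea Mark describes above, written out as an added example (this is not code from the thread or from the OpenVPN project). It is an OpenVPN client `up`/`down` script that switches the tablet's firewall between two states: while the tunnel is down, the wifi interface may carry only DHCP, DNS, plain web traffic (so the captive portal can be reached) and the tunnel endpoint; once the tunnel is up, the wifi interface is restricted to DHCP and the encrypted tunnel, and everything else can leave only through the tun device that `redirect-gateway` already owns. The interface names `wlan0`/`tun0`, the server address `203.0.113.5` and port `1194` are constructed placeholders, and the script assumes the tunnel runs over UDP; `script_type`, `trusted_ip` and `trusted_port` are environment variables OpenVPN exports to its hook scripts.

```shell
#!/bin/sh
# Added example, not from the thread. OpenVPN client up/down hook that locks
# the wifi interface down once the tunnel is up and reopens just enough for a
# captive portal when the tunnel is down. Assumes a UDP tunnel and iptables.

# Print the iptables commands for one of two states instead of running them,
# so the ruleset can be reviewed (or tested) without root.
#   mode     : "locked" (tunnel up) or "portal" (tunnel down)
#   wifi     : untrusted interface, e.g. wlan0 (placeholder)
#   tun      : tunnel device, e.g. tun0 (placeholder)
#   vpn_ip   : VPN server address (placeholder 203.0.113.5 in the test)
#   vpn_port : VPN server UDP port (placeholder 1194 in the test)
build_rules() {
    mode="$1"; wifi="$2"; tun="$3"; vpn_ip="$4"; vpn_port="$5"
    # Baseline shared by both states: default deny in every direction,
    # loopback open, replies to our own connections allowed back in,
    # DHCP in both directions (DHCP offers are broadcast, so conntrack
    # does not reliably match them as ESTABLISHED), and the tunnel
    # endpoint reachable over the wifi interface.
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wifi -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -o $wifi -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $wifi -p udp -d $vpn_ip --dport $vpn_port -j ACCEPT
EOF
    case "$mode" in
        locked)
            # Tunnel up: nothing else may leave via wifi; all other traffic
            # goes out through the tun device that redirect-gateway points at.
            echo "iptables -A OUTPUT -o $tun -j ACCEPT" ;;
        portal)
            # Tunnel down: the captive portal needs DNS and plain web access
            # over wifi; no other outbound traffic is permitted.
            cat <<EOF
iptables -A OUTPUT -o $wifi -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $wifi -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
            ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Feed the generated commands to a shell, or just print them when DRY_RUN=1.
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then cat; else sh -e; fi
}

# Entry point when OpenVPN runs this script: $1 is the tun device, and
# OpenVPN exports script_type ("up" or "down"), trusted_ip and trusted_port.
# WIFI_IF names the untrusted interface (assumed default: wlan0).
main() {
    tun="${1:-tun0}"
    wifi="${WIFI_IF:-wlan0}"
    case "${script_type:-}" in
        up)   build_rules locked "$wifi" "$tun" "$trusted_ip" "$trusted_port" ;;
        down) build_rules portal "$wifi" "$tun" "$trusted_ip" "$trusted_port" ;;
        *)    echo "usage: run as an OpenVPN up/down script" >&2; return 1 ;;
    esac | apply_rules
}

# Only act when OpenVPN has actually invoked us as a hook.
[ -n "${script_type:-}" ] && main "$@"
```

To wire it in, the client config needs `script-security 2`, `redirect-gateway def1`, and `up` and `down` lines pointing at the script; the `down` state deliberately still permits web traffic over wifi because, as Joe notes earlier in the thread, reaching the portal's web server before the tunnel is up is not optional. The two states are generated by the same function so the baseline (default deny, DHCP, tunnel endpoint) cannot drift between them.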