Hello!
Vulnerabilities affecting multiple VPN software packages, including OpenVPN and OpenVPN-NL, are going to be presented at the Usenix Security conference today. If the local network is operated by a malicious party, the VPN user's routing table can be manipulated so that data that should go through the VPN is instead sent as plaintext.
The OpenVPN developers are currently considering ways to mitigate these vulnerabilities. For now, users can mitigate them as follows:
* Specify the VPN server by an IP address, not by a hostname. If that is not possible, authenticate DNS traffic in some way (e.g., DNSSEC, DNS over HTTPS) *before* setting up the VPN tunnel.
* Do not connect to untrusted networks. VPNs do not offer perfect protection against malicious local network operators.
* If you have to use an untrusted network, add the block-local flag to redirect-gateway in the client configuration. (Note that this disables all traffic to the local network, so it cannot be added to every configuration.)
You can find an explanation of these attacks, including a link to the paper on https://tunnelcrack.mathyvanhoef.com. I include a brief summary below.
Typically, routing when running a VPN looks as follows:
* All traffic not matching any other rules is sent through the VPN.
* Traffic to an address in the local network is *not* sent through the VPN. This way, machines in the local network can still be accessed.
* Traffic to the VPN server is sent out to the router.
# LocalNet Attack

In the LocalNet Attack, a malicious DHCP server claims that a public IP address is in the local network. For example, if the attacker wanted to leak traffic to wikipedia.org (91.198.174.192), it would claim that the local network is 91.198.174.0/24. Of course, traffic to websites will usually be encrypted, but it will still leak whether the website is visited or not.
This can be prevented by adding the block-local flag to redirect-gateway (see the manual), but it will also block access to any machines in the local network while the VPN is in use.
# ServerIP Attack

The ServerIP Attack affects clients that have the VPN server specified by a hostname rather than an IP address. The attacker spoofs the DNS response to make the client use an IP under their control as the VPN server. Let's say this IP address is 1.2.3.4. This server proxies the VPN traffic to the actual VPN server so that the user does not notice anything is wrong.
Now, the attacker can spoof the DNS responses for other hosts to send traffic to the same server at 1.2.3.4. Because this is the same address as the VPN server, this traffic bypasses the VPN and goes directly to the router.
This attack can be prevented by using a hard-coded IP address for the VPN server, or by authenticating DNS in some way (e.g., DNSSEC or DNS over HTTPS) *before* setting up the tunnel.
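To make the routing rules above concrete, here is a small model of the client's routing decision, covering both the LocalNet and the ServerIP case, together with a defender-side sanity check on the subnet handed out by DHCP. This is an added example, not OpenVPN code; the VPN server address 203.0.113.5 in the LocalNet case is a constructed placeholder, while 1.2.3.4 and 91.198.174.192 are the addresses used in the text.

```python
"""Model of the client-side VPN routing rules and a leak check.

Constructed example, not OpenVPN code. Sample addresses: 1.2.3.4 is the
attacker-controlled proxy and 91.198.174.192 is wikipedia.org, both as
used in the announcement; 203.0.113.5 is a constructed placeholder for
a legitimate VPN server."""
import ipaddress

# Ranges in which a DHCP-assigned "local network" is normally expected.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def route_for(dst, local_net, vpn_server_ip, block_local=False):
    """Return 'tunnel' or 'plaintext' for one destination address.

    Follows the three rules from the announcement: traffic to the VPN
    server itself and (unless block-local is set) traffic to the local
    network go out to the router in plaintext; everything else goes
    through the tunnel."""
    dst = ipaddress.ip_address(dst)
    if dst == ipaddress.ip_address(vpn_server_ip):
        return "plaintext"  # the tunnel itself must reach the server
    if not block_local and dst in ipaddress.ip_network(local_net):
        return "plaintext"  # local-network exception
    return "tunnel"


def suspicious_local_net(local_net):
    """Flag a DHCP-assigned local network that lies outside private or
    link-local space. A public prefix presented as 'local' is the
    signature of the LocalNet attack and should be logged or refused."""
    net = ipaddress.ip_network(local_net)
    return not any(net.subnet_of(r) for r in PRIVATE_RANGES)


def leaking_destinations(dsts, local_net, vpn_server_ip, block_local=False):
    """List the destinations whose traffic would bypass the tunnel."""
    return [d for d in dsts
            if route_for(d, local_net, vpn_server_ip, block_local) == "plaintext"]
```

With the attacker's 91.198.174.0/24 claim, traffic to 91.198.174.192 is classified as plaintext unless block-local is set; with a spoofed DNS answer pointing a host at the same 1.2.3.4 as the VPN server, it is classified as plaintext regardless of that flag.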
Best regards, Max Fillinger