Jump to content
Not connected, Your IP: 3.142.40.195
JamesDean

explicit-exit-notify in .ovpn

Recommended Posts

While we all know that the best way to block all traffic if the VPN drops, is to use firewall rules, there is some talk on other forums that is saying that traffic is blocked with other providers that also just use the OpenVPN client, with no firewall rules.

 

Does explicit-exit-notify 5 dictate that if the connection to the VPN is lost, to kill the TAP adapter and route all traffic back through the physical NIC?

 

If we remove that line, would the TAP adapter stay active, even with no connection to a server, and effectively keep traffic from leaking out of the physical NIC?

 

If so, are there any forseeable problems?

Share this post


Link to post

Hello!
 
The directive has nothing to do with that, please see the OpenVPN manual:
 
--explicit-exit-notify [n]

In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited. In client mode, on exit/restart, this option will tell the server to immediately close its client instance object rather than waiting for a timeout. The n parameter (default=1) controls the maximum number of attempts that the client will try to resend the exit notification message. OpenVPN will not send any exit notifications unless this option is enabled.
 

You can prevent leaks without firewall rules anyway, please see here https://airvpn.org/topic/9797-blocking-non-vpn-traffic-without-firewall-using-routing-router

 

Kind regards

Share this post


Link to post

I'm using a router with librecmc, and just switched to AirVPN. The provided AirVPN_foo.ovpn file only works if the explicit-exit-notify line is commented. What might be the cause, and should I be worried about it?

Share this post


Link to post

Probably something you can't change in the UI. It's a user-defined directive which a small minority of clients don't even know. You can of course just leave it commented, it just means that the server is notified if the client disconnects. If it's not there and you disconnect, after 60 seconds your connection slot is being recycled. It's safer to have it, though.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

giganerd, thanks - at least now I know what it does, though I'm not sure how seriously to take the vulnerability. Is the threat model a correlation attack?

 

However, I still wonder why my openvpn doesn't like it.

 

I'm not using Eddie or any GUI by the way - just openvpn itself.

Share this post


Link to post

The OpenWRT version of OpenVPN on arm/mips doesn't support this directive.

See here:

 

https://airvpn.org/topic/16532-solved-with-minor-issue-openvpn-on-openwrt-cc-1505-and-dd-trunk/

 

There is no risk in commenting this directive, as long as you don't frequently reconnect to VPN servers

and need all the 3 slots simultaneously. Not using it does not open a new attack vector, since this has

nothing to do with security at all, it only notifies the server when you decide to gracefully disconnect.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

zhang888, thank you. Looking at the thread you link to, it sounds as if this may eventually be fixed with an upgrade. It's good to know it doesn't really matter, meanwhile.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...