JamesDean 10 Posted ...

While we all know that the best way to block all traffic if the VPN drops is to use firewall rules, there is some talk on other forums saying that traffic is blocked with other providers that also just use the OpenVPN client, with no firewall rules. Does explicit-exit-notify 5 dictate that if the connection to the VPN is lost, the TAP adapter is killed and all traffic is routed back through the physical NIC? If we remove that line, would the TAP adapter stay active, even with no connection to a server, and effectively keep traffic from leaking out of the physical NIC? If so, are there any foreseeable problems?
Staff 9972 Posted ...

Hello! The directive has nothing to do with that, please see the OpenVPN manual:

--explicit-exit-notify [n]
In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited. In client mode, on exit/restart, this option will tell the server to immediately close its client instance object rather than waiting for a timeout. The n parameter (default=1) controls the maximum number of attempts that the client will try to resend the exit notification message. OpenVPN will not send any exit notifications unless this option is enabled.

You can prevent leaks without firewall rules anyway, please see here: https://airvpn.org/topic/9797-blocking-non-vpn-traffic-without-firewall-using-routing-router

Kind regards
mimosa67 1 Posted ...

I'm using a router with librecmc, and just switched to AirVPN. The provided AirVPN_foo.ovpn file only works if the explicit-exit-notify line is commented. What might be the cause, and should I be worried about it?
OpenSourcerer 1435 Posted ...

Probably something you can't change in the UI. It's a user-defined directive which a small minority of clients don't even know. You can of course just leave it commented, it just means that the server is notified if the client disconnects. If it's not there and you disconnect, after 60 seconds your connection slot is being recycled. It's safer to have it, though.

(Signature: NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page.)
mimosa67 1 Posted ...

giganerd, thanks - at least now I know what it does, though I'm not sure how seriously to take the vulnerability. Is the threat model a correlation attack? However, I still wonder why my openvpn doesn't like it. I'm not using Eddie or any GUI by the way - just openvpn itself.
zhang888 1066 Posted ...

The OpenWRT version of OpenVPN on arm/mips doesn't support this directive. See here: https://airvpn.org/topic/16532-solved-with-minor-issue-openvpn-on-openwrt-cc-1505-and-dd-trunk/

There is no risk in commenting this directive, as long as you don't frequently reconnect to VPN servers and need all the 3 slots simultaneously. Not using it does not open a new attack vector, since this has nothing to do with security at all, it only notifies the server when you decide to gracefully disconnect.

(Signature: Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.)
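As an added example (not from anyone in this thread and not AirVPN's code), the following POSIX shell snippet lints a client .ovpn for the explicit-exit-notify directive discussed above. It encodes two facts from the thread: per the manual quoted by Staff, the directive only acts in UDP client mode, so on a proto tcp config it is inert; and the default attempt count is 1 when no number is given. The sample config and the host name vpn.example.invalid are constructed, and the function name check_exit_notify is an assumption of this example.

```shell
#!/bin/sh
# Added example: report how the explicit-exit-notify directive will behave
# for a given OpenVPN client config. Not part of OpenVPN or AirVPN.

# Constructed sample config standing in for AirVPN_foo.ovpn (hypothetical values).
SAMPLE_CFG=$(cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 443
explicit-exit-notify 5
EOF
)

# check_exit_notify CONFIG_TEXT
# Prints exactly one of:
#   absent     - directive not present at all
#   commented  - present only as a commented-out line (# or ;)
#   inert-tcp  - present, but proto is tcp so OpenVPN ignores it (manual: UDP client mode only)
#   active:N   - present on a UDP config with N resend attempts (default 1 when omitted)
check_exit_notify() {
    cfg="$1"
    proto=$(printf '%s\n' "$cfg" | awk '$1=="proto"{print $2; exit}')
    line=$(printf '%s\n' "$cfg" | grep -E '^[[:space:]]*explicit-exit-notify' | head -n1)
    if [ -z "$line" ]; then
        if printf '%s\n' "$cfg" | grep -qE '^[[:space:]]*[#;][[:space:]]*explicit-exit-notify'; then
            echo commented
        else
            echo absent
        fi
        return 0
    fi
    case "$proto" in
        tcp*) echo inert-tcp; return 0 ;;
    esac
    # Second field is the optional n parameter; OpenVPN defaults it to 1.
    n=$(printf '%s\n' "$line" | awk '{print ($2=="" ? 1 : $2)}')
    echo "active:$n"
}

# Usage with the constructed sample config: prints "active:5".
check_exit_notify "$SAMPLE_CFG"
```

Run it against a real client config with `check_exit_notify "$(cat AirVPN_foo.ovpn)"`; a result of `commented` on a UDP profile, as in mimosa67's case, means the server will only learn of a disconnect by timeout, which is the slot-recycling behaviour OpenSourcerer and zhang888 describe rather than a leak.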
mimosa67 1 Posted ...

zhang888, thank you. Looking at the thread you link to, it sounds as if this may eventually be fixed with an upgrade. It's good to know it doesn't really matter, meanwhile.