Jump to content
Not connected, Your IP: 3.144.47.115
airvpn.teiuxcg

Feature req: Isolation against other LAN users when VPN is connected

Recommended Posts

I'd like to see a check box that allows the user to choose whether they want to isolate themsel against other LAN users. This of course excludes common lan network protocols provided by the LAN network such as dhcp, dns (possibly) and in most cases ARP (ignore all but the gateway). This would provide protection against other rouge hosts on the lan. This way this service acts as our own private natted gateway to the internet and I wouldn't have to worry about what type of users are on the network I'm connecting to...

 

Any Q's regarding specifics let me know

Share this post


Link to post

This is exactly what VPN is used for, protecting your traffic from potentially malicious LAN users, for example on public Wi-Fi hotspots.

As soon as you establish the tunnel, no one will see the content and the protocols you are using on top of AirVPN, except DNS leaks that might occur.

 

As for the question you asked, your OS is usually the part that takes care of LAN isolation without VPNs.

On Windows it is simply the firewall menu that pops up each time a new network is discovered, and if you choose "Public", no traffic should be accepted from other LAN hosts.

Same goes on OSX when the Firewall is just on (Green). On Linux you will have to configure iptables, allowing only your default gateway.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

This is an important element of security for me too.  I use Linux and after connecting the host via Eddie, I simply bring up ufw and close everything down to tun0, and I mean everything!  I can't even see the network printer and that is how I want it configured (I could easily change that).  Many users here have devices on their network that they don't "really" control.  e.g. - a satellite system can do God knows what that you'll never fully understand.  My smart TV is on the network and again do I trust it to play nice and keep out of my stuff?  Nope.  Not trying to go all "tin foil" here, but if a three second call out to ufw can lock the doors from all then I do it every time.

 

There are other posts/threads in this forum discussing this.  Eddie is not designed for INTRA net security in the sense I am presenting.  No one in a coffee shop can read your posts because of the vpn, but devices can still see and "hit" your intra-net connected device unless you prevent it.  As zhang888 mentioned its handled as the OS level and I suggest you at least consider the implications if there are numerous devices on your system.

Share this post


Link to post

doesn't the network lock accomplish this?

 

I don't think so, this blocks any connections that are attempted before the tunnel is up. Stopping leaks, not denying connections to your LAN IP. This is from the FAQ about network lock.

  • Create AirVPN rules: allow local subnet, allow traffic over VPN, allow all IP addresses (under control of AirVPN) used by our authentication or VPN servers

This is an important element of security for me too.  I use Linux and after connecting the host via Eddie, I simply bring up ufw and close everything down to tun0, and I mean everything!  I can't even see the network printer and that is how I want it configured (I could easily change that).  Many users here have devices on their network that they don't "really" control.  e.g. - a satellite system can do God knows what that you'll never fully understand.  My smart TV is on the network and again do I trust it to play nice and keep out of my stuff?  Nope.  Not trying to go all "tin foil" here, but if a three second call out to ufw can lock the doors from all then I do it every time.

 

There are other posts/threads in this forum discussing this.  Eddie is not designed for INTRA net security in the sense I am presenting.  No one in a coffee shop can read your posts because of the vpn, but devices can still see and "hit" your intra-net connected device unless you prevent it.  As zhang888 mentioned its handled as the OS level and I suggest you at least consider the implications if there are numerous devices on your system.

 

Exactly it mr. iwih2gk  What I/we are requesting is a way to block any LAN clients connecting to my LAN IP. Without it services presented on your box can still be accessed and therefore still be compromised. As far as I see it, this is a win win, you don't trust the network you are on anyway (otherwise you wouldn't use a VPN), and you are blocked from any LAN based viruses/worms/hacks as well.

 

Eddie isn't designed to protect against LAN based attacks but they easily have the ability to do so, and therefore aid those users that still could have vulnerable services exposed on the LAN side. Eddie can block any connections with the network lock before the tunnel is up, why not adjust that a little and just leave that on.... no?

 

As for the question you asked, your OS is usually the part that takes care of LAN isolation without VPNs.

On Windows it is simply the firewall menu that pops up each time a new network is discovered, and if you choose "Public", no traffic should be accepted from other LAN hosts.

Same goes on OSX when the Firewall is just on (Green). On Linux you will have to configure iptables, allowing only your default gateway.

 

I agree, this is usually the function of the OS, however all OS's play differently and don't always compensate for VPN connections. If a client is being used as part of the service (AirVPN) then there ought to be consistency on what happens across the OS's otherwise there wouldn't be a point to a client.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...