
Open ports expose VPN users’ real IP

security ip ipleak

11 replies to this topic

#1 hugomueller

    Advanced Member

  • Members
  • 129 posts

Posted 22 December 2015 - 11:50 AM

https://www.perfect-privacy.com/blog/2015/12/21/wrong-way-security-problem-exposes-real-ip/

 

 

Another VPN security problem was found: “Wrong Way” may reveal the user’s real IP address like “Port Fail“. This time, not only providers with port forwarding are affected but rather all providers; they haven’t fixed the problem. The underlying problem is that packets received over the real IP will be answered via the VPN interface under certain conditions.

 

 

@AirVPN

Does your client handle this problem with the Network Lock?



#2 zhang888


    Donald Trump of IT/Security

  • Moderators
  • 2214 posts

Posted 22 December 2015 - 12:36 PM

The Network Lock will prevent this among many other things.

 

However, this vulnerability will only occur when you have:

 

1) A router with UPNP enabled

2) An application that listens on UDP ports


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#3 produs

    Member

  • Members
  • 26 posts

Posted 23 December 2015 - 01:10 AM

Doesn't Eddie listen on UDP ports?



#4 Ammonia

    Newbie

  • New Members
  • 4 posts

Posted 23 December 2015 - 09:17 AM

This is mitigated with Network Lock, no problem here.



#5 produs

    Member

  • Members
  • 26 posts

Posted 23 December 2015 - 03:03 PM

Okay. Thank you!!

#6 airvpnmember

    Newbie

  • Members
  • 9 posts

Posted 24 December 2015 - 01:30 PM

Hi Guys,

 

how does this affect those who have OpenVPN client running on a router?

 

Thank you.



#7 Staff

    Advanced Member

  • Staff
  • 7563 posts

Posted 24 December 2015 - 02:23 PM

Hello!
 
1) It's not that Network Lock "mitigates" the issue, it does solve it entirely at its root.
 
2) Again, this is much ado about nothing. According to our instructions, it's since 2010 that we instruct how to avoid correlations of these kinds (disable UPnP for example: 5 years ago it was already written in our proto web site). Those VPNs teams that show much concern and exploit sensationalism are just sending a message to gullible and inexperienced people. All the other persons can clearly see that this sensationalism hints to a lack of competence about the most basic and trivial routing concepts.
 
See also this nice article, which treats so called "Port Fail" in addition to other issues (including the one treated in this thread).

Another “critical” “VPN” “vulnerability” and why Port Fail is bullshit
https://medium.com/@ValdikSS/another-critical-vpn-vulnerability-and-why-port-fail-is-bullshit-352b2ebd22e2#.vgjazzmz8

and how the Great ValdikSS (author of the article and probably reading us) could get (according to his own words which we feel to share) a total of 7300 USD for "such a bullshit issue" (from les incompétents, we would be tempted to add). :D

Kind regards



#8 trekkie.forever

    Advanced Member

  • Members
  • 39 posts

Posted 24 December 2015 - 03:10 PM

> Hi Guys,
>
> how does this affect those who have OpenVPN client running on a router?
>
> Thank you.

 

Good question, I connect to Air servers using the included OpenVPN client on Asuswrt Merlin with UPnP off. Are there any further precautions needed and what about those on dd-wrt, tomato or even pfsense?



#9 Staff

    Advanced Member

  • Staff
  • 7563 posts

Posted 24 December 2015 - 03:26 PM

> > Hi Guys,
> >
> > how does this affect those who have OpenVPN client running on a router?
> >
> > Thank you.
>
> Good question, I connect to Air servers using the included OpenVPN client on Asuswrt Merlin with UPnP off. Are there any further precautions needed and what about those on dd-wrt, tomato or even pfsense?

 

Note these rules (on the guide about how to forward ports in DD-WRT etc.):

 

https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables

 

iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP

 

Bold is ours to make the answer to your question clearer.

 

Kind regards
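
Added example, not part of the original post and not AirVPN's code: every rule quoted above matches on the tunnel interface (`-i tun1`), so forwarded ports are only reachable through the VPN. The sketch below audits `iptables-save` output for port-forward rules that lack that match; the `tun` prefix, the address 192.168.1.50 and ports 40000/40001 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `iptables-save` text on stdin and
# lists port-forward rules that are not bound to the tunnel interface.
# Review aid only: it checks rule text, not the kernel's routing decisions.

# audit_forwards PREFIX
#   PREFIX: tunnel interface name prefix (assumption: "tun", as in tun1).
#   Prints each unbound rule; returns 1 if any were found, else 0.
audit_forwards() {
    prefix="${1:-tun}"
    found=0
    while IFS= read -r rule; do
        # Only DNAT redirects and per-port FORWARD accepts are port forwards.
        case "$rule" in
            "-A PREROUTING "*"-j DNAT"*) ;;
            "-A FORWARD "*"--dport "*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        # A forward is tunnel-bound only if it matches on "-i tunN".
        case "$rule" in
            *" -i ${prefix}"*) ;;
            *) printf 'UNBOUND: %s\n' "$rule"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample: 192.168.1.50 and ports 40000/40001 are placeholders.
sample_rules() {
    cat <<'EOF'
*nat
-A PREROUTING -i tun1 -p tcp -m tcp --dport 40000 -j DNAT --to-destination 192.168.1.50
-A PREROUTING -p udp -m udp --dport 40001 -j DNAT --to-destination 192.168.1.50
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.50/32 -i tun1 -p tcp -m tcp --dport 40000 -j ACCEPT
-A FORWARD -d 192.168.1.50/32 -p udp -m udp --dport 40001 -j ACCEPT
COMMIT
EOF
}

# Flags the two port-40001 rules, which would also match packets from the WAN side.
sample_rules | audit_forwards tun || true
```

On a router, the same function can read the live rule set with `iptables-save | audit_forwards tun`.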



#10 Kepler_438b2

    Member

  • Members
  • 23 posts

Posted 29 December 2015 - 06:23 AM

I had not turned off UPNP until now (but always used Network Block). Would leaving UPNP on have left me vulnerable? Thanks. BTW, you guys do a great job!



#11 Staff

    Advanced Member

  • Staff
  • 7563 posts

Posted 29 December 2015 - 10:18 AM

> I had not turned off UPNP until now (but always used Network Block). Would leaving UPNP on have left me vulnerable? Thanks. BTW, you guys do a great job!

 

Hello!

 

Don't worry, since you had Network Lock on, UPnP did not expose your system to correlations.

 

Kind regards



#12 A556

    Advanced Member

  • Members
  • 198 posts
  • Location: United States

Posted 05 March 2016 - 05:53 PM

> Hello!
>
> 1) It's not that Network Lock "mitigates" the issue, it does solve it entirely at its root.
>
> 2) Again, this is much ado about nothing. According to our instructions, it's since 2010 that we instruct how to avoid correlations of these kinds (disable UPnP for example: 5 years ago it was already written in our proto web site). Those VPNs teams that show much concern and exploit sensationalism are just sending a message to gullible and inexperienced people. All the other persons can clearly see that this sensationalism hints to a lack of competence about the most basic and trivial routing concepts.
>
> See also this nice article, which treats so called "Port Fail" in addition to other issues (including the one treated in this thread).
>
> Another “critical” “VPN” “vulnerability” and why Port Fail is bullshit
> https://medium.com/@ValdikSS/another-critical-vpn-vulnerability-and-why-port-fail-is-bullshit-352b2ebd22e2#.vgjazzmz8
>
> and how the Great ValdikSS (author of the article and probably reading us) could get (according to his own words which we feel to share) a total of 7300 USD for "such a bullshit issue" (from les incompétents, we would be tempted to add). :D
>
> Kind regards

I use ESET Smart Security's Firewall, so Network Lock doesn't work for me because it uses Windows Firewall. I was wondering if maybe you know what rules to set in ESET's firewall and what IPs to allow/deny so that only AirVPN traffic is allowed?






