
fix shared VPN/Tor server leak bug #12

Closed
adrelanos opened this issue May 5, 2016 · 1 comment

adrelanos commented May 5, 2016

problem description:

If a Tor entry guard is running on the same server (same IP) as the VPN server (same IP), and if the VPN breaks down, Tor may connect directly to the VPN if it happened to choose that Tor relay (same IP) as its entry guard. This is not that unlikely, because a lot of VPN providers support VPN port forwarding and use public IPs, and people host Tor servers behind VPNs.

(partial solution):

(A partial solution for this is to set the VPN VM's firewall rules to allow connections only to the VPN server. Specifying the destination port in that firewall rule should help a lot. Some cases will not be solved (like a VPN running on 443).)

full solution:

A full solution is to allow only the user tunnel to connect to the open internet, and no other users.

TODO:

  • Implement the full solution.
  • Build on top of the development branch.

starting point:

This was fixed in a similar firewall project. This was fixed in whonix-ws-firewall and whonix-gw-firewall. (These are firewalls tailored for Whonix that will not work as a drop-in replacement for vpn-firewall.)

tickets:

git commits:

documentation and implementation notes [as footnotes]:

The usability-misc package simplifies this by requesting less file creation from the user. [1] [2]


Footnotes:

[1] The user needs to comment in a few things to make it work. Here in vpn-firewall we could emulate/duplicate these configuration files and have them commented in by default.
[2] Can conflict with whonix-(gw|ws)-firewall but not with usability-misc. [3]
[3] Must not have the same file names as in the usability-misc package, so these can still be co-installed.


Bounty too low?:

  1. Go to https://www.bountysource.com/issues/33959514-shared-vpn-tor-server-leak-bug
  2. Click on "Developers"
  3. Click on "Get Started"
  4. Select Status "Bounty too low"
  5. Enter your offer and press "Save".
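The "full solution" above, as an added example that is not vpn-firewall's own code: a shell function that emits an iptables-restore ruleset (the format netfilter-persistent loads from /etc/iptables/rules.v4) in which only the user tunnel may leave through the uplink, and only to the VPN server, so Tor cannot reach the shared VPN/relay IP directly when tun0 is down. The interface names eth0 and tun0, the 203.0.113.10:1194 endpoint and the ICMP reject are assumptions for the example.

```shell
# Added example, not vpn-firewall's own code. Generates an iptables-restore
# ruleset implementing the "allow only user tunnel" fix. Assumed names:
# eth0 = uplink, tun0 = VPN interface; the VPN server address is a parameter.
vpn_firewall_rules() {
  vpn_ip="$1"            # VPN server IP (placeholder in the test below)
  vpn_port="$2"          # VPN server UDP port
  uplink="${3:-eth0}"    # physical interface (assumed default)
  tun="${4:-tun0}"       # VPN tunnel interface (assumed default)
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${tun} -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ${uplink} -s ${vpn_ip} -p udp --sport ${vpn_port} -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ${tun} -j ACCEPT
-A OUTPUT -o ${uplink} -d ${vpn_ip} -p udp --dport ${vpn_port} -m owner --uid-owner tunnel -j ACCEPT
-A OUTPUT -o ${uplink} -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}
# Notes on the rules:
# - Only ESTABLISHED is matched (no RELATED), matching the commit on this issue.
# - Any other user (Tor's own uid included) has no ACCEPT rule on the uplink, so
#   a new connection to the relay/VPN IP after tun0 goes down is rejected.
# - The owner match only exists in OUTPUT; it cannot be used for forwarded traffic.
```

Write the output to /etc/iptables/rules.v4 for netfilter-persistent, or feed it to iptables-restore directly; adjust the uplink and tunnel names to the VM's actual interfaces.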
adrelanos changed the title from "shared VPN/Tor server leak bug" to "fix shared VPN/Tor server leak bug" on May 5, 2016
adrelanos pushed a commit that referenced this issue May 11, 2016
use ip(6)tables --wait
made ip(6)tables commands configurable
RELATED,ESTABLISHED -> ESTABLISHED for better security (fixes #9)
ported from sysvinit to (systemd) netfilter-persistent
also source configuration folder /rw/config/vpn-firewall.d/*.conf
Debian packaging
licensing
refactoring
comments
adrelanos (Owner, Author) commented:

This is done in the development branch.
