Another “critical” “VPN” “vulnerability” and why Port Fail is bullshit

“Critical vulnerability in all VPN protocols on all operating systems.” So scary!

Why is that?

In every configuration tested, a UDP packet that arrives on the real (ISP-facing) interface is answered through the VPN interface, because the route for the reply is chosen by its destination, not by the interface the request came in on. Only what happens to TCP differs:

  • OpenVPN (def1) — UDP replies go via the VPN interface, TCP works correctly
  • IPsec IKEv2 — UDP replies go via the VPN interface, TCP is dropped
  • OpenVPN (def1) — UDP replies go via the VPN interface, TCP is dropped
  • IPsec IKEv2 — UDP replies go via the VPN interface, TCP works correctly
  • OpenVPN (def1) — both UDP and TCP replies go via the VPN interface if rp_filter is set to 0, and the incoming packets are dropped if rp_filter=1
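The mechanism behind the list above can be reproduced on one Linux machine with no VPN at all. The following is an added example, not code from the original post: a UDP server bound to 0.0.0.0 receives a datagram addressed to 127.0.0.2 (standing in for the routable ISP address) from a prober at 127.0.0.1, and its plain sendto() reply leaves with the source address the routing table picks for the destination (127.0.0.1), not the address the request arrived on. The second variant uses IP_PKTINFO, the Linux ancillary-data API, to read the arrival address and force it as the reply source. The addresses, port and payload are assumptions for the demonstration; it relies on IP_PKTINFO and on all of 127.0.0.0/8 being local, so it is Linux only.

```python
"""Added example (not part of the original post): why a UDP daemon answers
from the "wrong" side.  A server bound to 0.0.0.0 on Linux replies with the
source address the routing table picks for the *destination*, not the
address the request arrived on.  127.0.0.2 stands in for the real (ISP)
address and 127.0.0.1 for the prober; no VPN is needed to see the effect.
Linux only: relies on IP_PKTINFO and on 127.0.0.0/8 being local."""
import socket
import struct

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)  # Linux value; older Pythons lack the constant

PROBED_ADDR = "127.0.0.2"  # plays the routable, ISP-supplied address (assumed)
PROBER_ADDR = "127.0.0.1"  # plays the scanner (assumed)


def pktinfo_dest(ancdata):
    """Destination address of a received datagram, taken from its IP_PKTINFO
    control message (struct in_pktinfo = ipi_ifindex, ipi_spec_dst, ipi_addr)."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack("I4s4s", data[:12])
            return socket.inet_ntoa(addr)
    return None


def pktinfo_source(src):
    """IP_PKTINFO control message that forces `src` as the source address
    of a datagram sent with sendmsg()."""
    payload = struct.pack("I4s4s", 0, socket.inet_aton(src), b"\0" * 4)
    return (socket.IPPROTO_IP, IP_PKTINFO, payload)


def probe(pin_source):
    """Send one datagram to PROBED_ADDR and return (address it arrived on,
    address the reply came from).  pin_source=False is what a naive daemon
    does (plain sendto); True replies from the arrival address instead."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # ask for the arrival address
        srv.bind(("0.0.0.0", 0))  # wildcard bind, as most UDP daemons do
        srv.settimeout(2)
        cli.bind((PROBER_ADDR, 0))
        cli.settimeout(2)
        port = srv.getsockname()[1]

        cli.sendto(b"hellothere!", (PROBED_ADDR, port))
        data, ancdata, _flags, peer = srv.recvmsg(64, socket.CMSG_SPACE(12))
        arrived_on = pktinfo_dest(ancdata)
        if pin_source:
            srv.sendmsg([data], [pktinfo_source(arrived_on)], 0, peer)
        else:
            srv.sendto(data, peer)  # source address chosen by the route lookup for `peer`
        _reply, (reply_from, _port) = cli.recvfrom(64)
        return arrived_on, reply_from
    finally:
        srv.close()
        cli.close()


if __name__ == "__main__":
    print("naive :", probe(pin_source=False))  # ('127.0.0.2', '127.0.0.1')
    print("pinned:", probe(pin_source=True))   # ('127.0.0.2', '127.0.0.2')
```

Replace 127.0.0.2 with a real address and 127.0.0.1 with an Internet host behind a tunnel default route and the naive case is exactly the BitTorrent and Skype leak below. Pinning the source address in the application is not a fix on its own: with the default route pointing into the tunnel, the pinned reply still leaves via the VPN interface, now with the real address as source, and is dropped somewhere along the way. That is why the mitigations in this post sit at the routing and firewall layer rather than in the applications.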

What could go wrong?

BitTorrent

  1. A user with a “real” (routable) IP address connects to the VPN, runs a BitTorrent client and downloads or seeds several files. The BitTorrent client opens a port on the user’s router using UPnP if needed.
  2. A copyright monitoring company collects the IP addresses and ports of all users seeding or downloading those files; the VPN users show up with the VPN’s address.
  3. The company sends BitTorrent UDP packets to the whole routable Internet address range on the ports collected earlier. This can be done within minutes over a 10G link.
  4. The client’s BitTorrent software receives the incoming UDP packet on its routable (ISP-supplied) IP address and sends the reply via the VPN interface, so the reply arrives from the VPN’s address.
  5. The company now knows which real IP address belongs to the VPN address it saw in the swarm.

Skype

# nping --udp -p 13318 --data-string 'hellothere!' -c 1 serv.valdikss.org.ru

Starting Nping 0.7.00 ( https://nmap.org/nping ) at 2015-12-20 19:54 MSK
SENT (0.0157s) UDP 195.154.127.59:53 > 92.42.31.8:13318 ttl=64 id=10802 iplen=39
RCVD (0.0859s) UDP 185.61.149.121:4272 > 195.154.127.59:53 ttl=54 id=1534 iplen=32

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A

The probe was sent to 92.42.31.8 (the real address) on port 13318, the Skype client’s port, but the answer came back from 185.61.149.121, the VPN’s address. nping cannot pair the two, hence the missing RTT, and the sender has just learned which real address sits behind that VPN address.
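Step 5 of the BitTorrent scenario and the nping run above are the same job: pair each probe with the answer it provoked and keep the pairs where the answer came from a different address than the one probed. The following is an added example, not code from the original post or from nping: a correlator over nping-style SENT/RCVD lines. The first two sample lines are the ones from the output above; the remaining lines are constructed for the example (198.51.100.7 answers from the address that was probed, 203.0.113.9 never answers), as are the source ports 54 and 55.

```python
"""Added example (not part of the original post): the correlation step that
turns replies like the nping output above into a real-address -> VPN-address
mapping.  Parses nping-style SENT/RCVD packet-trace lines."""
import re
from collections import namedtuple

LINE_RE = re.compile(
    r"^(SENT|RCVD)\s+\(([\d.]+)s\)\s+UDP\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+):(\d+)"
)
Event = namedtuple("Event", "kind ts src sport dst dport")

SAMPLE_LINES = [
    # the two lines from the post
    "SENT (0.0157s) UDP 195.154.127.59:53 > 92.42.31.8:13318 ttl=64 id=10802 iplen=39",
    "RCVD (0.0859s) UDP 185.61.149.121:4272 > 195.154.127.59:53 ttl=54 id=1534 iplen=32",
    # constructed: a host that answers from the address we probed (no leak)
    "SENT (0.1201s) UDP 195.154.127.59:54 > 198.51.100.7:13318 ttl=64 id=10803 iplen=39",
    "RCVD (0.1622s) UDP 198.51.100.7:13318 > 195.154.127.59:54 ttl=51 id=7710 iplen=39",
    # constructed: a host that never answers
    "SENT (0.2003s) UDP 195.154.127.59:55 > 203.0.113.9:13318 ttl=64 id=10804 iplen=39",
    "Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A",
]


def parse(line):
    """One nping packet-trace line -> Event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, ts, src, sport, dst, dport = m.groups()
    return Event(kind, float(ts), src, int(sport), dst, int(dport))


def correlate(lines):
    """Pair every RCVD with the SENT whose local (address, port) it answers.
    Returns {probed_ip: replying_ip} for answers that came from a different
    address than the one probed: the asymmetric-routing signature.  Pairing
    by our own source port only works if the scanner uses a distinct source
    port (nping -g) or payload token per target; nping defaults to port 53."""
    outstanding = {}  # (our_ip, our_port) -> probed ip
    leaks = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev.kind == "SENT":
            outstanding[(ev.src, ev.sport)] = ev.dst
        else:  # RCVD: an answer addressed to one of our probe sockets
            probed = outstanding.pop((ev.dst, ev.dport), None)
            if probed is not None and ev.src != probed:
                leaks[probed] = ev.src
    return leaks


if __name__ == "__main__":
    for real, vpn in correlate(SAMPLE_LINES).items():
        print(f"{real} is behind VPN address {vpn}")
```

Run against the sample, it reports 92.42.31.8 behind 185.61.149.121 and nothing for the two constructed hosts. Scaled to the whole address space, as in step 3, the outstanding table is simply the list of targets still waiting for an answer.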

How to mitigate this issue?

net.ipv4.conf.*.rp_filter (Linux strict reverse-path filtering; the kernel applies the higher of the “all” and per-interface values, and “default” covers interfaces created later, such as the tunnel device):
# sysctl net.ipv4.conf.all.rp_filter=1
# sysctl net.ipv4.conf.default.rp_filter=1
# sysctl net.ipv4.conf.tun0.rp_filter=1
# sysctl net.ipv4.conf.wlp3s0.rp_filter=1
Loose mode (rp_filter=2) does not help here: the prober’s source address is reachable via some interface, so the packet passes. IPv6 has no rp_filter sysctl, so use the netfilter rpfilter match instead:
# ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
  • Permit all new unicast UDP IPv4 packets from 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 and the active network adapters’ subnets; permit all new unicast UDP IPv6 packets from fd00::/8, fe80::/10 and the active network adapters’ subnets.
  • Block all new unicast UDP IPv4 and IPv6 packets arriving on any non-VPN interface. Only new (unsolicited) packets are blocked, so answers to traffic the client initiated, the VPN tunnel itself included, are unaffected.
echo 'pass in quick proto udp from 10.0.0.0/8 to any
pass in quick proto udp from 192.168.0.0/16 to any
pass in quick proto udp from 172.16.0.0/12 to any
pass in quick proto udp from 169.254.0.0/16 to any
pass in quick proto udp from 185.61.149.121/32 to any
block in quick on ! utun1 proto udp to any' | sudo pfctl -Ef -
The block rule matches inbound UDP on every interface except utun1, so the VPN server the tunnel runs to (185.61.149.121 here) has to be passed explicitly or the tunnel itself dies; there is no pass out rule creating state, so any other UDP the client sends outside the tunnel gets no answer back. pfctl -E enables pf and -f - loads the ruleset from stdin, replacing whatever is currently loaded (on macOS that includes the rules from /etc/pf.conf), so for anything beyond a quick test merge these lines into the existing configuration or an anchor.

Post scriptum

iptables -I INPUT -m conntrack -p udp --sport 4455 --ctstate NEW -j LOG

ValdikSS