Author Topic: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES  (Read 9694 times)

Offline pkrisnin

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 84
ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« on: December 23, 2015, 08:36:25 PM »
I'm some what worried there hasn't been any client update for bolehvpn for some time now and with the TPPA signed VPN is very important.

https://torrentfreak.com/routing-feature-can-expose-vpn-users-real-ip-addresses-151222/

If so should we be using this patch
https://medium.com/@ValdikSS/another-critical-vpn-vulnerability-and-why-port-fail-is-bullshit-352b2ebd22e2#.2siv7w1it
https://github.com/ValdikSS/openvpn-block-incoming-udp-plugin

OpenVPN 2.3.9 has the a lot of fixes which among which fixes DNS leaks on Windows 8.1 and 10, what version of openvpn are we using with client 3.0.3 ?
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
« Last Edit: December 24, 2015, 06:22:31 PM by pkrisnin »

Offline PitBoss

  • Administrator
  • Admiral
  • *****
  • Posts: 1250
Re: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« Reply #1 on: December 24, 2015, 08:35:37 PM »
The hack that was mentioned does not affect most of our users who are using our shared IP servers. These servers do not allowed any port forwarding except those initiated by the outgoing traffic from the users devices.

However those who are using the dedicated dynamic IP servers need to protect themselves using their own internal firewall. These servers are configured to give users full access to forward their own services thru the tunnel and if we were to block incoming traffic to their IP then the services are useless to them. Any users using the dedicated IP servers should know the reasons and risks of using those open port servers.

As for openvpn 2.3.9, we are delaying the release until after new year due to a few other fixes that openvpn will release. This will include dropping of support for openssl older versions and operating systems that are no longer supported by their vendors. We are monitoring the development of openvpn on a daily basis and will issue update as and when it is critical and our GUI has addressed the dns leak and routing issues long before the articles or updates were made.

Thank you

« Last Edit: December 24, 2015, 08:40:12 PM by PitBoss »

Co-Founder / Administrator

Offline pkrisnin

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 84
Re: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« Reply #2 on: December 24, 2015, 10:09:50 PM »
appreciate the response

Offline userjame

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 44
Re: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« Reply #3 on: December 25, 2015, 05:51:38 PM »
The hack that was mentioned does not affect most of our users who are using our shared IP servers. These servers do not allowed any port forwarding except those initiated by the outgoing traffic from the users devices.

However those who are using the dedicated dynamic IP servers need to protect themselves using their own internal firewall. These servers are configured to give users full access to forward their own services thru the tunnel and if we were to block incoming traffic to their IP then the services are useless to them. Any users using the dedicated IP servers should know the reasons and risks of using those open port servers.

As for openvpn 2.3.9, we are delaying the release until after new year due to a few other fixes that openvpn will release. This will include dropping of support for openssl older versions and operating systems that are no longer supported by their vendors. We are monitoring the development of openvpn on a daily basis and will issue update as and when it is critical and our GUI has addressed the dns leak and routing issues long before the articles or updates were made.

Thank you

What if you are using dedicated ip server and have one port open in firewall for uttorent? Will you be exposed then?
Also, i am only allowing VPN traffic to go on the internet, everything else is blocked in firewall, so if vpn connection drops, nothing gets out.
If i understand correctly, as long as upnp is disabled in the router, then you are fine?
« Last Edit: December 25, 2015, 09:27:57 PM by userjame »

Offline PitBoss

  • Administrator
  • Admiral
  • *****
  • Posts: 1250
Re: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« Reply #4 on: December 26, 2015, 12:47:50 PM »
Dedicated IP that we are using do not use upnp nor does it use forwarding, so it would not be affected by this hack. However you still to make sure that webrtc is disabled while you are using the vpn. webrtc exploits is much more practical and easier to do cause it is enabled by default.

Co-Founder / Administrator

Offline userjame

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 44
Re: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« Reply #5 on: December 26, 2015, 06:31:51 PM »
Dedicated IP that we are using do not use upnp nor does it use forwarding, so it would not be affected by this hack. However you still to make sure that webrtc is disabled while you are using the vpn. webrtc exploits is much more practical and easier to do cause it is enabled by default.

Thank you for replying and clearing that up  :)
Use this as startpage https://ipleak.net/  it checks for dns leaks and webrtc.

Offline ValdikSS

  • Newbie
  • *
  • Posts: 1
Re: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« Reply #6 on: January 15, 2016, 06:49:21 AM »
It has nothing with port forwarding or UPnP, please read the article more thoughtful.

Offline PitBoss

  • Administrator
  • Admiral
  • *****
  • Posts: 1250
Re: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« Reply #7 on: January 15, 2016, 07:28:06 AM »
Hi Valdik, I've read your articles on this and appreciate your input. Thank you.

Co-Founder / Administrator

Offline Reuben

  • Chief Doraemon
  • Administrator
  • Admiral
  • *****
  • Posts: 6878
Re: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« Reply #8 on: January 20, 2016, 04:09:09 PM »
Got everything to do with it:

https://torrentfreak.com/huge-security-flaw-can-expose-vpn-users-real-ip-adresses-151126/

Quote
The security flaw affects all VPN protocols including OpenVPN and IPSec and applies to all operating systems.

“Affected are VPN providers that offer port forwarding and have no protection against this specific attack,” PP notes.

For example, if an attacker activates port forwarding for the default BitTorrent port then a VPN user on the same network will expose his or her real IP-address (in a setting where users share the same IP-address).

Quote
PIA informs TorrentFreak that their fix was relatively simple and was implemented swiftly after they were notified.

“We implemented firewall rules at the VPN server level to block access to forwarded ports from clients’ real IP addresses. The fix was deployed on all our servers within 12 hours of the initial report,” PIA’s Amir Malik says.
*If you like my service/support, please consider posting a positive feedback here*<3



Co-Founder/Administrator

Offline shadowdrifter

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 99
Re: ROUTING ‘FEATURE’ CAN EXPOSE VPN USERS’ REAL IP-ADDRESSES
« Reply #9 on: May 02, 2016, 01:12:18 PM »
Are Boleh servers that allow open ports still vulnerable to the attack listed in the above article in this thread?
« Last Edit: May 02, 2016, 01:13:57 PM by shadowdrifter »