[Bglug] PureVPN Secure or a big hole in security

Tim Scott tim at treebeaver.ca
Thu Jan 4 22:02:11 EST 2018


This is an old bug in DD-WRT.

Totally safe and needed. Quick run down below of what they are doing.

First rule is to allow traffic through the vpn interface
Second is to drop NEW connections from the outside to it. If its initated
from inside the network first its considered established.
Third is to drop forwarded packets from entering it from outside.
Last is to masq/NAT the traffic to the vpn ip

I know im not super active in BGLug yet... kind of a lurker haha (3 kids
kill my time) but have spent most career in some type of iptables hell. If
you need to ever pick my brain feel free.

Tim
tim at tscnetworks.net

On Thu, Jan 4, 2018 at 9:48 PM, LP <linuxpusher2 at gmail.com> wrote:

> *I am using PureVPN right now.*
> *But found information Below on their site.*
>
> *Question: Does anyone see an issue following the instructions below. ??*
> *Thanks*
> *Chris.*
>
> "How to Secure OpenVPN Vulnerability on *DD-WRT*
>
> A new vulnerability has come to light with PureVPN on DD-WRT routers. When
> you set up OpenVPN protocol, the end tunnel remains open. This leaves you
> exposed to privacy vulnerabilities as anyone looking from outside the WAN
> can reach your DD-WRT routers GUI using the public IP offered by PureVPN.
>
> The alarming aspect of this vulnerability is that a VPN circumvents the
> standard protection of WAN firewall and anyone using a simple HTTP can
> access your router’s GUI. Instead, OpenVPN protocol employs its own
> firewall rules, which is weak. So how do you overcome this vulnerability?
>
> According to a user on DD-WRT’s official forum, use the following commands
> to secure your router while using any commercial OpenVPN software.
>
> Under addition config, enter the following command:
>
> *dev tun0*
>
> Then add the following firewall scripts:
>
> *# allow only outbound connections to the VPN (no inbound)*
>
> *iptables -I INPUT -i tun0 -j ACCEPT*
>
> *iptables -I INPUT -i tun0 -m state –state NEW -j DROP*
>
> *iptables -I FORWARD -i tun0 -m state –state NEW -j DROP*
>
> *iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE*
>
> What this will do is replace the weak OpenVPN firewall rules with more
> secure ones. It will prevent anyone from creating inbound links to your
> network using the public IP offered by PureVPN and accessing your DD-WRT
> routers GUI."
>
>
>
> _______________________________________________
> Group mailing list
> Group at bglug.ca
> http://bglug.ca/mailman/listinfo/group_bglug.ca
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bglug.ca/pipermail/group_bglug.ca/attachments/20180104/465487b0/attachment-0001.html>


More information about the Group mailing list