[Bglug] PureVPN Secure or a big hole in security

LP linuxpusher2 at gmail.com
Thu Jan 4 22:56:33 EST 2018


Tim,
Thank you very much.

On 4 January 2018 at 22:02, Tim Scott <tim at treebeaver.ca> wrote:

> This is an old bug in DD-WRT.
>
> Totally safe and needed. Quick rundown below of what they are doing.
>
> First rule is to allow traffic through the vpn interface
> Second is to drop NEW connections from the outside to it. If it's initiated
> from inside the network first, it's considered established.
> Third is to drop forwarded packets from entering it from outside.
> Last is to masq/NAT the traffic to the vpn ip
>
> I know I'm not super active in BGLug yet... kind of a lurker haha (3 kids
> kill my time) but have spent most of my career in some type of iptables hell. If
> you ever need to pick my brain, feel free.
>
> Tim
> tim at tscnetworks.net
>
> On Thu, Jan 4, 2018 at 9:48 PM, LP <linuxpusher2 at gmail.com> wrote:
>
>> I am using PureVPN right now.
>> But I found the information below on their site.
>>
>> Question: Does anyone see an issue with following the instructions below?
>> Thanks
>> Chris.
>>
>> "How to Secure OpenVPN Vulnerability on DD-WRT
>>
>> A new vulnerability has come to light with PureVPN on DD-WRT routers.
>> When you set up OpenVPN protocol, the end tunnel remains open. This leaves
>> you exposed to privacy vulnerabilities as anyone looking from outside the
>> WAN can reach your DD-WRT router's GUI using the public IP offered by
>> PureVPN.
>>
>> The alarming aspect of this vulnerability is that a VPN circumvents the
>> standard protection of WAN firewall and anyone using a simple HTTP can
>> access your router’s GUI. Instead, OpenVPN protocol employs its own
>> firewall rules, which are weak. So how do you overcome this vulnerability?
>>
>> According to a user on DD-WRT’s official forum, use the following
>> commands to secure your router while using any commercial OpenVPN software.
>>
>> Under addition config, enter the following command:
>>
>> dev tun0
>>
>> Then add the following firewall scripts:
>>
>> # allow only outbound connections to the VPN (no inbound)
>>
>> iptables -I INPUT -i tun0 -j ACCEPT
>>
>> iptables -I INPUT -i tun0 -m state --state NEW -j DROP
>>
>> iptables -I FORWARD -i tun0 -m state --state NEW -j DROP
>>
>> iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
>>
>> What this will do is replace the weak OpenVPN firewall rules with more
>> secure ones. It will prevent anyone from creating inbound links to your
>> network using the public IP offered by PureVPN and accessing your DD-WRT
>> router's GUI."
>>
>>
>>
>> _______________________________________________
>> Group mailing list
>> Group at bglug.ca
>> http://bglug.ca/mailman/listinfo/group_bglug.ca
>>
>>
>
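The rule set quoted above only works because every command uses -I, which puts the new rule at the top of the chain, so the DROP for NEW connections ends up evaluated before the blanket ACCEPT on tun0 even though it is typed second. The following is an added example, not code from the original post, PureVPN or DD-WRT: a small Python model of iptables first-match evaluation that applies the two posted INPUT rules once with -I and once with -A, and runs a few constructed packets through the result. The pre-existing chain it starts from (br0 as LAN, vlan2 as WAN, default DROP) is a simplification assumed for the example and not the real DD-WRT chain.

```python
"""
Constructed model of iptables first-match evaluation (added example, not from
the original post, PureVPN or DD-WRT). It applies the posted INPUT rules in
the order they are typed, once with -I (prepend, as in the post) and once
with -A (append), then evaluates hand-built packets against each chain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    in_iface: Optional[str] = None   # -i <iface>
    state: Optional[str] = None      # -m state --state <STATE> (only NEW is modelled)
    target: str = "ACCEPT"           # -j <target>

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.in_iface is not None and pkt["in"] != self.in_iface:
            return False
        if self.state is not None and pkt["state"] != self.state:
            return False
        return True


class Chain:
    """Rules are tried top to bottom; first match wins; policy applies otherwise."""

    def __init__(self, policy: str, rules: List[Rule] = ()):
        self.policy = policy
        self.rules = list(rules)

    def insert(self, rule: Rule) -> None:   # iptables -I CHAIN ...  -> becomes rule 1
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A CHAIN ...  -> becomes last rule
        self.rules.append(rule)

    def verdict(self, pkt: Dict[str, str]) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def base_input_chain() -> Chain:
    # Simplified stand-in for the router's existing INPUT chain (assumption,
    # not the real DD-WRT chain): LAN clients on br0 may reach the router,
    # everything else falls through to the DROP policy.
    return Chain(policy="DROP", rules=[Rule(in_iface="br0", target="ACCEPT")])


# The two INPUT rules exactly as posted, in the order they are typed.
POSTED_INPUT_RULES = [
    Rule(in_iface="tun0", target="ACCEPT"),             # iptables -I INPUT -i tun0 -j ACCEPT
    Rule(in_iface="tun0", state="NEW", target="DROP"),  # iptables -I INPUT -i tun0 -m state --state NEW -j DROP
]


def build_input_chain(flag: str) -> Chain:
    """flag is '-I' (prepend, what the post uses) or '-A' (append)."""
    chain = base_input_chain()
    add = chain.insert if flag == "-I" else chain.append
    for rule in POSTED_INPUT_RULES:
        add(rule)
    return chain


# Constructed packets, labelled with the conntrack state each would carry.
PACKETS = {
    "outsider_to_gui_via_vpn": {"in": "tun0", "state": "NEW"},          # hits the VPN public IP on port 80
    "reply_to_our_outbound":   {"in": "tun0", "state": "ESTABLISHED"},  # answer to a connection we opened
    "lan_client_to_gui":       {"in": "br0",  "state": "NEW"},
    "outsider_via_wan":        {"in": "vlan2", "state": "NEW"},         # untouched by the posted rules
}


def rule_order(flag: str) -> List[Tuple[Optional[str], Optional[str], str]]:
    """Effective top-to-bottom order of the INPUT chain after applying the rules."""
    return [(r.in_iface, r.state, r.target) for r in build_input_chain(flag).rules]


def verdicts(flag: str) -> Dict[str, str]:
    chain = build_input_chain(flag)
    return {name: chain.verdict(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for flag in ("-I", "-A"):
        print(flag, rule_order(flag))
        for name, v in verdicts(flag).items():
            print(f"   {name:26s} -> {v}")
```

With -I the chain reads DROP-NEW-from-tun0, ACCEPT-from-tun0, then the existing rules, so an unsolicited connection arriving over the tunnel is dropped while replies to outbound traffic still pass; with -A in the same typed order the ACCEPT sits above the DROP and the DROP never matches. On the router itself the same check is `iptables -L INPUT -n --line-numbers`: the DROP rule must carry a lower number than the tun0 ACCEPT, and re-running the script after a reconnect should not change that order.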