Hi, we have new code in master that helps with the "TunnelCrack" and "TunnelVision" attacks, that is, packets intended to go into the VPN being leaked away by means of a malicious DHCP server (= routing points outside the tunnel, so packets never hit OpenVPN).
We used to have block-outside-dns to prevent Windows from doing DNS lookups "around the VPN" - the main intent of this was "make sure split DNS works", but a side effect has also been "avoid DNS leaks".

Heiko has now extended this code to be able to "block everything not going into the VPN". To activate this, you need

  redirect-gateway def1 block-local

in your config ("block-local" is the keyword, but without "def1" you end up with a split-tunnel and "nothing else is allowed", which is rarely a really good combination).

Repeat: if "redirect-gateway block-local" is active, NO packets leave via LAN/WiFi/... interfaces, except those sourced by the openvpn.exe process. This is important for maximum privacy, especially if you roam into a network with an untrusted DHCP server.

Now - this code has been merged into "git master", and installers are here:

  https://github.com/OpenVPN/openvpn-build/actions/runs/9391365526?pr=641

(bottom of the page, "Artifacts", .zip files with a .msi inside).

I want to have this in 2.6 as well, as it's sort of important for certain classes of users (and also VPN providers, offering this as a service) - but I do not feel it has been tested enough yet.

So: PLEASE test these Windows installers, in all 3 variants

 1. <nothing special in the config>
 2. block-outside-dns (DNS is blocked, everything else not routed into the VPN tunnel - like "your local printer" etc - still works)
 3. redirect-gateway def1 block-local (ONLY VPN works)

and report back to us.

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
                                                Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
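A tester-side leak check for the three variants the mail asks people to try, added here as an example and not part of the mail or of OpenVPN's own code. It assumes you run it on the Windows client after the tunnel is up and pass it the LAN's DHCP-assigned resolver and some LAN host (hypothetical parameters); it probes the LAN directly and compares what it sees with the behaviour the mail describes for each variant.

```powershell
# Added example (not from the mail / not OpenVPN code). Run on the Windows client
# while the tunnel is up. Assumed inputs: the LAN resolver handed out by DHCP and a
# LAN host/port that is normally reachable (e.g. a printer's raw-print port 9100).
param(
    [Parameter(Mandatory)][string]$LanDnsServer,
    [Parameter(Mandatory)][string]$LanHost,
    [int]$LanPort = 9100,
    [ValidateSet('none','block-outside-dns','block-local')][string]$Variant = 'none'
)

# Expected behaviour per variant, as described in the mail:
#   none              -> LAN DNS works, LAN host reachable
#   block-outside-dns -> LAN DNS blocked, LAN host still reachable
#   block-local       -> LAN DNS blocked, LAN host unreachable (only the VPN works)
$expected = @{
    'none'              = @{ LanDns = $true;  LanTcp = $true  }
    'block-outside-dns' = @{ LanDns = $false; LanTcp = $true  }
    'block-local'       = @{ LanDns = $false; LanTcp = $false }
}[$Variant]

# Probe 1: query the LAN resolver directly, i.e. deliberately "around the VPN".
# A random label defeats any cached answer; -DnsOnly skips LLMNR/NetBIOS fallbacks.
$probeName = "leaktest-$(Get-Random).example.com"
$lanDnsWorks = $false
try {
    $null = Resolve-DnsName -Name $probeName -Server $LanDnsServer -Type A -DnsOnly -ErrorAction Stop
    $lanDnsWorks = $true
} catch {
    # NXDOMAIN still proves the query left via the LAN; only a timeout/failure means "blocked".
    $lanDnsWorks = $_.Exception.Message -match 'does not exist|NXDOMAIN'
}

# Probe 2: plain TCP connect to a host on the local network (never routed into the VPN).
$lanTcpWorks = Test-NetConnection -ComputerName $LanHost -Port $LanPort `
    -InformationLevel Quiet -WarningAction SilentlyContinue

# Compare observation with expectation and report.
$result = [pscustomobject]@{
    Variant        = $Variant
    LanDnsObserved = $lanDnsWorks
    LanDnsExpected = $expected.LanDns
    LanTcpObserved = $lanTcpWorks
    LanTcpExpected = $expected.LanTcp
    Pass           = ($lanDnsWorks -eq $expected.LanDns) -and ($lanTcpWorks -eq $expected.LanTcp)
}
$result | Format-List
if (-not $result.Pass) { exit 1 }
```

A failing run for variant 3 with LanTcpObserved = True means packets still left via the LAN interface, which is exactly the report the mail is asking for.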