Thanks for your reply, I appreciate it. So basically no encryption has been compromised and only traffic originally intended for the VPN has been misdirected?

On Wednesday, May 15, 2024 at 01:32:31 AM CDT, Gert Doering <g...@greenie.muc.de> wrote:
Hi,

On Wed, May 15, 2024 at 02:39:42AM +0000, Leroy Tennison via Openvpn-users wrote:
> Published articles say it affects all VPNs due seemingly to a DHCP
> man-in-the-middle attack. I was under the impression that VPNs were
> encrypted end-to-end from the very start and thus don't see how a
> man-in-the-middle could have any effect. Am I misunderstanding the
> architecture for OpenVPN or are the published statements in error? If so,
> how does startup actually work? Thanks for the clarification.

Rogue DHCP server in a "bad" Wifi sets options that install extra routes in the client, to direct traffic away from the VPN.

So, OpenVPN wants "redirect-gateway def1" and installs routes for 0.0.0.0/1 and 128.0.0.0/1, matching "all Internet traffic". DHCP server sends "please do a route for 8.8.8.0/24 to me", so the underlying OS installs that route - and when a packet needs to get sent, "most specific route wins", so DNS packets to 8.8.8.8 will not get "into the VPN" but "to the rogue DHCP server".

This is an old attack, just re-hyped again - and to successfully exploit it, you need to be on the same network as the target of the attack, you need to know "which network do they want to connect?", and also you need to redirect something which is not reachable "without VPN" - so it would work for 8.8.8.8, but not for "your internal corp web site which is not reachable from the outside".

It's a risk for high-profile targets, but not so much for occasional Starbucks wifi users.

That said, any route-based VPN is vulnerable to this - so it's not a particular problem for OpenVPN.

We do have patches pending that will fix it on Windows, by using the Windows firewall to just block packets leaving over "non VPN" ('block-outside-dns' revamped). In this case, packets to 8.8.8.8 will still not go "into the VPN" (route), but instead will be dropped by the firewall, and the user will know "something is broken here" without leaking secrets.

On Linux, Heiko is working on something using "ip rule" which is even better :-)

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
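A small model of the routing and firewall behaviour Gert describes, added here as an illustration; it is not code from OpenVPN or from the pending patches. It assumes interface names tun0/wlan0 and a constructed VPN server address 203.0.113.10, and uses the DHCP-pushed 8.8.8.0/24 route from the thread to show why longest-prefix matching bypasses the def1 routes, how a table audit can spot such a route, and how the "drop anything leaving a non-VPN interface except to the VPN server" mitigation turns a leak into a visible failure.

```python
import ipaddress

# Constructed routing table modelling the situation in the thread: "redirect-gateway def1"
# installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel plus a host route to the VPN server via
# the physical gateway; the rogue DHCP server adds a more specific 8.8.8.0/24 via Wi-Fi.
VPN_IFACE = "tun0"            # assumed interface name
PHYS_IFACE = "wlan0"          # assumed interface name
VPN_SERVER = "203.0.113.10"   # constructed (documentation range), not a real endpoint

ROUTES = [
    ("0.0.0.0/0", PHYS_IFACE),         # original default route from DHCP
    ("0.0.0.0/1", VPN_IFACE),          # redirect-gateway def1, lower half
    ("128.0.0.0/1", VPN_IFACE),        # redirect-gateway def1, upper half
    (VPN_SERVER + "/32", PHYS_IFACE),  # keeps the tunnel endpoint reachable
    ("8.8.8.0/24", PHYS_IFACE),        # pushed by the rogue DHCP server
]

def egress_interface(routes, dst):
    """Longest-prefix match, as the OS does: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def audit_leaks(routes, vpn_iface, allowed_hosts):
    """Flag routes that bypass the tunnel: more specific than the /1 pair, leaving via a
    non-VPN interface, and not the permitted host route to the VPN server."""
    leaks = []
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if iface == vpn_iface or net.prefixlen <= 1:
            continue
        if net.prefixlen == 32 and str(net.network_address) in allowed_hosts:
            continue
        leaks.append((cidr, iface))
    return leaks

def firewall_verdict(dst, routes, vpn_iface=VPN_IFACE, vpn_server=VPN_SERVER):
    """Model of the firewall mitigation described in the thread: a packet may leave a
    non-VPN interface only toward the VPN server itself; everything else is dropped."""
    egress = egress_interface(routes, dst)
    if egress == vpn_iface or dst == vpn_server:
        return "allow"
    return "drop"
```

Calling `egress_interface(ROUTES, "8.8.8.8")` returns the Wi-Fi interface even though the def1 routes are present, `audit_leaks` reports exactly that route, and `firewall_verdict` drops the packet instead of letting it leak.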