Hi, if you think this is a useful security enhancement, and would like to have it in a "short term" 2.6.x release, we need test results...
please!
gert
On Thu, Jun 06, 2024 at 02:23:33PM +0200, Gert Doering wrote:
> Hi,
>
> we have new code in master that helps with the "TunnelCrack" and
> "TunnelVision" attacks, that is, packets intended to go into the
> VPN being leaked away by means of a malicious DHCP server (= routing
> points outside the tunnel, so packets never hit OpenVPN).
>
> We used to have
>
> block-outside-dns
>
> to prevent Windows from doing DNS lookups "around the VPN" - the main
> intent of this was "make sure split DNS works", but a side effect has
> also been "avoid DNS leaks".
>
> Heiko has now extended this code to be able to "block everything not
> going into the VPN". To activate this, you need
>
> redirect-gateway def1 block-local
>
> in your config ("block-local" is the keyword, but without "def1" you
> end up with a split-tunnel and "nothing else is allowed", which is rarely
> a really good combination).
>
> Repeat: if "redirect-gateway block-local" is active, NO packets leave
> via LAN/WiFi/... interfaces, except those sourced by the openvpn.exe
> process. This is important for maximum privacy, especially if you
> roam into a network with an untrusted DHCP server.
>
>
> Now - this code has been merged into "git master", and installers
> are here:
>
> https://github.com/OpenVPN/openvpn-build/actions/runs/9391365526?pr=641
>
> (bottom of the page, "Artifacts", .zip files with a .msi inside).
>
>
> I want to have this in 2.6 as well, as it's sort of important for certain
> classes of users (and also VPN providers, offering this as a service) - but
> I do not feel it has been tested enough yet.
>
> So: PLEASE test these windows installers, in all 3 variants
>
> 1. <nothing special in the config>
> 2. block-outside-dns
> (DNS is blocked, everything else not routed into the VPN tunnel - like
> "your local printer" etc - still works)
> 3. redirect-gateway def1 block-local
> (ONLY VPN works)
>
> and report back to us.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany [email protected]
> _______________________________________________
> Openvpn-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
--
Gert Doering - Munich, Germany [email protected]
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
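As an added example, not part of Gert's post or of the OpenVPN project's code, the following PowerShell script encodes the reachability each of the three requested test variants should show (variant 1: everything reachable; variant 2: LAN DNS blocked, LAN hosts still reachable; variant 3: only the tunnel works) so a tester can check a running installer and paste the result into a report. The LAN resolver, LAN-only host and VPN-side host addresses are placeholders the tester must replace; Resolve-DnsName and Test-Connection are the standard Windows cmdlets.

```powershell
# Added example (not from the mailing-list post): tester checklist for the three
# OpenVPN configurations under test. Run it once per variant with the VPN up.
param(
    [Parameter(Mandatory)][ValidateSet(1, 2, 3)][int]$Variant,
    [string]$LanDns     = '192.168.1.1',   # placeholder: your LAN DNS resolver
    [string]$LanHost    = '192.168.1.50',  # placeholder: LAN-only device, e.g. a printer
    [string]$VpnHost    = '10.8.0.1',      # placeholder: host reachable only through the tunnel
    [string]$PublicName = 'example.com'    # name to resolve against the LAN resolver
)

# Expected reachability per variant, taken from the post:
#   1: nothing special in the config            -> LAN DNS, LAN host, VPN host all reachable
#   2: block-outside-dns                        -> LAN DNS blocked, LAN host still reachable
#   3: redirect-gateway def1 block-local        -> only the VPN host reachable
$expectations = @{
    1 = @{ LanDns = $true;  LanHost = $true;  VpnHost = $true }
    2 = @{ LanDns = $false; LanHost = $true;  VpnHost = $true }
    3 = @{ LanDns = $false; LanHost = $false; VpnHost = $true }
}
$expected = $expectations[$Variant]

function Test-LanDns {
    # Query the LAN resolver directly (bypassing the tunnel's DNS). With
    # block-outside-dns active this query must fail, so a failure here is a pass.
    try { $null = Resolve-DnsName -Name $PublicName -Server $LanDns -DnsOnly -ErrorAction Stop; $true }
    catch { $false }
}

function Test-Reachable([string]$Address) {
    # ICMP reachability. With block-local active, LAN hosts must become unreachable
    # while the host behind the VPN stays reachable.
    Test-Connection -ComputerName $Address -Count 2 -Quiet -ErrorAction SilentlyContinue
}

$actual = @{
    LanDns  = Test-LanDns
    LanHost = Test-Reachable $LanHost
    VpnHost = Test-Reachable $VpnHost
}

$mismatches = 0
foreach ($check in 'LanDns', 'LanHost', 'VpnHost') {
    $ok = ($actual[$check] -eq $expected[$check])
    if (-not $ok) { $mismatches++ }
    '{0,-8} expected={1,-5} actual={2,-5} {3}' -f $check, $expected[$check], $actual[$check], $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
if ($mismatches -eq 0) { "Variant $Variant behaves as described in the post." }
else { "Variant $Variant: $mismatches mismatch(es); include this output in your test report." }
```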
