PSA: Serious OpenVPN Vulnerability w/ PureVPN (et al.)

DD-WRT Forum Index -> Advanced Networking
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7463
Location: Netherlands

PostPosted: Thu Feb 16, 2017 14:25
Big thanks for all your work, much appreciated.

I have tested Private Internet Access (PIA), which is my VPN, and get destination unreachable. So my limited testing shows that PIA is behaving well :)

_________________
Routers: Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
phatbob
DD-WRT User


Joined: 03 Jan 2017
Posts: 215

PostPosted: Thu Feb 16, 2017 16:16
Being a PureVPN user I was certainly alarmed to find this out. My thinking is that they want to sell their NAT firewall add-on. The thing is, from what I can see the add-on can be had for $0.99 a month. I got their 2-year package, which was $59.95, or about $2.50 a month. Why wouldn't they just include the firewall and charge $3.50 a month? It's still less than most out there.

The biggest issue is that they don't tell you that you're unprotected; in fact they lead you to believe the total opposite. At least thanks to eibgrad I am now secure and I don't need the firewall.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 306
Location: California

PostPosted: Mon Feb 20, 2017 2:43    Post subject: Well...
Well, at least I know what VPN allows this by default that I can recommend to my customers who need the ports open.

That is laughable that they think in the reverse, lol.

I had been referring customers to StrongVPN for opening up ports and dedicated IPs.

I might get a PureVPN account to test with. I have some things I'd like to experiment with for a week or so with open ports through a VPN service.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
phatbob
DD-WRT User


Joined: 03 Jan 2017
Posts: 215

PostPosted: Mon Feb 20, 2017 3:23
Quote:
Well, at least I know what VPN allows this by default that I can recommend to my customers who need the ports open.


Just so you know, within days after this topic was started all the ports were closed up on their end. I did go ahead and purchase their NAT firewall so I could open up the ports I needed. It does give you the option of opening them all if you really are looking to test some things.
phatbob
DD-WRT User


Joined: 03 Jan 2017
Posts: 215

PostPosted: Mon Feb 20, 2017 5:36
Quote:
If this does prove to be the case, I still recommend the changes I described above as a second line of defense. Personally, I don't even want ping to respond. And I suspect PureVPN isn't the only one NOT firewall'ing their end of the tunnel.


I agree, and I do keep your changes implemented. The more protection the better. Also, you're right to be skeptical: because they left their side open for however long, we can't be confident it will remain blocked.

Of course, that other person's GUI that you found accessible, it is also possible that he or she intentionally has all their ports open, although I can't imagine why.
ian.wright
DD-WRT Novice


Joined: 20 Feb 2017
Posts: 3

PostPosted: Mon Feb 20, 2017 14:50
eibgrad wrote:
phatbob wrote:
Quote:
Well, at least I know what VPN allows this by default that I can recommend to my customers who need the ports open.


Just so you know, within days after this topic was started all the ports were closed up on their end. I did go ahead and purchase their NAT firewall so I could open up the ports I needed. It does give you the option of opening them all if you really are looking to test some things.


You may be right, but it's hard to say for sure. If PureVPN is in fact listening, then I wish someone there would just respond.

I just tested my own public IP on the VPN (w/o the changes I recommended above) and can no longer get into either the GUI or telnet. But I can still ping.

I then visited another PureVPN public IP (some other unknown user I found by searching w/ a script) and found his GUI is still accessible. It may be a long-lived connection, and if he disconnects and reconnects in the future, perhaps access to his GUI may be denied. But until that happens, I remain skeptical.

Remember too, these guys have 100's of VPN servers, and if indeed they made a change, it would have to be replicated across every server. Not something that's likely to happen overnight.

If this does prove to be the case, I still recommend the changes I described above as a second line of defense. Personally, I don't even want ping to respond. And I suspect PureVPN isn't the only one NOT firewall'ing their end of the tunnel.


I'm also a user of PureVPN. After reading your post I went on to talk to their customer support, and they gave me this statement: "Service that blocks unsolicited ports for customers malfunctioned in some of our servers which has been fixed now."
I'm really concerned whether the issue has been resolved.
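The check several posters describe above (eibgrad probing his own VPN public IP for the GUI and telnet, joeyacker reaching his PC from a phone on 3G, egc getting "destination unreachable" from PIA) as a small script. This is an added example, not code from the thread or from any VPN provider: run it from a host that is outside the tunnel (mobile data, a VPS) against the public IP the VPN server assigned you; probing that IP from behind the tunnel proves nothing. The port list and function names are my choice; a `filtered` result is what a provider-side or `tun0` firewall produces, `open` means the service is reachable by anyone on the internet.

```python
"""Probe a VPN-assigned public IP for router services exposed on the tunnel side.

Added example (not from the thread). Usage from a host outside the VPN:
    python3 probe_vpn_ip.py 203.0.113.45
Exit status 1 if anything answered.
"""
import socket
import sys

# Services the thread reports reachable on the VPN public IP (GUI, telnet,
# forwarded Plex port), plus SSH. Constructed list; extend as needed.
ROUTER_PORTS = {80: "http (router GUI)", 443: "https (router GUI)",
                23: "telnet", 22: "ssh", 32400: "plex"}


def probe_port(host, port, timeout=2.0):
    """TCP connect probe. 'open' = three-way handshake completed,
    'closed' = RST came back (host reachable, nothing listening),
    'filtered' = timeout or ICMP unreachable, i.e. something is dropping
    the packets. For a VPN public IP you want every port 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
        return "filtered"
    finally:
        s.close()


def probe_host(host, ports=ROUTER_PORTS, timeout=2.0):
    """Probe each port in turn; returns {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def exposed_ports(results):
    """Ports that accepted a connection from outside the tunnel."""
    return sorted(p for p, state in results.items() if state == "open")


def local_listener():
    """Test fixture: a listening socket on an ephemeral 127.0.0.1 port, so the
    probe can be exercised offline. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = probe_host(target)
    for port, state in results.items():
        print(f"{target}:{port:<5} {state:<8} {ROUTER_PORTS.get(port, '')}")
    bad = exposed_ports(results)
    if bad:
        print(f"EXPOSED: {bad} reachable from outside the tunnel; "
              f"drop NEW connections on tun0 at the router")
        sys.exit(1)
    print("nothing reachable: the tunnel side is firewalled")
```

A connect probe is enough here because the question is whether a TCP service answers at all; ping (ICMP) is a separate check, and eibgrad notes it may still respond even when the TCP ports are blocked.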
SisyphusBond
DD-WRT Novice


Joined: 26 Jan 2017
Posts: 38

PostPosted: Mon Mar 06, 2017 0:35
Can I piggy-back on this to ask a few questions? I'm only just dipping my toes in the world of VPNs and I'm still learning a lot of the technical stuff.

Firstly, is this still an outstanding issue? There appear to be some suggestions that it was a temporary error, and some scepticism at these claims.

Secondly, does their NAT Firewall add-on that they sell basically cover this whole issue or are there still concerns? Adding an extra $1/month still puts them at a good price for what I was looking for.

My final question is a bit off-topic, so feel free to ignore it, but I read instructions for setting up an OpenVPN connection directly on a Netgear ReadyNAS Network Attached Storage device:

https://community.netgear.com/t5/New-to-ReadyNAS/Installing-and-running-OpenVPN-boot-PrivateInternetAcces/m-p/941794#M7559

and wondered how someone might go about adding in the code you've provided to that. Is it something fairly straightforward?
phatbob
DD-WRT User


Joined: 03 Jan 2017
Posts: 215

PostPosted: Mon Mar 06, 2017 15:25
It seems that it was PureVPN's claim that it was a malfunction that caused the security issue and it is now fixed. Whether you want to believe that or not is up to you. Being a user of their service myself, I feel much more secure using eibgrad's scripts to block traffic on my end so I'm protected in case they drop the ball again. I have also purchased the NAT firewall from them and can tell you that it gives you the options to:

1. Block all ports
2. Open all ports
3. Open selected ports (up to 15 ports)

I have also noticed on one occasion that when their site was down, the port I have opened for my Plex to work was not open, but that's preferable to having them all open, I guess.

I guess it's possible for any VPN provider to have a breach of some sort that would cause the same issue that PureVPN was having and one would have to be checking constantly to know for sure that you are protected.

One thing I can tell you for sure is if you do decide to use PureVPN, their Tech support blows and for the most part their setup guides are inaccurate at best.
phatbob
DD-WRT User


Joined: 03 Jan 2017
Posts: 215

PostPosted: Thu Mar 16, 2017 14:39
Currently I have saved in my firewall:

Code:
# Inbound from the VPN side: accept only traffic belonging to connections we
# opened. Both rules use -I, so the second one lands above the first: NEW
# connections arriving on tun0 are dropped, everything else on tun0 is accepted.
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I INPUT -i tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i tun0 -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

# Port forward from the VPN into the LAN (Plex). Inserted after the DROP
# above, so it sits in front of it and wins for this one port only.
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 32400 -j DNAT --to 192.168.101.125:32400
iptables -I FORWARD -i tun0 -p tcp -d 192.168.101.125 --dport 32400 -j ACCEPT

# Kill switch: block new LAN connections that would leave via the ISP WAN.
# WAN_IF is the interface of the last 0.0.0.0 row in "route -n". (The line as
# originally posted began with a stray "WAN", which left WAN_IF unset.)
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -I FORWARD -i br0 -o "$WAN_IF" -m state --state NEW -j REJECT


which works perfectly for running Plex through the VPN. Just last night I noticed, however, that when the VPN is down, the only thing that is blocked is Plex. Everything else connects via my ISP.
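The kill-switch line in the script above hangs on `route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}'`, i.e. "the interface of the last row whose destination starts with 0.0.0.0". As an added example, not part of the post or of eibgrad's scripts, here is that selection re-implemented in Python so it can be checked against constructed routing tables, plus a stricter variant: with `redirect-gateway def1` the tunnel adds two /1 routes and leaves the ISP default route in place, so the last 0.0.0.0 row is the physical WAN; with plain `redirect-gateway` the tunnel replaces the default route, the awk returns `tun0`, and a REJECT on `-o tun0` would cut the LAN off from the VPN itself. The tables, interface names and addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); function names are mine.

```python
"""Select the physical WAN interface from `route -n` output for a VPN kill switch.

Added example, not from the thread. Constructed routing tables below.
"""

# VPN up with "redirect-gateway def1": two /1 routes via tun0, ISP default
# route (vlan2) untouched. Last row starting with 0.0.0.0 is vlan2.
ROUTE_DEF1 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
198.51.100.7    203.0.113.1     255.255.255.255 UGH   0      0        0 vlan2
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
"""

# VPN up with plain "redirect-gateway": the default route now points at tun0;
# only the host route OpenVPN adds to its server (198.51.100.7) still uses vlan2.
ROUTE_NO_DEF1 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
198.51.100.7    203.0.113.1     255.255.255.255 UGH   0      0        0 vlan2
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
"""

# VPN down: only the ISP default route.
ROUTE_VPN_DOWN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
"""


def parse_route_n(text):
    """Rows of `route -n` as dicts; the two header lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue
        rows.append({"dest": f[0], "gw": f[1], "mask": f[2],
                     "flags": f[3], "iface": f[7]})
    return rows


def wan_if_awk_style(text):
    """Same selection as the posted awk: iface of the LAST row whose
    destination starts with 0.0.0.0."""
    wif = None
    for row in parse_route_n(text):
        if row["dest"].startswith("0.0.0.0"):
            wif = row["iface"]
    return wif


def is_tunnel(iface):
    return iface.startswith(("tun", "tap"))


def wan_if_strict(text):
    """Physical WAN: a true default route (genmask 0.0.0.0) not on a tunnel,
    or, failing that, a gateway host route (flags G and H) not on a tunnel,
    which is the route OpenVPN keeps towards its server via the old gateway."""
    rows = parse_route_n(text)
    for row in rows:
        if row["dest"] == "0.0.0.0" and row["mask"] == "0.0.0.0" \
                and not is_tunnel(row["iface"]):
            return row["iface"]
    for row in rows:
        if "G" in row["flags"] and "H" in row["flags"] \
                and not is_tunnel(row["iface"]):
            return row["iface"]
    return None


def kill_switch_rule(wan_if, lan_if="br0"):
    """Render the LAN->ISP block from the thread. Refuses an empty or tunnel
    interface: '-o tun0' would block the LAN from the VPN itself, and an
    empty value never installs a rule at all."""
    if not wan_if or is_tunnel(wan_if):
        raise ValueError(f"refusing to build a kill switch for WAN_IF={wan_if!r}")
    return f"iptables -I FORWARD -i {lan_if} -o {wan_if} -m state --state NEW -j REJECT"


if __name__ == "__main__":
    for name, table in (("def1", ROUTE_DEF1), ("no-def1", ROUTE_NO_DEF1),
                        ("vpn-down", ROUTE_VPN_DOWN)):
        print(f"{name:<9} awk-style={wan_if_awk_style(table):<6} "
              f"strict={wan_if_strict(table)}")
    print(kill_switch_rule(wan_if_strict(ROUTE_DEF1)))
```

On the router itself the same strictness can be had with `ip route show default` filtered for a non-tun interface; the point is that the WAN interface is derived from the routing table at the moment the firewall script runs, so it must be robust to the tunnel being up, down, or having replaced the default route.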
SisyphusBond
DD-WRT Novice


Joined: 26 Jan 2017
Posts: 38

PostPosted: Wed Mar 29, 2017 22:09
Just to clarify, do we still need any/all of the above when using your new Basic or Advanced scripts?
joeyacker
DD-WRT Novice


Joined: 13 Apr 2017
Posts: 2

PostPosted: Thu Apr 13, 2017 6:52
Can it be fixed by modifying the .ovpn file? I asked their support yesterday about this flaw and their answer was to give me the paid add-on "NAT Firewall" for free. With "NAT Firewall" I could still reach my computer from my iPhone (on 3G). It sounds like they have a big problem with their security, as mentioned in other PureVPN review blogs as well.
DeXB
DD-WRT Novice


Joined: 22 May 2017
Posts: 49

PostPosted: Mon Jun 12, 2017 9:03
Is there any resolution to this issue? It seems that the issue is not isolated to DD-WRT (I have the same issue using Asus Merlin) or to the VPN provider. It seems that once you have a private (not shared) IP in place, this is the way it works. I am also facing exactly the same issue, using a different VPN provider with a private IP. My whole router is exposed, even though remote access is disabled. That's because a VPN tunnel is not considered remote access at all, but local access.

Is there any way to fix this, so as to use a private-IP VPN with firewall rules?
srwal
DD-WRT Novice


Joined: 04 Jul 2013
Posts: 44

PostPosted: Fri Jun 16, 2017 22:51
Are there any special settings for those using ASUS Merlin?
DeXB
DD-WRT Novice


Joined: 22 May 2017
Posts: 49

PostPosted: Fri Jun 16, 2017 22:52
srwal wrote:
Are there any special settings for those using ASUS Merlin?


In the end buying a NAT firewall add-on at my VPN provider helped with this issue and my router is no longer exposed.
spuriousoffspring
DD-WRT Guru


Joined: 05 Apr 2017
Posts: 982
Location: South of Heaven, USA

PostPosted: Fri Jun 15, 2018 0:11
@eibgrad Thank you so much for the catch & the fix!
_________________
DD-WRT Installation & Setup TUTORIAL
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311117

WRT32X DD-WRT Installation Procedure
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=315569

IPVanish OpenVPN Client Setup TUTORIAL
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=308565

FIRMWARE: OpenWrt SNAPSHOT r8217-2cc821e / LuCI Master (git-18.276.41146-280dd33)
MODEM: ARRIS SURFBoard SB8200
ROUTER: Linksys WRT32X
USB NAS: Western Digital BLACK 1 TB Hardrive + Startech USB 3.0 External SATA III Enclosure