Bypassing VPN Exploit or misunderstanding 3200ACM r37582

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
scar1943
DD-WRT User


Joined: 10 Nov 2018
Posts: 350
Location: South Carolina

Posted: Sat Nov 10, 2018 16:48    Post subject: Bypassing VPN Exploit or misunderstanding 3200ACM r37582
Greetings!

Been using dd-wrt and monitoring these forums for years, but it's the first time I've become frustrated enough to ask for assistance from you wise folk.

Interesting exploit my sons have found which I really need to resolve. Bear with me, for it's a somewhat complex situation they've discovered. They have a few video games (MMO online type) that do not work through my VPN router. I set up a non-VPN router for those few games, which is a simple WiFi AP connected directly to the ISP cable modem. Now, since the cabled connection which they have through the VPN modem is far friskier, they would rather use the wired connection vs. the WiFi. What they have done is find that if they continue to use the ISP WiFi IP address assigned to them, switch back to the wired VPN router (and turn off their WiFi), the traffic then seems to bypass the VPN through the router, and they can play via the wired VPN connection using the DHCP address assigned by the ISP. Seems sneaky, or I'm not clearly understanding what's going on under the hood of that bait-and-switch idea. Does anyone understand what's going on? If so, please help me understand, and how it can be blocked (I don't want any non-VPN activity on the VPN router).

This is my current firewall script:

# Nordvpn Killswitch
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
# deny all action outside VPN
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

WRT3200ACM, older chipset. r37582, OpenVPN via NordVPN provider.

What do you folks think?
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Sat Nov 10, 2018 21:26
Bit of a long shot, but I did just discover, with help from the forum (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317397), that the third NordVPN kill-switch firewall rule, the udp one, as written does nothing. If you check the firewall using the CLI, you'll discover that rule did not get entered. The problem is the udp-reset, which apparently is not a thing. A working alternative rule is

iptables -I FORWARD 3 -i br0 -p udp -o $WAN_IF -j REJECT

which is just your rule without the --reject-with udp-reset . As it happens, I just emailed NordVPN support yesterday to notify them of the error in their post on setting up the dd-wrt OpenVPN client for NordVPN using the GUI.

I'll be impressed and amazed if this fixes the problem, but you have nothing to lose.

One option is to use logreject instead of REJECT in that one rule, perhaps temporarily during your testing phase. (You can't use logreject in the others because it's not compatible with the --reject-with thing.) With logreject in the firewall, you can enable Syslogd and Klogd under System Logging on the GUI>Services>Services page and then watch what happens in the log file, if anything, when your kids have a go at their exploit. There's a crude log-viewing window in GUI>Status>Syslog, or sometimes I just use tail -f /tmp/var/log/messages in the CLI, watch the log play out until I'm tired of it, then type a control-C to exit the tail.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
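The two points raised so far, the udp-reset rule that iptables silently refused and the question of what can actually reach the WAN interface, can be checked rather than guessed at. The script below is an added example, not code from this thread, from DD-WRT or from NordVPN. It prints a corrected kill-switch rule set for a DD-WRT OpenVPN client (the block rules match on the WAN out-interface alone rather than on -i br0, so forwarded traffic arriving on any LAN-side interface is caught, and inbound tunnel traffic is limited to replies), applies it with -I in the intended order, and adds two audit functions: check_reject_types flags any --reject-with value iptables will refuse, and wan_leak_rules reads `iptables -S FORWARD` output and lists every rule that can still hand traffic to the WAN interface above the catch-all block, for example a default lan2wan jump left on top when rules were appended with -A instead of inserted with -I. It assumes the LAN bridge is br0, the tunnel is tun0 and the WAN interface name is passed as an argument (vlan2 here; `nvram get wan_iface` on the router); the state match and the logdrop/logreject chains are assumed to exist in the firmware, and the sample dumps and script are constructed for the example, not captured from a router.

```shell
#!/bin/sh
# Added example (not code from this thread, DD-WRT or NordVPN). Two halves:
#  1. kill_switch_rules / apply_kill_switch build a LAN->tunnel-only FORWARD
#     policy for a DD-WRT OpenVPN client using only reject types iptables accepts;
#  2. check_reject_types and wan_leak_rules audit a firewall script or an
#     `iptables -S FORWARD` dump for the two failure modes discussed above.
# Assumptions: LAN bridge br0, tunnel tun0, WAN interface passed as $1
# (vlan2 on the poster's box; use "$(nvram get wan_iface)" on the router).

TUN_IF=tun0
LAN_IF=br0

# Reject types the REJECT target accepts (iptables-extensions(8)); anything
# else, such as "udp-reset", makes iptables refuse the whole rule.
REJECT_TYPES="icmp-net-unreachable icmp-host-unreachable icmp-port-unreachable
icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited
icmp-admin-prohibited tcp-reset"

# valid_reject_type TYPE -> exit 0 if iptables will accept it, 1 otherwise.
valid_reject_type() {
    for t in $REJECT_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# kill_switch_rules WAN_IF
# Prints the rules top-to-bottom as they should sit in the chains. The block
# rules match on the WAN out-interface only (no -i br0), so traffic forwarded
# from any LAN-side interface is caught. Tunnel->LAN is limited to replies
# (assumes the state match is built into the firmware, as it usually is).
kill_switch_rules() {
    wan=$1
    cat <<EOF
iptables -I FORWARD -i $LAN_IF -o $TUN_IF -j ACCEPT
iptables -I FORWARD -i $TUN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o $wan -p tcp -j REJECT --reject-with tcp-reset
iptables -I FORWARD -o $wan -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -I FORWARD -o $wan -j REJECT --reject-with icmp-host-prohibited
iptables -I INPUT -i $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i $TUN_IF -j REJECT
iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE
EOF
}

# apply_kill_switch WAN_IF   (on the router, as root)
# Every rule uses -I, which always lands at position 1, so the list is fed
# in reverse (sed emulates tac) to end up in the order printed above.
apply_kill_switch() {
    kill_switch_rules "$1" | sed -n '1!G;h;$p' | while read -r cmd; do
        $cmd || echo "not installed: $cmd" >&2
    done
}

# check_reject_types < firewall-script
# Prints every --reject-with value iptables would refuse; exit 1 if any.
check_reject_types() {
    bad=0
    while read -r line; do
        set -- $line
        while [ $# -gt 1 ]; do
            if [ "$1" = "--reject-with" ] && ! valid_reject_type "$2"; then
                echo "invalid reject type: $2"
                bad=1
            fi
            shift
        done
    done
    return $bad
}

# wan_leak_rules WAN_IF < output of `iptables -S FORWARD`
# Prints every FORWARD rule that can still hand traffic to WAN_IF before a
# catch-all DROP/REJECT is reached; exit 0 when nothing is printed. A jump
# to an accept chain such as DD-WRT's lan2wan counts as a leak.
wan_leak_rules() {
    wan=$1
    blocked_in=""   # in-interface already covered by a catch-all block; "*" = all
    leaks=0
    while read -r line; do
        set -- $line
        [ "$1" = "-A" ] && [ "$2" = "FORWARD" ] || continue
        in_if="" out_if="" proto="" target=""
        while [ $# -gt 1 ]; do
            case $1 in
                -i) in_if=$2 ;;
                -o) out_if=$2 ;;
                -p) proto=$2 ;;
                -j) target=$2 ;;
            esac
            shift
        done
        [ "$out_if" = "$wan" ] || continue
        # rules below a catch-all block are unreachable for that traffic
        if [ "$blocked_in" = "*" ]; then continue; fi
        if [ -n "$blocked_in" ] && [ "$blocked_in" = "$in_if" ]; then continue; fi
        case $target in
            DROP|REJECT|logdrop|logreject)
                [ -z "$proto" ] && blocked_in=${in_if:-*} ;;
            *)
                echo "leak: $line"
                leaks=1 ;;
        esac
    done
    return $leaks
}

# Constructed sample of `iptables -S FORWARD` after apply_kill_switch vlan2
# on top of a DD-WRT-style default rule (not captured from a real router).
GOOD_DUMP='-P FORWARD ACCEPT
-A FORWARD -i br0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o vlan2 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -o vlan2 -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o vlan2 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i br0 -o vlan2 -j lan2wan'

# Same idea with the rules appended using -A instead (the -I/-A trap): the
# default lan2wan jump now sits above the block and wins. Constructed sample.
BAD_DUMP='-P FORWARD ACCEPT
-A FORWARD -i br0 -o vlan2 -j lan2wan
-A FORWARD -i br0 -o tun0 -j ACCEPT
-A FORWARD -o vlan2 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -o vlan2 -j REJECT --reject-with icmp-host-prohibited'

# The three kill-switch lines from the opening post, as constructed audit input.
OP_SCRIPT='iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset'

# On the router:  . ./killswitch.sh && apply_kill_switch "$(nvram get wan_iface)"
# Audit later:    iptables -S FORWARD | wan_leak_rules "$(nvram get wan_iface)"
# Offline:        printf '%s\n' "$OP_SCRIPT" | check_reject_types
```

Run the audit right after the firewall script has been applied and again later if the behaviour changes; if the listing differs between the two runs, something else is rewriting the chain and that is what to look at next, not the rule text. `printf '%s\n' "$OP_SCRIPT" | check_reject_types` reports the udp-reset line, and `printf '%s\n' "$BAD_DUMP" | wan_leak_rules vlan2` reports the lan2wan jump sitting above the block.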
scar1943
DD-WRT User


Joined: 10 Nov 2018
Posts: 350
Location: South Carolina

Posted: Sun Nov 11, 2018 15:52
SurprisedItWorks, unfortunately, that doesn't seem to work, but with a twist outcome. When the router is booted or powered on for the first time with the scripts active, blocking seems to work, giving a "Destination unreachable" type error. However, over a length of around 30 mins (purely a guess), the exploit seems to work again. While I have been successful in blocking the address range, I'm still frustrated in understanding why it's working at all. P2P traffic seems to find its way around the firewall as well. If I had the ability to sniff the traffic and see where it was going to and from, I would "cut it off at the pass". I would think that a hard-coded "nothing leaves without going through the VPN tunnel" would be an obvious need/want option when using OpenVPN.

Thanks for the help!
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Sun Nov 11, 2018 16:11
Interesting. Unfortunately, I'm an iptables newbie. To my networking-noob mind it looks like you should be getting the blocking you seek because of your

iptables -I FORWARD -i br0 -o vlan2 -j DROP

assuming your wan is vlan2 rather than the default eth0. (You set up vlans at some point?)

I did just discover a curiosity, that this udp rule we've been discussing shows in my iptables -vL FORWARD output as if it were entered with --reject-with icmp-port-unreachable, but I didn't add such an option.

In any case, this is over my head for sure and calls for someone with more of a networking clue. I'd suggest posting it in the Advanced Networking forum. Gurus seem to cruise that forum more regularly than they do our marvell forum.

scar1943
DD-WRT User


Joined: 10 Nov 2018
Posts: 350
Location: South Carolina

Posted: Mon Nov 12, 2018 17:11
Hi Surprised,

Yeah, it's over my head as well. I've even wiped the router and tried the eth0 script option. I guess it isn't that big a deal, except it seems to be a possible security weakness. I don't quite feel in control of what the ISP can and can't see as long as it continues, though ipleak.net claims it's tight unless the exploit is executed. Since I keep the firmware current as long as everything else keeps working, I'll be watching to see if the problem mysteriously vanishes, or someone comes up with some ideas or reasons it acts as it does.