CVE-2019-14899: Suggested VPN Vulnerability Mitigation

johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

Posted: Thu Feb 27, 2020 2:19
egc wrote:
RTFM

See the link to The open VPN server setup guide in my signature.


This is quite a bit different than my original config. After making changes in the OpenVPN server config webgui, setting up firewall rules and rebooting, the clients connected but couldn't pass traffic. Continuing reading the server setup, it seems that I need to make additional config for things like routes and ccd files. Too much config to do for this. My understanding is that these firewall rules were supposed to allow traffic to flow with the CVE mitigation enabled:

iptables -t nat -A POSTROUTING -s #.#.#.#/24 -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE

Here is an example of what I had done for ccd, which has worked out OK for a long time.

Administration->Commands->Startup:

mkdir -p /jffs/etc/openvpn/ccd/
echo "ifconfig-push #.#.#.50 255.255.255.0" > /jffs/etc/openvpn/ccd/'wifi-device-linux'
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

Posted: Thu Feb 27, 2020 16:14
johnnyNobody999 wrote:
egc wrote:
RTFM

See the link to The open VPN server setup guide in my signature.


This is quite a bit different than my original config. After making changes in the OpenVPN server config webgui, setting up firewall rules and rebooting, the clients connected but couldn't pass traffic. Continuing reading the server setup, it seems that I need to make additional config for things like routes and ccd files. Too much config to do for this. My understanding is that these firewall rules were supposed to allow traffic to flow with the CVE mitigation enabled:

iptables -t nat -A POSTROUTING -s #.#.#.#/24 -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE

Here is an example of what I had done for ccd, which has worked out OK for a long time.

Administration->Commands->Startup:

mkdir -p /jffs/etc/openvpn/ccd/
echo "ifconfig-push #.#.#.50 255.255.255.0" > /jffs/etc/openvpn/ccd/'wifi-device-linux'


I forgot to mention that I can't connect to devices on the LAN, either, as well as from the WAN. Turning off the CVE mitigation allows the VPN to work. I'm going over this again but it looks like this should work with the recommended changes. There were a couple of things that I left as-is, such as AES-256-GCM and the TLS Cipher and TLS-Auth, because the clients connect OK with those settings and work fine without the CVE mitigation. So I believe my issue is with the firewall. But, I could be wrong. Also, I decided to stay with the dh key instead of the elliptical key since I already had the dh key created.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12814
Location: Netherlands

Posted: Thu Feb 27, 2020 17:07
Some quick words about this (for a longer explanation see the guide).

The CVE 14899 patch breaks local LAN access for clients connecting to your VPN server.

There are several ways to deal with this:
Disable the patch (I had to fight long and hard to have a choice to disable it, I will spare you the details).
I personally have it disabled, but it is a security risk and if you are a high level government target maybe keep it enabled.

Second, you can use this firewall rule:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE

This is the one you are using and for a normal setup this should work; if not, post your firewall rules (iptables -vnL -t raw, iptables -vnL, iptables -vnL -t nat).

Third, the following firewall rule should also work but it has a slight security risk:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT

BS has changed some code in the latest builds, which, I think, breaks the CVE patch (or at least makes it less effective) and so local LAN access might work even with the CVE patch enabled.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
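The MASQUERADE rule egc recommends above, as an added helper script that is not part of this thread or of DD-WRT itself. It converts the dotted tunmask from nvram into the prefix form that `iptables -vnL` prints, checks the `iptables -vnL -t nat` listing egc asks posters to provide for that rule, and inserts the rule only when it is missing, so re-running a startup script does not stack duplicate MASQUERADE entries. Assumptions: busybox sh with awk as on DD-WRT, the LAN bridge is br0, and the `openvpn_net` / `openvpn_tunmask` nvram variables hold the tunnel subnet as in the thread; on a host without nvram the subnet and mask can be passed as arguments. The listing used for the self-check is constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent helper for the POSTROUTING
# MASQUERADE rule that restores LAN access for VPN clients while the
# CVE-2019-14899 mitigation stays enabled.
# Assumed: busybox sh + awk, LAN bridge br0, nvram vars openvpn_net/openvpn_tunmask.

# Convert a dotted netmask (e.g. 255.255.255.0) to a prefix length (24).
# iptables accepts dotted masks on the command line, but `iptables -vnL`
# prints sources in CIDR form, so the check below needs the prefix.
mask_to_prefix() {
    _p=0
    for _o in $(printf '%s\n' "$1" | tr '.' ' '); do
        case "$_o" in
            255) _p=$((_p + 8)) ;;
            254) _p=$((_p + 7)) ;;
            252) _p=$((_p + 6)) ;;
            248) _p=$((_p + 5)) ;;
            240) _p=$((_p + 4)) ;;
            224) _p=$((_p + 3)) ;;
            192) _p=$((_p + 2)) ;;
            128) _p=$((_p + 1)) ;;
            0)   ;;
            *)   echo "bad mask octet: $_o" >&2; return 1 ;;
        esac
    done
    echo "$_p"
}

# Read `iptables -vnL -t nat` output on stdin; succeed if POSTROUTING already
# holds a MASQUERADE rule with out-interface br0 and source $1 (CIDR form).
# Columns in -vnL output: pkts bytes target prot opt in out source destination.
vpn_nat_present() {
    awk -v net="$1" '
        /^Chain / { chain = $2; next }
        chain == "POSTROUTING" && $3 == "MASQUERADE" && $7 == "br0" && $8 == net { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Insert the rule only if it is not already there. Arguments override nvram
# so the function can be exercised off the router.
ensure_vpn_nat() {
    net="${1:-$(nvram get openvpn_net)}"
    mask="${2:-$(nvram get openvpn_tunmask)}"
    cidr="$net/$(mask_to_prefix "$mask")" || return 1
    if iptables -vnL -t nat | vpn_nat_present "$cidr"; then
        echo "MASQUERADE rule for $cidr on br0 already present"
    else
        iptables -t nat -I POSTROUTING -o br0 -s "$cidr" -j MASQUERADE
    fi
}

# Only touch the live firewall when explicitly asked:
#   sh vpn_nat.sh --apply              (subnet/mask from nvram)
#   sh vpn_nat.sh --apply 10.8.0.0 255.255.255.0
if [ "${1:-}" = "--apply" ]; then
    ensure_vpn_nat "${2:-}" "${3:-}"
fi
```

On the router this belongs in Administration -> Commands -> Firewall rather than Startup, so it is re-applied whenever the firewall is rebuilt; because the check runs first, repeated invocations leave a single rule in place, which keeps `iptables -vnL -t nat` readable when posting it for troubleshooting.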
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

Posted: Thu Feb 27, 2020 17:17
This is strange. I solved part of the problem when I found a firewall rule copy/paste was bad. That fix enabled me to connect to the server from the WAN side and traffic was OK. But it broke the wifi connections on the WAP, and it's strange that all the WDS connections came up OK but only one 5 GHz client connected OK and none of the others. Even the 2.4 GHz AP wouldn't work. It looks like it's an issue with getting a LAN IP address from the LAN DHCP server. Rebooting didn't help. It's the CVE patch that messed things up, since disabling it made everything work again. I'm leaving it turned off and will wait for a better fix and hope for the best (security-wise).
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Thu Feb 27, 2020 21:28
Copying and pasting into the webUI doesn't always work as expected. The only ways I have found it to work without a hitch are using vi/vim or pico/nano on OSX or Linux.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net