
fix shared VPN/Tor server leak bug
Closed, Resolved (Public)

Description

If a Tor entry guard is running on the same server as the VPN server (variable VPN_SERVERS) and the VPN breaks down, Tor may connect directly to the VPN if it happened to choose that as its entry guard. This is a bug if the user wants to hide Tor.

The risk increases if the VPN supports remote port forwarding, because that allows anyone to host a Tor entry guard and have it show up with the VPN's external IP.

It can be fixed by only allowing user tunnel to establish connections once VPN_FIREWALL has been set to 1. (As opposed to currently allowing connections to all IPs defined by variable VPN_SERVERS.)

Qubes:
https://github.com/QubesOS/qubes-issues/issues/1941
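
A defender-side check for the condition described above, added here as an example and not part of the original task or of Whonix's code: it scans consensus-style relay entries for Guard-flagged relays whose address falls inside VPN_SERVERS. The function names, the whitespace-separated IP/CIDR format assumed for VPN_SERVERS, and the sample data are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the layout of a Tor consensus ("r" router line followed
# by an "s" flags line). Nicknames, identities and addresses are made up;
# the addresses come from documentation ranges.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2016-05-02 10:00:00 198.51.100.7 9001 0
s Fast Guard Running Stable Valid
r relayB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-05-02 10:00:00 203.0.113.20 443 0
s Exit Fast Running Valid
r relayC CCCCCCCCCCCCCCCCCCCCCCCCCCC 2016-05-02 10:00:00 203.0.113.99 9001 9030
s Fast Guard Running Valid
r relayD DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-05-02 10:00:00 192.0.2.55 9001 0
s Fast Guard Running Valid
"""


def parse_relays(consensus_text):
    """Yield (nickname, ip, flags) for each relay entry (hypothetical helper)."""
    current = None
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            # The address is the third field from the end of the "r" line.
            try:
                current = (parts[1], ipaddress.ip_address(parts[-3]))
            except ValueError:
                current = None  # malformed address: skip this relay
        elif parts[0] == "s" and current:
            yield current[0], current[1], set(parts[1:])
            current = None


def guards_on_vpn_servers(consensus_text, vpn_servers):
    """Return Guard-flagged relays whose address is covered by VPN_SERVERS.

    vpn_servers: whitespace-separated IPs or CIDR ranges (assumed format).
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in vpn_servers.split()]
    return [(nick, str(ip))
            for nick, ip, flags in parse_relays(consensus_text)
            if "Guard" in flags and any(ip in net for net in nets)]
```

Any relay this returns is one that Tor could pick as entry guard and then reach directly through a firewall exception for VPN_SERVERS while the VPN is down.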

Details

Impact
Normal

Event Timeline

Patrick created this task. Dec 29 2015, 9:36 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description.
Patrick set Impact to Normal.
Patrick added subscribers: Patrick, HulaHoop.
Patrick closed this task as Resolved. May 2 2016, 11:40 PM
Patrick claimed this task.

Works.

Documentation ( https://www.whonix.org/wiki/Next#VPN_before_Tor ) tested.

Patrick updated the task description. May 4 2016, 6:53 PM
Patrick renamed this task from fix potential VPN_FIREWALL leak to fix shared VPN/Tor server leak bug. Jun 7 2016, 9:18 PM