Page MenuHomePhabricator
Create Task
Maniphest T460

fix shared VPN/Tor server leak bug
Closed, ResolvedPublic
Actions

Description

If the a Tor entry guard is running on the same server as the VPN Server (variable VPN_SERVERS), if the VPN breaks down, Tor may connect directly to the VPN if it happened to choose that as entry guard. This is a bug if the user wants to hide Tor.

The risk increases, if the VPN supports remote port forwarding, because that allows anyone to host a Tor entry guard and have it show up with the VPN's external IP.

It can be fixed by only allowing user tunnel to establish connections once VPN_FIREWALL has been set to 1. (As opposed to currently to allow connections to all IP defined by variable VPN_SERVERS.

Qubes:
https://github.com/QubesOS/qubes-issues/issues/1941

Details

Impact
Normal

Related Objects

Event Timeline

Patrick created this task.Dec 29 2015, 8:36 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick added projects: whonix-gw-firewall, vpn-firewall.
Patrick set Impact to Normal.
Patrick added subscribers: Patrick, HulaHoop.
Herald added a project: Whonix. · View Herald TranscriptDec 29 2015, 8:36 PM
Herald added a subscriber: WhonixQubes. · View Herald Transcript
Patrick changed the task status from Open to Review.Dec 29 2015, 8:42 PM

create user 'tunnel'
https://github.com/Whonix/whonix-gw-firewall/commit/00724fd517e66fed0fb52051635aecb9f8e8dca3

when VPN_FIREWALL=1, allow user 'tunnel'; abolished VPN_SERVERS variable
https://github.com/Whonix/whonix-gw-firewall/commit/c26d7395e1d0a6d03ffca320109869bdb5b383a7

Patrick added a comment.Dec 29 2015, 9:08 PM

simplify running OpenVPN as unprivileged user
https://github.com/Whonix/usability-misc/commit/91482787adedabaea6fa0e369784c0d4a05b41c0

Patrick added a project: usability-misc.Dec 29 2015, 9:08 PM
Patrick added a comment.Jan 9 2016, 4:44 PM
Patrick added a project: Whonix 14.May 1 2016, 5:30 PM
Patrick closed this task as Resolved.May 2 2016, 9:40 PM
Patrick claimed this task.

Works.

Documentation ( https://www.whonix.org/wiki/Next#VPN_before_Tor ) tested.

Patrick updated the task description. (Show Details)May 4 2016, 4:53 PM
Patrick mentioned this in T506: check bitmask for shared VPN/Tor server leak bug.May 4 2016, 4:56 PM
Patrick mentioned this in T158: whonix-ws-firewall needs a VPN_FIREWALL feature.
Patrick renamed this task from fix potential VPN_FIREWALL leak to fix shared VPN/Tor server leak bug.Jun 7 2016, 7:18 PM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer