check bitmask for shared VPN/Tor server leak bug
Open, Wishlist, Public

Description

With openvpn...

If a Tor entry guard is running on the same server (same IP) as the VPN server (same IP), and if the VPN breaks down, Tor may connect directly to the VPN if it happened to choose that Tor relay (same IP) as entry guard. This is not that unlikely, because a lot of VPN providers support VPN port forwarding, use public IPs and people host Tor servers behind VPNs.

A partial solution for this is to set the VPN VM's firewall rules to allow connections only to the VPN server. Specifying the destination port in that firewall rule should help a lot. Some cases will not be solved (like VPN running on 443).

A full solution is to allow only the user tunnel to connect to the open internet, and no other users.

(Similar to T460.)

TODO:

  • improve above issue description
  • check if bitmask is affected

Details

Impact
Normal

Event Timeline

Patrick created this task. May 4 2016, 6:56 PM
entr0py added a subscriber: entr0py. Jun 2 2016, 9:56 PM
Patrick changed the task status from Open to Review. Aug 15 2016, 10:46 PM
Patrick changed the task status from Review to Open. Mar 7 2018, 1:25 AM
Patrick lowered the priority of this task from Normal to Wishlist.
Patrick removed a project: Whonix 14.
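
The two firewall approaches from the task description, written out as an added example (not part of the original task and not Whonix or bitmask code). The interface names, the server address 192.0.2.10, UDP port 1194 and the function names are assumptions; the account name tunnel is the one the description mentions, assumed here to be the account the VPN client runs under.

```shell
#!/bin/sh
# Added example: fail-closed OUTPUT rules for a VPN gateway VM.
# Dry-run by default (prints the commands). Run as root with IPT=iptables to apply.
IPT=${IPT:-echo iptables}

# Assumed values, constructed for illustration.
EXT_IF=${EXT_IF:-eth0}        # physical interface
TUN_IF=${TUN_IF:-tun0}        # VPN tunnel device
VPN_IP=${VPN_IP:-192.0.2.10}  # VPN server (documentation address range)
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-udp}
VPN_USER=${VPN_USER:-tunnel}  # account the VPN client runs as

# Shared part: drop by default, allow loopback and anything routed into the tunnel.
base_rules() {
    $IPT -F OUTPUT
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o "$TUN_IF" -j ACCEPT
}

# Partial solution: any local process may reach the VPN server's IP, limited
# to the VPN's protocol and port. A Tor guard on the same IP is blocked only
# while its port differs from the VPN's (the task lists VPN on 443 as unsolved).
partial_rules() {
    base_rules
    $IPT -A OUTPUT -o "$EXT_IF" -d "$VPN_IP" -p "$VPN_PROTO" \
        --dport "$VPN_PORT" -j ACCEPT
}

# Full solution: only packets created by the VPN account may leave on the
# physical interface. When the tunnel is down, Tor (a different account) has
# no matching ACCEPT rule, whatever IP and port its guard uses.
full_rules() {
    base_rules
    $IPT -A OUTPUT -o "$EXT_IF" -m owner --uid-owner "$VPN_USER" -j ACCEPT
}

# Optional command-line use: "partial" or "full" as the first argument.
case "${1:-}" in
    partial) partial_rules ;;
    full)    full_rules ;;
esac
```

The owner match only applies to locally generated packets, so it fits a setup where Tor and the VPN client run on the same machine under different accounts.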