Discovered flaw in automatically connecting to VPN in Ubuntu

Discussion in 'privacy problems' started by krustytheclown2, Dec 13, 2014.

  1. krustytheclown2

    krustytheclown2 Registered Member

    Joined: Nov 18, 2014
    Posts: 210

    In network manager I set my Wifi to "Automatically connect to VPN"

    When you click to connect, you'll see the Wifi applet blinking for about 10 seconds before you connect to the VPN server

    In this short time frame, you're able to access the actual network you're on without the VPN. I tested this by setting whatismyip.com as my homepage, and opening the browser in that brief moment, and seeing my actual IP address.

    Practically speaking, this can be a concern if you try switching VPN exit nodes in the middle of a browsing session using the "Automatically connect" in an attempt to not expose the session - the sites you have open might be visible to your ISP for that brief glimpse.

    Just thought I'd like to point out the minor issue. Debian handled "Automatically connect" the same way as Ubuntu
     
  2. Mayahana

    Mayahana Banned

    Joined: Sep 13, 2014
    Posts: 2,220

    This likely would expose the session, and that's surely a risk as you point out.
     
  3. noone_particular

    noone_particular Registered Member

    Joined: Aug 8, 2008
    Posts: 3,798

    It's entirely possible that automated update checking and other features that "call home" would also deanonymize you unless your system is prevented from making any direct connections.
     
  4. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011
    Posts: 6,030

    One solution is not switching VPN routes while browsing.

    Another is installing <https://github.com/adrelanos/VPN-Firewall>. Configure it to allow traffic to all of the VPN server IPs that you'll be using. To do that, you edit /usr/bin/vpnfirewall:

    ###########################
    ## configuration
    ###########################
    ## IP address of the VPN server.
    ## Get the IP using: nslookup vpn-example-server.org
    ## Example: seattle.vpn.riseup.net
    ## Some providers provide multiple VPN servers.
    ## You can enter multiple IP addresses, separated by spaces
    VPN_SERVERS="198.252.153.26"

    ## For OpenVPN.

    VPN_INTERFACE=tun0

    ## Destinations you do not want routed through the VPN.
    LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"

    If you're using WiFi, "VPN_INTERFACE" should probably be "wlan0".

    Then start VPN-Firewall as explained.

    Now no traffic can get out, except to VPN servers. Not even DNS lookups.
     
  5. Mayahana

    Mayahana Banned

    Joined: Sep 13, 2014
    Posts: 2,220

    This is similar to what we do to static. We static through the VPN, but provide no statics outside of the VPN. Therefore it's impossible for any traffic to traverse outside of the VPN static route.
     
  6. Palancar

    Palancar Registered Member

    Joined: Oct 26, 2011
    Posts: 1,599

    Like Mirimir I prefer to use a firewall structure to protect me (from myself) even if I make a mistake. Once I bring up the machine, start IP tables locking down to tun0, it becomes the only way in and out. I would like to think I wouldn't make such a stupid mistake, but hey I've seen "ME" do it before.

    Being lazy, I simply use an auto-revolving TOR circuit at the end of the chain. No need to drop the browser; it all happens every 10 minutes in the background.
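
The default-deny approach that mirimir and Palancar describe, as an added example that is not part of the thread and is not VPN-Firewall's own code: it turns the three settings posted above into an iptables-restore ruleset. The function names are hypothetical, and VPN_INTERFACE is assumed to be the tunnel device (tun0), as in the posted configuration.

```shell
#!/bin/sh
# Added example, NOT taken from VPN-Firewall. The values are the ones posted
# in the thread; the function names are hypothetical.
VPN_SERVERS="198.252.153.26"
VPN_INTERFACE=tun0   # gets an accept-all rule below, so it must be the tunnel
LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"

# Shape check only: dotted quad with an optional /prefix. Hostnames are
# refused, because with DNS blocked they could not be resolved at connect time.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print a default-deny ruleset in iptables-restore format.
# Prints nothing and returns 1 if any configured address is not an IP.
gen_killswitch_rules() {
    for addr in $VPN_SERVERS $LOCAL_NET; do
        is_ipv4 "$addr" || { echo "not an IP address: $addr" >&2; return 1; }
    done
    # Policy DROP on every chain: whatever is not accepted below is discarded.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT'
    # Everything routed into the tunnel may leave.
    printf '%s\n' "-A OUTPUT -o $VPN_INTERFACE -j ACCEPT"
    # Outside the tunnel only the VPN servers and the local networks are
    # reachable; a request to a public site is dropped while the tunnel is
    # still coming up.
    for addr in $VPN_SERVERS $LOCAL_NET; do
        printf '%s\n' "-A OUTPUT -d $addr -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Preview only. To load the rules (as root):
#   gen_killswitch_rules | iptables-restore
gen_killswitch_rules
```

Loaded before the VPN connection is started, this ruleset drops a request to a public site during the connect window instead of sending it over the bare network. Anything inside LOCAL_NET, a router's DNS forwarder included, stays reachable outside the tunnel.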
     