Sometimes my OpenVPN connection is interrupted for reasons other than sleep (hiccup on the openvpn server side of things, i'm guessing?) and in these cases my web and email traffic will flow through the default adapter(?) unencrypted. I'd much prefer to get a warning message and have tunnelblick halt all traffic and wait for reconnection.
I'm reminded of Little Snitch. I wonder how they accomplish their network access interrupt? I wonder if it'd be possible for Tunnelblick to hook in at a similar point and prevent traffic from flowing unencrypte if a tunnel was opening or reconnecting? Just brainstorming a bit, I might be completely off-base in terms of implementation.
> --
> You received this message because you are subscribed to the Google Groups "tunnelblick-discuss" group.
> To post to this group, send email to tunnelbli...@googlegroups.com.
> To unsubscribe from this group, send email to tunnelblick-dis...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/tunnelblick-discuss?hl=en.
>
> That would be fine, too. But I don't know how to do any of this stuff.
We need to solve the following:
a) block some ports on sleep
b) detect vpn reconnection and delete the blocking rule
blocking some ports with ipfw is easy (as root):
ipfw add 4711 deny log ip from any to any 143,220,585,993,25 out
by using a rulenumber (4711) its also easy to delete this rule if
needet:
ipfw delete 4711
you can check the ipfw rules with
ipfw show
detecting sleep is not to difficult , i once needet to prevent a
machine from sleeping 2 times in a raw, because some software didn't
work after sleep
so i wrote a little program counting the sleeps and initiating a
restart on the second sleep.
(see the attached main.c file)
Maybe it is necessary to integrate the ipfw rule creation and deletion
into a small program which when running initiates the block everytime
a sleep is initiated. an example how to call ipfw as a shell
invocation from c, see the attachment call2.c
(must run as root to access ipfw)
Someone could use this info as a scribble to create a solution for the
op's problem.
Greetings
Ralf
runs on 10.4 and 10.5, didn't test 10.6 but hey it's puse bsd firewall
code!
>
> (2) What happens if there already is a rule 4711? If ipfw returns an
> error, Tunnelblick can try another (random) rule number until it gets
> one that worked. If ipfw replaces the old rule with ours, that is a
> big problem.
yes, one should use 'ipfw show' to test for used rule numbers
>
> (3) Does this ipfw rule allow OpenVPN to reestablish the connection?
this rule just blocks the given ports (143,.....)
the right thing would be to block anything but the ports one needs to
restablish the vpn connection, but i don't know them all
(can i?: bootp, dns, kerberos... ???)
so i started by just blocking mail related ports, i am sure this list
should be *carefully* choosen.
the right thing:
ipfw add <unused low number> <allow any local connections, just don't
remember syntax>
ipfw add <unused low number+1> allow ip from any to any <list of ports
needed to reestablish network> out
ipfw add <unused low number+2> deny ip from any to any
not shure if we really need 3 rulenumbers - maybe adding all with one
number is also ok
btw. OS X used to refuse to install own firewall rules once it detects
other rules are manually installed, that may be a problem.
>
> Assuming these can be dealt with, I could put this into Tunnelblick.
Be careful, i think this may should be another project, something like
little snitch, only for special cases.
>
> I would propose two options (both disabled by default -- at least at
> first): block all connectivity unless there is a VPN connection
for BLOCK_ALL we need to know all needet ports (see above)
> (BLOCK_ALL), and block only when waking up from sleep until a VNP
> connection has been established (BLOCKWAKE). It will be complex to
> implement them to work with the "connect when computer starts" option
> available in Tunnelblick 3.1beta16, though, because Tunnelblick itself
> isn't running -- only OpenVPN is running.
may be we could implement an service started at boot time, reading a
preference which ports to block,
reacting on some special signals ( or hooking into ntework change and
powerdown events ) or ...
just a scribble!
>
> I guess I'll be looking closely at ipfw! I have a lot of stuff stacked
> up, though, so it may be a while before I can get around to it.
sorry to tell you, currently i have no time left to help you
implementing the whole idea,
but don't hesitate to ask questions if you run into problems
(i'am still running tunnelblick 3.0b10 with some custom scripts for
regarding dns)
greetings
ralf
I want to say I really like the tunnelblick program.
First, I am a novice and I realized that every time I see the emails going
back and forth.
I do have a question. I am ussing Tunnelblick to connect to an Astaro
Security Appliance. It works fine and I am able to access the far end
network and web browse through that network, I even am doing my DNS queries
from the far network. (I verified by going a site that showed me the ISP
address, and check the DNS logs).
Should I be concerned about leakage? What type of information is sent out of
un-trusted network that I should be concerned about?
Thanks!
I wouldn't think its necessary to give priority to the use case of
blocking traffic from bootup until the VPN starts. This isn't how most
VPN clients work, and its easier for an admin to supply a solution for
this requirement because both system startup and connection to the VPN
are controlled, user-initiated processes.
An unexpected disconnection, however, seems to be more of a problem. Its
uncontrolled and spills information the user thought was secure out onto
the open net.
Some thoughts:
1. If openvpn would signal that the connection was lost several seconds
before doing anything then maybe another program (like Tunnelblick)
could take action without exposing data.
2. I thought that if the VPN went down the routing tables had to be
restored to their prior 'normal' state so that network traffic can flow
(this is how I think openvpn normally works... it restores routing info
on exit).
If openvpn left the routing info untouched after a connection was lost
then wouldn't net access stay blocked (with zero leakage) until further
action was taken? This behavior would allow a GUI like Tunnelblick to
prompt the user about the lost connection and let them make a decision
-- to quit or reconnect -- in safety. This strikes me as a very natural
course to take involving the least amount of pain.
3. What options are there to persistently reconnect, and are the routing
tables touched while reconnection is being attempted? (Secure answer to
the last part I think would be 'No').
4. You are right: Options like 'redirect-gateway' which redirect all
traffic have an added security connotation to them: It is not up to the
client applications to specifically address a VPN-secured address range.
5. Openvpn and Tunnelblick should differentiate between 'initiated
connect', 'reconnect', 'lost connection' and 'initiated disconnect' as
distinct states or processes so that sessions can be managed securely.
The impression I'm getting is that the openvpn people have treated
reconnection as just being another connection process that happens
later, and that 'connection' isn't so much a conceptual phase that is
satisfied by code but more like just a phase in their code. This
thinking has lead to the leakage problem.
6. I think (1b - 1f) don't really apply to a 'lost connection' state
since that state is very temporary and not a part of system startup.
7. (1a) sounds very nice but I think its a separate feature. Flagging a
Mac OS Location+Interface combination as 'secure' in Tunnelblick could
make this usable.
8. Re: your (1g) point: When multiple connections are involved, only one
can actively have all traffic routed through it. The anti-leakage
measures would automatically act on only that connection.
9. I think its possible to prevent any/all leakage (1h) after a
connection is lost if the OS and openvpn help us out a little (see my #1-3).
10. Maybe you could get some of the openvpn people involved on this issue...