7/30/2019 Hardening Your VPN Setup With Iptables
InputOutput.io
The free-thinkin free-speakin rabble-rousin geek.
Jul 14 2011
Hardening your VPN Setup with iptables
Category: Hacks, How-Tos | Tags: iptables, openvpn, routes, security, SSL, vpn | No Comments
I'll be heading out to Defcon 19 next month, so I want my VPN connection to be stable and secure.
You probably know the situation. You're at your local coffee shop, using their (hopefully not) wide-open unsecured wifi hotspot. But you're smart enough not to send all your data out over the clear, since there might be malicious script kiddies ready to take your sensitive data and sell it to kids on the street. So you use a VPN. You fire up OpenVPN and connect to your VPN service. Then you start browsing, comforted by the fact that your traffic is encapsulated in a secure SSL tunnel. Better yet, the user experience is transparent: you don't have to configure your applications to manually use a SOCKS5 proxy. OpenVPN handles your routing tables and creates a virtual interface using the tun module. It's so simple, you don't need to think about it. But there's a problem with this setup.
Hardening your VPN Setup with iptables - InputOutput.io http://www.inputoutput.io/hardening-your-vpn-setup
4 06/05/1
No one can reach into your stream and extract or insert data, but there's a caveat. Anyone can destroy your TCP stream by sending you a spoofed RST packet that appears to come from the remote server, or by otherwise making the service unavailable to you. Destroying the TCP stream destroys the virtual (tun) interface, which, in turn, destroys the routes associated with that interface. Now you're using your physical interface, unprotected from those pesky hackers. Worse still, you don't realize it. Not a thing has changed from the perspective of user experience. Since everything is transparent, you don't notice any change at all. Now you're screwed.
Little did you know that this all could have been avoided by our friend iptables. Sure, you could modify your routes further to ensure that only traffic going to the remote server goes over your physical interface, but that's too easy. Plus, routing tables aren't intended for security; they're intended to move packets along. iptables seems like the tool for the task, so I modified a script I found here to make sure that we disallow any traffic that we don't want:
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
# name of primary network interface (before tunnel)
PRIMARY=wlan0
# address of tunnel server
SERVER=seattle.vpn.riseup.net
# address of vpn server
VPN_SERVER=seattle.vpn.riseup.net
# gateway ip address (before tunnel - adsl router ip address)
# automatically determine the ip from the default route
GATEWAY=$(route -n | grep $PRIMARY | egrep "^0\.0\.0\.0" | tr -s " " | cut -d" " -f2)
# name of the tunnel interface openvpn creates
TUNNEL=tun0
openvpn --config /my/path/to/riseup.ovpn --auth-user-pass /my/path/to/authentication.conf &
# iptables rules - important!
#LOCAL_NET=192.168.0.0/16
LOCAL_NET=$GATEWAY
# Flush all previous filter rules; you might not want to include this line if you already have other rules
iptables -t filter --flush
# delete any MYVPN chain left over from an earlier run (harmless if none exists), then recreate it
iptables -t filter -X MYVPN 2>/dev/null
iptables -t filter -N MYVPN
# Exceptions for local traffic & vpn server
iptables -t filter -A MYVPN -o lo -j RETURN
iptables -t filter -A MYVPN -o ${TUNNEL} -j RETURN
iptables -t filter -A MYVPN --dst 127.0.0.1 -j RETURN
iptables -t filter -A MYVPN --dst $LOCAL_NET -j RETURN
iptables -t filter -A MYVPN --dst ${SERVER} -j RETURN
iptables -t filter -A MYVPN --dst ${VPN_SERVER} -j RETURN
# Add extra local nets here as necessary
# Everything that was not exempted above is dropped
iptables -t filter -A MYVPN -j DROP
# MYVPN traffic leaving this host:
iptables -t filter -A OUTPUT -p tcp --syn -j MYVPN
iptables -t filter -A OUTPUT -p icmp -j MYVPN
iptables -t filter -A OUTPUT -p udp -j MYVPN
echo "nameserver 8.8.8.8" > /etc/resolv.conf
You'll want to modify the openvpn command, interfaces, and servers to meet your needs. And that's it! If your stream is taken down, you have these rules to protect you. I have this script as a post-connect hook for any untrusted networks I connect to (wicd is a nice network manager for adding hooks). Later, if you want your traffic to go over the clear again, you can use this script:
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
# remove the kill switch: flush the filter table and delete the MYVPN chain
iptables -t filter --flush
iptables -t filter -X MYVPN
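Two checks worth running around the scripts above, as an added example that is not part of the original post or of the script it adapts. The first parses `route -n` output the way the script's GATEWAY= line does, but with awk and with a failure status when the interface has no default route. The second parses `iptables -S` output and confirms the MYVPN chain is armed: it exists, it exempts the tunnel interface, it ends in an unconditional DROP, and OUTPUT hands new TCP connections, UDP and ICMP to it. Both read from stdin, so they run here on constructed text (the routing table, the gateway 192.168.1.1, the placeholder server address 203.0.113.10 and the tun0/tun1 names are all assumptions made up for the example); on a live box you would feed them the real commands. `iptables -S` prints `--syn` in its expanded form `--tcp-flags FIN,SYN,RST,ACK SYN`, which the check accounts for.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the MYVPN kill switch.
#   route -n    | gateway_from_route_table wlan0
#   iptables -S | check_killswitch tun0

# Print the gateway of the default route that leaves via the interface in $1.
# Exits 1 when there is none (interface down, or no default route on it).
gateway_from_route_table() {
  awk -v iface="$1" '$1 == "0.0.0.0" && $8 == iface { print $2; found = 1; exit }
                     END { if (!found) exit 1 }'
}

# Verify the MYVPN chain from an `iptables -S` dump on stdin. Returns 0 when the
# switch is armed, 1 (naming the first failing property) otherwise.
check_killswitch() {
  cks_tunnel="$1"
  cks_dump=$(cat)
  # 1. The chain exists at all (the unlock script removes it with -X).
  printf '%s\n' "$cks_dump" | grep -q '^-N MYVPN$' \
    || { echo "MYVPN chain missing: traffic can leave over any interface"; return 1; }
  # 2. Packets leaving through the tunnel are exempted; without this the
  #    VPN itself would be cut off and nothing would work.
  printf '%s\n' "$cks_dump" | grep -q "^-A MYVPN -o $cks_tunnel -j RETURN$" \
    || { echo "no RETURN for $cks_tunnel: rules exempt a different interface"; return 1; }
  # 3. The last rule in the chain is an unconditional DROP, so anything not
  #    explicitly exempted is discarded once the tunnel is gone.
  cks_last=$(printf '%s\n' "$cks_dump" | grep '^-A MYVPN ' | tail -n 1)
  [ "$cks_last" = "-A MYVPN -j DROP" ] \
    || { echo "MYVPN does not end in DROP (last rule: $cks_last)"; return 1; }
  # 4. OUTPUT sends new TCP connections, UDP and ICMP through the chain; a
  #    protocol with no jump here bypasses the switch entirely.
  for cks_proto in tcp udp icmp; do
    printf '%s\n' "$cks_dump" | grep -q "^-A OUTPUT -p $cks_proto .*-j MYVPN$" \
      || { echo "OUTPUT has no $cks_proto jump to MYVPN"; return 1; }
  done
  echo "kill switch armed"
}

# Constructed `route -n` output, as it would look before the tunnel is started.
ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0'

# Constructed `iptables -S` output after the hardening script ran with
# TUNNEL=tun0, GATEWAY=192.168.1.1 and the server name resolving to 203.0.113.10.
ARMED_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N MYVPN
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MYVPN
-A OUTPUT -p icmp -j MYVPN
-A OUTPUT -p udp -j MYVPN
-A MYVPN -o lo -j RETURN
-A MYVPN -o tun0 -j RETURN
-A MYVPN -d 127.0.0.1/32 -j RETURN
-A MYVPN -d 192.168.1.1/32 -j RETURN
-A MYVPN -d 203.0.113.10/32 -j RETURN
-A MYVPN -j DROP'

# Constructed `iptables -S` output after the unlock script: only the policies remain.
DISARMED_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

demo() {
  printf 'gateway on wlan0: %s\n' "$(printf '%s\n' "$ROUTE_TABLE" | gateway_from_route_table wlan0)"
  printf '%s\n' "$ARMED_DUMP"    | check_killswitch tun0   # armed as intended
  printf '%s\n' "$ARMED_DUMP"    | check_killswitch tun1   # tunnel came up under another name
  printf '%s\n' "$DISARMED_DUMP" | check_killswitch tun0   # after the unlock script
  return 0
}
demo
```

The tun1 case is the one to keep in mind: the script hard-codes TUNNEL=tun0, and if OpenVPN attaches to a different tun device the RETURN rule exempts an interface that carries nothing, so the VPN traffic itself is dropped rather than leaked. The check reports that immediately instead of leaving you to discover it by a dead connection.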
2013 InputOutput.io | Theme wpBurn Blue by wpburn.com