
Add support for redirect-gateway block-local

Open fkooman opened this issue 5 years ago • 4 comments

OpenVPN supports the redirect-gateway value block-local:

block-local -- Block access to local LAN when the tunnel is active, except for the LAN gateway itself. This is accomplished by routing the local LAN (except for the LAN gateway address) into the tunnel.

The idea is to avoid the "local" attack vector where devices on the LAN can connect to the iOS device. I am not sure this is a real threat on iOS? Maybe a firewall on the device takes care of this, or maybe iOS doesn't allow you to block "(W)LAN" traffic...

fkooman, Apr 02 '19 21:04

@fkooman say I'm the client and my LAN is 192.168.12.0/24 with gateway 192.168.12.1. Then I get access to the VPN which connects me to 10.1.2.0/24, with gateway 10.1.2.1.

Am I supposed to block access to 192.168.12.0/24 -except 192.168.12.1- by routing it through 10.1.2.1?

keeshux, Apr 30 '19 08:04

Am I supposed to block access to 192.168.12.0/24 -except 192.168.12.1- by routing it through 10.1.2.1?

As far as I know this is exactly what happens, yes! See the example below from the Linux OpenVPN 2.x client. It may be (slightly) different on iOS/macOS, not sure. But this gives you an idea...

IPv4

LAN range is 192.168.178.0/24, VPN client IP range is 10.229.177.0/26.

Before connecting:

$ ip -4 ro show
default via 192.168.178.1 dev wlp3s0 proto dhcp metric 600 
192.168.178.0/24 dev wlp3s0 proto kernel scope link src 192.168.178.23 metric 600 

Without block-local:

$ ip -4 ro show
0.0.0.0/1 via 10.229.177.1 dev tun0 
default via 192.168.178.1 dev wlp3s0 proto dhcp metric 600 
10.229.177.0/26 dev tun0 proto kernel scope link src 10.229.177.2 
128.0.0.0/1 via 10.229.177.1 dev tun0 
192.168.178.0/24 dev wlp3s0 proto kernel scope link src 192.168.178.23 metric 600 

With block-local:

$ ip -4 ro show
0.0.0.0/1 via 10.229.177.1 dev tun0 
default via 192.168.178.1 dev wlp3s0 proto dhcp metric 600 
10.229.177.0/26 dev tun0 proto kernel scope link src 10.229.177.2 
128.0.0.0/1 via 10.229.177.1 dev tun0 
192.168.178.0/25 via 10.229.177.1 dev tun0 
192.168.178.0/24 dev wlp3s0 proto kernel scope link src 192.168.178.23 metric 600 
192.168.178.1 dev wlp3s0 scope link 
192.168.178.128/25 via 10.229.177.1 dev tun0 

It creates two routes, more specific than 192.168.178.0/24, and routes them through the tunnel; this way the existing 192.168.178.0/24 route does not need to be removed. This is similar to how the def1 flag to redirect-gateway works, as you can see with the 0.0.0.0/1 and 128.0.0.0/1 routes.

IPv6

The LAN range here is 2a02:8109:9dc0:42f9::/64, VPN client IP range is fd5b:2c31:bb9:369b::/112.

Before connecting:

$ ip -6 ro show
::1 dev lo proto kernel metric 256 pref medium
2a02:8109:9dc0:42f9::/64 via fe80::e228:6dff:fe56:e55 dev wlp3s0 proto ra metric 600 pref medium
fe80::/64 dev wlp3s0 proto kernel metric 600 pref medium
default via fe80::e228:6dff:fe56:e55 dev wlp3s0 proto ra metric 600 pref medium

Without block-local:

$ ip -6 ro show
::1 dev lo proto kernel metric 256 pref medium
::/3 dev tun0 metric 1024 pref medium
2001:610:0:800f:f816:3eff:fe62:b7a3 via fe80::e228:6dff:fe56:e55 dev wlp3s0 metric 1 pref medium
2a02:8109:9dc0:42f9::/64 via fe80::e228:6dff:fe56:e55 dev wlp3s0 proto ra metric 600 pref medium
2000::/4 dev tun0 metric 1024 pref medium
3000::/4 dev tun0 metric 1024 pref medium
fd5b:2c31:bb9:369b::/112 dev tun0 proto kernel metric 256 pref medium
fc00::/7 dev tun0 metric 1024 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlp3s0 proto kernel metric 600 pref medium
default via fe80::e228:6dff:fe56:e55 dev wlp3s0 proto ra metric 600 pref medium

And with block-local:

$ ip -6 ro show
::1 dev lo proto kernel metric 256 pref medium
::/3 dev tun0 metric 1024 pref medium
2001:610:0:800f:f816:3eff:fe62:b7a3 via fe80::e228:6dff:fe56:e55 dev wlp3s0 metric 1 pref medium
2a02:8109:9dc0:42f9::/64 via fe80::e228:6dff:fe56:e55 dev wlp3s0 proto ra metric 600 pref medium
2000::/4 dev tun0 metric 1024 pref medium
3000::/4 dev tun0 metric 1024 pref medium
fd5b:2c31:bb9:369b::/112 dev tun0 proto kernel metric 256 pref medium
fc00::/7 dev tun0 metric 1024 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlp3s0 proto kernel metric 600 pref medium
default via fe80::e228:6dff:fe56:e55 dev wlp3s0 proto ra metric 600 pref medium

fkooman, Apr 30 '19 09:04
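As an added example (not code from this issue, from TunnelKit or from OpenVPN), the following script models the route-splitting rule visible in the Linux output above: the LAN prefix is split into its two halves and both are sent via the VPN gateway, plus a host route that keeps the LAN gateway on the physical interface. It then applies longest-prefix matching to show which interface a given destination lands on with and without block-local. It assumes the interface names quoted in the thread; the IPv6 VPN gateway used in the IPv6 call, and the choice to emit no host route when the gateway is a link-local address outside the LAN prefix, are this example's own assumptions (the thread's IPv6 output shows the Linux client adding no routes at all in that case).

```python
"""Added example, not code from the TunnelKit issue, TunnelKit or OpenVPN.

Models the routes `redirect-gateway block-local` adds on the Linux client
quoted in the thread (two half-prefix routes into the tunnel plus a host
route for the LAN gateway) and uses longest-prefix matching to show which
interface a destination ends up on. Interface names follow the thread; the
IPv6 VPN gateway and the link-local handling are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str
    via: Optional[Addr] = None  # None: destination is directly on link

    def __str__(self) -> str:
        via = f" via {self.via}" if self.via is not None else ""
        return f"{self.prefix}{via} dev {self.dev}"


def def1_routes(prefix: str, vpn_gw: str, tun: str = "tun0") -> List[Route]:
    """Split `prefix` into its two halves and send each via the VPN gateway.

    This is the def1 trick: 0.0.0.0/0 becomes 0.0.0.0/1 + 128.0.0.0/1 and a
    LAN /24 becomes two /25s. Both halves are more specific than the original
    route, so they win longest-prefix match without that route being deleted.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    gw = ipaddress.ip_address(vpn_gw)
    if net.prefixlen == net.max_prefixlen:
        raise ValueError(f"{prefix} is a host route and cannot be split")
    return [Route(half, tun, gw) for half in net.subnets(prefixlen_diff=1)]


def block_local_routes(lan: str, lan_gw: str, lan_dev: str,
                       vpn_gw: str, tun: str = "tun0") -> List[Route]:
    """Routes block-local adds for one LAN prefix.

    The LAN halves go into the tunnel; a host route pins the LAN gateway to
    the physical interface so the VPN server stays reachable through it.
    Assumption of this example: if the gateway lies outside the prefix (the
    usual IPv6 case, a link-local fe80:: router) no host route is emitted,
    since the gateway is already reached via the on-link fe80::/64 route.
    """
    lan_net = ipaddress.ip_network(lan, strict=False)
    gw = ipaddress.ip_address(lan_gw)
    routes = def1_routes(lan, vpn_gw, tun)
    if gw in lan_net:
        host = ipaddress.ip_network(f"{gw}/{gw.max_prefixlen}")  # /32 or /128
        routes.append(Route(host, lan_dev))
    return routes


def lookup(table: Iterable[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the rule the kernel applies (metrics ignored)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def client_table(block_local: bool) -> List[Route]:
    """Rebuild the IPv4 table from the thread (addresses and devices as quoted)."""
    lan, lan_gw, lan_dev = "192.168.178.0/24", "192.168.178.1", "wlp3s0"
    vpn_net, vpn_gw = "10.229.177.0/26", "10.229.177.1"
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), lan_dev, ipaddress.ip_address(lan_gw)),
        Route(ipaddress.ip_network(lan), lan_dev),       # kernel on-link route
        Route(ipaddress.ip_network(vpn_net), "tun0"),    # VPN client subnet
    ]
    table += def1_routes("0.0.0.0/0", vpn_gw)            # redirect-gateway def1
    if block_local:
        table += block_local_routes(lan, lan_gw, lan_dev, vpn_gw)
    return table


if __name__ == "__main__":
    for flag in (False, True):
        print(f"--- block-local={'on' if flag else 'off'}")
        table = client_table(flag)
        for r in sorted(table, key=lambda r: (r.prefix.prefixlen, int(r.prefix.network_address))):
            print(r)
        for dst in ("192.168.178.50", "192.168.178.1", "10.229.177.1", "8.8.8.8"):
            print(f"{dst:>16} -> {lookup(table, dst)}")
```

Running it shows the security-relevant difference: without block-local, 192.168.178.50 matches the on-link /24 and stays on wlp3s0; with block-local it matches 192.168.178.0/25 and goes into tun0, while 192.168.178.1 still matches the /32 host route on wlp3s0 and the default traffic follows the def1 halves into the tunnel. The model only covers outbound route selection; it says nothing about inbound packets from LAN hosts, which is the separate question raised later in the thread.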

@fkooman I managed to block outgoing pings from the phone to another device in the LAN, yet the device is able to ping the phone. That is, pongs escape the "blocking" routes. How could that happen?

keeshux, May 02 '19 08:05

Not sure, maybe this could be a restriction on iOS?

fkooman, May 02 '19 09:05