Archive

Articles taggués ‘VPN’

OpenVPN Documentation

13/12/2018 Aucun commentaire

Source: OpenVPN official documentation

OpenVPN daemons (JSON format):

./sacli VPNStatus

Show the number of users currently connected to the VPN:

./sacli VPNSummary

Show the status of internal Access Server services:

./sacli status

Stop internal Access Server services:

./sacli stop

Start/restart internal Access Server services:

./sacli start

The ‘start’ command is smart in the sense that if the Access Server
is already running, and you modified the configuration via
the Config DB, only those services whose parameters are changed
will be restarted. Note that if you modify any parameters in
the Access Server bootstrap configuration file
(/usr/local/openvpn_as/etc/as.conf), you will need to do a full unix
restart in order for those settings to take effect.

Also note that the start/stop commands above don’t actually start or
stop the Access Server daemon itself, only internal services
within the daemon. To start/stop the access server daemon itself,
use the traditional unix syntax:

Start the Access Server daemon:

/etc/init.d/openvpnas start

Stop the Access Server daemon:

/etc/init.d/openvpnas stop

Restart the Access Server daemon:

/etc/init.d/openvpnas restart
Categories: Réseau, Système Tags: , ,

Split OpenVPN configuration files

12/12/2018 Aucun commentaire

Source: npm

Splits OpenVPN (.ovpn) files into separate files for private key, user+ca certificates and tls-auth key, for use with network-manager in debian/ubuntu.

openvpn-config-splitter can be installed using npm:

# NPM:
npm install -g openvpn-config-splitter
# Install globally
$ npm install -g openvpn-config-splitter
# Run it, specifying your unsplit OpenVPN configuration file
$ ovpnsplit path/to/some/config.ovpn
# Config is now split into separate files, new configuration
# linking to the split files has been generated
$ ls path/to/some
ca.crt  client.key  client.ovpn  client.split.ovpn  ta.key  user.crt
var fs = require('fs'),
 configPath = '/some/path/to',
 splitter = require('openvpn-config-splitter');
 
var paths = {
 'caCert': configPath + '/openvpn-ca.crt',
 'userCert': configPath + '/openvpn-user.crt',
 'privateKey': configPath + '/openvpn-private.key',
 'tlsAuth': configPath + '/openvpn-tls.key'
};
 
fs.readFile(configPath + '/config.ovpn', function(err, originalConfig) {
 if (err) {
 console.error('Could not read file (' + err.path + ')');
 process.exit(1);
 }
 
 splitter.split(originalConfig, paths, function(err, parts, missing) {
 if (err) {
 console.error(err);
 process.exit(1);
 }
 
 /**
 * `parts` now contain the matched parts of the config + new config
 * (caCert, userCert, privateKey, tlsAuth, config)
 *
 * `missing` is an array containing the parts that were NOT found -
 * use this if you want to warn the user or fall back if you require
 * a specific part to be present
 */
 // Want to write the split files? 
 splitter.writeToFiles(parts, paths, function(err) {
 if (err) {
 console.log(err);
 process.exit(1);
 }
 
 console.log('Hooray, we split the files and wrote them to disk!');
 });
 
 });
});
Categories: Réseau, Système Tags: , ,

Arethusa le test

07/12/2018 Aucun commentaire

Un nouveau test VPN publié par le blog du VPN. Ici les VPN sont testés , configurés par créer une base de données la plus fiable possible. Arethusa à ses adeptes, il a déjà été l’ objet d’ une publication par alipaxe. Comme toujours on essayera d’ insister sur les particularités: méthode de configuration – protocole rare – tutos techniques.

Arethusa est proposé par S6N.org: une organisation internationale à but non lucratif fondée en 2003, pour promouvoir liberté d’expression sur Internet. La juridiction dont dépend ce VPN est celle des îles Seychelles: « Applicable jurisdiction for the handling of personal data is the Republic of Seychelles. Only Seychelles authorities can ask us to reveal your personal details. The only details we have about you are the ones you entered yourself. » Le whois de S6N.org confirme l’ enregistrement de nom de domaine de  l’ organisation à Victoria, capitale de cette République. Bien que le site soit en Anglais, le support technique et l’ interface sont en français. Lire la suite…

Categories: Réseau, Sécurité Tags: , , ,

Ubuntu Tip:How to Connect/disconnect VPN from the command line

24/11/2018 Comments off

Source: ubuntugeek.com

This tutorial will explain How to Connect/disconnect VPN from the command line

If you want to interact with NetworkManager from the command line you can use the « nmcli » command.
Lire la suite…

Categories: Réseau, Système, Tutoriel Tags: , , ,

IP leak affecting VPN providers with port forwarding

27/11/2015 Comments off

Vulnerability “Port Fail” reveals real IP address

We have discovered a vulnerability in a number of providers that allows an attacker to expose the real IP address of a victim. “Port Fail” affects VPN providers that offer port forwarding and have no protection against this specific attack. Perfect Privacy users are protected from this attack.

This IP leak affects all users: The victim does not need to use port forwarding, only the attacker has to set it up.

We have tested this with nine prominent VPN providers that offer port forwarding. Five of those were vulnerable to the attack and have been notified in advance so they could fix this issue before publication. However, other VPN providers may be vulnerable to this attack as we could not possibly test all existing VPN providers.

Details about the leak

The attacker needs to meet the following requirements:

  • Has an active account at the same VPN provider as the victim
  • Knows victim’s VPN exit IP address (can be obtained by various means, e.g. IRC or torrent client or by making the victim visit a website under the attackers control)
  • The attacker sets up port forwarding. It makes no difference whether the victim has port forwarding activated or not.

The IP leak can then be triggered as follows:

  1. Victim is connected to VPN server 1.2.3.4
  2. Victim’s routing table will look something like this:
    0.0.0.0/0 -> 10.0.0.1 (internal vpn gateway ip)
    1.2.3.4/32 -> 192.168.0.1 (old default gateway)
  3. Attacker connects to same server 1.2.3.4 (knows victim’s exit through IRC or other means)
  4. Attacker activates Port Forwarding on server 1.2.3.4, example port 12345
  5. Attacker gets the victim to visit 1.2.3.4:12345 (for example via embedding <img src=”http://1.2.3.4:12345/x.jpg”> on a website)
  6. This connection will reveal the victim’s real IP to the attacker because of the “1.2.3.4/32 -> 192.168.0.1” vpn route.

The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work. If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control.

Also note that due to the nature of this attack all VPN protocols (IPSec, OpenVPN, PPTP, etc.) and all operating systems are affected.

Mitigation

Affected VPN providers should implement one of the following:

  • Have multiple IP addresses, allow incoming connections to ip1, exit connections through ip2-ipx, have portforwardings on ip2-ipx
  • On Client connect set server side firewall rule to block access from Client real ip to portforwardings that are not his own.

 

Source: Perfect Privacy

Categories: Réseau Tags: , ,