OpenWRT Drop Invalid Packets breaks TAP Support for Colucci OpenVPN Client

Support requests about OpenVPN Client
Cantenna
Posts: 11
Joined: Mon Dec 16, 2019 12:33 am

OpenWRT Drop Invalid Packets breaks TAP Support for Colucci OpenVPN Client

Post by Cantenna »

Hey guys,

Just advising of this issue: my mates over at OpenWRT advised me that enabling this feature would mitigate the CVE-2019-14899 hijacking bug; however, upon doing so, I can no longer communicate remotely via TAP with any clients on my LAN.

I can confirm the issue is isolated to this app. Connecting via TAP from my Arch PC works as intended with "Drop invalid packets" enabled.

admin
Site Admin
Posts: 615
Joined: Fri Feb 15, 2019 4:04 pm

Re: OpenWRT Drop Invalid Packets breaks TAP Support for Colucci OpenVPN Client

Post by admin »

This setting cannot mitigate CVE-2019-14899, because this security flaw is exploited on the LAN where the client device is connected, so a server-side setting cannot mitigate the problem on the client side.
Anyway, I will try to understand why this option blocks the packets sent by the TAP emulator...

admin

Re: OpenWRT Drop Invalid Packets breaks TAP Support for Colucci OpenVPN Client

Post by admin »

I made some tests with OpenWRT 18.06.05 and on my side the VPN works as expected.
The OpenWRT was configured with an OpenVPN server with the tap interface bridged with the LAN interface.
With and without the option "Drop invalid packets", the client was able to reach the OpenWRT configuration interface, a web server on the LAN interface, and surf the Internet.

Cantenna

Re: OpenWRT Drop Invalid Packets breaks TAP Support for Colucci OpenVPN Client

Post by Cantenna »

admin wrote:
Mon Dec 16, 2019 9:01 am
This setting cannot mitigate CVE-2019-14899, because this security flaw is exploited on the LAN where the client device is connected, so a server-side setting cannot mitigate the problem on the client side.
Anyway, I will try to understand why this option blocks the packets sent by the TAP emulator...
Thanks mate. Here's where I posted about the issue on the OpenWRT forum:
https://forum.openwrt.org/t/drop-invali ... ts/50129/3

And here is where I received the advice regarding "drop invalid packets" to mitigate this issue:
https://forum.openwrt.org/t/https-m-sla ... 88/50087/3

Cantenna

Re: OpenWRT Drop Invalid Packets breaks TAP Support for Colucci OpenVPN Client

Post by Cantenna »

admin wrote:
Mon Dec 16, 2019 2:40 pm
I made some tests with OpenWRT 18.06.05 and on my side the VPN works as expected.
The OpenWRT was configured with an OpenVPN server with the tap interface bridged with the LAN interface.
With and without the option "Drop invalid packets", the client was able to reach the OpenWRT configuration interface, a web server on the LAN interface, and surf the Internet.
Yes, I can connect, but I cannot connect to other devices on the LAN. Can you test this as well?

Cantenna

Re: OpenWRT Drop Invalid Packets breaks TAP Support for Colucci OpenVPN Client

Post by Cantenna »

Update: I just tried another Android device, and it too has the same issue. I used to be able to get DLNA to traverse with no issues as well, but that is not working either.

And if I try the same keys/certs/client config on my Arch Surface Pro 4 install, DLNA works and I can also connect via SSH to my server, which sits on the LAN.

admin

Re: OpenWRT Drop Invalid Packets breaks TAP Support for Colucci OpenVPN Client

Post by admin »

Cantenna wrote:
Yes, I can connect, but I cannot connect to other devices on the LAN. Can you test this as well?
In my tests the VPN client was able to reach a web server inside the LAN, the OpenWRT web configuration interface, and to surf the Internet.
So maybe the problem is only with DLNA (multicast packets). Did you also try other protocols like HTTP, HTTPS, etc.?
Cantenna wrote:
And here is where I received the advice regarding "drop invalid packets" to mitigate this issue
The option "Drop invalid packets" may mitigate this issue on the server side. Anyway, the security bulletin says "allows a malicious access point, or an adjacent user, to determine...", so if your server is on a trusted LAN, then it is very improbable that this attack is carried out on the server side. Moreover, the attack is related to a TCP connection initiated from the victim device, and normally VPN servers don't initiate TCP connections.

Also on the client side, I don't think that the attack can be done as a mass attack on all users connected to the compromised AP. This kind of attack is complex, consumes a lot of resources and should be directed at specific users, so I think that for a normal user the probability of receiving this attack is very, very low.

Cantenna

Re: OpenWRT Drop Invalid Packets breaks TAP Support for Colucci OpenVPN Client

Post by Cantenna »

Good intel, thank you!

So I made progress: I had to drop from the server config
list push 'route 192.168.1.0 255.255.255.0'
to get "drop invalid packets" on OpenWRT to work with TAP on the Colucci OpenVPN client. I guess it is a redundant option anyway, but it's worth noting that with the option in place, PC client TAP connections continue to work fine.

Regarding DLNA, I'll create a new thread.
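The fix reported in the post above, as a check you can run against a UCI OpenVPN server section. This is an added example, not code from the forum thread, from OpenWRT or from the Colucci client: a POSIX sh script that spots a bridged TAP server (`option server_bridge`) which also pushes a route for its own LAN subnet, and prints the section with that push removed. The section name `lan_tap`, the certificate paths, the client pool range and the pushed DNS option are assumptions; 192.168.1.0/24 is the subnet named in the thread. The sample config is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the forum thread, OpenWRT or OpenVPN): flag and
# remove a pushed route for the subnet that server_bridge already places
# TAP clients on. Section name, paths, pool and DNS push are assumptions.

# Constructed /etc/config/openvpn fragment, as it was BEFORE the fix.
OPENVPN_BEFORE="config openvpn 'lan_tap'
	option enabled '1'
	option dev 'tap0'
	option dev_type 'tap'
	option proto 'udp'
	option port '1194'
	option server_bridge '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh.pem'
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'"

# Network address of a dotted-quad address under a dotted-quad mask.
# Runs in a subshell so the IFS change does not leak into the caller.
net_of() (
	IFS=.
	set -- $1 $2
	echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
)

# Print every "route NET MASK" push whose NET/MASK equals the subnet that
# server_bridge already puts clients on. Exit 0 if any were found, 1 if none
# (also 1 when the section is not a bridged server, e.g. a plain tun server).
redundant_lan_push() {  # $1 = config text
	cfg=$1
	bridge=$(printf '%s\n' "$cfg" |
		sed -n "s/.*option server_bridge '\([^']*\)'.*/\1/p")
	[ -n "$bridge" ] || return 1
	set -- $bridge                      # gateway mask pool_start pool_end
	lan=$(net_of "$1" "$2")
	mask=$2
	hits=$(printf '%s\n' "$cfg" |
		sed -n "s/.*list push 'route \([^ ]*\) \([^']*\)'.*/\1 \2/p" |
		while read -r net nm; do
			# Exact subnet match only: a wider supernet is a different route.
			if [ "$(net_of "$net" "$nm")" = "$lan" ] && [ "$nm" = "$mask" ]; then
				echo "route $net $nm"
			fi
		done)
	[ -n "$hits" ] || return 1
	printf '%s\n' "$hits"
}

# Print the config with those pushes removed (the change the post describes).
strip_lan_push() {  # $1 = config text
	if hits=$(redundant_lan_push "$1"); then
		pats=$(printf '%s\n' "$hits" | sed "s/^/list push '/; s/\$/'/")
		printf '%s\n' "$1" | grep -v -F "$pats"
	else
		printf '%s\n' "$1"
	fi
}

# Stand-alone run: report the redundant push, then show the corrected section.
if hits=$(redundant_lan_push "$OPENVPN_BEFORE"); then
	echo "redundant push(es): $hits"
fi
strip_lan_push "$OPENVPN_BEFORE"
```

In bridged TAP mode the client is handed an address from the `server_bridge` pool and has the LAN subnet directly on its tap interface, so a pushed `route` for that same subnet adds nothing a client needs; the script only removes pushes that match the bridged subnet exactly and leaves routes for other networks alone. The OpenWRT checkbox the thread refers to is `option drop_invalid '1'` in the `defaults` section of /etc/config/firewall; the script does not touch that file.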
