From: adrelanos <adr...@ri...> - 2013-04-02 01:07:46
Vladimir Arseniev:
>>> I've used it with network-manager-openvpn as VPN client, and it's very
>>> intuitive. But I'm not sure that I'd trust it managing Whonix's internal
>>> network interface.
>>
>> Well, in Whonix-Workstation case in worst case it leaks through Tor.
>>
>> Just expanded that page.
>>
>> Quote https://bugzilla.gnome.org/show_bug.cgi?id=689339#c4
>>
>> "*Please also understand that currently networkmanager is not a
>> security tool at all. VPN plugins are regarded as connectivity plugins,
>> not security plugins.*"
>>
>> Missing auto-reconnect feature:
>> https://bugzilla.gnome.org/show_bug.cgi?id=349151
>>
>> So perhaps using NM to set up VPNs for security isn't a good idea.
>>
>> Doesn't look like it has a fail closed mechanism:
>> https://sourceforge.net/p/whonix/wiki/VPN/#fail-closed-mechanism
>
> It's easy to install shorewall and rules that prevent leaks. See
> https://www.wilderssecurity.com/showthread.php?p=2201706#post2201706

I don't think the following rule is very safe.

    # Allow this machine to connect to any server using UDP port 1194 [change if using TCP or other port]
    ACCEPT fw net udp 1194

Finally, I looked into the Linux route command and tried to find a solution for the VPN fail closed mechanism. The problem is, once the VPN breaks down, traffic will be sent in the clear (and in Whonix-Workstation case, "only" over Tor).

Got started with the solution...

Check:

    ip route show

Stop applications which are not using proxy settings from using the clearnet (or in Whonix-Workstation case, "only-Tor" fallback):

    ip route del default via 192.168.0.10 dev eth0

If you want to undo it:

    ip route add default via 192.168.0.10 dev eth0

(or reboot)

Perhaps adding an up script to configfile.openvpn could do it. (up ip route del default via 192.168.0.10 dev eth0)

In case of Whonix-Workstation many applications (ex: Tor Browser, wget, curl...) which are pre-configured to use a SocksPort (for stream isolation) would still use "only-Tor".
I recognize this must be quite confusing for post-Tor-VPN users (user -> Tor -> VPN). There is still a route (sudo route) to 192.168.0.10 (Whonix-Gateway, where Tor's SocksPorts are listening). Somehow I would have to configure "the VPN may use 192.168.0.11, but nothing else". I don't know how to do that.

Maybe I have very high security goals here. The goal is to rely on OpenVPN to check if we're connected to the VPN server we expect and let only OpenVPN connect to it and no other application. Using a firewall doesn't 100% enforce only using the VPN server. When the IP of the VPN service gets assigned to another server, you could end up connecting to a malicious server. Firewalls don't understand the VPN authentication status, only OpenVPN does.

Ultimately, having a dedicated VPN-Gateway may be the most secure option - if people can and want to pay the price (CPU, RAM, disk space). Having a dedicated Gateway is the only possibility to prevent malware (with root) from deactivating the VPN* (to the extent of the vulnerability resistance of the isolation box).

Anyway, I could perhaps think about an iptables firewall designed to be run inside Whonix-Workstation, which forbids any outgoing traffic from users other than openvpn.
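One way to build the fail-closed firewall sketched at the end of the message, as an added example that is not code from the thread or from Whonix: only the VPN client's uid may leave through the physical interface, and only to its own server, while every other packet must use the tunnel or is dropped. Assumed values are the user name openvpn, the interfaces tun0/eth0 and the placeholder endpoint 203.0.113.10 udp/1194; it also assumes the VPN client's socket really is owned by that uid (an OpenVPN started as root that only later drops privileges with --user keeps a root-owned socket, so the uid would need adjusting).

```shell
#!/bin/sh
# Fail-closed VPN firewall for a workstation (added example, not Whonix's own code).
# Assumed/constructed values: VPN client runs under the "openvpn" uid, tunnel is
# tun0, physical interface is eth0, VPN server is 203.0.113.10 udp/1194.
# Set DRY_RUN=1 to print the iptables commands instead of executing them.

VPN_USER="${VPN_USER:-openvpn}"
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# Wrapper so the rule set can be reviewed without root (DRY_RUN=1).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_vpn_firewall() {
    # Default policy first, so the box stays closed while rules are reloaded.
    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Anything may leave through the tunnel. If tun0 is gone, nothing matches
    # here and the DROP policy takes over: no clearnet and no "only-Tor" fallback.
    ipt -A OUTPUT -o "$VPN_IF" -j ACCEPT
    # Only the VPN client's uid may use the physical interface, and only to reach
    # the configured endpoint. Every other user is dropped, including applications
    # that would otherwise fall back to the gateway at 192.168.0.10.
    ipt -A OUTPUT -o "$LAN_IF" -m owner --uid-owner "$VPN_USER" \
        -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    # Deliberately no blanket ESTABLISHED rule: sockets still bound to the tunnel
    # address must not be allowed out of eth0 once the tunnel has vanished.
    # As the thread notes, a process with root can still undo all of this;
    # only a separate VPN gateway removes that.
}

# Apply for real only when explicitly asked; sourcing the file just defines
# the functions.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    apply_vpn_firewall
fi
```

Review the generated rules with `DRY_RUN=1 sh -c '. ./vpn-firewall.sh; apply_vpn_firewall'` before applying them with APPLY_RULES=1 as root.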