DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
Old 24th January 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by ucharfli View Post
@jggimi;
No domain services. I'm a normal internet user.
Every "normal" Internet user is a user of the Domain Name System ("DNS"). Including you. When you tell your browser to reach out to daemonforum.org, your browser requests this website's IP address from a DNS server. The browser MUST do this, in order to connect to this website.

I'll restate my question, because your OpenVPN client may need to translate a domain name into an IP address in order to connect and establish a connection to the VPN.
When you provisioned your VPN service, did you use an IP address the VPN service provider gave you, or did you use a domain name they have given you?
I ask because the translation of a domain name into an IP address requires the use of a domain server, and the domain protocol.

I'll ask a second question, related to configuring the IP address on your wireless network connection.
Do you use DHCP to provision your wireless NIC's IP address?
If you don't know the answer, look in your /etc/hostname.ral0 file. I ask because if you use DHCP, then this protocol must also be permitted through your wireless interface. (And you have a typo in your pf.conf file you posted here. There is no such device as "ra0." I assume this must be "ral0" instead.)

If you use DHCP, then your system uses the DHCP protocol at boot time to configure:
  • an IP address
  • an IP netmask, required for routing
  • a default route, required for routing
  • the address of one or more DNS nameservers, to resolve domain names to IP addresses
Reply With Quote
Old 24th January 2018
ucharfli ucharfli is offline
Port Guard
 
Join Date: May 2017
Posts: 22
Default

@e1-531g;
Thanks for the warning. Sorry, I understand now.

@jggimi;
hostname.ral0
Code:
-chan -bssid -wpakey
nwid "MyNet" lladdr "random"
wpakey "**********"
dhcp
Yes, DHCP.
file ProtonVPN.ovpn
Code:
client
dev tun
proto tcp

<connection>
remote jp-free-01.protonvpn.com 443
</connection>

<connection>
remote nl-free-01.protonvpn.com 443
</connection>

<connection>
remote nl-free-02.protonvpn.com 443
</connection>

<connection>
remote us-free-01.protonvpn.com 443
</connection>

<connection>
remote us-free-02.protonvpn.com 443
</connection>

remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server
auth-user-pass file.txt
pull
fast-io

script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
I can change domain names to IP. No problem.!

hostname.tun0
Code:
up
group openvpn
description "ProtonVPN"
!/usr/local/bin/ossl-openvpn --daemon --config /etc/protonvpn/proton.ovpn

Last edited by ucharfli; 24th January 2018 at 05:10 PM.
Reply With Quote
Old 25th January 2018
Prevet Prevet is offline
Shell Scout
 
Join Date: Oct 2017
Posts: 84
Default

These are my notes. They are not complete. I refer to the books to get other information.. If you use them and screw up, its your funeral.

I have not tested torrenting with these rules, as I couldn't be bothered after the trouble I went to get this far. I only set it up to work on my desktop machine, so I don't know if it will work in a router type situation.

These notes will only give you clues to help you though roadblocks if you read the books I mentioned, as well as related man files. If you don't read up on this, you will have no clue what it all means. I don't have a clue either and I read everything there was to read. lol

If you get tired of trying take my advice in the post above. Install an operating system a VPN makes a GUI client for that does all this for you and get on with your life. If your VPN does not make such a client, cut your losses with them and find one that does.

Even them writing 3 little files you need to use OpenBSD safely can't be that hard for them can it? If they won't do that much for you. they obviously don't need your business.

Fix DNS Leaks For OpenBSD And AirVPN

https://airvpn.org/topic/22329-openbsd/

https://www.openbsd.org/faq/faq6.html#DHCP

1. Get AirVPN's DNS server addresses here:

https://airvpn.org/specs/

1. Add the following line to /ect/dhclient.conf:

supersede domain-name-servers 1.2.3.4;

(1.2.3.4 is a junk DNS address that will be inserted in resolv.conf)

2. Add the AirVPN DNS addresses to /ect/resolv.conf.tail

nameserver 10.4.0.1
nameserver 10.5.0.1

(The contends of this file will be appended to resolv.conf)

3. This command rewrites the resolv.conf file with the above values:

dhclient em0

em0 is the interface from hostname.em0

OpenVPN

Change the ownership and permissions of the OpenVPN configuration
and credential files, so only root has read-only access to them.

# chown root:wheel /etc/openvpn/*.ovpn
# chmod 400 /etc/openvpn/*.ovpn

MY PF Rule for AIRVPN

The first link is where I got the main fragment. My pf file has a version of it pasted at the bottom of the original one. Or perhaps it should be at the top? You better read The Book of PF or you will not know.l

https://airvpn.org/topic/1713-win-ma...nbsd#entry1764

https://www.openbsd.org/faq/pf/index.html

"Various Internet bodies have set aside three subnets for use on private
networks. You cannot use them on the public Internet, but anybody can use
them on a private network. The networks 10.0.0.0/8, 172.16.0.0/12, and
192.168.0.0/16 are freely usable by organizations. You’ll see these
addresses in huge organizations and home networks, and have probably
encountered some of them already. These addresses are also globally
unique, within your organization. Your hosts should never see these
addresses elsewhere, and other networks should never see these addresses
on your network." - From Networking for Systems Administrators, by Michael Lucas


"The following very basic rules would block all traffic outside the tunnel
(edit with any text editor /etc/pf.conf) assuming that your ethernet or wifi
interface has the address 192.168.*.* and that the tun interface used by
OpenVPN is tun0:"

block out on <your_network_interface> from 192.168.0.0/16 to any
pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>
pass out quick on tun0 from any to any

Note the IP address in OpenVPN is slightly different to the one reported in the webpage that tests leaks. You want the one OpenVPN reports obviously.
# The OpenVPN IP for each server is marked by: [AF_INET]

For my machine:
block out on em0 from 192.168.0.0/16 to any
pass out quick on em0 from 192.168.0.0/16 to <insert 1st vpn server IP here>
pass out quick on em0 from 192.168.0.0/16 to <insert 2nd vpn server IP here>
pass out quick on em0 from 192.168.0.0/16 to <insert 3rd vpn server IP here>
pass out quick on em0 from 192.168.0.0/16 to <insert 4th vpn server IP here>
pass out quick on tun0 from any to any

Then execute

pfctl -e
pfctl -f /etc/pf.conf

to enable pf and load your ruleset.

If the connection drops, no packets will go out, so you will only be able to
reconnect to the VPN and nothing else until you disable pf with

pfctl -d

Read the man page for pfctl

Last edited by Prevet; 25th January 2018 at 10:26 AM.
Reply With Quote
Old 26th January 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by ucharfli View Post
Yes, DHCP.

file ProtonVPN.ovpn
Code:
client
dev tun
proto tcp

<connection>
remote jp-free-01.protonvpn.com 443
</connection>

<connection>
remote nl-free-01.protonvpn.com 443
</connection>
.
.
.
As currently configured, I see two types of communication that are required outside of your VPN, as they are needed to connect to the VPN. If you block all traffic other than over VPN, you must (at this time) still permit the direct passing of these communications:
  1. DHCP. This protocol uses UDP ports 67 and 68 to assign the client -- your system -- with an IP address, and to provision netmask, routing, and domain name services. As your workstation is configured to use DHCP, you must permit this traffic to obtain a network connection.
  2. Domain Name Resolution. This translates domain names to IP addresses, via UDP port 53. Large responses (greater than 512 bytes) use TCP, so TCP port 53 should also be permitted. This is needed in order to resolve all of the domain names in your OpenVPN configuration into IP addresses.
The VPN "tunnel" connections must also be permitted to flow. As configured, these are TCP connections to a variety of servers, using the destination port 443. This is the same port number used for by the HTTPS protocol, and your service provider may have selected it because most firewalls will not hinder this traffic.

A PF configuration can be established with a default block of all traffic, then permitting this select traffic to be passed. There are some considerations:
  • Domain traffic (UDP and TCP port 53) can be allowed to be passed to any destination, or, passed only to specific domain name servers. This latter choice will prohibit the use of untrusted domain name servers, as well as making it difficult to use port 53 for other purposes.
  • Your VPN traffic cannot be easily discerned from HTTPS traffic, since they share the same destination port number and the same underlying protocol, TCP. There are ways to classify them so that PF can choose to pass or block correctly. The options available vary depending on whether the OpenVPN client is being run on a workstation or on a gateway router.
  • PF is a kernel function, and does not do domain name resolution. The pfctl(8) management tool will resolve domain names when it loads the rules. This will complicate the boot process, since PF rules are first loaded before access to a resolver has been established.
Quote:
I can change domain names to IP. No problem.!
That would simplify PF rules at boot, though it may complicate your life if your service provider re-addresses their VPN servers.
Reply With Quote
Old 27th January 2018
ucharfli ucharfli is offline
Port Guard
 
Join Date: May 2017
Posts: 22
Default

@Prevet;
I applied what you wrote, but I do not get internet.
Am I making a mistake somewhere?
My pf.conf
Code:
#	$OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

wlan_if="ral0"

vpn="{ 2.*.*.*, 7.*.*.*, 6.*.*.*, 9.*.*.*, 8.*.*.*, \
1.*.*.*, 5.*.*.*, 7.*.*.*, 8.*.*.*, 2.*.*.* }"

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

####################### VPN ########################## 
######################################################
block out on $wlan_if from 192.168.0.0/16 to any
pass out quick on $wlan_if from 192.168.0.0/16 to $vpn
pass out quick on tun0 from any to any
Do I have to use this?
Code:
net.inet.ip.forwarding=1
My net.inet.ip.forwarding=0
@jggimi;
It was nice, but I do not know how to write a rule with PF from where. That's why I asked for help.

I found something simple, but is it a benefit?
This is something that will not make me feel good.
Code:
set skip on tun0
pass in quick on tun0
Reply With Quote
Old 28th January 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by ucharfli View Post
@jggimi;
It was nice, but I do not know how to write a rule with PF from where. That's why I asked for help.
You have a choice:
  1. Blindly copy/paste a configuration someone prepares for you, and hope that it works, and hope that it does not cause problems.
  2. Learn how to provision your own network connections, so that you are able to manage and maintain them the way you wish.
I'm happy to help you with "b." Step by step. But I have no interest in providing a PF configuration file for you to copy/paste.
Quote:
I found something simple, but is it a benefit?
These two rules conflict with each other. The set skip rule instructs PF to ignore traffic on the interface, the pass rule instructs PF to pass traffic on the interface.

The two rules have a similar result, but they are not exactly equivalent.

The set skip rule will only be applied at the time the rules are loaded, and if the tun0 interface does not exist at that time, the first rule will not be applied.

Last edited by jggimi; 28th January 2018 at 02:03 AM. Reason: clarity
Reply With Quote
Old 28th January 2018
Prevet Prevet is offline
Shell Scout
 
Join Date: Oct 2017
Posts: 84
Default

Quote:
Originally Posted by ucharfli View Post
@Prevet;
I applied what you wrote, but I do not get internet.
Am I making a mistake somewhere?
My pf.conf
Code:
block out on $wlan_if from 192.168.0.0/16 to any
pass out quick on $wlan_if from 192.168.0.0/16 to $vpn
pass out quick on tun0 from any to any
The value in $wlan_if you get with a program called ifconfig. Read the man page on ifconfig. For mine it is the entry titled em0, yours might be different. It has a section under it marked media: Ethernet ...

$vpn variable should be the full number of the IP address of what you are connecting to. You can get that when OpenVPN is up and running. Look for the entry marked [AF_INET] in the terminal screen that pops up when OpenVPN is running.

Don't try to use these PF rules until you have made OpenVPN connect to one of your VPN's servers, then you can get [AF_INET] from it.

Last edited by Prevet; 28th January 2018 at 05:25 AM.
Reply With Quote
Old 28th January 2018
Prevet Prevet is offline
Shell Scout
 
Join Date: Oct 2017
Posts: 84
Default

This is the link that has the PF rules I put in:

https://airvpn.org/topic/1713-win-ma...nbsd#entry1764

If you search that page for "your_network_interface" you will see them discussing it.

Also this number could be different on your machine. I can't remember what program I used to report what it is on my machine.

Quote:
"Various Internet bodies have set aside three subnets for use on private
networks. You cannot use them on the public Internet, but anybody can use
them on a private network. The networks 10.0.0.0/8, 172.16.0.0/12, and
192.168.0.0/16
are freely usable by organizations. You’ll see these
addresses in huge organizations and home networks, and have probably
encountered some of them already. These addresses are also globally
unique, within your organization. Your hosts should never see these
addresses elsewhere, and other networks should never see these addresses
on your network." - From Networking for Systems Administrators, by Michael Lucas
Quote:
For my machine:
block out on em0 from 192.168.0.0/16 to any
pass out quick on em0 from 192.168.0.0/16 to <insert 1st vpn server IP here>
pass out quick on em0 from 192.168.0.0/16 to <insert 2nd vpn server IP here>
pass out quick on em0 from 192.168.0.0/16 to <insert 3rd vpn server IP here>
pass out quick on em0 from 192.168.0.0/16 to <insert 4th vpn server IP here>
pass out quick on tun0 from any to any

****

I just noticed you can find the number (192.168.0.0/16) for your machine, if you use ifconfig command. Look in the section that has the media: Ethernet that I mentioned in the post above. For me it is the last line that has netmask 0xffffff00 broadcast 192.168.... Netmasks are explained in the Michael Lucas book.

Last edited by Prevet; 28th January 2018 at 01:14 PM.
Reply With Quote
Old 29th January 2018
ucharfli ucharfli is offline
Port Guard
 
Join Date: May 2017
Posts: 22
Default

Thank you all very much. Now I will try to solve the problem. I am looking for more information.
again I can bother!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Where should I put my config? "rc.conf" or "rc.conf.local"? fender0107401 OpenBSD General 2 2nd April 2012 02:53 AM
Help with pf.conf A_Sorenby OpenBSD Security 14 21st June 2011 09:52 PM
Pf.conf erict35 OpenBSD Security 1 30th January 2010 10:19 PM
pf.conf lumiwa FreeBSD Security 11 20th September 2008 01:01 AM
difference between rc.conf and loader.conf disappearedng FreeBSD General 5 3rd September 2008 05:54 AM


All times are GMT. The time now is 09:00 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick