
These VPN Services Can Easily Be Hacked


CaptainSTX

If you are going to do illegal things, it is better to use the free Pizza Hut WiFi + your VPN service purchased with bitcoins.
 
Or turn off compression.....PIA has been pushing the setting to turn off compression for over a year (at least for me)
The option found in Advanced settings? (I'm testing NordVPN)

I have Accept DNS Configuration disabled, because I'm using DNSCrypt.
 
Voracle

1. OpenVPN compression setting is determined server side. The client settings only determine client capability and default.
2. To gain information or control a VPN tunnel, it requires being redirected to a malicious site.
3. To control a VPN tunnel, it requires being redirected to an unencrypted malicious site, i.e. HTTP on the web.
4. This attack will not work over the Web with a Google Chrome client.
5. VPN providers have known about this attack for a while now. Some have disabled compression server-side over OpenVPN already, e.g. Private Internet Access.

Finally, the attack is not known to affect other protocols. Most VPN providers have multiple protocols available. So, if you are truly paranoid, there are always secure options like Wireguard or IPSEC.
 
Or turn off compression.....PIA has been pushing the setting to turn off compression for over a year (at least for me)

Turning off compression increases security, or at least prevents the hack mentioned in this paper from working, but it comes at the expense of throughput.

On PIA with comp-lzo set on my VPN device my download is normally 170 Mbps. With compression set to none speed drops to 135 Mbps.
 
You really can't expect anything faster of PIA. Even with compression ON, its network of VPN servers are slower than the others.

When I tried a gig connection from Comcast I got speeds of up to 400 Mbps using PIA.

Currently I have a 150/20 connection from Comcast and with PIA I get 170/21 typically.
 
Yes, that's the one. You may need to try both the 'Disabled' and 'None' setting. Some ISPs have a problem with one or the other.
Change compression to Disabled, then restart the router and the internet did not work, the same happens with None.

In Service state does not give me public IP and appears unknown, when I use Disabled or None.


I have to switch to LZO adaptive, to get IP and that the internet works again.
 

Change compression to Disabled, then restart the router and the internet did not work, the same happens with None.
Interesting....I thought the server would pick that up during negotiation. Try this
Set Compression to Disabled

and in the custom config section, add
push "comp-lzo no"
 
OpenVPN's LZO settings are highly confusing... It can be set to "no", and it can be set to "disabled", both of which are different. One will instruct the other end you don't want to use compression right now, without disabling the feature itself. The other will completely disable the feature.

You have unfortunately to match what the server requires, in most cases.

Personally, I think compression is of very limited benefit anyway. Most of today's traffic is either encrypted through https (making it almost impossible to recompress effectively) or already compressed (jpegs/mp4).
 
Being late to the party, I waded through this, spoke with my national tech contact at our ISP and he confirmed all the ISPs are getting pounded. Been trying to contact both of the VPN providers we use but they're slammed full and are struggling to return queries.

We used to leave trend micro AI off, but seeing the amount of bot hits we've taken since two weeks ago, was an eye opener; it's doing more than I can keep up with. We're literally in the middle of nowhere, but where the ISP fiber goes to the data-center is where these turkeys have gotten through to our local level; it never happened until now. We never use the local ISPs servers, never drop to WAN, it's just bare access so we can shoot the VPN out.

To the point, there's not much to be done that I can see, if one needs to accept the settings in the OpenVPN tunnel config from your provider, unless I'm missing something?

Our OpenVPN tunnels auto-start when router is cycled on each morning to sync with the modem, before anything connected is switched on. Any thoughts appreciated, thanks.
 
Without verifiable links, might be Comcast Network speed test results. Unless you're using DIY, commercial router with faster clock speed & AES-NI support.

I am using a Qotom mini PC with a I7 -3 Ghz Turbo processor which does support AES-NI.

Unfortunately I was not able to do as much testing of VPN speeds as I would have liked to when I had Comcast gig service. The download speed from Comcast was very inconsistent. I was a very early adopter in my county so the techs other than rewiring my drop and inside wiring and making sure the signal levels were good as well as checking the SNR. I went through two x6 Comcast gateways, replaced them with a Motorola modem of my own, changed out my router with a different one. Since I really had no need or purpose for the gig speed I canceled it within thirty days and ended the aggravation of trying to make Comcast deliver what I ordered.

I would have liked to have a stable download speed so I could have at the 95% confidence level calculated the difference between a direct ISP connection and a VPN connection to various VPN servers so it is possible that the 400+ speeds I saw were flukes on PIA since I can't back them up with a data series of speed tests at even the 66% confidence level.
 
Ralphort, we gave PIA a chance after receiving a free month's run in 12/2017. Glad it was free and wouldn't repeat the experience if waterboarding was at hand. It was excruciatingly slow to the point of being unusable for VPN; they had no OpenVPN configs we could actually use, and regardless which clients they had, they were poorly behaved. Not trying to be unfair/unkind but it was a serious waste of time and ranks as the poorest experience we ever had with any VPN provider. The reps we managed to contact weren't on the same continent, and took two days to reply each time. They were sort of apologetic if scripted apologies count, otherwise clueless. A thousand unrelated series of questions, that had nothing to do with loading a config that wouldn't work. It was the holiday season, but sheesh; kindest words I could manage.

The one answer from the entire experience that actually was written by a human, and made sense referred to the financial and other personnel issues they'd struggled through. The rep who read the entire exchange booted it to management, and that rep stated they were trying to get their clients and all configs re-written to crush bugs, to make everything faster/better for their customers. To be fair, PIA hangs in there and seems to work enough for those nearest their data centers/servers in major urban areas. They've always had the distinction of being the cheapest/lowest priced of all VPNs; not inferring anything by saying cheap.

On the bot attacks/LZO aspect we received a reply from one of our VPN providers; they had already pulled all of their configs with LZO compression some time ago. Still awaiting word from the other provider, who uses LZO adaptive compression on the one OpenVPN config/tunnel we use regularly. Cheers.
 
That's what I thought so. I was actually referring to common residential routers (made by Asus with AES-NI support) as those were the routers used by most here to get faster OpenVPN results. While it's hard to question the wisdom of RMerlin, I do know 280 Mbps is not that hard to reach (I have the results to prove it on both mobile & desktop speed tests). Not sure though of 400 Mbps.

I'm not highly confident statistically of 400 Mbps but until you or someone else runs a complete series of tests with a stable gig connection using PIA on a rig with an I5- I7 processor we won't know what PIA's top end is. As more VPN users get ultra fast connections some VPN providers will have to step up their offering to attract this crowd. The current business plan of up to 128 users on each run of the mill server with a limited pipe to the Internet just won't work, but then at $2.99 - $3.99 per month that is all they can afford to provide.

I do know that I switched to PIA based on recommendations on this site after using StrongVPN and Astrill and they were faster. With my present 180/23 connection I consistently get 170/21.

If I turn compression to none my speed dropped to 135 Mbps on speedtest, however as Merlin posted real world the impact probably isn't that big as so much is already compressed.
 
According to an article by Paul Wagensell which he presented at DEF CON 26 and was published today in Tom's Guide, many well-known VPN service providers (NordVPN, PureVPN, Hotspot Shield, ExpressVPN, PIA) can be hacked. The recommendation is to use another protocol.

And everyone told me it couldn't be done...

It has been done, and it's been done for some time - ever notice that GFW lets things run for a while - they close the pipe when things get political, but then open the tap later on...
 
@Ralphort let's not confuse PIA's maximum speed with PIA's maximum speed when using an Asus router as the client. I, as well as others, have documented speeds of 400+ Mbps using PIA. In fact my highest value is 550 Mbps on the upload side. You can't judge a vpn provider's speeds when using a router as the client that is not capable of achieving the vpn provider's maximum speeds.

Ralphort, we gave PIA a chance after receiving a free month's run in 12/2017. Glad it was free and wouldn't repeat the experience if waterboarding was at hand. It was excruciatingly slow to the point of being unusable for VPN; they had no OpenVPN configs we could actually use, and regardless which clients they had, they were poorly behaved. Not trying to be unfair/unkind but it was a serious waste of time and ranks as the poorest experience we ever had with any VPN provider.

I had a much different experience. I downloaded the ovpn file, imported it into my 86U and was up and running. As I've previously posted I was getting speeds around 220 Mbps down and 250 Mbps up with the AES-128-CBC encryption when using my 86U as the client.
 
Interesting....I thought the server would pick that up during negotiation. Try this
Set Compression to Disabled

and in the custom config section, add
push "comp-lzo no"

Thanks, but these pages show that push "comp-lzo no" is only for VPN Server:
In VPN Client when using Compression Disabled or None, you have to add:
  • comp-lzo no

Questions:
  1. Are they right or not?
  2. Or do I have to use both:
    • comp-lzo no
    • push "comp-lzo no"
  3. Which Compression is recommended to use, Disabled or None?

Test
with NordVPN:


01. Compression Disabled + push "comp-lzo no" (Public: unknown)

02. Compression None + push "comp-lzo no" (Public: unknown)

03. Compression Disabled + comp-lzo no (Public: Gives me IP)

04. Compression None + comp-lzo no (Public: Gives me IP)
 
In VPN Client when using Compression Disabled or None, you have to add:
  • comp-lzo no

Questions:
  1. Are they right or not?
  2. Or do I have to use both:
    • comp-lzo no
    • push "comp-lzo no"
  3. Which Compression is recommended to use, Disabled or None?
Did some more reading and looking at the code....

Setting just 'comp-lzo no' in the custom config is the equivalent of setting Compression None in the gui options. But the server can override this if your VPN client can support compression, so your test cases 3 and 4 are still using compression.

Unfortunately, the reverse appears to not be true (surprising to me). If you request the server to not use compression via the compression option or push "comp-lzo no" the server will refuse to connect if it's configured for compression (your test cases 1 and 2).

Net is it seems as if disabling compression has to be done by the VPN provider.
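
Added example (not part of the thread, and not code from OpenVPN or any router firmware): a small audit of an OpenVPN client config that reports the three outcomes described in the post above, plus a stray server-side push line as in test cases 1 and 2. The function name, status labels and sample configs are constructed for illustration; handling of the newer compress directive goes beyond what the thread covers.

```python
# Added example: audit an OpenVPN client config for compression exposure.
# SAMPLES are constructed configs, not taken from any provider.
SAMPLES = {
    "case1_disabled_plus_push": 'client\nremote vpn.example.net 1194\npush "comp-lzo no"\n',
    "case3_comp_lzo_no": "client\nremote vpn.example.net 1194\ncomp-lzo no\n",
    "lzo_adaptive": "client\nremote vpn.example.net 1194\ncomp-lzo adaptive\n",
    "bare_compress": "client\n; framing only\ncompress\n",
}

# Arguments to comp-lzo / compress that actually turn compression on.
ON_MODES = {"yes", "adaptive", "lzo", "lz4", "lz4-v2"}

def audit(config_text):
    """Return (status, notes) for one client config (hypothetical helper)."""
    status, notes = "off", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        words = line.replace('"', " ").split()
        key, args = words[0], words[1:]
        if key == "push":
            notes.append("push is a server-side directive; it does not belong in a client config")
        elif key in ("comp-lzo", "compress"):
            # Bare comp-lzo means adaptive; bare compress means framing only.
            default = "adaptive" if key == "comp-lzo" else "stub"
            mode = args[0] if args else default
            if mode in ON_MODES:
                status = "on"
                notes.append(f"{key} {mode}: compression enabled by this client")
            else:
                status = "server-controlled"
                notes.append(f"{key} {mode}: off locally, but the server can push it on")
    if status == "off":
        notes.append("no compression directive: a server configured for compression will not connect")
    return status, notes

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, notes = audit(text)
        print(f"{name}: {status}")
        for note in notes:
            print(f"  - {note}")
```

A "server-controlled" result is the situation of test cases 3 and 4: the tunnel connects, but whether it compresses is decided by the provider.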
 
