Menu
What's new
By:
Filters Better Search

OpenVPN Vulnerability

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

SMS786

SMS786

Senior Member
Ahamed Nafeez said his VORACLE attack works against VPN services that use the highly regarded OpenVPN protocol (or similar protocols) by default and also compress user data before encryption. One service, TunnelBear, stopped compressing data after it was informed of Nafeez's attack earlier this summer. (Another VPN service, Private Internet Access, contacted Tom's Guide after this story was first posted to say it had stopped compressing data in 2014.)

You can avoid falling victim to the VORACLE attack by switching to other VPN protocols, such as IKEv2/IPsec or WireGuard, if your VPN service lets you. For technical reasons, Google Chrome is immune to the VORACLE attack, as are HTTPS websites, but everyone's computer still has many other internet-facing applications that communicate with plaintext HTTP servers. However, this problem wouldn’t exist if all websites used HTTPS encryption.
Click to expand...

https://www.tomsguide.com/us/vpn-voracle-attack-defcon26,news-27784.html

https://www.bleepingcomputer.com/ne...k-can-recover-http-data-from-vpn-connections/

This attack was revealed at DEF CON last week. Apparently protecting against this vulnerability is as easy as disabling compression on our OVPN servers?

@RMerlin, do you have any recommendations?
 
Last edited:
SMS786 said:
@RMerlin, do you have any recommendations?
Click to expand...

Nothing more than what's already said in the article: avoid using LZO compression. Most of today's Internet data can't be compressed any further anyway (either it's encrypted, or it's jpeg/mp3/mp4/zip).

It's another one of these "security exploits" over which I won't be losing any sleep, personally... Likelyhood of this being actively exploited in the wild against generic/random victims is next to nil.
 
RMerlin said:
Nothing more than what's already said in the article: avoid using LZO compression. Most of today's Internet data can't be compressed any further anyway (either it's encrypted, or it's jpeg/mp3/mp4/zip).

It's another one of these "security exploits" over which I won't be losing any sleep, personally... Likelyhood of this being actively exploited in the wild against generic/random victims is next to nil.
Click to expand...
Got it, thanks much for the clarification!
 
LZ4 compression is much better and faster. Does the above vulnerability affects the LZ4 also?
And second question is: Does setting of tls-crypt option helps in such circumstances?
And finally third question: What about TAP configurations when the OpenVPN encapsulates not IP packets but Ethernet frames?
 
Last edited:
netware5 said:
LZ4 compression is much better and faster. Does the above vulnerability affects the LZ4 also?
And second question is: Does setting of tls-crypt option helps in such circumstances?
And finally third question: What about TAP configurations when the OpenVPN encapsulates not IP packets but Ethernet frames?
Click to expand...

since the VORACLE attack report refers to compression only and makes no distinction between LZO , adaptive or LZ4 then you can assume that LZ4 is included.
 
Wadadli said:
https://nordvpn.com/blog/voracle-attack/
Click to expand...
Looking at the requirements needed to complete that Attack..
it is not easily to hack.

  1. They need to be on the same network as you;
  2. You need to be using an HTTP connection;
  3. You need to be using a browser vulnerable to VORACLE (anything but Chrome);
  4. You need to visit a website that the hacker controls;
  5. You need to be using OpenVPN with compression engaged.
The only chance will only be if you using a unknown wifi hotspot and they used a http log-in page. Otherwise, the chance is very Low.

But I think turning off the compression is a good way to totally prevent things from happening.
 
Set compression to "NONE" or "DISABLE" ?
 
58chev said:
Set compression to "NONE" or "DISABLE" ?
Click to expand...

Here's some clarification on both options:

RMerlin said:
OpenVPN's LZO settings are highly confusing... It can be set to "no", and it can be set to "disabled", both of which are different. One will instruct the other end you don't want to use compression right now, without disabling the feature itself. The other will completely disable the feature.

You have unfortunately to match what the server requires, in most cases.
Click to expand...

I use 'Disabled' for the VPN Server running on my router. My VPN provider (and several others) have completely disabled compression as well (source: https://protonvpn.com/blog/voracle-attack/), so regardless what a client requests, it won't offer any compression on negotiating.
 
@RMerlin Would it be possible to set the Compression value to 'Disable' by default?

Unrelated to Voracle, but would you please consider setting "Username / Password Auth. Only" to 'No' by default? @Martineau pointed out yesterday that 'Yes' is less secure. For people with less knowledge, like yours truly, I think setting ('the most') secure options by default would definitely come in handy.
 
M@rco said:
@RMerlin Would it be possible to set the Compression value to 'Disable' by default?
Click to expand...

Worth considering, tho personally I'm not losing any sleep over that particular issue since the issue is more likely to affect you when you are using a client to access the Internet, not when using it just to connect remotely into your home network. Therefore that makes it far more critical for all those VPN tunnel providers whose sole purpose is to let you redirect your traffic through them.

M@rco said:
Unrelated to Voracle, but would you please consider setting "Username / Password Auth. Only" to 'No' by default? @Martineau pointed out yesterday that 'Yes' is less secure. For people with less knowledge, like yours truly, I think setting ('the most') secure options by default would definitely come in handy.
Click to expand...

Less does not mean it's insecure, just like your home doorlock is less secure than one used on a store or a bank, or AES-128-GCM is less secure than AES-256-GCM. The learning curve to deal with generating your own client certificates is far too steep for the vast majority of users, so I have no intention of changing the default settings.

EDIT: actually, the reasons for this default choice are historical. My original implementation didn't generate a client key/cert pair, it had to be done manually by the end user. Afterward Asus implemented the functionality to automatically generate a key/cert pair for the client. I just rechecked that code, and I see they are automatically used in the exported client config file now, therefore it should be possible to change the default to not be username/password only. That wasn't the case back then.
 
Last edited:
M@rco said:
Here's some clarification on both options:

I use 'Disabled' for the VPN Server running on my router. My VPN provider (and several others) have completely disabled compression as well (source: https://protonvpn.com/blog/voracle-attack/), so regardless what a client requests, it won't offer any compression on negotiating.
Click to expand...
Thank you M@rco for the clarification.
 
So just to check: is the compression option ‘None’ also safe from this exploit?

On my OpenVPN server setup it seems that ‘Disabled’ kills access for the clients (they connect but cannot access anything), while ‘None’ seems to work. I’d prefer to not have to reissue all client configs...
 
TheStork said:
So just to check: is the compression option ‘None’ also safe from this exploit?

On my OpenVPN server setup it seems that ‘Disabled’ kills access for the clients (they connect but cannot access anything), while ‘None’ seems to work. I’d prefer to not have to reissue all client configs...
Click to expand...

I had a similar predicament. After "Disabling" compression on my server I had to delete the following line from my config files:
Code: 
comp-lzo XXXXX
The connections worked fine afterwards.

As to having the "None" option being as secure as "Disabled" - I can't speak to that..but I would definitely err on the side of caution.
 
You must log in or register to reply here.

Similar threads

C
These VPN Services Can Easily Be Hacked
2
Replies
38
Views
13K
st3v3n
st3v3n
Xentrk
TorGuard OpenVPN 2.4 Client Setup for ASUS Merlin 380.65 & 380.65_2 Part III
2
Replies
21
Views
9K
unclebuk
unclebuk
Similar threads
Thread starter Title Forum Replies Date
D Solved Openvpn client dns Asuswrt-Merlin 2
PR3MIUM WireGuard removing OpenVPN on ASUS Routers ? Asuswrt-Merlin 2
T [Help] Problems setting up OpenVPN Asuswrt-Merlin 7
N dedicated router for OpenVPN Asuswrt-Merlin 4
N Solved OpenVPN Server split tunnell config Asuswrt-Merlin 5
C Connection to router by ip fails while remote over OpenVPN Asuswrt-Merlin 17
S OpenVPN LAN access + one external IP Asuswrt-Merlin 3
J VPN director Multiple OpenVPN clients Asuswrt-Merlin 7
G OpenVPN Server log, is this in error ? Asuswrt-Merlin 7
H Extremely low speed on ac86u with openvpn client Asuswrt-Merlin 7

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 686 (members: 22, guests: 664)
Top