These VPN Services Can Easily Be Hacked

[HowIFix]

@john9527

Then I refund this VPN?

Last Test: (Public: Gives me IP)

• comp-lzo no
• push "comp-lzo no"

Spoiler: Screenshot

 

[st3v3n]

HowIFix, well, you might ask the VPN if they're working on a fix and see if they'll refund you, or give you extra time, while they work on it, if they're actually trying to fix their configs. We received a reply from our 2nd VPN last night; they're working on fixes for all their LZO configs. Everyone is scrambling at catch up, as usual. If the VPN doesn't respond or isn't instituting a fix, if it were us, we'd request a refund and move on. Cheers.

 

[somms]

In VPN Client when using Compression Disabled or None, you have to add:

• comp-lzo no

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

According to the OpenVPN man page this command is DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.

FWIW: If using comp-lzo no in my OpenVPN client config fails to connect to my AC86U OpenVPN gateway server w/Merlin 384.6 flashed and I have to use just compress with empty value instead because the OpenVPN server running on my router is set for no compression...

 

[st3v3n]

somms, keep the good news coming. Long day, needed light humor, so 'According to the OpenVPN man page' helped Whatever will the goils do? Cheers.

 

[HowIFix]

FWIW: If using comp-lzo no in my OpenVPN client config fails to connect to my AC86U OpenVPN gateway server w/Merlin 384.6 flashed and I have to use just compress with empty value instead because the OpenVPN server running on my router is set for no compression...

Thank you, then the new option compress with empty value, turned off the compression

Is there any way to know if the Compression is Disabled? (or just Goku with his Ultra Instinct knows it)

Test with compress: (Public: Gives me IP)

Spoiler: Screenshot

 

[john9527]

Thank you, then the new option compress with empty value, turned off the compression

Is there any way to know if the Compression is Disabled? (or just Goku with his Ultra Instinct knows it)

The compress option is the equivalent of comp-lzo, off but the server can override it.

To check compression status, look at the VPN Status page and compression statistics. If it's off, they will all be zeros. (an example from my PIA connection)

 

[RMerlin]

The compress option is the equivalent of comp-lzo, off but the server can override it.

To check compression status, look at the VPN Status page and compression statistics. If it's off, they will all be zeros. (an example from my PIA connection)
View attachment 14117

Also. System Log should provide the necessary info (provided sufficient verbosity level).

 

[HowIFix]

The compress option is the equivalent of comp-lzo, off but the server can override it.

To check compression status, look at the VPN Status page and compression statistics. If it's off, they will all be zeros. (an example from my PIA connection)

View attachment 14117

Thanks! @john9527

NordVPN + these options gives me Public IP and Compression Statistics on the VPN Status page show zerotes:

• Old:
  • comp-lzo no
  • push "comp-lzo no"
• New:
  • compress

Compression Statistics:

Spoiler: Screenshot

ExpressVPN only with the old option gives me Public IP and Compression Statistics on the VPN Status page show zerotes:

• Old:
  • comp-lzo no
  • push "comp-lzo no"
• New:
  • compress (This does not give me Public IP, then the internet does not work)

Compression Statistics:

Spoiler: Screenshot

I hope that I am not wrong.

 

[john9527]

I hope that I am not wrong.

That actually makes sense....I forgot that NordVPN is the only VPN so far that I know that has been confirmed to have updated their servers to OpenVPN 2.4.x The rest seem to be stuck on 2.3.x
So NordVPN works with the 'new' compress option and ExpressVPN works with the 'old' comp-lzo option.

I remember that I looked for some way to tell for sure what the server level was and could never find it.

 

[RMerlin]

That actually makes sense....I forgot that NordVPN is the only VPN so far that I know that has been confirmed to have updated their servers to OpenVPN 2.4.x The rest seem to be stuck on 2.3.x

StrongVPN seems to be running 2.4.x as well, since they support NCP and AES-256-GCM:

Aug 18 20:13:14 ovpn-client3[813]: Data Channel: using negotiated cipher 'AES-256-GCM'
Aug 18 20:13:14 ovpn-client3[813]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 18 20:13:14 ovpn-client3[813]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

 

[HowIFix]

@RMerlin @john9527

The same thing appears in log when I use NordVPN: (But I'm not using that option in VPN Client)

In ExpressVPN it's different:

 

[RMerlin]

@RMerlin @john9527

The same thing appears in log when I use NordVPN: (But I'm not using that option in VPN Client)

In ExpressVPN it's different:

First one indicates OpenVPN 2.4.x with AES-256-GCM. Second one is old-school AES-256-CBC + HMAC, which probably indicate OpenVPN 2.3.x.

GCM ciphers don't need a separate HMAC, making them more efficient.

 

[HowIFix]

Thank you @RMerlin

 

[CaptainSTX]

Here is a statement from PIA posted on their web site regarding the article:

We’ve seen recent reporting that implies PIA is vulnerable to the ‘VORACLE’ exploit. From our internal investigation, we are not vulnerable as compression is not enabled on the Private Internet Access service.


Compression was disabled on the 26th December 2014 within the server configuration which supersedes the local configuration and will overrule potential settings presented by the configuration file.

This prevents the VORACLE exploit from occurring as according to the researcher’s slides and results, compression must be enabled for the attack to be used against a VPN service.


To confirm that compression was disabled from the server-side, we checked the configuration settings from the OpenVPN command line (with verb 4 enabled) to show the exact push statement disabling it:

“Mon Aug 13 16:12:59 2018 us=472321 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.31.10.1,topology net30,ifconfig 10.31.10.6 10.31.10.5,auth-token'”
We also confirmed that our Mobile platforms (Android and iOS) are also superseded by the server configuration and do not allow compression.


We are in contact with the researcher and will keep you updated if we see any evidence to the contrary. Additionally, we will endeavour to make sure any such reporting around this in relation to Private Internet Access is correct. For clarity;

“The list of VPN providers on my slides were just to help the audience understand the kind of vpns that the talk was dealing with. Not that all of those vpns were vulnerable. In fact, there are many VPN providers using OpenVpn and they could have this. This is why I worked with the OpenVPN team directly. Their usage [guidelines] now clearly talk about the security issues when compression is enabled."- Ahamed Nafeez
As always, we would like to thank the researcher, and all security researchers, for helping expose issues in security software and making end users safer.

 

[doczenith1]

I believe PIA is using 2.4.x also as their Android app lists the GCM ciphers as options.

 

[RMerlin]

I believe PIA is using 2.4.x also as their Android app lists the GCM ciphers as options.

They still use AES-128-CBC tho (or at least they never enabled NCP).

 

[parker55]

So we should avoid vpn? which vpn is best now to use online anonymity

 

[st3v3n]

Parker55, No need to avoid using OpenvVPN at all. Most of the VPN providers either fixed/changed their configurations to address the problem or stated they were working on a fix. Whatever provider you're interested in, the best way to find out about how they address this, is to contact their tech support and ask. If they're on the ball, they'll get back to you quickly if you ask the correct questions. As always, continue researching and reading; there are always new threats popping up every day. Cheers.

 

[st3v3n]

As usual with all providers, YMMV with each provider; they try to provide consistency across their network, and it depend on location, the customer's ISP/provisioning deliver, user's equipment/skill, etc. The more work a user puts into it, the better results you get. Many providers have disabled LZO and will usually advise customers to disable or turn it off in certain configs. Others instituted fixes, but it's the tip of the iceberg. The bad guys will never quit. As long as your VPN provides the security and level of privacy you need and pay for, that's what counts. We spent months evaluating different VPN providers then selected the two we've stayed with. Different parts of their network provides different levels of performance. The bad actors also use VPN providers, who have to play a balancing act, by not snooping on legitimate customer traffic, yet weeding out and removing bad actors. We thank the researchers who work to locate and publicize the exploits. Cheers