IP Leak over VPN - Urgent Patch Required!

Hi.
I have discovered an IP leak. If you change the server (ovpn file), then click “Apply” there is a short window where your traffic goes direct, thus leaking your real IP. This is easy to reproduce:

  1. Open browser and navigate to This cooling system requires only water (shows VPN IP)
  2. Open the GL UI and go to the OpenVPN menu, click on the “Apply” button.
  3. Refresh URL (1.) in your browser (shows ISP/real IP).

Thus, we need a further security measure to stop this - previously when using DD-Wrt on a router, I used this firewall command:
iptables -I FORWARD ! -o tun+ -j DROP
which worked perfectly. Unfortunately, I did not find a way of using this command under OpenWrt.

This needs sorting out urgently, especially as I have to click the “Apply” button several times a day to reset my connection (working on a script to fix that too - see other thread)!

Glitch

Yes you are right.

When shifting server, the vpn stops first, then starts again. When it is stopped, it reverts to normal Internet status. So this is a problem.

Will patch asap.

Thanks for reporting.

Thank you - kindly update here when a testing firmware with the fix is posted and I will test it and report back!

http://www.gl-inet.com/firmware/testing/

Please try v2.261. It upgrades openvpn to v2.243 and fixes the leak problem when changing openvpn profile.

Hello Alzhao.
I briefly tested this and the leak seems to be fixed. Thank you kindly for the speedy patch! It is much appreciated.
FYI, the “apply” button seems to re-establish connection much faster now.

Thanks for testing. Before, when you changed ovpn, it stopped then started again, going through a full cycle. Now it just kills openvpn and starts. So it is faster.

Hi Alzhao.
What script/action does clicking apply run? (I want to run this action from my own script).

Glitch

killall openvpn

/etc/init.d/startvpn start

I want to upgrade to 2.261 (mainly because of OpenVPN 2.4.3), but this can only be done manually. The Web Interface then shows ‘Version: Unknown’. Is this correct and can I flash safely?

@Tomba - this has already been pointed out elsewhere - answer is “yes”.

Going back to IP leaks, I found the following on the NordVPN site:

1) To prevent traffic leakage in case the VPN tunnel drops, you can edit the file /etc/firewall.user with the following content:

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

:::::::::::::::::::::

2) You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:

#!/bin/sh
# Run by OpenWrt on every interface event; $ACTION is "ifup" or "ifdown".
# Tunnel came up and the block rule is still there: remove it.
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
fi
# Tunnel went down and nothing blocks forwarding yet: insert the rule.
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

::::::::::::::

I'd be interested to read your comments, particularly from Alzhao!

Regards,
Glitch
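Added example for the kill-switch discussion above (not code from the thread, NordVPN or the GL-iNet firmware): the two snippets folded into one idempotent helper, plus a guarded version of the "Apply" sequence (killall openvpn; /etc/init.d/startvpn start) that inserts the REJECT rule before the tunnel is torn down. It assumes OpenWrt's fw3 forwarding_rule user chain and a tun0 device.

```shell
# Added example, not code from the thread or GL-iNet firmware: the two NordVPN snippets
# folded into one idempotent helper, plus a guarded version of the "Apply" sequence
# (killall openvpn; /etc/init.d/startvpn start). Assumes fw3's forwarding_rule chain and tun0.
TUN_IF="${TUN_IF:-tun0}"
CHAIN="forwarding_rule"

# Pure decision: args tun_up (1/0), rule_present (1/0); prints insert|delete|keep.
killswitch_decision() {
    if [ "$1" = 0 ] && [ "$2" = 0 ]; then echo insert    # tunnel down, not yet blocked
    elif [ "$1" = 1 ] && [ "$2" = 1 ]; then echo delete  # tunnel up, rule can go
    else echo keep                                       # already consistent
    fi
}

# 0 only if the device exists AND carries the UP flag ("ip a s tun0 up" returns 0
# for a device that exists but is down, which is the weak spot of the original check).
tun_is_up() { ip link show "$TUN_IF" 2>/dev/null | grep -q '[<,]UP[,>]'; }

# 0 if the REJECT rule is present (iptables -C exits non-zero when it is not).
rule_present() { iptables -C "$CHAIN" -j REJECT 2>/dev/null; }

# Reconcile firewall with tunnel state. Call from /etc/firewall.user (firewall reload)
# and from /etc/hotplug.d/iface/99-prevent-leak (ifup/ifdown) instead of the two snippets.
apply_killswitch() {
    up=0; present=0
    tun_is_up && up=1
    rule_present && present=1
    case "$(killswitch_decision "$up" "$present")" in
        insert) iptables -I "$CHAIN" -j REJECT ;;
        delete) iptables -D "$CHAIN" -j REJECT ;;
    esac
}

# The "Apply" restart with the rule inserted BEFORE openvpn is killed, so the stop/start
# gap never forwards LAN traffic directly; the ifup hotplug run removes the rule again.
guarded_restart() {
    rule_present || iptables -I "$CHAIN" -j REJECT
    killall openvpn 2>/dev/null || true
    /etc/init.d/startvpn start
}

case "$1" in
    apply)   apply_killswitch ;;
    restart) guarded_restart ;;
esac
```

Save it as e.g. /root/killswitch.sh and call `sh /root/killswitch.sh apply` from both firewall.user and the hotplug script, and `sh /root/killswitch.sh restart` from your own restart script instead of the bare killall/start pair.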


I believe this is not needed. In our firmware if tun0 is broken you cannot use the Internet at all.