Hi.
I have discovered an IP leak. If you change the server (ovpn file), then click “Apply” there is a short window where your traffic goes direct, thus leaking your real IP. This is easy to reproduce:
Open the GL UI, go to the OpenVPN menu and click on the “Apply” button.
Refresh URL (1.) in your browser (shows ISP/real IP).
Thus, we need a further security measure to stop this - previously, when using DD-WRT on a router, I used this firewall command:
iptables -I FORWARD ! -o tun+ -j DROP
which worked perfectly. Unfortunately, I did not find a way of using this command under OpenWrt.
This needs sorting out urgently, especially as I have to click the “Apply” button several times a day to reset my connection (working on a script to fix that too - see other thread)!
Hello Alzhao.
I briefly tested this and the leak seems to be fixed. Thank you kindly for the speedy patch! It is much appreciated.
FYI, the “apply” button seems to re-establish connection much faster now.
I want to upgrade to 2.261 (mainly because of OpenVPN 2.4.3), but this can only be done manually. The web interface then shows ‘Version: Unknown’. Is this correct, and can I flash safely?
Going back to IP leaks, I found the following on the NordVPN site:
1). To prevent traffic leakage in case the VPN tunnel drops, you can edit the file /etc/firewall.user with the following content:
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Block all forwarding while tun0 is not up. Test the output of "ip a s tun0 up",
# not only its exit status: if tun0 exists but is down the command prints nothing
# and still exits 0. "-C" is silenced so a missing rule does not log an error.
if [ -z "$(ip a s tun0 up 2>/dev/null)" ] && ! iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    iptables -I forwarding_rule -j REJECT
fi
:::::::::::::::::::::
2). You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:
#!/bin/sh
# netifd sources this file on interface events with $ACTION set to ifup/ifdown.
# Same tunnel check as in /etc/firewall.user: look at the output, not just the
# exit status, and silence "-C" when the rule is absent.
tun_up() { [ -n "$(ip a s tun0 up 2>/dev/null)" ]; }
if [ "$ACTION" = ifup ] && tun_up && iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && ! tun_up && ! iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    iptables -I forwarding_rule -j REJECT
fi
::::::::::::::
I'd be interested to read your comments, particularly from Alzhao!
Regards,
Glitch
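Added example, not code from this thread, from GL.iNet or from NordVPN: a fail-closed kill switch for OpenWrt that ports the DD-WRT rule from the first post (`iptables -I FORWARD ! -o tun+ -j DROP`) into the `forwarding_rule` user chain that the NordVPN snippets above also use (it survives a firewall reload, unlike the uci-generated zone chains). The design point it illustrates is that a permanent `! -o tun+` rule needs no state tracking: forwarded traffic that is not leaving through a tun device is rejected whether the tunnel is up, down or being restarted by “Apply”, so nothing has to run at the instant tun0 disappears. That matters because the `/etc/hotplug.d/iface/` script above only runs on netifd interface events; unless tun0 is wrapped in a logical network interface, OpenVPN tearing tun0 down normally does not trigger it. The names `tun_is_up`, `killswitch_*`, the `IPTABLES`/`IP`/`CHAIN`/`TUN_GLOB`/`LAN_DEV` variables and the device name `br-lan` are assumptions made here for the example; the tunnel check deliberately inspects the output of `ip link show … up` rather than its exit status, for the reason noted in the comments on the NordVPN snippets.

```shell
#!/bin/sh
# Added example for this thread: a fail-closed OpenVPN kill switch for OpenWrt
# that ports the DD-WRT rule "iptables -I FORWARD ! -o tun+ -j DROP" into the
# OpenWrt user chain "forwarding_rule". Not code from the thread or from NordVPN.
# Assumptions (not stated in the posts): tunnel devices match "tun+"; the LAN
# bridge is br-lan if LAN_DEV is set; IPTABLES/IP may be overridden for testing.

: "${IPTABLES:=iptables}"
: "${IP:=ip}"
: "${CHAIN:=forwarding_rule}"
: "${TUN_GLOB:=tun+}"
: "${LAN_DEV:=}"        # e.g. br-lan to limit the rule to LAN-originated traffic
: "${TUN_DEV:=tun0}"    # device whose state is reported by "status"

# Is the tunnel device present *and* up? Look at the output, not only the exit
# status: "ip link show tun0 up" prints nothing but exits 0 when tun0 exists
# and is down, so an exit-status-only test would treat a down tunnel as up.
tun_is_up() {
    out=$($IP link show "$1" up 2>/dev/null) || return 1
    [ -n "$out" ]
}

# The rule as one argument string, shared by -C/-I/-D so they always agree.
# Forwarded traffic not leaving through a tun device is rejected regardless of
# tunnel state. Traffic the router itself originates (OUTPUT chain, e.g. dnsmasq
# upstream queries and the OpenVPN control connection) is NOT covered by this.
killswitch_rule() {
    if [ -n "$LAN_DEV" ]; then
        printf '%s\n' "$CHAIN -i $LAN_DEV ! -o $TUN_GLOB -j REJECT"
    else
        printf '%s\n' "$CHAIN ! -o $TUN_GLOB -j REJECT"
    fi
}

# Idempotent: calling it on every firewall reload must not stack duplicates.
killswitch_enable() {
    rule=$(killswitch_rule)
    # shellcheck disable=SC2086   # word splitting into arguments is intended
    $IPTABLES -C $rule 2>/dev/null && return 0
    $IPTABLES -I $rule
}

killswitch_disable() {
    rule=$(killswitch_rule)
    $IPTABLES -C $rule 2>/dev/null || return 0
    $IPTABLES -D $rule
}

# Prints "rule=enforced|missing tunnel=up|down"; returns 0 only when the rule
# is in place (the tunnel state is informational, the rule is what protects).
killswitch_status() {
    rule=$(killswitch_rule)
    if tun_is_up "$TUN_DEV"; then t=up; else t=down; fi
    if $IPTABLES -C $rule 2>/dev/null; then
        printf 'rule=enforced tunnel=%s\n' "$t"
    else
        printf 'rule=missing tunnel=%s\n' "$t"
        return 1
    fi
}

# CLI entry point: call "enable" from /etc/firewall.user (it runs on every
# firewall reload, which is exactly when a custom rule must be re-added).
killswitch_main() {
    case "$1" in
        enable)  killswitch_enable ;;
        disable) killswitch_disable ;;
        status)  killswitch_status ;;
        *) echo "usage: $0 enable|disable|status" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    killswitch_main "$@"
fi
```

Usage under the stated assumptions: save it as, say, /root/killswitch.sh (path chosen for the example), add `sh /root/killswitch.sh enable` to /etc/firewall.user, then run `sh /root/killswitch.sh status` and repeat the reproduction steps from the first post; the ISP IP page should fail to load during the “Apply” window instead of showing the real address. Setting `LAN_DEV=br-lan` narrows the rule to traffic entering from the LAN bridge if other zones must keep forwarding through the WAN.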