“Wrong Way”: Routing ‘Feature’ exposes VPN users’ real IP


“Wrong Way”: Another VPN security problem has been found. A routing ‘feature’ may reveal the user’s real IP address, as with “Port Fail”. This time, not only providers with port forwarding are affected but all providers that haven’t fixed the problem. The underlying problem is that, under certain conditions, packets received over the real IP are answered via the VPN interface.

The Perfect Privacy VPN Manager protects you from this attack.

In cooperation with ValdikSS from the Russian provider ProstoVPN, we fixed the following problem.

Details about the leak

The following requirements must be met for this IP leak to occur:

  • The VPN user either has a direct connection (without NAT) to the internet or is using a router that supports UPnP port forwarding (many routers do that by default)
  • The user runs any software that listens and communicates via a port (such as any torrent client, eMule or, for example, VoIP software like Skype)

A possible attack would then look like the following:

  1. An attacker (for example a copyright law agency) starts a torrent client and collects all IP addresses and ports used for the torrent (this is already a normal procedure for identifying people who torrent without a VPN)
  2. The attacker scans the entire routable IPv4 range by sending packets to the collected ports (this can be done in less than 10 minutes with a 10Gbit link and considerably less if reduced to only the US/EU IP ranges).
  3. Any torrent client peering on this torrent will receive the incoming packet from the attacker on the ISP network interface but reply using the VPN interface. This means that the attacker will see both the real IP and the VPN IP and can correlate them.

This issue is critical because it generally affects all operating systems and VPN protocols. In contrast to PortFail, there is no server side solution: The recommended method to prevent this leak is by deactivating UPnP functionality in the router. If that isn’t possible, the other option is to block such traffic by firewall rules on the client side (see below).

ProstoVPN has provided a video that demonstrates this leak in Windows 10.


The best solution is to deactivate UPnP functionality on your router. This prevents ports from being opened on the router even if applications request them.

Users who have no control over their router and cannot deactivate UPnP functionality, and users who are connected to the internet directly (without a router), need to block the traffic that would reveal their IP on the client side.

On Linux operating systems the fix is rather simple: set

sysctl net.ipv4.conf.*.rp_filter=1

Where * references the appropriate interface. If the VPN interface is tun0 and the internet interface is wlp3s0, the commands would be as follows:

sysctl net.ipv4.conf.default.rp_filter=1
sysctl net.ipv4.conf.tun0.rp_filter=1
sysctl net.ipv4.conf.wlp3s0.rp_filter=1

This drops packets whose replies, according to the routing table, would not leave via the interface they arrived on. Additionally, the following firewall rule should be added for IPv6:

ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
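
To confirm the IPv4 setting took effect, the following added example (not part of the original article or of any provider's software) audits the effective rp_filter mode per interface. The function name rp_filter_audit and its optional directory argument are assumptions made for this example. It accounts for the kernel applying the higher of the "all" and per-interface values, and flags loose mode (2), which does not stop this leak.

```shell
#!/bin/sh
# Added example: audit the effective IPv4 reverse-path filter per interface.
# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter):
#   0 = no source validation, 1 = strict, 2 = loose.
# Only strict mode drops a packet whose reply would leave through a different
# interface. Loose mode accepts any source reachable through any interface,
# which the VPN default route always satisfies.

# rp_filter_audit [CONF_DIR]   (hypothetical helper name)
# Prints "<iface> <effective-mode> <verdict>" per interface and returns 0
# only if every interface (and the "default" template) is in strict mode.
rp_filter_audit() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}  # overridable to run on a test tree
    all=$(cat "$conf_dir/all/rp_filter" 2>/dev/null || echo 0)
    bad=0
    for dir in "$conf_dir"/*/; do
        iface=$(basename "$dir")
        case $iface in all|lo) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        own=$(cat "$dir/rp_filter")
        # Effective mode is the higher of the global and per-interface value.
        if [ "$own" -gt "$all" ]; then eff=$own; else eff=$all; fi
        case $eff in
            1) verdict=OK ;;
            2) verdict=LOOSE; bad=1 ;;
            *) verdict=OFF; bad=1 ;;
        esac
        echo "$iface $eff $verdict"
    done
    return $bad
}

# Usage on a live system: rp_filter_audit || echo "rp_filter is not strict everywhere"
```
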

On macOS this is more difficult. The simplest way is to block all incoming UDP packets except those from non-routable addresses, the ISP subnetwork or the IP address of the VPN server itself, like this:

echo 'pass in quick proto udp from to any
pass in quick proto udp from to any
pass in quick proto udp from to any
pass in quick proto udp from to any
pass in quick proto udp from to any
block in quick on ! utun1 proto udp to any' |  sudo pfctl -Ef -

In this example is the IP address of the VPN server and utun1 is the VPN interface.

The rp_filter functionality does not exist in Windows. However, VPN providers that have custom client software can implement specific firewall rules which will prevent this leak, as is the case with the Perfect Privacy VPN client software.

Windows users who use the OpenVPN software to connect to the VPN server will be vulnerable to this leak. If it is not possible to deactivate UPnP on the router or if the user is connected to the internet directly, he will need to set specific firewall rules to prevent this leak. ValdikSS provides a plugin that can be used to block this attack. Note: This plugin is not supported by Perfect Privacy and we accept no responsibility for its use. We included this plugin for users who are with a different VPN provider that has no fix for this issue.