Re: Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Steve Kemp <steve@steve.org.uk>]

>   Version         : 0.0~git20170129.72dd7f6-1
>   Upstream Author : Adhityaa C <c.adhityaa@gmail.com>
> * URL             : https://github.com/adtac/autovpn
..
> autovpn is a tool to automatically connect you to a random VPN
> in a country of your choice. It uses openvpn to connect you to a server
> obtained from VPN Gate (http://www.vpngate.net/en/).

  I'd strongly urge you to reconsider packaging this project, for
 three main reasons:

  * It relies upon the external VPNGate.net site/service.  If this
    goes away in the lifetime of a stable Debian release users will
    be screwed.

  * It allows security attacks against the local system, which other
    users on the host could exploit via symlink attacks on /tmp/openvpnconf

  * It allows security attacks on against the local system which the
    remote service could exploit:

    1.  The tool downloads a remote URL to /tmp/openvpnconf

    2.  The file is then given as an argument to the command:
            sudo openvpn /tmp/openvpnconf

    3.  That generated/downloaded openvpn configuration file could
       be written to do anything, up to and including `rm -rf /`.

> A small tool that comes handy in particular for people who travel a lot. Will
> be maintained in the go-team.

  Finally the project itself notes:

    "This is completely insecure. Please do not use this for anything
    important. Get a real and secure VPN. This is mostly a fun tool to
    get a VPN for a few minutes."

Steve
--