Re: [OT a bit] -- OpenVPN and mobile safety
On Tue, 21 Nov 2017 22:35:24 +0900
Mark Fletcher <email@example.com> wrote:
> What I'd like to do now is have the option to set things up so that
> the tablet has NO CHOICE but to do all its interaction with the
> internet over the VPN.
> In other words, it should connect to local untrusted WiFi as normal,
> get an IP address from that network, and then when I fire up OpenVPN
> I want to arrange things such that all user / app attempts to access
> the internet are routed through the VPN, so they emerge onto the
> internet at large from my home network not from my tablet directly.
> And, crucially, any attempt to talk to the tablet that doesn't come
> through the VPN goes ignored.
> Thus untrusted networks don't see my traffic, and my tablet is safe
> from attack from the local untrusted WiFi LAN.
> I imagine I need to let some traffic go through the untrusted
> connection, eg DHCP etc to keep the local connection to the untrusted
> WiFi alive, but I want that to be the absolute minimum necessary.
> Is this a matter of configuring OpenVPN right, and if so can anyone
> point me at a good tutorial? or do I need other software, in which
> case can anyone give me any pointers?
Look at the --redirect-gateway startup option or (without leading --)
in the config file. The chances are that the default openvpn
configuration does this anyway, as there are two main uses for a VPN,
the remote access that you are using now, and the routing of all
traffic to a trusted network before it gets out unencrypted onto the
Internet. The latter use requires the gateway redirection.
Have a look at the routing table with and without the VPN open to
check. Also look at the server configuration, which should contain
'push "route..."' and 'push "redirect-gateway...."' lines.
See the heading:
"Routing all client traffic (including web-traffic) through the VPN"
It would also help if you have control of the tablet firewall code.
I've no idea if this is possible on Android. I have multiple iptables
rulesets for my netbook, two of which allow DHCP, web and either ssh
or openvpn out of the wifi interface, and a controlled set over the tun,
with only established and related connections allowed back in.
But the gateway redirect must be working for the right signals to get
to the right firewall rules. Without control of the firewall, the
redirect will still do most of what you want, but you would be able to
send packets to the local wifi network explicitly. The right firewall
rules would prevent this. If your existing firewall rules allow in only
related and established connections, that should prevent attack
attempts from the wifi network.
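A concrete ruleset along the lines the reply describes, added here as an example and not taken from the mail or from the OpenVPN project: a POSIX shell script for a Linux client that prints the iptables commands (so they can be reviewed, or piped into sh as root), plus a check that a copy of the routing table really sends the default route over the tun device, which is what the redirect-gateway option is supposed to produce. The interface names wlan0 and tun0, the VPN server address 203.0.113.10 and port 1194/udp are placeholders; the wifi exceptions are kept to the minimum the questioner asked for (DHCP plus the tunnel endpoint), so the "web" exception the reply mentions for its own netbook is left out.

```shell
#!/bin/sh
# Added example (not part of the original mail): a "VPN-only" client firewall.
# The matching OpenVPN side is the server pushing
#   push "redirect-gateway def1"
# (or the client config line  redirect-gateway def1 ), which installs
# 0.0.0.0/1 and 128.0.0.0/1 routes via the tunnel on top of the wifi default.

WIFI="${WIFI:-wlan0}"                    # placeholder: untrusted wifi interface
TUN="${TUN:-tun0}"                       # placeholder: OpenVPN tunnel device
VPN_SERVER="${VPN_SERVER:-203.0.113.10}" # placeholder (TEST-NET-3 address)
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# Print the ruleset rather than applying it, so it can be read first and then
# run with:  vpn_only_rules | sudo sh
vpn_only_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback is always allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# only replies to connections this host started may come back in
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# minimum on the untrusted wifi: DHCP to keep the lease, and the tunnel itself
iptables -A OUTPUT -o $WIFI -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i $WIFI -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -o $WIFI -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
# everything else the user or apps send must leave through the tunnel
iptables -A OUTPUT -o $TUN -j ACCEPT
# unsolicited packets from the wifi LAN hit the DROP policy; log a sample
iptables -A INPUT -i $WIFI -m limit --limit 5/min -j LOG --log-prefix "wifi-drop: "
EOF
}

# Read "ip route" output on stdin and succeed only if traffic leaves via the
# tun device: either a plain default route on it, or the 0.0.0.0/1 plus
# 128.0.0.0/1 pair that redirect-gateway def1 installs.
# Usage:  ip route | routes_go_via_tun tun0 && echo "VPN is the gateway"
routes_go_via_tun() {
    awk -v tun="$1" '
        $1 == "default"     && $0 ~ ("dev " tun) { d = 1 }
        $1 == "0.0.0.0/1"   && $0 ~ ("dev " tun) { a = 1 }
        $1 == "128.0.0.0/1" && $0 ~ ("dev " tun) { b = 1 }
        END { exit !(d || (a && b)) }'
}

# "sh vpn-only.sh print" shows the ruleset; no argument just defines the functions
case "${1:-}" in
    print) vpn_only_rules ;;
esac
```

Comparing `ip route` before and after bringing the tunnel up, as the reply suggests, is the quickest way to confirm the redirect: with def1 the wifi default route stays but is shadowed by the two more specific /1 routes over tun0, and the OUTPUT rules above then let nothing but DHCP and the tunnel packets out of the wifi interface.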