Re: [OT a bit] -- OpenVPN and mobile safety
On Tue, Nov 21, 2017 at 05:46:23PM +0000, Joe wrote:
> On Tue, 21 Nov 2017 22:35:24 +0900
> Look at the --redirect-gateway startup option or (without leading --)
> in the config file. The chances are that the default openvpn
> configuration does this anyway, as there are two main uses for a VPN,
> the remote access that you are using now, and the routing of all
> traffic to a trusted network before it gets out unencrypted onto the
> Internet. The latter use requires the gateway redirection.
> Have a look at the routing table with and without the VPN open to
> check. Also look at the server configuration, which should contain
> 'push "route..."' and 'push "redirect-gateway...."' lines.
> See the heading:
> "Routing all client traffic (including web-traffic) through the VPN"
> in page
Yep, this looks like what I was after. This actually claims to redirect
ALL traffic through the VPN, and hints that this can cause trouble with
DHCP, which sounds like a bit of a problem to be frank. Would have
thought that would break a lot of networks. But I suppose I might get
away with it if the hotel / whatever untrusted WiFi doesn't reassign IP
addresses a lot. I just might have to do something on my home network's
firewall to stop it attempting to service locally DHCP requests coming
through the TUN.
> It would also help if you have control of the tablet firewall code.
> I've no idea if this is possible on Android. I have multiple iptables
> rulesets for my netbook, two of which allow DHCP, web and either ssh
> or openvpn out of the wifi interface, and a controlled set over the tun,
> with only established and related connections allowed back in.
Yes, this part would be necessary to stop the tablet responding to
requests coming from the untrusted WiFi network, except maybe necessary
things from the access point itself, eg DHCP... Anything coming from
anyone else on the untrusted WiFI LAN I'd want to regard with extreme
I don't know if Android has iptables, but I will dig around to see what
it does have.
> But the gateway redirect must be working for the right signals to get
> to the right firewall rules. Without control of the firewall, the
> redirect will still do most of what you want, but you would be able to
> send packets to the local wifi network explicitly.
I'm less worried about the tablet being able to send to the untrusted
WiFi than I am about the untrusted WiFi being able to send to the
tablet. ie if some service I'm unaware of (it's stuffed with Samsung
bloatware after all) is listening on the device, I don't want it talking
to strangers as it were...
Thanks for your reply, sorry I took a while to respond but I was
travelling for business.