ids – SNORT rule for detecting/preventing unauthorized VPN or encrypted traffic

Here’s my not-so-theoretical scenario: a day-one Trojan horse attack where the attacker sets up a secure connection back to himself using a well-known trusted port, such as 80, 21 or 443. Or, for instance, a malicious user takes advantage of an open source tool such as openvpn to secure and route a connection out through a trusted port from within the company, effectively making all security mitigations useless.

Is there any way that snort could detect an initializing secure connection, whether it be SSL/TLS or IPsec? I realize that once the connection is established it becomes very difficult to find; that’s my problem.

My main question: Is there any way to detect the exchange of public keys and log who’s doing it?

Thanks in advance!
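The handshake the question asks about is visible in clear text: a TLS ClientHello is the first thing a client sends, and its SNI extension names the server being contacted, on whatever port the session uses. The example below is added here and is not code from the original question nor a Snort rule; it applies the same byte checks a Snort content match would (record type 0x16, version 0x03 0x0X, handshake type 0x01) to the first bytes of a TCP payload, then parses the ClientHello to recover the SNI so a monitor can log who opened a TLS session on a port where TLS is not expected. The sample flows, hostnames and addresses are constructed for the demonstration.

```python
"""Spot TLS ClientHello messages on ports where TLS is not expected.

Added example: not code from the original question and not a Snort rule.
The sample flows and hostnames below are constructed.
"""
import struct

TLS_HANDSHAKE = 0x16    # record content type for handshake messages
CLIENT_HELLO = 0x01     # handshake message type
SNI_EXTENSION = 0x0000  # server_name extension id


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a TLS record carrying a ClientHello."""
    if len(payload) < 9:  # 5-byte record header + 4-byte handshake header
        return False
    if payload[0] != TLS_HANDSHAKE or payload[1] != 0x03 or payload[2] > 0x04:
        return False
    return payload[5] == CLIENT_HELLO


def extract_sni(payload: bytes):
    """Return the SNI hostname from a ClientHello, or None if absent."""
    if not is_tls_client_hello(payload):
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    hello = hs[4:4 + hs_len]
    pos = 2 + 32                                            # client_version + random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    if pos + 2 > len(hello):
        return None                                         # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        edata = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != SNI_EXTENSION:
            continue
        # server_name_list: length(2), then entries of type(1) length(2) name
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= list_end:
            ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
            if ntype == 0:  # host_name
                return edata[p + 3:p + 3 + nlen].decode("ascii", "replace")
            p += 3 + nlen
    return None


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (test input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = (struct.pack("!HH", SNI_EXTENSION, len(entry) + 2)
           + struct.pack("!H", len(entry)) + entry)
    body = (b"\x03\x03" + b"\x11" * 32            # version TLS 1.2, fixed random
            + b"\x00"                              # empty session id
            + b"\x00\x02\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(sni)) + sni)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def scan_flows(flows, expected_tls_ports=(443,)):
    """Return (src, dport, sni) for every TLS handshake seen on an unexpected port."""
    return [(src, dport, extract_sni(data))
            for src, dport, data in flows
            if is_tls_client_hello(data) and dport not in expected_tls_ports]


# Constructed sample: first payload bytes of three client-to-server flows.
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, build_client_hello("mail.example.com")),             # normal HTTPS
    ("10.0.0.7", 80, build_client_hello("tunnel.example.net")),            # TLS where HTTP is expected
    ("10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # plain HTTP
]

if __name__ == "__main__":
    for src, dport, sni in scan_flows(SAMPLE_FLOWS):
        print(f"TLS handshake from {src} to port {dport}, SNI={sni}")
```

Two caveats on what this can and cannot see. In TLS 1.2 the Certificate message that follows is also in clear text, so the server's public key is loggable; in TLS 1.3 it is encrypted and only the ClientHello (with SNI, unless Encrypted Client Hello is in use) remains visible. IPsec is a different case: IKE negotiation runs over UDP 500/4500 and is recognisable by protocol rather than by these record bytes, so it needs a separate match.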

vpn – Is it safe to set up your firewall to allow localhost to accept incoming connections?

I have set up a VPN client and I’m using iptables to block all connections not tunneled through the VPN. An example of the iptables rules I am using can be found here.

Unfortunately with this configuration RStudio does not start up.

In fact the RStudio guide says:

Check firewall, proxy settings, and antimalware

Although RStudio does not require internet access, it does use a localhost connection to link your R session with the RStudio IDE. As a result, it is possible a (software-based) firewall, network setting, or antimalware program is blocking access to RStudio. If you have a firewall, HTTP or HTTPS proxy configured, add localhost and 127.0.0.1 to the list of approved Hosts and Domains. After this, try restarting RStudio. If you have antimalware software configured that may be blocking RStudio, please check its settings and whitelist RStudio if necessary.

I had already allowed outgoing connections on the loopback interface:

-A OUTPUT -o lo -j ACCEPT

By experimentation I have discovered that adding this line to the rules would make RStudio work again:

# Accept localhost
-A INPUT -d 127.0.0.1/24 -j ACCEPT

From a security perspective, is such a rule safe?

Can such a rule be exploited by malware/spyware?

Will such a rule leak my private IP address despite the VPN connection?

EDIT: Is the rule:

-A INPUT -s 127.0.0.1/24 -d 127.0.0.1/24 -j ACCEPT

safer? Also, this rule would make RStudio work.

VPN protected resource and accessible via authenticated API – design

Let’s imagine a simple system deployed on GCP. There is a public, authenticated (token, IP whitelisting) API exposed by our system. There is a protected resource R (SQL database) that is accessible through the API.
We would like to add to our system the additional possibility of access via VPN for some of our clients; that is, part of R should be accessible only via VPN, and the other part of R should still be accessible via the public API.
Can you give me a hint on how to correctly design it?

Encryption inside vpn – Server Fault

I am new to these and I am not sure I am posting to the right forum.

I have a newbie question:

Let’s say that inside a VPN I am connecting my web server to the database server, and both of these are inside the VPN, each one on its own machine.

Is the communication between these two servers encrypted, or is it not encrypted because they are both inside the VPN?

Thanks.

Setting up VPN tunnel: what are the possible ways by which my true IP address could leak?

I bought a subscription to a VPN service and I set up the VPN tunnel using openvpn.

In order to avoid DNS leaks, I am using the DNS servers provided by my VPN provider by manually enforcing /etc/resolv.conf.

By navigating on the internet, what are all the possible ways by which my real IP address could leak?
(I mean involuntary ways that don’t involve downloading and running an executable with root privileges, but Javascript is in scope for this question).

For instance, the ExpressVPN client has a protection against WebRTC IP leaks, and you can check whether you are exposed here.

What are all the other possible ways through which the real IP address could leak? Javascript? Java? Flash? Other web technologies?

vpn – Using iptables to set up a killswitch for openvpn: DNS requests are blocked but they shouldn’t

I bought a subscription to a VPN service and I am using the openvpn 2.5.1 client to connect to it. I am using Ubuntu 20.10.

I now want to emulate the “kill switch” feature of most proprietary VPN clients.

That is, I want to block any connection that is not tunneled through the VPN. Said otherwise, if the VPN connection drops for some reason (e.g. server unreachable), I want all internet connections to be blocked.

To achieve this result, I am following this tutorial.

I have come up with the following iptables rules:

*filter

# Drop all packets
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Allow incoming packets only for related and established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow loopback and tunnel interface
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -p icmp -j ACCEPT

# Allow local LAN
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT

# Allow VPN's DNS servers
# NordVPN's DNS server addresses are 103.86.96.100 and 103.86.99.100
-A OUTPUT -d <DNS_SERVER_1> -j ACCEPT
-A OUTPUT -d <DNS_SERVER_2> -j ACCEPT

# Allow the VPN itself (both protocol/port and interface)
# We use TCP/443
#-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

COMMIT

and I am importing it with sudo iptables-restore < ./vpn_iptables_killswitch_rules.ipv4.

After the import I am able to connect to the VPN successfully. That is, the openvpn client establishes the connection successfully.

However, I am unable to resolve domain names to IP addresses. In fact, ping google.com returns a temporary failure in name resolution, while traceroute 8.8.8.8 works without problems.

This should not happen since I have whitelisted the DNS servers on my rules.

An nmcli connection show <SSID> shows that the connection is using the DNS servers provided by my VPN provider and is ignoring the DNS servers provided by DHCP.

What am I doing wrong here?
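Both this question and the earlier RStudio one (“Is it safe to set up your firewall to allow localhost to accept incoming connections?”) come down to how netfilter walks a chain: first matching rule wins, otherwise the chain policy applies. The simulator below is an added example, not code from either question; it models only the options the posted ruleset uses (-P, -i/-o, -s/-d, -p, --dport, conntrack --ctstate) and runs constructed packets through the kill-switch rules. One assumption, not stated in the question: the system resolver is a local stub on 127.0.0.53 (the systemd-resolved default on Ubuntu), so every lookup first crosses the loopback interface. The DNS addresses are the ones in the ruleset comment; the tun0 address, ports and LAN host are made up.

```python
"""First-match simulator for the subset of iptables used in the posted ruleset.

Added example, not code from either question. Assumes a local stub resolver
on 127.0.0.53; all packets below are constructed.
"""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    chain: str
    src: str
    dst: str
    proto: str = "udp"
    dport: int = 0
    in_if: str = ""
    out_if: str = ""
    state: str = "NEW"      # conntrack state as the filter table sees it


@dataclass
class Rule:
    chain: str
    target: str = None
    in_if: str = None
    out_if: str = None
    src: object = None      # ipaddress network or None (= any)
    dst: object = None
    proto: str = None
    dport: int = None
    states: set = None

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))


def parse_ruleset(text: str):
    """Parse iptables-restore style lines into (chain policies, ordered rules)."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        tok = shlex.split(line)
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        rule, i = Rule(chain=tok[1]), 2
        while i < len(tok):
            opt, arg = tok[i], tok[i + 1]
            if opt == "-j": rule.target = arg
            elif opt == "-i": rule.in_if = arg
            elif opt == "-o": rule.out_if = arg
            elif opt == "-s": rule.src = ipaddress.ip_network(arg, strict=False)
            elif opt == "-d": rule.dst = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p": rule.proto = arg
            elif opt == "--dport": rule.dport = int(arg)
            elif opt == "--ctstate": rule.states = set(arg.split(","))
            elif opt != "-m": raise ValueError(f"unsupported option {opt}")  # -m just loads a module
            i += 2
        rules.append(rule)
    return policies, rules


def verdict(policies, rules, p: Packet) -> str:
    """First matching rule in the packet's chain decides; otherwise the chain policy."""
    for r in rules:
        if r.chain == p.chain and r.matches(p):
            return r.target
    return policies.get(p.chain, "ACCEPT")


# The posted kill-switch rules (placeholders replaced by the addresses in its comment).
KILL_SWITCH = """
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 103.86.96.100 -j ACCEPT
-A OUTPUT -d 103.86.99.100 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
"""

# The legs of one name lookup through a local stub resolver (10.8.0.2 is an assumed tun0 address).
LOOKUP_LEGS = {
    "app_to_stub_out": Packet("OUTPUT", "127.0.0.1", "127.0.0.53", "udp", 53, out_if="lo"),
    "app_to_stub_in":  Packet("INPUT", "127.0.0.1", "127.0.0.53", "udp", 53, in_if="lo"),
    "stub_to_vpn_dns": Packet("OUTPUT", "10.8.0.2", "103.86.96.100", "udp", 53, out_if="tun0"),
    "vpn_dns_reply":   Packet("INPUT", "103.86.96.100", "10.8.0.2", "udp", 41234,
                              in_if="tun0", state="ESTABLISHED"),
}


def lookup_verdicts(ruleset: str) -> dict:
    policies, rules = parse_ruleset(ruleset)
    return {leg: verdict(policies, rules, pkt) for leg, pkt in LOOKUP_LEGS.items()}


def loopback_rule_comparison() -> dict:
    """Verdict for a packet addressed to 127.0.0.1 that arrives on a non-loopback interface."""
    stray = Packet("INPUT", "192.168.1.20", "127.0.0.1", "tcp", 8787, in_if="wlan0")
    out = {}
    for label, rule in (("-d 127.0.0.1/24", "-A INPUT -d 127.0.0.1/24 -j ACCEPT"),
                        ("-i lo", "-A INPUT -i lo -j ACCEPT")):
        policies, rules = parse_ruleset(KILL_SWITCH + rule)
        out[label] = verdict(policies, rules, stray)
    return out
```

Run as posted, the simulation accepts the application's query on OUTPUT (it leaves via lo) but drops the very same datagram on INPUT: the only INPUT rule accepts RELATED,ESTABLISHED, and the first packet of a lookup is NEW, so the chain policy DROP applies and the resolver never hears the question. The legs that reach the VPN DNS server over tun0 are fine. Appending `-A INPUT -i lo -j ACCEPT` turns that leg into ACCEPT. For the RStudio question, `loopback_rule_comparison()` shows the difference between the two candidate rules: `-d 127.0.0.1/24` matches on the destination address and so also accepts a 127.0.0.1-addressed packet that shows up on the wireless interface (the kernel normally discards such packets as martians before the filter table, but the rule itself does not express that), whereas `-i lo` only accepts traffic on the loopback interface, which is exactly what RStudio and the stub resolver need. Neither rule sends anything off-host, so neither opens a path around the tun0-only egress rules or exposes the host's address.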

Why Get Ivacy VPN For Windows?

Ivacy VPN has been a part of the industry for years now, making it one of the best VPNs out there for Windows-based devices. It has everything you will ever need to have a safe and seamless online experience. With a dedicated app for Windows 10, you will be able to accomplish much more, instead of having to tweak every feature and setting manually. Once the app is up and running, connecting to a VPN server will be as easy as 1-2-3.

networking – My Android Client can’t connect to OpenBSD VPN Server

I am configuring a point-to-site VPN (IKEv2) by using an OpenBSD IKEv2 server and an Android client.
I have tried to follow the instructions given in the following link: http://www.openbsd.org/faq/faq17.html
I am configuring my Android client via the StrongSwan application.
After following the instructions, my client can’t connect to my VPN server, which I think is normal because I configured only the public IP address of my server in the client VPN profile.

My question is: How can my client connect to the VPN server only by knowing the public IP address when in fact there are many devices that have the same public IP address under the same LAN? (The VPN Client is also under the same LAN and has the same public IP address)

anyconnect – IPv6 support makes openconnect server vpn connection too slow

I have set up an OpenConnect server (ocserv) on CentOS 8 that is quite fast. However, when I enable IPv6 on it by uncommenting the following line, it becomes painfully slow and upload becomes almost zero.

#ipv6-network = fda9:4efe:7e3b:03ea::/48

I tried enabling ipv6 forwarding and ipv6 masquerading, but it did not help.

It’s worth mentioning that clients realize that IPv6 is supported by the server as they show the IPv6 address given to them by the server. For example, when connected to the server using openconnect the log says:

Connected as 10.10.10.15 + fda9:4efe:7e3b:6b40:f973:5a56:56a0:b1a8/64, using SSL + LZ4, with DTLS + LZ4 in progress

Tried disabling DTLS with the --no-dtls flag, but it didn’t help.

I need the IPv6 support because some websites require IPv6 and if your ISP has IPv6 support, but your VPN server does not support it, then you are exposing your real IP address to the server, rendering VPN connection useless.

Does anyone know how I should enable IPv6 support for the VPN server without affecting connection speed?