Does reconnecting O-VPN to service have security advantages

Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 324

PostPosted: Wed Sep 20, 2017 1:59    Post subject: Does reconnecting O-VPN to service have security advantages
I have a couple of questions.

First, is there any security risk of having the connection from my router O-VPN client connected to the PIA VPN service 24/7? Would I be better off renegotiating the connection periodically? Say by a cron job run maybe every 24 hours?

Second my O-VPN log shows 4 warnings when it connects. Can someone here help me interpret what is going on with this dd-wrt Open-VPN log. Am I actually getting AES-256? And is it secure?

System: running wrt3200, build r-33215 set to AES-256; all WiFi disabled. The 3200 router's WAN is connected to my front router, which connects to my SB6190 & Comcast. It is my intent to run the 3200 as my front router only to provide a firewall and my VPN connection, with a split tunnel allowing certain sites to bypass the VPN. My WiFi is provided by one of my tier-2 routers.

Here is an extract of the O-VPN log warnings. I can attach the full log and a pdf of my settings, if that would help.
WARNINGS EXTRACTED FROM FULL LOG

20170914 16:51:11 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1542'
20170914 16:51:11 W WARNING: 'cipher' is used inconsistently local='cipher AES-256-CBC' remote='cipher BF-CBC'
20170914 16:51:11 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20170914 16:51:11 W WARNING: 'keysize' is used inconsistently local='keysize 256' remote='keysize 128'
20170914 16:51:11 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20170914 16:51:11 I [99ac350bcae698a94968c78adbdc8a82] Peer Connection Initiated with [AF_INET]66.55.144.247:1197

To get AES-256 working, I have used settings primarily from
https://flashrouters.zendesk.com/hc/en-us/articles/115000717413-Private-Internet-Access-PIA-OpenVPN-Strong-Encryption-DD-WRT-Router-Setup-Guide
as well as referencing posts in dd-wrt and these PIA links
https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn-older-build
https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn
https://www.privateinternetaccess.com/forum/discussion/20093/using-stock-openvpn-with-strong-encryption-settings

It is my understanding that SHA1 has been deprecated for use with AES-256. I am surprised that PIA does not accept the connection by matching the AES-256 when requested. But WhatsmyIP shows that I am going through the selected PIA server VPN.

Sam

_________________
multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
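An added example, not from the thread and not DD-WRT's or OpenVPN's own code, for the "am I actually getting AES-256?" question above. OpenVPN's "'cipher' is used inconsistently" warnings come from comparing the option string each peer advertises (here the PIA side still advertises BF-CBC/SHA1); the cipher and HMAC actually keyed for the tunnel are reported separately, in the "Data Channel" lines (OpenVPN 2.3 logs "Data Channel Encrypt: Cipher '...' initialized with ... bit key", 2.4 logs "Outgoing Data Channel: ..." and, with negotiation, "Data Channel: using negotiated cipher '...'"). The sample log is constructed: the four warning lines and the Control Channel line from the post plus Data Channel lines of that form; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: which OpenVPN log lines answer
# "am I actually getting AES-256?". The "'cipher' is used inconsistently"
# WARNINGs compare the option strings the two peers advertise; the
# "Data Channel" lines report the cipher and HMAC actually keyed.

# Constructed sample: the warning lines quoted in the post plus
# "Data Channel Encrypt/Decrypt" lines of the form OpenVPN 2.3 logs
# (2.4 logs "Outgoing/Incoming Data Channel: ..." instead; both match).
sample_log() {
cat <<'EOF'
20170914 16:51:11 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1542'
20170914 16:51:11 W WARNING: 'cipher' is used inconsistently local='cipher AES-256-CBC' remote='cipher BF-CBC'
20170914 16:51:11 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20170914 16:51:11 W WARNING: 'keysize' is used inconsistently local='keysize 256' remote='keysize 128'
20170914 16:51:11 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20170914 16:51:11 I Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170914 16:51:11 I Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
20170914 16:51:11 I Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170914 16:51:11 I Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
20170914 16:51:11 I [99ac350bcae698a94968c78adbdc8a82] Peer Connection Initiated with [AF_INET]66.55.144.247:1197
EOF
}

# Data-channel cipher actually in use (first Data Channel cipher line), read from stdin.
negotiated_cipher() {
    sed -n "s/.*Data Channel.*[Cc]ipher '\([^']*\)'.*/\1/p" | head -n 1
}

# Data-channel HMAC digest, read from stdin; empty for AEAD ciphers (GCM), which need none.
negotiated_auth() {
    sed -n "s/.*Data Channel.*message hash '\([^']*\)'.*/\1/p" | head -n 1
}

# Control-channel (TLS) suite, read from stdin.
control_channel() {
    sed -n 's/.*Control Channel: \(.*\)$/\1/p' | head -n 1
}

# Number of "is used inconsistently" warnings, read from stdin. These are
# option-string mismatches between the peers, not what the tunnel ended up using.
count_option_warnings() {
    grep -c "is used inconsistently" || true
}

# Exit 0 when the data channel is AES-256 with SHA-256 or stronger HMAC
# (or AES-256-GCM, which authenticates without a separate HMAC), else 1.
check_strong() {
    log="$(cat)"
    cipher="$(printf '%s\n' "$log" | negotiated_cipher)"
    auth="$(printf '%s\n' "$log" | negotiated_auth)"
    case "$cipher" in
        AES-256-GCM) return 0 ;;
        AES-256-*) ;;
        *) return 1 ;;
    esac
    case "$auth" in
        SHA256|SHA384|SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run (./ovpn-check.sh --demo): summarise the sample log.
if [ "${1:-}" = "--demo" ]; then
    printf 'control channel: %s\n' "$(sample_log | control_channel)"
    printf 'data cipher:     %s\n' "$(sample_log | negotiated_cipher)"
    printf 'data hmac:       %s\n' "$(sample_log | negotiated_auth)"
    printf 'option warnings: %s\n' "$(sample_log | count_option_warnings)"
    sample_log | check_strong && echo "data channel: AES-256 + SHA-256: OK"
fi
```

To use it on the router, pipe the real OpenVPN client log (the same text the extract above was taken from) into `check_strong` instead of `sample_log`; if the Data Channel lines show AES-256 and SHA256, the four warnings are cosmetic, and if they show BF-CBC and SHA1 the server won the negotiation and the settings need another look. Note the Control Channel line (TLSv1.2, DHE-RSA-AES256-GCM-SHA384, 4096-bit RSA) only covers the key exchange, not the tunnelled traffic.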
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Sep 20, 2017 18:51
You can ignore those warnings (I am using PIA and also have these warnings).
AES 128 is secure enough unless the NSA is after you. The same applies to SHA1 (although that is less secure).

If PIA is not keeping logs (which they claim they do not do) then you can keep your connection up.

You should be more concerned with checking for DNS leaks, WebRTC leaks and fingerprinting.

But I am no security expert.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 324

PostPosted: Wed Sep 20, 2017 21:53
egc,

Thanks for your reply and the info on the warnings being OK to ignore.

I'd like to stick with AES-256 or even better. No point in making things easy for the TLAs or any of the 2500 to 4500 "info grabbers" (ref. Krebs & Bruce Schneier). I think this 3200 should have the horsepower to do it plus a modest firewall & split tunnel. But if not I may have to move to a dedicated PC to run pfSense. Is there a dd-wrt for pfSense?

Will look into the DNS leak & WebRTC which you mention. I'm pretty careful about limiting JS. And router logs get looked at regularly. My router stack also adds some more device isolation & device protection.

I see what you've said about reconnecting not being that helpful if PIA in fact does not do logging. And since it's awkward to change PIA servers when using router based OpenVPN, there will be "personality data" associated with the PIA VPN server IP. It's just hidden in with all their other customers thru that server.

So now I can move on to getting decent logging from the wrt3200. It just refuses to work well with my antique WallWatcher, which has given me the simple basic activity & blocking logs for my older routers. And then on to split tunneling. Have got to be able to feed PayPal etc. easily.

BTW, do you run email through PIA? It seems that PIA may not like to handle my email. Apparently they want to block access to SMTP email servers. ???

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Wed Sep 20, 2017 22:23
For DNS leaks use a kill switch. I have some saved examples like those below; I can read what those lines are doing, but sadly I do not have a VPN to help you... That's what I have:


# Simplest form: find the WAN interface from the default route and refuse
# anything the LAN (br0) would forward straight out of it; only traffic
# that leaves via the tunnel interface still gets out.
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT

or

# Same idea, but only new connections are refused, and TCP clients get a
# RST instead of an ICMP error so they fail fast rather than time out.
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset

or

# Explicit version with the tunnel interface (tun1) and WAN (vlan2) named:
# allow LAN <-> tunnel, drop LAN -> WAN, keep the tunnel side off the
# router itself, and NAT LAN addresses behind the tunnel endpoint.
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
# Note: inserted at the head of INPUT, this also rejects replies to the
# router's own traffic through tun1 (e.g. dnsmasq forwarding DNS via the
# VPN); add "-m state --state NEW" if the router uses the tunnel itself.
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

https://www.privateinternetaccess.com/forum/discussion/22605/vpn-killswitch

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 324

PostPosted: Thu Sep 21, 2017 5:20
egc & Alozaros.

OK. I've checked the DNS leak issue when running through dd-wrt router-based O-VPN to PIA. It passes: it only shows the PIA DNS. So as long as the connection to PIA is running that's covered, right? Checked with DNSLEAKTEST.com.

WebRTC seems to be browser related and both of the browsers which I use have "media.peerconnection.enabled" set to false in about:config. So that's covered too? But it does look like my NoScript is still a good idea.

And that seems to take me back to making sure that O-VPN is connected to PIA. Which seems to be what a Kill switch can do? Wonder why dd-wrt does not include a Kill Switch?

As well as having the kill switch block an unintended non-VPN connection, I'd like to have some message come to the connected PCs and get recorded in a log. But I guess I need a primer on router-based kill switches. And I need to figure out if a kill switch can be used along with a split tunnel that lets some applications and/or IPs not go through the VPN.

Thanks for the help.
Sam

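An added example, mine rather than code from Alozaros's post or from DD-WRT, that puts the rule sets quoted earlier in the thread into one firewall script and covers the three follow-up questions in the post above: a kill switch that holds whether or not tun1 is up, a split-tunnel exception for chosen destinations, and a syslog record of what was blocked. Assumed names: br0 for the LAN bridge, tun1 for the OpenVPN client interface, the WAN taken from the default route (all overridable); the bypass prefix 198.51.100.0/24 is a placeholder from a documentation range, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread and not DD-WRT's own code: an OpenVPN
# kill switch with a split-tunnel exception and logging, in the shape of
# a DD-WRT firewall script (Administration -> Commands -> "Save Firewall").
# Assumptions: LAN bridge br0, OpenVPN client interface tun1, WAN taken
# from the default route. Override with LAN_IF, VPN_IF, WAN_IF, BYPASS_NETS;
# set IPT=echo to print the rules instead of applying them.

# Destinations allowed to reach the WAN outside the tunnel (split tunnel).
# 198.51.100.0/24 is a documentation range used as a constructed placeholder;
# put the real prefixes you want outside the VPN here (space separated).
BYPASS_NETS_DEFAULT="198.51.100.0/24"

wan_if() {
    wan="${WAN_IF:-$(ip route 2>/dev/null | awk '/^default/{print $NF}')}"
    [ -n "$wan" ] || { echo "wan_if: cannot determine WAN interface" >&2; return 1; }
    printf '%s\n' "$wan"
}

apply_killswitch() {
    ipt="${IPT:-iptables}"
    lan="${LAN_IF:-br0}"
    vpn="${VPN_IF:-tun1}"
    nets="${BYPASS_NETS:-$BYPASS_NETS_DEFAULT}"
    wan="$(wan_if)" || return 1

    # Every rule is inserted at the head of its chain (-I), so the LAST
    # insert below is evaluated FIRST. Insert order: catch-all reject,
    # log, split-tunnel accepts, then the tunnel rules.

    # LAN traffic that would leave through the WAN (tunnel down, route
    # missing, or a host ignoring the VPN route) is rejected; the client
    # gets an ICMP host-prohibited error instead of a silent timeout.
    $ipt -I FORWARD -i "$lan" -o "$wan" -j REJECT --reject-with icmp-host-prohibited
    # Record what was blocked in the router syslog, rate-limited, so the
    # log shows which LAN host tried to leave the tunnel and for where.
    $ipt -I FORWARD -i "$lan" -o "$wan" -m limit --limit 6/min -j LOG \
        --log-prefix "VPN-KILLSWITCH: " --log-level 4
    # Split tunnel: listed destinations may use the WAN directly.
    for net in $nets; do
        $ipt -I FORWARD -i "$lan" -o "$wan" -d "$net" -j ACCEPT
    done

    # Tunnel side: LAN -> tunnel is open; tunnel -> LAN only for replies,
    # so nothing on the provider's network can open connections inward.
    $ipt -I FORWARD -i "$vpn" -o "$lan" -j DROP
    $ipt -I FORWARD -i "$vpn" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -I FORWARD -i "$lan" -o "$vpn" -j ACCEPT
    # The router itself accepts no new connections from the tunnel either.
    $ipt -I INPUT -i "$vpn" -m state --state NEW -j DROP
    # NAT LAN addresses behind the tunnel endpoint (skip if the OpenVPN
    # client page already adds this rule).
    $ipt -t nat -A POSTROUTING -o "$vpn" -j MASQUERADE
}

# Stand-alone dry run (./killswitch.sh --dry-run): print the rules that
# would be applied, using eth0 as a placeholder WAN if none is detected.
if [ "${1:-}" = "--dry-run" ]; then
    IPT=echo WAN_IF="${WAN_IF:-eth0}" apply_killswitch
fi
```

Two caveats a practitioner would want. First, these FORWARD rules only govern traffic the LAN hosts send through the router; the router's own dnsmasq forwards DNS queries from its OUTPUT chain, which this script does not touch, so a passing DNS leak test still depends on the router's upstream resolvers being PIA's and reached through the tunnel (as the result reported above suggests), or on matching OUTPUT rules. Second, the "tunnel -> LAN only for replies" rule deliberately breaks any inbound port forwarding the VPN provider offers; drop that DROP rule only for the specific host and port you intend to expose.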