Posted: Wed Sep 20, 2017 1:59 Post subject: Does reconnecting O-VPN to service have security advantages
I have a couple of questions.
First, is there any security risk of having the connection from my router O-VPN client connected to the PIA VPN service 24/7? Would I be better off renegotiating the connection periodically? Say by a cron job run maybe every 24 hours?
Second, my O-VPN log shows 4 warnings when it connects. Can someone here help me interpret what is going on with this dd-wrt OpenVPN log? Am I actually getting AES-256? And is it secure?
System: running wrt3200, build r-33215, set to AES-256; all WiFi disabled. The 3200 router WAN is connected to my front router, which connects to my SB6190 & Comcast. It is my intent to run the 3200 as my front router only to provide a firewall and my VPN connection, with a split tunnel to bypass the VPN for certain sites. My WiFi is provided by one of my tier 2 routers.
Here is an extract of the O-VPN log warnings. I can attach the full log and a pdf of my settings, if that would help.
WARNINGS EXTRACTED FROM FULL LOG
20170914 16:51:11 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1542'
20170914 16:51:11 W WARNING: 'cipher' is used inconsistently local='cipher AES-256-CBC' remote='cipher BF-CBC'
20170914 16:51:11 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20170914 16:51:11 W WARNING: 'keysize' is used inconsistently local='keysize 256' remote='keysize 128'
20170914 16:51:11 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20170914 16:51:11 I [99ac350bcae698a94968c78adbdc8a82] Peer Connection Initiated with [AF_INET]66.55.144.247:1197
It is my understanding that SHA1 has been deprecated for use with AES-256. I am surprised that PIA does not accept the connection by matching the AES-256 when requested. But WhatsmyIP shows that I am going thru the selected PIA server VPN.
Sam
_________________
multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
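Added example, not code from the thread, dd-wrt or PIA: a POSIX shell checker that parses exactly these "used inconsistently" warning lines (run here over a constructed copy of the log extract above), reports which side advertises a weak cipher or digest, and pulls the key size out of the Control Channel line:

```sh
#!/bin/sh
# Added example, not from the thread: pull the "used inconsistently" warnings out of a
# dd-wrt OpenVPN log and flag weak data-channel settings advertised by either side.
# Constructed sample, in the same line form as the log extract quoted in the post.
SAMPLE_LOG="20170914 16:51:11 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1542'
20170914 16:51:11 W WARNING: 'cipher' is used inconsistently local='cipher AES-256-CBC' remote='cipher BF-CBC'
20170914 16:51:11 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20170914 16:51:11 W WARNING: 'keysize' is used inconsistently local='keysize 256' remote='keysize 128'
20170914 16:51:11 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384 4096 bit RSA"

# One line per mismatch warning: "<option> <local value> <remote value>".
mismatches() {
    printf '%s\n' "$1" | sed -n \
        "s/.*WARNING: '\([a-z-]*\)' is used inconsistently local='[a-z-]* \([^']*\)' remote='[a-z-]* \([^']*\)'.*/\1 \2 \3/p"
}

# "<bits> <key type>" of the TLS control channel, e.g. "4096 RSA".
control_bits() {
    printf '%s\n' "$1" | sed -n 's/.*Control Channel: .* \([0-9]*\) bit \([A-Za-z]*\).*/\1 \2/p'
}

# Print one finding per weak setting. Blowfish and DES are 64-bit block ciphers
# (SWEET32); SHA1 and MD5 are legacy HMAC digests. Both sides are checked, because
# the warning only reports that the two option strings differ.
assess() {
    mismatches "$1" | while read -r opt lval rval; do
        for pair in "local $lval" "remote $rval"; do
            side=${pair%% *}
            val=${pair#* }
            case "$opt:$val" in
                cipher:BF-CBC|cipher:DES-CBC|cipher:DES-EDE3-CBC)
                    echo "$side cipher $val is a weak 64-bit block cipher" ;;
                auth:SHA1|auth:MD5)
                    echo "$side auth $val is a legacy HMAC digest" ;;
            esac
        done
    done
}

assess "$SAMPLE_LOG"
```

On the router, replace SAMPLE_LOG with the output of the dd-wrt OpenVPN log and feed it to assess the same way.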
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Wed Sep 20, 2017 18:51 Post subject:
You can ignore those warnings (I am using PIA and also have these warnings).
AES 128 is secure enough unless the NSA is after you. The same applies to SHA1 (although that is less secure).
If PIA is not keeping logs (which they claim they do not do) then you can keep your connection up.
You should be more concerned about, and checking for, DNS leaks, WebRTC leaks and fingerprinting.
Thanks for your reply and the info on the warnings being OK to ignore.
I'd like to stick with AES-256 or even better. No point in making things easy for the TLAs or any of the 2500 to 4500 "info grabbers" (ref Krebs & Bruce Schneier). I think this 3200 should have the horsepower to do it plus a modest firewall & split tunnel. But if not I may have to move to a dedicated PC to run pfSense. Is there a dd-wrt for pfSense?
Will look into the DNS leak & webrtc which you mention. I'm pretty careful about limiting JS. And router logs get looked at regularly. My router stack also adds some more device isolation & device protection.
I see what you've said about reconnecting not being that helpful if PIA in fact does not do logging. And since it's awkward to change PIA servers when using router based OpenVPN, there will be "personality data" associated with the PIA VPN server IP. It's just hidden in with all their other customers thru that server.
So now I can move on to get decent logging from the wrt3200. It just refuses to work well with my antique WallWatcher that has given me the simple basic activity & blocking logs for my older routers. And then on to split tunneling. Have got to be able to feed PayPal etc. easily.
Btw, do you run emails thru PIA? It seems that PIA may not like to handle my email. Apparently they want to block access to SMTP email servers. ???
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Wed Sep 20, 2017 22:23 Post subject:
For DNS leaks use a kill switch. I have some saved examples like those below; I can read what those lines are doing, but sadly I do not have a VPN to help you.... That's what I have.
OK. I've checked the DNS leak issue when running thru dd-wrt router-based O-VPN to PIA. It passes = only shows the PIA DNS. So as long as the connection to PIA is running, that's covered, right? Checked with DNSLEAKTEST.com.
WebRTC seems to be browser related and both of the browsers which I use have "media.peerconnection.enabled" set to false in about:config. So that's covered too? But it does look like my NoScript is still a good idea.
And that seems to take me back to making sure that O-VPN is connected to PIA, which seems to be what a kill switch can do? Wonder why dd-wrt does not include a kill switch?
As well as having the kill switch blocking an unintended non-VPN connection, I'd like to have some message come to the connected PCs and get recorded in a log. But I guess I need a primer on router-based kill switches. And I need to figure out if a kill switch can be used along with a split tunnel that lets some applications and/or IPs not go thru the VPN.
Thanks for the help.
Sam
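Added example, not code from the thread or from dd-wrt: an iptables FORWARD-chain kill switch that does the three things asked for above, lets LAN traffic out only through the tunnel, keeps a split-tunnel exception list, and logs and rejects anything that would otherwise leave over the plain WAN (DNS included). The interface names br0, eth0 and tun1 and the bypass networks are assumptions; confirm them on your own build before applying.

```sh
#!/bin/sh
# Added example, not from the thread: a FORWARD-chain "kill switch" for a dd-wrt
# OpenVPN client that still allows a split tunnel for listed destinations and logs
# every blocked attempt. Assumed names (check them on your own build): LAN bridge
# br0, WAN interface eth0, OpenVPN client interface tun1. Bypass networks are
# constructed placeholders.
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun1}
BYPASS_NETS=${BYPASS_NETS:-"203.0.113.0/24 198.51.100.10"}
# DRY_RUN=1 (the default here) prints the rules instead of applying them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

kill_switch_rules() {
    pos=1
    # LAN traffic may always enter the tunnel.
    run -I FORWARD "$pos" -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    pos=$((pos + 1))
    # Split tunnel: only the listed destinations may leave over the plain WAN.
    for net in $BYPASS_NETS; do
        run -I FORWARD "$pos" -i "$LAN_IF" -o "$WAN_IF" -d "$net" -j ACCEPT
        pos=$((pos + 1))
    done
    # Everything else headed for the WAN is logged (rate-limited) and rejected, so
    # the client gets an immediate error instead of a hang and the router log shows it.
    # No ESTABLISHED shortcut on the LAN side: a flow that started inside the tunnel
    # must not be allowed to continue over the WAN if the tunnel drops.
    run -I FORWARD "$pos" -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 6/min \
        -j LOG --log-prefix "VPN-KILLSWITCH: "
    pos=$((pos + 1))
    run -I FORWARD "$pos" -i "$LAN_IF" -o "$WAN_IF" -j REJECT
}

kill_switch_rules
```

Run it once with the default DRY_RUN=1 to inspect the rule list, then place it in the router's firewall script with DRY_RUN=0 so the rules are re-applied whenever the firewall restarts.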