Two devices on the same VPN server are able to reach each other

Topic Author
OkayKappa
Posts: 2
Joined: Thu Apr 02, 2015 9:05 pm

Two devices on the same VPN server are able to reach each other

Postby OkayKappa » Thu Apr 02, 2015 9:29 pm

Hey,

I started a reddit thread earlier about this because I thought about it. Basically, I am able to reach other devices on the same VPN server over their local IP address. For my tests, I've been using two different cryptostorm tokens, one on my MacBook and one on my iPhone, used my wifi connection on the MacBook and the 3G connection on the iPhone (wifi completely disabled) and connected them both to the cryptostorm Icelandic VPN server.

iPhone:
- connect to linux-iceland.cstorm.pw over 3G
- got IP 10.44.0.19

Mac:
- connect to same server
- got IP 10.44.0.11

Then I tried to reach the iPhone from the MacBook. Port 22 (actually a different one but it doesn't matter) is open for SSH (iPhone is jailbroken).

$ ping 10.44.0.19
PING 10.44.0.19 (10.44.0.19): 56 data bytes
64 bytes from 10.44.0.19: icmp_seq=0 ttl=63 time=437.577 ms
64 bytes from 10.44.0.19: icmp_seq=1 ttl=63 time=458.660 ms
64 bytes from 10.44.0.19: icmp_seq=2 ttl=63 time=374.658 ms
64 bytes from 10.44.0.19: icmp_seq=3 ttl=63 time=455.317 ms
64 bytes from 10.44.0.19: icmp_seq=4 ttl=63 time=355.765 ms
64 bytes from 10.44.0.19: icmp_seq=5 ttl=63 time=425.049 ms
^C
--- 10.44.0.19 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 355.765/417.838/458.660/39.222 ms

$ telnet 10.44.0.19 22
Trying 10.44.0.19...
Connected to 10.44.0.19.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.7

$ traceroute 10.44.0.19
traceroute to 10.44.0.19 (10.44.0.19), 64 hops max, 52 byte packets
1 10.44.0.1 (10.44.0.1) 82.613 ms 92.740 ms 87.477 ms
2 10.44.0.19 (10.44.0.19) 1763.211 ms 540.878 ms 478.136 ms

I can also at least ping other IPs on the same subnet, though I did not try more because it might look like I have something bad in mind.

This should not be possible, right? I mean, it would be a major security risk if other people were able to access my devices like they were in the same local network. Or is my thought process flawed somewhere?

By the way, vpnDarknet answered on reddit earlier and he said he wasn't able to recreate the issue.


Edit: More information, if you need it.
Mac - using Tunnelblick 3.5beta08 (build 4236) and the official cryptostorm Mac config file for the server(s) in Iceland (OS X 10.10.2)
iPhone - using OpenVPN 1.0.5 build 177 app and the official cryptostorm iOS config file (iOS 8.1.1)

parityboy
Site Admin
Posts: 1254
Joined: Wed Feb 05, 2014 3:47 am

Re: Two devices on the same VPN server are able to reach each other

Postby parityboy » Fri Apr 03, 2015 12:32 am

@OP

I have reproduced this on both Fenrir and Cantus (so far).

Host: Mint 17 KDE using OpenVPN 2.3.6, connected to Fenrir.
Guest: Mint 15 KDE using OpenVPN 2.3.2, connected to Fenrir.
Mobile: Nexus 4 Android 4.2.2 using OpenVPN for Android 0.6.29, connected to Fenrir.

Both the host and the guest can ping the mobile but cannot ping each other, even with their respective firewalls inactive.

ping 10.44.0.16

64 bytes from 10.44.0.16: icmp_seq=8 ttl=63 time=562 ms
64 bytes from 10.44.0.16: icmp_seq=9 ttl=63 time=390 ms
64 bytes from 10.44.0.16: icmp_seq=10 ttl=63 time=288 ms
64 bytes from 10.44.0.16: icmp_seq=11 ttl=63 time=258 ms

df
Site Admin
Posts: 375
Joined: Thu Jan 01, 1970 5:00 am

Re: Two devices on the same VPN server are able to reach each other

Postby df » Fri Apr 03, 2015 12:52 am

I just replied to the reddit post about this. Here's a copy/paste:

Turns out there are certain configurations that allow this behaviour, even though Cryptostorm doesn't use the 'client-to-client' configuration directive server-side. Possibly a bug in OpenVPN itself, we're not sure.

To solve this, we added some simple iptables rules on all the servers to prevent clients from connecting to other clients.

For the curious, the command I ran on all the servers was:

for x in $(grep ^server /etc/*vpn*/*.conf|awk '{print $2}');do iptables -A FORWARD -s $x/16 -d $x/16 -j DROP;done;service iptables save;exit

That grabs the 10.x ip out of the config, then adds an iptables rule to prevent anything in that 10.x b-class from connecting to anything else in the same b-class. It appears that different 10.x b-classes can't connect to each other (win instance clients on 10.45.x.x can't connect to linux clients on 10.88.x.x), so this quick fix was all that was needed.
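The isolation rule from the post above, as an added example (not cryptostorm's own script): it reads the OpenVPN `server <network> <netmask>` directive the way the one-liner does, but derives the prefix length from the configured netmask instead of assuming /16, and prints the iptables command rather than executing it. The config text is constructed for the example.

```shell
#!/bin/sh
# Added example (not cryptostorm's own script): derive the client-isolation
# rule from an OpenVPN "server <network> <netmask>" directive, as df's
# one-liner does, but taking the prefix length from the configured netmask
# instead of assuming /16. The config text below is constructed.

SAMPLE_CONF='port 443
proto udp
dev tun
server 10.44.0.0 255.255.0.0
push "redirect-gateway def1"'

# Convert a dotted-quad netmask (255.255.0.0) to a prefix length (16).
# Rejects non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
  bits=0; ended=0
  oldIFS=$IFS; IFS=.
  for octet in $1; do
    if [ "$ended" = 1 ] && [ "$octet" != 0 ]; then IFS=$oldIFS; return 1; fi
    case $octet in
      255) bits=$((bits+8)) ;;
      254) bits=$((bits+7)) ;;
      252) bits=$((bits+6)) ;;
      248) bits=$((bits+5)) ;;
      240) bits=$((bits+4)) ;;
      224) bits=$((bits+3)) ;;
      192) bits=$((bits+2)) ;;
      128) bits=$((bits+1)) ;;
      0)   ;;
      *)   IFS=$oldIFS; return 1 ;;
    esac
    if [ "$octet" != 255 ]; then ended=1; fi
  done
  IFS=$oldIFS
  echo "$bits"
}

# Read an OpenVPN server config on stdin and print the iptables command that
# drops traffic forwarded from the client pool back into the same pool.
# -I (insert at the head of FORWARD) rather than -A, so that an earlier
# "-i tun+ -j ACCEPT" rule cannot shadow the DROP.
isolation_rule() {
  set -- $(grep '^server ' | head -n 1)
  [ -n "$2" ] && [ -n "$3" ] || return 1
  prefix=$(mask_to_prefix "$3") || return 1
  echo "iptables -I FORWARD -s $2/$prefix -d $2/$prefix -j DROP"
}

# Dry run: print the rule rather than executing it.
printf '%s\n' "$SAMPLE_CONF" | isolation_rule
```

Pipe a real server config into `isolation_rule` and review the printed command before running it with root privileges.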

parityboy
Site Admin
Posts: 1254
Joined: Wed Feb 05, 2014 3:47 am

Re: Two devices on the same VPN server are able to reach each other

Postby parityboy » Fri Apr 03, 2015 1:00 am

@df

Many thanks for the reply. I was just about to add to my post that "this issue appears to be transient", but that would now be out of date. :P I'm guessing it's a bug in the mobile OpenVPN clients, having said that though, in the past I have been able to ping other IPs in the same range (and not just 10.xx.0.1).

Anyway this rule will prevent that from happening at all. :D


Topic Author
OkayKappa
Posts: 2
Joined: Thu Apr 02, 2015 9:05 pm

Re: Two devices on the same VPN server are able to reach each other

Postby OkayKappa » Fri Apr 03, 2015 10:32 am

Thanks df for the quick fix!

DesuStrike
ForumHelper
Posts: 345
Joined: Thu Oct 24, 2013 2:37 pm

Re: Two devices on the same VPN server are able to reach each other

Postby DesuStrike » Sun Apr 05, 2015 8:49 pm

Client isolation is a very important topic also for "Guest" WIFI access points, if you run one.
But it is indeed strange that OpenVPN allowed such a thing even with the feature disabled. O.o

Thanks to OkayKappa for being such an observant member of the community and reporting his finding! :clap:
+
Thanks to df for being quick with a fix! :thumbup:
home is where the artillery hits

jlg
Posts: 92
Joined: Mon May 05, 2014 2:44 am

Re: Two devices on the same VPN server are able to reach each other

Postby jlg » Tue Apr 21, 2015 10:59 am

Thanks df!

df
Site Admin
Posts: 375
Joined: Thu Jan 01, 1970 5:00 am

Re: Two devices on the same VPN server are able to reach each other

Postby df » Wed May 06, 2015 5:57 am

You're welcome

