[opensuse-security] enforcing a route over VPN
Hello,

I have a VPN connection to my mail server, and would like to enforce that mails can be fetched only over the VPN connection.

As a first step, I've changed my mail client to use the server's VPN IP 10.7.0.1.

For additional security, I'd like to enforce that connections to this IP _must_ be routed through the tun0 device, or, if this device isn't available, be blocked. (See [1] for the use case.)

Is there a way (ideally using SuSEfirewall or another way that is available "out of the box") to enforce that traffic to 10.7.0.1 must go to the tun0 device - or be blocked if there's no tun0 device?

Regards,

Christian Boltz

[1] In theory I could be in a conference network with broken internet access (so no VPN connection), but a machine there could have 10.7.0.1 - I'd like to avoid this machine being able to "earn" my password ;-)

--
And don't be afraid of Henne, he's a nice guy :-) Pffft Lies, all lies! I'm the meanest son of a gun you know. Admit it! 8-) [> Vincent Untz and Henne Vogelsang in opensuse-project]
-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
On 2014-01-05 21:03, Christian Boltz wrote:
> I have a VPN connection to my mail server, and would like to enforce that mails can be fetched only over the VPN connection.
What kind of VPN? IPSEC? PPTP (ouch)? OpenVPN? For the latter, see redirect_gateway.

Rainer
Hello,

On Sunday, 5 January 2014, Rainer Sokoll wrote:
> On 2014-01-05 21:03, Christian Boltz wrote:
>> I have a VPN connection to my mail server, and would like to enforce that mails can be fetched only over the VPN connection.
> What kind of VPN? IPSEC? PPTP (ouch)? OpenVPN? For the latter, see redirect_gateway.
openVPN.

redirect_gateway is useful to let the client set the default route if needed (easier to handle than doing it on the server if you want it only for some clients).

However, redirect_gateway only helps when the VPN connection is up. I'd like to have something that blocks the traffic to 10.7.0.1 when the VPN connection is _down_. Call it a static route for 10.7.0.1 to /dev/null ;-)

Regards,

Christian Boltz

--
The software is supposed to shape the people on the net? What you get are net junkies who shout "ftp brotkorb" at the breakfast table, and only after a "server ready" from an understanding neighbour at the table let themselves be carried away to a loud and clear "get broetchen". :-) [from dcoulm]
On 05.01.2014 at 21:55, Christian Boltz <suse-security@cboltz.de> wrote:
> I'd like to have something that blocks the traffic to 10.7.0.1 when the VPN connection is _down_. Call it a static route for 10.7.0.1 to /dev/null ;-)
Ahh, I see. You can do that: somewhere in /etc/init.d/boot.local or wherever you want you could put

    route add -host 10.7.0.1 dev lo

and put in your openvpn server's config something like

    route 10.7.0.1 255.255.255.255
    client-config-dir /usr/local/openvpn/conf/mailserver

and in /usr/local/openvpn/conf/mailserver/mailserver

    iroute 10.7.0.1 255.255.255.255

This should do the trick. Do not forget to re-route 10.7.0.1 to loopback once the VPN has been shut down.

BUT: I would always use TLS-secured connections to my mail server. If there were a certificate mismatch, your MUA would complain and never submit username/password - whatever IP it is connecting to. Or use client certificates.

Rainer.

PS: Please do not take this literally. I had some drams of Lagavulin ;-)
On 05.01.2014 21:55, Christian Boltz wrote:
> Hello,
>
> On Sunday, 5 January 2014, Rainer Sokoll wrote:
>> On 2014-01-05 21:03, Christian Boltz wrote:
>>> I have a VPN connection to my mail server, and would like to enforce that mails can be fetched only over the VPN connection.
>> What kind of VPN? IPSEC? PPTP (ouch)? OpenVPN? For the latter, see redirect_gateway.
>
> openVPN.
>
> redirect_gateway is useful to let the client set the default route if needed (easier to handle than doing it on the server if you want it only for some clients).
>
> However redirect_gateway only helps when the VPN connection is up.
>
> I'd like to have something that blocks the traffic to 10.7.0.1 when the VPN connection is _down_. Call it a static route for 10.7.0.1 to /dev/null ;-)
You can do exactly that:

    susi:~ # ip r
    default via 192.168.200.254 dev air proto static
    127.0.0.0/8 dev lo scope link
    192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
    192.168.200.0/24 dev air proto kernel scope link src 192.168.200.11 metric 9

(that's my default, 200.0 my home LAN, 122.0 my virtual machines NATed to the outside)

    susi:~ # ip r add blackhole 10.7.0.1
    susi:~ # ping 10.7.0.1
    connect: Network is unreachable
    susi:~ # ip r del 10.7.0.1
    susi:~ # ping -c 3 10.7.0.1
    PING 10.7.0.1 (10.7.0.1) 56(84) bytes of data.

    --- 10.7.0.1 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2000ms
    susi:~ #

(of course, I don't get any answers from 10.7.0.1 :-))

Getting this into your VPN connect / disconnect script, I guess you are able to do that :-)

--
Stefan Seyfried

"If your lighter runs out of fluid or flint and stops making fire, and you can't be bothered to figure out about lighter fluid or flint, that is not Zippo's fault." -- bkw
Hello,

On Sunday, 5 January 2014, Stefan Seyfried wrote:
> On 05.01.2014 21:55, Christian Boltz wrote:
>> I'd like to have something that blocks the traffic to 10.7.0.1 when the VPN connection is _down_. Call it a static route for 10.7.0.1 to /dev/null ;-)
>
> You can do exactly that:
>
>     susi:~ # ip r add blackhole 10.7.0.1
>     susi:~ # ping 10.7.0.1
>     connect: Network is unreachable

I didn't know about blackhole routes before - thanks for the hint!

> Getting this into your VPN connect / disconnect script, I guess you are able to do that :-)

I decided to use the easy way - let the subnet size do the work ;-)

The openVPN server pushes a route to the exact IP (/32) when I connect, so I just added a blackhole route with /24. The IP-specific route I get from the VPN overrides the /24 route, and I get the /24 blackhole back "working" automatically when the VPN connection goes down and deletes the IP-specific route. (/31 instead of /24 would be enough, but why be over-specific? ;-)

The last interesting part was making this permanent and making sure the blackhole route is active at bootup already. I wasn't able to figure out a working syntax to get blackhole into /etc/sysconfig/network/routes, so I finally just added a line to /etc/sysconfig/SuSEfirewall2:

    ip route add blackhole 10.7.0.0/24

That's not the 100% correct[tm] way, but it works :-)

Regards,

Christian Boltz

PS @Rainer: Am I too paranoid if I use TLS over VPN? ;-)

PPS: Mail is not the only thing I do over this VPN connection.

--
Where do I find the Cyrus log on Opensuse 10.3? Behind the hard disk, on the left? I looked there, the log isn't there, what now? [>> "Info Beilfuss", > Patrick Ben Koetter and Sandy Drobic in postfixbuch-users]
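The longest-prefix-match behaviour that Stefan's blackhole route and Christian's /24-vs-/32 setup rely on can be checked without touching a live routing table. The following shell script is an added example, not code from any of the mails: it simulates the kernel's route selection over constructed routing tables in "ip route" output format and reports whether traffic to 10.7.0.1 would go through tun0, hit the blackhole, or leak out via the default route. The sample tables and the best_route and verdict helpers are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: simulate the kernel's longest-
# prefix-match route selection over tables in "ip route" output format. The
# /32 route OpenVPN pushes for 10.7.0.1 beats the /24 blackhole while tun0
# is up; once the /32 disappears the blackhole wins again. All tables are
# constructed samples modelled on the thread, not real output.
VPN_DOWN='default via 192.168.200.254 dev air proto static
blackhole 10.7.0.0/24
192.168.200.0/24 dev air proto kernel scope link src 192.168.200.11'
# Same table plus the host route the OpenVPN server pushes on connect.
VPN_UP="$VPN_DOWN
10.7.0.1 dev tun0 scope link"
# No guard at all: the mail server IP would follow the default route.
NO_GUARD='default via 192.168.200.254 dev air proto static'
# best_route TABLE DST: print the line with the longest prefix covering
# DST, i.e. the route the kernel would select for that destination.
best_route() {
    printf '%s\n' "$1" | awk -v dst="$2" '
    function ip2int(s,  o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { best_len = -1 }
    {
        dest = $1
        if (dest == "default") dest = "0.0.0.0/0"
        else if (dest == "blackhole" || dest == "unreachable" || dest == "prohibit") dest = $2
        n = split(dest, p, "/")
        plen = (n == 2) ? p[2] + 0 : 32
        div = 2 ^ (32 - plen)   # only the leading plen bits must agree
        if (int(ip2int(p[1]) / div) == int(ip2int(dst) / div) && plen > best_len) {
            best_len = plen; best = $0
        }
    }
    END { if (best_len >= 0) print best; else print "no route" }'
}

# verdict TABLE DST: tunnel (leaves via tun0), blocked (blackhole-type
# route) or leak (anything else, such as the default route).
verdict() {
    case "$(best_route "$1" "$2")" in
        *" dev tun0"*)                     echo tunnel ;;
        blackhole*|unreachable*|prohibit*) echo blocked ;;
        *)                                 echo leak ;;
    esac
}

echo "VPN up:       $(verdict "$VPN_UP" 10.7.0.1)"    # tunnel
echo "VPN down:     $(verdict "$VPN_DOWN" 10.7.0.1)"  # blocked
echo "no blackhole: $(verdict "$NO_GUARD" 10.7.0.1)"  # leak
```

On a real system the same question is answered by "ip route get 10.7.0.1" with and without the tunnel up; the script only makes the prefix-length reasoning visible offline.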