xiongqihong / droidwall

Automatically exported from code.google.com/p/droidwall

In white list mode all apps bypass blocking if openvpn is active #230

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Set white list mode
2. Allow either openvpn-settings or vpn networking (if using the CyanogenMod openvpn option under Settings -> Wireless and network -> VPN settings) and root apps if the former is used.
3. Test any blocked apps, e.g., the Browser, before connecting your openvpn.
4. Create your vpn tunnel.
5. Test the previously chosen blocked apps again. Although it uses your vpn to connect to the internet, it is not blocked anymore.

What is the expected output? What do you see instead?

In Droidwall you can see that the usually blocked, thus logged, applications do not appear there anymore, obviously because they are not blocked.

What version of the product are you using? On what operating system?

Droidwall 1.5.7 on a standard Samsung Galaxy S2 (tested 1.5.3 as well)
Tested with Hyperdroid v5.2.21 ( Non-AOSP ROM )
Cyanogen Mod 7.1, Cyanogen Mod 7 Nightly #116, Cyanogen Mod 7 repo version 
2012-01-08

openvpn 2.1.1 from openvpn-installer
openvpn 2.1.1 from cyanogen mod

Please provide any additional information below.

Like I said, the apps can only freely use the openvpn tunnel in the Droidwall white list mode.
I am not very familiar with iptables and openvpn binaries yet, so I didn't create a custom configuration to solve this issue yet.
Whether the owner matches don't work with RETURN as the target as desired, or something else is missing, I have not found out so far.

Original issue reported on code.google.com by ueakx...@gmail.com on 13 Jan 2012 at 9:16

GoogleCodeExporter commented 9 years ago
Add this custom script to use wifi rules.

$IPTABLES -A "droidwall" -o tun+ -j "droidwall-wifi"

Original comment by chunlinyao@gmail.com on 27 Apr 2012 at 1:48

GoogleCodeExporter commented 9 years ago
All that line does is allow rules from the droidwall chain to be redirected to the droidwall-wifi chain. That doesn't help at all, since if you use openvpn the firewall is fully permissive, meaning it lets everything through.

Original comment by ueakx...@gmail.com on 11 May 2012 at 7:35

GoogleCodeExporter commented 9 years ago
I agree: the custom script does nothing for this important issue and everything goes through the tun unblocked. That means that all apps are blocked outside open-vpn but everything is free to go through the vpn; i.e.: all ads from apps are back once open-vpn is started. It is a serious security flaw and I really can't use Openvpn as I would otherwise.

Please -pretty please- find a working solution ;-)

/ a guy in China that needs a secured vpn

Original comment by alainlao...@gmail.com on 23 May 2012 at 1:21

GoogleCodeExporter commented 9 years ago
@ueakx... @alainlao...
This custom script works like a charm.
What this rule does is redirect the outbound traffic passing through "droidwall" (any outbound traffic) on interface tun+ to the droidwall-wifi chain, so that it is affected by the wifi rules.

thanks to chunlinyao

Original comment by sebast...@strzelec.de on 9 Jul 2012 at 10:01
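
The chain layout the thread refers to, as an added dry-run example that is not DroidWall's own script: it builds the droidwall, droidwall-wifi and droidwall-3g chains in white list mode, optionally includes chunlinyao's tun+ line, and reports which chain a packet leaving a given interface is sent to, so the bypass without that line and its effect with it can be checked without root. Everything other than the tun+ line and the droidwall/droidwall-wifi chain names (the wifi and 3G interface patterns, the droidwall-3g and droidwall-reject chains, the UIDs) is an assumption.

```shell
#!/bin/sh
# Added example, not DroidWall's own script: dry-run generator for the chain
# layout this thread discusses, plus a check of which chain an outbound
# interface lands in. Everything except the tun+ line is an assumption.
IPTABLES="${IPTABLES:-echo iptables}"  # dry-run by default; set IPTABLES=iptables to apply
WIFI_IFACES="wlan+ eth+"               # assumed wifi interface patterns
MOBILE_IFACES="rmnet+ ppp+"            # assumed 3G interface patterns
ALLOWED_UIDS="${ALLOWED_UIDS:-10042 10077}"  # constructed sample app UIDs
VPN_FIX="${VPN_FIX:-1}"                # 1 = include chunlinyao's tun+ rule

droidwall_rules() {
  for chain in droidwall droidwall-wifi droidwall-3g droidwall-reject; do
    $IPTABLES -N "$chain"
    $IPTABLES -F "$chain"
  done
  $IPTABLES -A droidwall-reject -j REJECT
  # Dispatch by outgoing interface. An interface that no line matches falls
  # off the end of "droidwall" unfiltered: that is the whitelist bypass.
  for i in $WIFI_IFACES;   do $IPTABLES -A droidwall -o "$i" -j droidwall-wifi; done
  for i in $MOBILE_IFACES; do $IPTABLES -A droidwall -o "$i" -j droidwall-3g;   done
  if [ "$VPN_FIX" = 1 ]; then
    $IPTABLES -A droidwall -o tun+ -j droidwall-wifi  # VPN traffic follows wifi rules
  fi
  # White-list mode: allowed UIDs RETURN, anything else is rejected.
  for uid in $ALLOWED_UIDS; do
    $IPTABLES -A droidwall-wifi -m owner --uid-owner "$uid" -j RETURN
    $IPTABLES -A droidwall-3g   -m owner --uid-owner "$uid" -j RETURN
  done
  $IPTABLES -A droidwall-wifi -j droidwall-reject
  $IPTABLES -A droidwall-3g   -j droidwall-reject
  $IPTABLES -D OUTPUT -j droidwall 2>/dev/null || true
  $IPTABLES -I OUTPUT -j droidwall
}

# Print the chain a packet leaving on interface $1 is dispatched to, or "none"
# if it escapes filtering. Walks the dry-run output; first match wins, as in
# iptables; a pattern ending in "+" is a prefix match, any other is exact.
chain_for_iface() {
  ( IPTABLES="echo iptables"; droidwall_rules ) | awk -v ifc="$1" '
    $2 == "-A" && $3 == "droidwall" && $4 == "-o" {
      pat = $5; prefix = sub(/[+]$/, "", pat)
      if ((prefix && index(ifc, pat) == 1) || (!prefix && ifc == pat)) {
        print $7; found = 1; exit
      }
    }
    END { if (!found) print "none" }'
}
droidwall_rules                        # show the generated rule set
echo "tun0 -> $(chain_for_iface tun0)"  # droidwall-wifi with the fix, none without
```

Run with VPN_FIX=0 to see tun0 reported as "none", i.e. escaping the white list exactly as the reporters describe; with the default the VPN interface is filtered by the wifi rules.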

GoogleCodeExporter commented 9 years ago
@chunlinyao:

Thanks for your reply on this [and sorry for my late reply..] BUT this script is not working for me. I even tried it like this:

$iptables -A "droidwall" -o tun+ -j "droidwall-wifi"

[since I read somewhere that Droidwall can have problems with uppercase letters]

I do not use openvpn or CM7's VPN setting but a free app called DroidVPN which 
can be found here on the Play Store: 
https://play.google.com/store/apps/details?id=com.aed.droidvpn

Then I pretty much follow the OP above and do the following:

1- In Droidwall's white list mode, I uncheck my browser and verify that 
Droidwall is now blocking it;
2- Go in Droidwall's custom rules and enter the script and press OK [I can then 
see custom rules applied toast popup];
3- In Droidwall I then check "DroidVPN" and "Applications running as root" 
[both required for DroidVPN use], press apply rules and then start my VPN;
4- Finally I open my browser [which should still be blocked] and BAM! it goes 
through Droidwall's rule - same as without using any custom script.

So the issue remains: using a VPN means Droidwall's rules are all bypassed 
which is a serious security flaw/risk.

So there is nothing charming in the script for me... ;-p

Thanks again and please keep the suggestions coming...

Original comment by alainlao...@gmail.com on 18 Aug 2012 at 6:30

GoogleCodeExporter commented 9 years ago
I just tested what you described and it worked for me. Keep in mind the custom rule makes VPN traffic follow the Wifi rules, not the 3G rules (because there's no "nice" way for the system to tell the difference between VPN via Wifi and VPN via 3G).

The only thing I can suggest is not messing with the capitalization of the 
suggested rule and possibly rebooting.

Original comment by d...@uglyproductions.com on 28 Aug 2012 at 4:58

GoogleCodeExporter commented 9 years ago
Well, I must have screwed up somewhere before [because I did try the suggested script as is w/o modification and rebooted] because it now works properly. So thanks a bunch guys for this; I'm now a happy camper ...
Now if the vpn connection could give me the decent dl/ul speeds it used to I'd be happier.. But that has nothing to do with this topic..
Thanks again and cheers!

Original comment by alainlao...@gmail.com on 11 Sep 2012 at 9:26

GoogleCodeExporter commented 9 years ago
Here is the solution:

http://blog.vpetkov.net/2013/02/22/firewall-the-inside-of-your-openvpn-or-l2tpipsec-tunnel-on-android/

The developer of Android Firewall has included this solution into his firewall, 
and this should be released today/in the next couple of days.

Original comment by ve...@vpetkov.net on 22 Feb 2013 at 9:25