“Wrong Way”: Another VPN security problem has been found. A routing ‘feature’ may reveal the user’s real IP address, similar to Port Fail. This time not only providers with port forwarding are affected, but all providers that have not fixed the problem. The underlying problem is that, under certain conditions, packets received on the real IP are answered via the VPN interface.
The Perfect Privacy VPN Manager protects you from this attack.
In cooperation with ValdikSS from the Russian provider ProstoVPN we fixed the following problem.
The following requirements must be met for this IP leak to occur:
A possible attack would then look like the following:
This issue is critical because it generally affects all operating systems and VPN protocols. In contrast to PortFail, there is no server side solution: The recommended method to prevent this leak is by deactivating UPnP functionality in the router. If that isn’t possible, the other option is to block such traffic by firewall rules on the client side (see below).
ProstoVPN has provided a video that demonstrates this leak in Windows 10.
The best solution is to deactivate UPnP functionality on your router. This will prevent any open ports on the router even if they are requested by applications.
Users who have no control over their router and cannot deactivate UPnP functionality, and users who are connected to the internet directly (without a router), need to block the traffic that would reveal their IP on the client side.
On Linux operating systems the fix is rather simple by setting
sysctl net.ipv4.conf.*.rp_filter=1
Where * references the appropriate interface. If the VPN interface is tun0 and the internet interface is wlp3s0, the commands are as follows:
sysctl net.ipv4.conf.default.rp_filter=1
sysctl net.ipv4.conf.tun0.rp_filter=1
sysctl net.ipv4.conf.wlp3s0.rp_filter=1
This drops packets whose source address, according to the routing table, would not be routed back out over the interface they arrived on. Additionally, the following firewall rule should be added for IPv6:
ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
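The rp_filter settings above are easy to get subtly wrong: the kernel uses the maximum of net.ipv4.conf.all.rp_filter and the per-interface value, the "default" entry only applies to interfaces created afterwards, and loose mode (2) does not stop this leak because it only requires that the source be reachable via some interface. The following audit script is an added example, not part of the original post or of the Perfect Privacy client; it reads the sysctl tree (or a constructed directory passed in for offline testing), reports interfaces that are not in strict mode, and emits the fix commands from the post for review. The interface names tun0 and wlp3s0 are taken from the post's example.

```shell
#!/bin/sh
# Added example: audit the Linux reverse-path filter state that the
# "Wrong Way" fix relies on. CONF_DIR defaults to the real sysctl tree
# but may point at a constructed directory for offline testing.

# effective_rp_filter IFACE [CONF_DIR]
# The kernel applies max(conf/all/rp_filter, conf/IFACE/rp_filter) when
# validating the source of a packet arriving on IFACE, so a value of 0
# on the interface is still strict if "all" is 1.
effective_rp_filter() {
    iface=$1
    conf=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$conf/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$conf/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_audit VPN_IF WAN_IF [CONF_DIR]
# Prints "OK" when both interfaces use strict mode (1). Otherwise prints
# one "LEAK-RISK <iface> effective=<n>" line per interface that is not
# strict and returns 1. Loose mode (2) is flagged as well, because it
# accepts a packet whenever the source is reachable via any interface,
# which is exactly the asymmetric routing case behind this leak.
rp_filter_audit() {
    vpn_if=$1; wan_if=$2; conf=${3:-/proc/sys/net/ipv4/conf}
    rc=0
    for i in "$vpn_if" "$wan_if"; do
        v=$(effective_rp_filter "$i" "$conf")
        if [ "$v" != "1" ]; then
            echo "LEAK-RISK $i effective=$v"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK"
    return $rc
}

# rp_filter_fix_commands VPN_IF WAN_IF
# Emits the sysctl commands from the post, one per line, plus the IPv6
# rpfilter rule, so they can be reviewed before being run as root.
rp_filter_fix_commands() {
    vpn_if=$1; wan_if=$2
    printf 'sysctl -w net.ipv4.conf.default.rp_filter=1\n'
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=1\n' "$vpn_if"
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=1\n' "$wan_if"
    printf 'ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP\n'
}

# Usage on a real host (the audit needs no root, applying the fix does):
#   rp_filter_audit tun0 wlp3s0 || rp_filter_fix_commands tun0 wlp3s0 | sudo sh
```

Running the audit after the fix is the useful part: a VPN interface that is re-created on every connection gets the "default" value, so if default was left at 0 the leak protection silently disappears on reconnect unless "all" is set to 1.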
On macOS this is more difficult; the simplest way is to block all incoming UDP packets except those from non-routable addresses, the ISP subnetwork or the IP address of the VPN server itself, like this:
echo 'pass in quick proto udp from 10.0.0.0/8 to any
pass in quick proto udp from 192.168.0.0/16 to any
pass in quick proto udp from 172.16.0.0/12 to any
pass in quick proto udp from 169.254.0.0/16 to any
pass in quick proto udp from 185.61.149.121/32 to any
block in quick on ! utun1 proto udp to any' | sudo pfctl -Ef -
In this example 185.61.149.121 is the IP address of the VPN server and utun1 is the VPN interface.
The rp_filter functionality does not exist in Windows. However, VPN providers that have custom client software can implement specific firewall rules which will prevent this leak, as is the case with the Perfect Privacy VPN client software.
Windows users who use the OpenVPN software to connect to the VPN server will be vulnerable to this leak. If it is not possible to deactivate UPnP on the router or if the user is connected to the internet directly, they will need to set specific firewall rules to prevent this leak. ValdikSS provides a plugin that can be used to block this attack. Note: This plugin is not supported by Perfect Privacy and we accept no responsibility for using it. We included this plugin for users who are with a different VPN provider that has no fix for this issue.