OpenVPN (and Cisco VPN) leave ports 88 and 445 open to "the internet".

10 posts Page 1 of 1
by rbp » Tue Nov 28, 2017 2:34 pm
Hey.

I've noticed when I'm connected to Sonic via VPN that my local (on my computer) firewall catches evil outsiders trying to connect to my machine on ports 88 (kerberos - which is odd) and 445 (Microsoft Directory Services).

If I run "shields up" from grc.com it shows all the other ports to be in "stealth" mode, but 88 and 445 to be open.

Anyone else notice this? Is this a configuration bug with the Sonic firewall, or perhaps something intentional?
by sysops » Tue Nov 28, 2017 2:59 pm
I wouldn't quite call it intentional, but it is a side effect of many VPN services.

When you connect to the VPN, your computer bypasses any firewall in your router and the tunnel for the connection that is established is direct from your computer to the VPN. Any services on your computer that are bound to all interfaces (e.g Windows File Sharing, Apache Web Server) will then be exposed through the public VPN IP address to the internet.

Sonic calls this out here on their VPN Wiki page, though perhaps it could use a bit more emphasis.

If you're connecting using Windows, make sure to set the VPN network to "Public" and enable the firewall on the Public networks and VPN interfaces. On Linux, install a firewall (e.g. ufw) and activate it for the VPN connection.

On a side note, some VPN providers firewall their connections from the VPN side. The upside to this is not having to think about it on your end and increased security since some malicious traffic won't even reach your computer's firewall. The downside is if you want to actually legitimately have a port open on the VPN interface, you often have to contact their support department.
Proud Sonic customer since 1999. Ask me about internet privacy, VPN, anonymity and security.
by rbp » Tue Nov 28, 2017 3:12 pm
"Working as intended", then.

I do find it odd that all *except* ports 88 and 445 are blocked. I'd have expected that if OpenVPN were going to expose my computer it would expose it all.

I don't have a problem having a local firewall on my machines - that's how I discovered that ports 88 and 445 are open. Although I'd personally prefer if all the internet-facing ports from the VPN server were closed.

Thanks.
by sysops » Tue Nov 28, 2017 3:24 pm
Yea :)

If you run "netstat -ano" from a command prompt, look for all ports in the LISTENING state.

Anything bound to 0.0.0.0 will be exposed to the VPN. Anything else like 127.0.0.1 or 192.168.42.x are going to be local only. For the most part, there probably aren't many services that listen on all interfaces.

Windows being Windows, you'll definitely want to make sure things like NetBIOS/SMB (port 139) and file sharing services are not listening publicly.
Proud Sonic customer since 1999. Ask me about internet privacy, VPN, anonymity and security.
by rbp » Tue Nov 28, 2017 3:30 pm
Right. I run Linux or OS X when I'm using the VPN connection. They too need to be kept safe, of course, but at least they are not broken by default... :)
by sysops » Tue Nov 28, 2017 3:57 pm
Ahh, nice. I guess I assumed Windows when I read "445 Microsoft Directory Services". But that makes sense on Linux too, as its smb service will also listen on that port, on 0.0.0.0.

In that case, try

    sudo netstat -anop|grep 'LISTEN '

to get a view of what's listening publicly. The -p flag will show you the PID and process name, which is a big help (requires root to see processes owned by other users).
Proud Sonic customer since 1999. Ask me about internet privacy, VPN, anonymity and security.
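The two posts above (sysops' advice to run `netstat -ano` on Windows and `sudo netstat -anop | grep 'LISTEN '` on Linux, then look for anything bound to 0.0.0.0) can be turned into a small checker. The following is an added example, not code from the thread or from Sonic: it parses both netstat listing formats, keeps only TCP sockets in LISTEN/LISTENING state, and reports the ones bound to a wildcard address (0.0.0.0, :: or *), since those are the sockets that become reachable through the VPN's public address once the tunnel bypasses the router firewall. The sample netstat output is constructed for the example; the PIDs and program names in it are made up.

```python
"""Find TCP services bound to all interfaces from netstat output.

Added example, not from the forum thread: a parser for the
`netstat -ano` (Windows) and `netstat -anop` (Linux) listings the
thread recommends. Anything listening on a wildcard address
(0.0.0.0, :: or *) is reachable through the VPN tunnel's public IP.
"""
from typing import List, NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str      # local bind address exactly as netstat printed it
    port: int
    pid: str       # PID on Windows; PID/program on Linux ('-' without root)


# Bind addresses that mean "every interface", including the VPN one.
WILDCARDS = {"0.0.0.0", "::", "[::]", "*", ""}

# Constructed sample output in Windows `netstat -ano` style.
WINDOWS_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       1312
  TCP    192.168.42.10:49700    52.1.2.3:443           ESTABLISHED     2200
  TCP    [::]:88                [::]:0                 LISTENING       812
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample output in Linux `sudo netstat -anop | grep 'LISTEN '` style.
LINUX_SAMPLE = """
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1234/smbd        off (0.00/0/0)
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      800/cupsd        off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd         off (0.00/0/0)
"""


def _split_addr(local: str):
    """Split 'host:port' on the last colon so '[::]:88' and ':::22' stay intact."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def parse_listeners(text: str) -> List[Listener]:
    """Return TCP sockets in LISTEN/LISTENING state from either netstat format."""
    found = []
    for line in text.splitlines():
        tokens = line.split()
        # Only TCP has a LISTEN state; UDP lines and headers are skipped.
        if not tokens or not tokens[0].lower().startswith("tcp"):
            continue
        if ":" in tokens[1]:
            # Windows columns: Proto, Local, Foreign, State, PID
            local, state, pid = tokens[1], tokens[3], tokens[4]
        else:
            # Linux columns: Proto, Recv-Q, Send-Q, Local, Foreign, State, PID/Program
            local, state, pid = tokens[3], tokens[5], tokens[6]
        if not state.upper().startswith("LISTEN"):
            continue
        host, port = _split_addr(local)
        found.append(Listener(tokens[0].lower(), host, port, pid))
    return found


def exposed_listeners(text: str) -> List[Listener]:
    """Listeners bound to a wildcard address: these are exposed on the VPN interface."""
    return [entry for entry in parse_listeners(text) if entry.addr in WILDCARDS]


def report(text: str, watch=(88, 445)) -> List[str]:
    """One line per exposed listener; the ports seen open in the thread are flagged."""
    lines = []
    for entry in exposed_listeners(text):
        flag = "  <-- port reported open in the thread" if entry.port in watch else ""
        lines.append(f"{entry.proto} {entry.addr}:{entry.port} pid={entry.pid}{flag}")
    return lines


if __name__ == "__main__":
    for name, sample in (("Windows", WINDOWS_SAMPLE), ("Linux", LINUX_SAMPLE)):
        print(f"== {name}: listeners bound to all interfaces ==")
        print("\n".join(report(sample)) or "(none)")
```

On a real machine, pipe the netstat output into `report()` instead of the constructed samples. The loopback-bound entries (127.0.0.1:5432 and 127.0.0.1:631) are deliberately not reported: as the thread says, only sockets bound to 0.0.0.0 or :: end up reachable from the VPN side, and those are the ones to close or firewall on the tunnel interface.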
by rbp » Tue Nov 28, 2017 4:02 pm
I'm good - between the OS X firewall and "little snitch" my OS X system is covered. My firewalls are what informed me that the OpenVPN server had holes.
by virtualmike » Tue Nov 28, 2017 11:15 pm
sysops wrote:If you're connecting using Windows, make sure to set the VPN network to "Public"...
How does one do that?
by mike.ely » Wed Nov 29, 2017 1:36 pm
virtualmike wrote:
sysops wrote:If you're connecting using Windows, make sure to set the VPN network to "Public"...
How does one do that?
I'm rarely on Windows so YMMV, but this is the first result from Google:
https://tinkertry.com/how-to-change-win ... to-private
Sonic Operations
by virtualmike » Wed Nov 29, 2017 10:18 pm
Thanks! I'd Googled and found similar links, but when I followed the steps, I couldn't find a network connection for the VPN.

After seeing your message, I had the inspiration that perhaps I needed to be connected to the VPN to be able to make the change.

Sure enough, if I'm on VPN, I see "Unidentified Network" along with my FTTN connection. The FTTN is private, and the Unidentified Network, called "Ethernet 3," is marked as public.

Testing Shields Up! shows my computer passes the regular tests. In particular, ports 88 and 445 are not open.

I'll note that I'm using the OpenVPN GUI, not the OpenVPN Client.
