suspect connection

hadi5
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 13, 2018 10:54 pm

suspect connection

Post by hadi5 » Fri Apr 13, 2018 11:07 pm

When I set openvpn to connect automatically when the network becomes available, there is always a second https connection established by the openvpn app (see screenshot)

http://ibb.co/fXyfBn

This does not happen if I manually activate the VPN connection after being connected to the network first

Is there some default connection being made by openvpn, maybe to check for updates or something? This is kinda unsettling.

Any ideas?

Edit: the connection also happens when the VPN is manually activated, but it does not seem to happen every time
Last edited by hadi5 on Sat Apr 14, 2018 10:25 am, edited 1 time in total.

hadi5
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 13, 2018 10:54 pm

Re: suspect connection

Post by hadi5 » Sat Apr 14, 2018 8:22 am

Found out some more:

The IP was resolved from the DNS name "codepush.azurewebsites.net"
Codepush seems to be a service for apps provided by Microsoft.

The question remains why this connection is made and what is transmitted.
Since the connection is made through the VPN as well as outside it, this behavior breaks anonymity as well.

Edit: sha256 of my openvpn apk file
29094c1e5fd2fc1ab61d304f65ef06f4dfe9514e915146a8bd144b6fa61a5f7c

Edit2: VirusTotal results confirm the connection
https://www.virustotal.com/#/file/29094 ... c/behavior

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: suspect connection

Post by novaflash » Sat Apr 14, 2018 10:29 am

Hi hadi5,

Your forum post has been passed around internally a bit here and we're puzzled as well. As far as we know we aren't doing anything with codepush.azurewebsites.net. We take this case extremely seriously though so we are investigating to see if there is any possible blame on our software. You provided an sha256 hash but what version of OpenVPN Connect for Android are you running right now? And you appear to be side-loading it - any reason for that as opposed to just using the Google Play Store? See, personally I'm thinking this might have something to do with the issue, so that's why I'm asking for details.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

hadi5
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 13, 2018 10:54 pm

Re: suspect connection

Post by hadi5 » Sat Apr 14, 2018 11:16 am

I am using LineageOS 15.1 (Oreo) and since I don't want to use Google services, I am using Yalp Store which downloaded the apks from the Play Store directly without requiring a Google account.

The OpenVPN Connect version is 3.0.4 (1147)

The source of the apk is also what I suspect to be the source, that's why I provided the hash.
Can you confirm that the hash is correct?

I am going to upload the apk file shortly as well

Edit:
Here is the apk file
https://www.file-upload.net/download-13 ... pk.7z.html

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: suspect connection

Post by novaflash » Sun Apr 15, 2018 12:07 pm

I see. Well we didn't test for Lineage OS. We did have someone check the hash of the apk and it appears to be correct. We still have no clue however where this extra connection to azure is coming from though, but it is the weekend, so perhaps some of the dev guys will have some idea of what to check when they get back in the office.

hadi5
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 13, 2018 10:54 pm

Re: suspect connection

Post by hadi5 » Wed Apr 18, 2018 6:23 pm

Any news about this?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: suspect connection

Post by novaflash » Thu Apr 19, 2018 6:36 am

Hello hadi5,

We have finally gotten to the bottom of this. I am sorry it took so long but there was the weekend in between and I had to chase it down quite far.

The good news is, it's not a virus. The bad news is, this was not supposed to be in a public release.

We are working on a better update system for the OpenVPN Connect app in Android using something called codepush. It was decided that a better software update mechanism was needed to speed up bug fixes and compatibility fixes. However it was also decided that there should be an opt-out function for this and that the connections would be made to an *.openvpn.net domain so that it is easy to understand what is going on.

We are doing an internal investigation as to what happened but it looks like code was prepared, was supposed to not be active, until we finished this up. Somehow this code got activated. Currently it doesn't actually work as it's still in development. We are going to change our procedures so this doesn't happen again, and we'll release an update soon that will resolve the issue, either by killing the code or by implementing it properly with opt-out and *.openvpn.net domain for the updates.

So, our apologies, but this is what happened, and it is fortunately not a malware or a virus thing. It actually currently doesn't even work. It's our fault and we'll fix it asap.
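The check this explanation implies, as an added example that is not part of the original thread and not OpenVPN's code: given the connections observed from the VPN app, flag every destination that is neither the configured VPN server nor under `*.openvpn.net`, and report whether it left inside or outside the tunnel. The record format, the interface names, and the hostnames `vpn.example.org`, `updates.openvpn.net` and `notopenvpn.net` are constructed assumptions; only `codepush.azurewebsites.net` comes from the thread.

```python
"""Flag connections from a VPN client app that go to unexpected hosts.

Added example: record format, interface names and all hostnames except
codepush.azurewebsites.net are constructed assumptions.
"""

# Destinations the app is expected to contact. A leading "*." means
# "any subdomain of", matched on DNS label boundaries.
ALLOWED = ["vpn.example.org", "*.openvpn.net"]
TUNNEL_IFACES = {"tun0"}  # assumed name of the VPN interface


def host_allowed(host, patterns=ALLOWED):
    """Return True if host equals a pattern or matches a *.suffix pattern."""
    host = host.rstrip(".").lower()
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            # Require a real label boundary: "x.openvpn.net" matches,
            # "notopenvpn.net" and "openvpn.net.example.org" do not.
            if host.endswith(pat[1:]) and len(host) > len(pat) - 1:
                return True
        elif host == pat:
            return True
    return False


def review(records):
    """Return (host, iface, reason) for each connection worth a look."""
    findings = []
    for line in records:
        iface, host = line.split()
        if host_allowed(host):
            continue
        where = "inside tunnel" if iface in TUNNEL_IFACES else "outside tunnel"
        findings.append((host, iface, f"unexpected destination, {where}"))
    return findings


# Constructed sample: "<interface> <resolved hostname>" per connection.
SAMPLE = """\
wlan0 vpn.example.org
tun0 updates.openvpn.net
wlan0 codepush.azurewebsites.net
tun0 codepush.azurewebsites.net
tun0 notopenvpn.net
""".splitlines()

if __name__ == "__main__":
    for host, iface, reason in review(SAMPLE):
        print(f"{iface:6} {host:30} {reason}")
```

Matching on the label boundary rather than a plain suffix is what keeps a lookalike such as `notopenvpn.net` from passing as an `*.openvpn.net` host.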

hadi5
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 13, 2018 10:54 pm

Re: suspect connection

Post by hadi5 » Thu Apr 19, 2018 9:02 am

Thanks for the information
Looking forward to the next release

hadi5
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 13, 2018 10:54 pm

Re: suspect connection

Post by hadi5 » Sat May 05, 2018 8:40 am

Has this been fixed in any of the new releases?
I have not yet found any mention of this in any of the recent release notes

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: suspect connection

Post by ordex » Sun May 20, 2018 12:12 pm

I think it was not mentioned in the Changelog but the fix should be in the latest release already.

BohdanHamulets
OpenVpn Newbie
Posts: 5
Joined: Thu Mar 15, 2018 12:04 pm

Re: suspect connection

Post by BohdanHamulets » Mon May 21, 2018 10:14 am

This was deleted in the 3.0.5 app version. Feel free to update.
