AS server & confidentiality question

Business solution to host your own OpenVPN server with web management interface and bundled clients.
vnpenguin
OpenVpn Newbie
Posts: 14
Joined: Sun Dec 06, 2015 7:12 am
Location: Belgium

AS server & confidentiality question

Post by vnpenguin » Sat Feb 05, 2022 4:09 pm

Hi everybody,
I have already tested AS server; it works well :)

Before buying AS server for more users, I have a confidentiality question:
How can I be sure that the information on my AS server (users, password, certificates, activities,...) is not sent out to somewhere?

Thank you,

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: AS server & confidentiality question

Post by openvpn_inc » Sat Feb 05, 2022 5:00 pm

Hi vnp,

OpenVPN Access Server is provided as software that you host yourself, whether on premises or in "cloud" providers. In either case it's your responsibility to secure it. That said, we do try to make it reasonably secure by default.

The truly paranoid user would hesitate to trust a cloud provider. If you can't control physical access to the media with your data on it, you can't be sure of its security. But even with root privileges on an AS host, it would not be easy to gain exploitable information from the VPN itself.

Your Internet provider where you host your AS is able to monitor traffic in or out of it. But traffic between AS and connected clients is securely encrypted. Your ISP cannot see inside the tunnel.

If you are using a full tunnel, redirecting clients' gateway through the VPN, your AS will be sending packets out through the Internet on behalf of clients. The ISP at the AS and along the way to the destination could monitor those packets. Many gov't agencies are known to do this, in many countries.

If those packets are not encrypted for some reason, their contents could possibly be snooped. Note however that doing this in real time and finding any usable information therein is a non-trivial challenge, even for the best equipped state-level attackers. And these days most web and other Internet traffic is encrypted, and most unencrypted traffic is uninteresting.

Users obtaining their profiles from the AS Client Web Service (CWS) submit their credentials via HTTPS. Those are safe from snooping. Then users establish their encrypted VPN connection, also secured, as mentioned before.

That's your answer in a nutshell, but do take the time to look over the documentation and other content on our https://openvpn.net/ web site. Enjoy your Access Server.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

vnpenguin
OpenVpn Newbie
Posts: 14
Joined: Sun Dec 06, 2015 7:12 am
Location: Belgium

Re: AS server & confidentiality question

Post by vnpenguin » Mon Feb 07, 2022 9:18 am

Dear openvpn_inc,
Thank you for your reply.
Yes, I know about ISP, about encrypted VPN tunnel, about HTTPS,...but that is not really my question.

As Access Server is NOT open source, how can I be sure the AS server does not send out the server's information (users, certificates, logs) to somewhere in the world?

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: AS server & confidentiality question

Post by chilinux » Mon Feb 07, 2022 5:32 pm

OpenVPN Access Server is mixed licensed. The product is the most transparent of any commercial enterprise grade VPN solution on the market.

The python part of the OpenVPN Access Server is closed source but does not handle the VPN data itself.

The OpenVPN process that does handle all VPN connections is covered by the General Public License. The only data exchanged between the OpenVPN process and the python script passes over a Unix socket, using a limited set of management interface commands which are explained here:
https://openvpn.net/community-resources ... interface/

The python script itself will only ever make a network connection back to the vendor for licensing purposes, if even then (more on that later).

You have four options for licensing, which affect the degree to which the vendor is contacted.

(1) AWS tiered instance - I have no experience with this licensing mode so I'm going to skip discussing it

(2) Subscription key / Flex licensing - I believe this is usually the preferred licensing method at this point. It will make short network connections over HTTPS to licensing.openvpn.net. By nature of how this license mode works, the vendor keeps track of the total number of active VPN connections each server using the subscription key is using, to make sure you aren't exceeding what you are paying for. The amount of data sent can be tracked by using "tcpdump", and this is the licensing method I am currently using. If you are paranoid about confidentiality, then this probably is not the licensing mode for you.

(3) Fixed License (Online activation) - This contacts licensing.openvpn.net over HTTPS once a year during activation of the license. Again, you can track the amount of data sent via tcpdump. This is the one I would recommend using for your situation.

(4) Fixed License (Offline activation) - This is an option available that involves working with vendor support to perform activation of the license offline. I have never gone through the process but it seems like it would be more involved and less convenient than just doing the online activation.

More details on the license modes are here:
https://openvpn.net/faq/which-licensing ... ss-server/

More details on fixed license activation are here:
https://openvpn.net/vpn-server-resource ... ense-keys/

You should be able to use an external firewall to block outgoing network connections (it will still need to allow established UDP connections) to make sure it doesn't ever send information somewhere in the world. For fixed license online activation, you will have to allow the connection specifically to the license server but whenever you aren't activating/renewing your license you can block all outgoing connections.

Lastly, they have a GDPR compliance FAQ available here:
https://openvpn.net/openvpn-compliance/

If this doesn't answer your question enough to raise your level of comfort, then your next best step is to use the community edition of OpenVPN which comes with no web interface for management and comes with no support.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: AS server & confidentiality question

Post by openvpn_inc » Mon Feb 07, 2022 6:28 pm

Thank you chilinux for that very excellent post. I think a few minor details are off, such as hostnames contacted, and I think the online activation of a fixed license only happens once, not yearly.

A free 2-connection AS subscription might try to contact the licensing server, but it won't matter if that fails. You can put an unlicensed AS in a sandbox without Internet access at all, and track what it does. You can open it to the Internet later and see how much data goes to the licensing server. It's not much. And you can see then that it's not making any other connections except as your VPN configuration and usage tells it to make.

I will tell you, but we can't prove to you, that your information is not being stolen. The python code does have access to certificates and (in local authentication mode) hashed passwords. If that bothers you, indeed, use community openvpn, where you are in full control of everything. But you might want to audit the source code first.

regards, rob0

vnpenguin
OpenVpn Newbie
Posts: 14
Joined: Sun Dec 06, 2015 7:12 am
Location: Belgium

Re: AS server & confidentiality question

Post by vnpenguin » Tue Feb 08, 2022 6:34 am

Thank you @chilinux for your detailed explanation.

For the confidentiality requirements of my project, I think the open source (community) release of OpenVPN is better for me.

Thank you everyone,

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: AS server & confidentiality question

Post by openvpn_inc » Wed Feb 09, 2022 11:42 am

Hello vnpenguin,

I just wanted to add a little more strongly phrased language here.

We definitely do not collect information from our customer Access Servers. We do not receive private keys, usernames, password hashes, data sent through the VPN tunnel, or anything of that kind from our customers' Access Servers. We believe in providing a safe and secure product, and those things are at the heart of the security of the product. We simply do not collect that private information. Every Access Server installation generates its own unique sets of keys and certificates to ensure confidentiality.

I can explain in detail what information we do gather, and with valid reasons for it.

The only information we do receive is related to software licensing. On AWS tiered, for example, we get the EC2 AMI ID and the ProductCode information, which allows us to verify that your instance is licensed for a specific number of connections. This is the absolute minimum required for AWS tiered licensing to work. After all, with AWS tiered you pay through AWS, and we need a way to verify this with AWS, which is done through the EC2 AMI ID and ProductCode. For fixed license keys we get (hashes of) certain hardware specifics during the activation procedure, so that the license key is valid for your device and can't be used on other unlicensed machines. For subscriptions we get regular reports of how many connections are used up. We don't know who is connected, we don't know how much bandwidth is transferred, and we don't care to know. All we care about is that for software licensing you are able to establish the number of connections you paid for, and no more. The whole principle here is to get as little information as is needed to reach that goal. And this requires no private information like certificates, keys, usernames, passwords, etc.

However, as my colleague rob0 rightly pointed out, we cannot prove it. We can't point you to the code and say: this is proof. Because Access Server itself is closed source. However, the VPN engine in it is open source, and that code you can see - it's simply the OpenVPN project. But you can verify things for yourself by running Access Server in a sandbox and monitoring incoming and outgoing communications. You will then see that nothing untoward is happening. That is all the proof I can give you.

And as rob0 said, if that's not good enough, then the open source project is the only alternative, as that can be completely audited.

Kind regards,
Johan
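One way to carry out the sandbox check rob0 and Johan describe, and the tcpdump-based tracking chilinux mentions, as an added example that is not from this thread or from OpenVPN Inc.: the script reads the text output of `tcpdump -n` captured on the Access Server host and lists every new flow that host itself initiates, separating contacts with the licensing server from anything unexpected. The host address 10.0.0.5, the VPN port 1194, the sample capture and the address 198.51.100.20 standing in for licensing.openvpn.net are all constructed placeholders.

```python
import re

# Constructed sample in the shape of `tcpdump -n` text output on the Access Server host's
# interface (not a real capture): 10.0.0.5 is the AS host, 203.0.113.7 a VPN client and
# 198.51.100.20 a placeholder standing in for licensing.openvpn.net.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 10.0.0.5.44210 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
10:00:02.000001 IP 203.0.113.7.51000 > 10.0.0.5.1194: UDP, length 62
10:00:02.000500 IP 10.0.0.5.1194 > 203.0.113.7.51000: UDP, length 54
10:00:03.000001 IP 10.0.0.5.44211 > 192.0.2.99.443: Flags [S], seq 1, win 64240, length 0
10:00:03.100001 IP 10.0.0.5.44211 > 192.0.2.99.443: Flags [.], ack 1, win 502, length 0
10:00:04.000001 IP 10.0.0.5.44212 > 198.51.100.20.443: Flags [S], seq 2, win 64240, length 0
"""

AS_HOST = "10.0.0.5"                       # the Access Server's own address (assumed)
VPN_PORT = 1194                            # port the OpenVPN daemon listens on (assumed)
LICENSE_SERVER = {("198.51.100.20", 443)}  # placeholder for licensing.openvpn.net:443

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_packet(line):
    """Return (src, sport, dst, dport, proto, is_new) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    proto = "udp" if m["rest"].startswith("UDP") else "tcp"
    is_new = proto == "udp" or "Flags [S]" in m["rest"]  # a bare SYN opens a TCP connection
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto, is_new

def audit_egress(capture, as_host=AS_HOST, vpn_port=VPN_PORT, allowed=LICENSE_SERVER):
    """Split the flows the AS host initiates into licensing contacts and unexpected ones."""
    seen_inbound = set()  # (peer, peer_port, local_port, proto) of packets that reached us
    licensing, unexpected = [], []
    for line in capture.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, sport, dst, dport, proto, is_new = pkt
        if dst == as_host:
            seen_inbound.add((src, sport, dport, proto))
            continue
        if src != as_host or not is_new:
            continue  # not from this host, or a mid-stream TCP segment
        if proto == "udp" and sport == vpn_port and (dst, dport, sport, proto) in seen_inbound:
            continue  # reply to a client that already reached the VPN port: expected
        (licensing if (dst, dport) in allowed else unexpected).append((dst, dport, proto))
    return licensing, unexpected
```

Run it over a real capture taken while the server is idle and again while it activates or renews its license; anything in the "unexpected" list is a destination to explain before trusting the host.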

vnpenguin
OpenVpn Newbie
Posts: 14
Joined: Sun Dec 06, 2015 7:12 am
Location: Belgium

Re: AS server & confidentiality question

Post by vnpenguin » Thu Feb 10, 2022 8:19 am

openvpn_inc wrote (Wed Feb 09, 2022 11:42 am):
However, as my colleague rob0 rightly pointed out, we cannot prove it. We can't point you to the code and say; this is proof. Because Access Server itself is closed source.
Dear Johan,
Thank you for your reply. Yes, I understand the status "closed" source of AS server and I understand that it's not possible, technically, for you to prove it.

However, do you have any NDA about this subject when you sell the licenses for AS server?

Thank you,
Regards,

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: AS server & confidentiality question

Post by openvpn_inc » Thu Feb 10, 2022 7:23 pm

Hi vnp,

I am not sure; I don't see it here:
https://openvpn.net/license/
But that would be a question for Johan. I'll make sure he sees it. Thanks.

regards, rob0

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: AS server & confidentiality question

Post by openvpn_inc » Fri Feb 11, 2022 10:39 am

Hello vnpenguin,

Please see:
https://openvpn.net/openvpn-compliance/

Section titled: What data will you be storing about us?

If you want more than that feel free to contact our support department and ask about setting up an NDA agreement.

Kind regards,
Johan