OPENVPN SECURITY FLAW??

[Scorpion_69]

So I figured I would leave OPENVPN up and running to test my connection....
After 4 hours I checked the INPUT/OUTPUT rates and found that 850mb of data was somehow transferred from my network.
I did a PORT security scan and was disturbed at what I found, the following PORTS are wide open......
22 ssh
23 telnet
119 nntp
135 rpc
139 net-bios
445 msft ds

So how do I close the ports that are open?
I disconnect the OPENVPN...run the PORT scan and everything is closed...

thnks

[janjust]

can you pleeease be a bit more specific... on which machine are these ports open? on the client? on the VPN server?
on a windows client there are several protocols bound to the tap-win32 adapter - these protocols are then accessible via the VPN tunnel. Which version of OpenVPN are you using? Which client and server OS? what config files?

[dropje]

Are you doing a port scan on your public or private ip?

[Scorpion_69]

I am running windows 7
OPENVPN client latest version

no OPENVPN......I scan with https://www.grc.com/x/ne.dll?bh0bkyd2 my network it totally secure NO OPEN PORTS

I connect with OPENVPN and scan again at https://www.grc.com/x/ne.dll?bh0bkyd2 I show that all of the ports I listed are open.

Somehow with OPENVPN some &@#$% got 850mb of data off my network.

Please test exactly as I did and you will see the results.

Please let me know......

[janjust]

post your setup first - I'm still pretty sure this is a PEBKAC case

[Scorpion_69]

what setup are you referring to??

[Scorpion_69]

I am using OPENVPN and connecting to us2.giganews.com

[Scorpion_69]

sorry its us2.vpn.giganews.com

[janjust]

I'm referring to the openvpn client config file on your windows machine; and , check the bindings of the tap-win32 adapter

[Scorpion_69]

client
dev tun
proto udp
remote us2.vpn.giganews.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.vyprvpn.com.crt
tls-remote us2.vpn.giganews.com
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA


Tap binding is ok

[janjust]

and how does this provider route your traffic to the internet? what does http://www.whatismyip.com show? the IP address of the provider? in that case the open ports on the port scan can be open ports on the VPN provider server itself, NOT on your VPN client.
If you want to be sure, run wireshark on your VPN client , have it listen for tcp traffic port 445 and then rerun the port scan.

Also, how do you know 850 MB of data was transferred via your VPN?

[Scorpion_69]

I know the 850mb was transferred because I checked the udp in/out status and that what it showed....and OPENVPN was running at the time

I will check out the other stuff shortly

[Scorpion_69]

ok...without OPENVPN I get the IP address from my provider just fine........in the 99.xx.xxx.xxx range

When I run OPENVPN......I get a different address...in the 69.xx.xxx.xxx range

[janjust]

so the port scan is now done against the IP of the VPN provider ; it might very well be that the VPN provider's server/router/nat box has the ports you mentioned open.

which udp in/out status did you check? 'netstat -s' ?
openvpn sends periodic keepalive messages, which over a couple hours might generate some traffic but it shouldn't be 850 MB.

[Scorpion_69]

I agree with you......and sorry for only looking at OPENVPN as the issue...

I am thinking IT IS the VPN SERVER that has all the open ports.

I am sending the infor mation to the VPN service provider