
TOPIC: Massive security issue: certain VPN providers on OE

Massive security issue: certain VPN providers on OE 1 year 1 month ago #1

  • c3po
Hi there,
like many others I am using a VPN connection for streaming content which is blocked in my country. My provider is PureVPN and I'm using OpenVPN on OpenELEC and LibreELEC to get a Swiss IP for my Raspberry Pi2 / Odroid C2.


Before I start the long text: I'd like to see some user posts here, where VPN users test their configuration and post it here for collecting whether the VPN provider is secure or not:

  • Name your VPN Provider: Name
  • ping external VPN IP: successful/unsuccessful
  • Access to Kodi Webserver in browser: IP:8080: successful/unsuccessful
  • Putty/SSH to IP:22: successful!/unsuccessful
  • Result: Absolutely dangerous/secure



I discovered some days ago that PureVPN (and probably many other VPN services) assigns an external IP to my device whenever I connect to one of their servers. The shocking point here is:
Knowing this IP, everybody is able to access your OpenELEC/LibreELEC system, bypassing the router's firewall as well as all the closed ports. This is an unbelievably massive security issue!

Obviously a VPN tunnel's working principle is that you connect two devices through a tunnel. If doing so privately for connecting the home network to the workplace network, then you know the other side and probably have control of the server at the other end; also there might be a software firewall which does its part for security. But in the case of OpenELEC/LibreELEC there are no firewall rules defined in iptables for security. OE/LE is meant to be used in a LAN, so there is actually no need for such a firewall. BUT as soon as you set up an OpenVPN connection (also with the great VPN Manager for OpenVPN addon) your OE/LE system is exposed completely to the internet. So when you surf around with this VPN connection or when you begin watching a stream, then your IP will be logged on all those websites or on the servers of the content (stream) provider and they can easily access your OE/LE machine completely.
Some VPN providers block connections in your direction (but allow requested transfers of course) or they share the IP between many users, so there might be no concern on your system. But my provider PureVPN grants full access to all ports in my (your) direction whenever the connection is established.

I opened a discussion in the German kodinerds.net forum about this issue and there are some others who confirmed this behaviour even on Windows machines, as there the tunnel even bypasses the software firewall completely. This is terrible...

I'd like the users here to test their config for the following things that I discovered:
  1. After connecting to your VPN, please find out your assigned IP, e.g.:
    curl ifconfig.co
    Let's say you get this IP: 136.0.5.197
  2. Assuming you have the Kodi Webserver activated and running on port 8080 for Yatse: if I simply type 136.0.5.197:8080 into my web browser from an arbitrary computer, I see the Kodi Webserver directly... Okay... at first I'd set a password for it, so one couldn't directly access it, but the password is not set by default unfortunately. And I doubt that this user/pass prompt would withstand an attack.
  3. But the worst is: the SSH port is also accessible via 136.0.5.197:22, and as the LibreELEC/OpenELEC user root with password openelec is hardcoded, this is the worst security thing ever. Thank God SSH is usually deactivated, but I kept it activated before I knew that this VPN tunnel opened a direct way to it. Now I will make a key file without password.
  4. This way everybody could also access your Samba shares and simply everything that is connected to your local network. Even if the router's firewall secures everything, the VPN tunnels from some of those VPN services are really dangerous. Anybody on the other side simply needs to guess or to read the IP and then they can get directly into your network no matter what router security configuration you have.
  5. As this is a VPN tunnel IP, it passes through my WAN router and also bypasses all its closed ports.

Obviously experienced users might have already known this and didn't even consider using a VPN because of this risk, but I have seen for two years now that almost everybody I know started using VPNs to get around geoblocking and nobody knew about checking this. Even now I cannot find anything about this issue if I google around.
So the situation is that even if you are concerned about security and did inform yourself about VPN security issues, you would likely not stumble upon this, and now I think the right keywords for finding information about this might be "NAT Firewall VPN". But I'm not sure about it.

Fortunately the user zomboided, the developer of the awesome addon VPN Manager for OpenVPN, is not affected. So his VPN provider seems to have a secure configuration. So we can be sure that not everybody is affected by this. But I assume that there might still be hundreds or thousands who are affected.

Just bear in mind: if you are affected, then your entire network can be accessed... it is not just your OpenELEC machine... this breach opens the door to your entire network. In my case this might be the explanation why two weeks ago thousands of files were suddenly infected by a 10 year old trojan on my external hard drive that is solely connected to my OE machine. This is serious... :/


My first solution after quickly using Google is to set up these iptables rules in autostart.sh (and chmod +x autostart.sh):
  • (Attention: 192.168.178.0/24 is for my network, you'll have to adjust these lines, otherwise you'll lock yourself out)
  • (these restrict the OE machine to the LAN, but IPTV streaming will still work):

#!/bin/sh
# autostart.sh: restrict inbound access to the LAN; the script must be executable (chmod +x)

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections (replies to streams, VPN traffic etc.)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
iptables -A OUTPUT -j ACCEPT

# Allows LOCAL SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
iptables -A INPUT -p tcp --dport 22 -s 192.168.178.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

# Allow Kodi Webserver access through port 8080 from local network for Yatse Remote App
iptables -A INPUT -p tcp --dport 8080 -s 192.168.178.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Yatse EventServer (Cursor controls): https://yatse.tv/redmine/projects/yatse/knowledgebase/articles/26
# UDP 9777
iptables -A INPUT -s 192.168.178.0/24 -m state --state NEW -p udp --dport 9777 -j ACCEPT

# Allow Samba shares
iptables -A INPUT -s 192.168.178.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.178.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.178.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.178.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

# Note: only ports 22 and 8080 get an explicit DROP; there is no catch-all rule and the
# INPUT policy stays ACCEPT, so any other listening service (e.g. NFS) remains reachable.


After reboot I cannot connect to SSH and to the Webserver through the external IP anymore (but local computers can):
ping 136.0.5.197 --> time out
136.0.5.197:22 --> time out
136.0.5.197:8080 --> time out

But in the LAN, SMB, Yatse and VPN as well as IPTV are working flawlessly. I think one could realize it with fewer rules and probably a bit more efficiently. I'm also not sure whether NFS shares are affected now, as I don't have any. But for a start this helps.



My report:
  • Name your VPN Provider: PureVPN
  • ping external VPN IP: successful
  • Access to Kodi Webserver in browser: IP:8080: successful
  • Putty/SSH to IP:22: Successful!
  • Result: Absolutely dangerous
Last Edit: 1 year 1 month ago by c3po.
The administrator has disabled public write access.
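
The self-test c3po asks for above (look up the IP the tunnel gave you, then try the Kodi web server and SSH ports through that IP from a machine outside your LAN), as an added example that is not part of the original post and not OpenELEC/LibreELEC or PureVPN code. It is a small Python 3 script that automates the check against your own box and prints the result in the report format the opening post proposes. Assumptions: ifconfig.co returns the address as plain text when the User-Agent looks like curl (which is what `curl ifconfig.co` relies on); the port table is a hypothetical default mirroring the ports named in the thread; a port counts as "successful" only if a full TCP handshake completes, so refused and silently filtered ports are both reported as unsuccessful.

```python
"""Exposure self-check for a device whose VPN provider hands it a routable IP.

Added example for this thread (not OpenELEC/LibreELEC or PureVPN code). It
automates the manual check from the opening post: look up the tunnel's public
IP, then try to reach the box's own services through that IP from a machine
outside the LAN. The port list and the verdict wording follow the thread.
"""
import socket
import urllib.request

# Hypothetical default: TCP services the thread names on an OE/LE box.
# Samba's UDP ports 137/138 are not probed because UDP gives no handshake to observe.
DEFAULT_PORTS = {
    22: "SSH",
    8080: "Kodi web server",
    139: "Samba (NetBIOS session)",
    445: "Samba (SMB)",
}


def public_ip(url="https://ifconfig.co", timeout=5.0):
    """Equivalent of `curl ifconfig.co`: the site answers in plain text for a curl-like UA."""
    req = urllib.request.Request(url, headers={"User-Agent": "curl/7.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace").strip()


def tcp_port_open(host, port, timeout=3.0):
    """True only if a full TCP handshake completes; refused or filtered both count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes socket.timeout and ECONNREFUSED
        return False


def exposure_report(host, ports=DEFAULT_PORTS, probe=tcp_port_open):
    """Probe every port on host; `probe` is injectable so the logic can be tested offline."""
    return {port: probe(host, port) for port in ports}


def verdict(report):
    """Thread's scale: one reachable service is enough for 'Absolutely dangerous'."""
    return "Absolutely dangerous" if any(report.values()) else "secure"


def format_report(provider, host, report, ports=DEFAULT_PORTS):
    """Render the result in the format the opening post asks users to post."""
    lines = [f"Name your VPN Provider: {provider}", f"External VPN IP: {host}"]
    for port, desc in ports.items():
        state = "successful" if report.get(port) else "unsuccessful"
        lines.append(f"{desc} {host}:{port}: {state}")
    lines.append(f"Result: {verdict(report)}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python3 vpn_exposure_check.py <provider-name> [<tunnel-ip>]
    # Run it from a host outside your LAN against the IP the VPN gave your own device;
    # without a second argument it looks the address up the same way `curl ifconfig.co` does.
    provider = sys.argv[1] if len(sys.argv) > 1 else "unknown"
    target = sys.argv[2] if len(sys.argv) > 2 else public_ip()
    print(format_report(provider, target, exposure_report(target)))
```

Run the script from a computer that is not on your LAN (a phone on mobile data, for example), so that the connection really travels through the provider's network to the tunnel address; run from the box itself, a probe to its own IP would be answered locally and prove nothing. A "secure" verdict only means those TCP ports did not complete a handshake at that moment; it says nothing about the provider's configuration staying that way, which is exactly what the later posts in this thread report.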

Massive security issue: certain VPN providers on OE 1 year 1 month ago #2

  • seo
"shocking" :)

Massive security issue: certain VPN providers on OE 1 year 1 month ago #3

  • c3po
seo wrote:
"shocking" :)
For me it was shocking indeed. But since I contacted PureVPN support yesterday and complained about this ruthless configuration on their servers side, they changed it now.

My updated report:
I think they secretly added a paid firewall addon for some time to my account for free to calm me down, that is why it might be safe now:

Name your VPN Provider: PureVPN
ping external VPN IP: successful
Access to Kodi Webserver in browser: IP:8080: unsuccessful
Putty/SSH to IP:22: unsuccessful
Result: apparently okay (but for how long, looking at the firewall addon that appeared in my PureVPN account invoice listing)

I hope everybody who uses VPN for geo unblocking and IPTV streaming etc. checks his VPN connection for these holes.
Last Edit: 1 year 1 month ago by c3po.

Massive security issue: certain VPN providers on OE 1 year 1 month ago #4

  • seo
if you access public resources via (yea, virtual, private, network...) vpn that assigns you a public, globally accessible ip address, that's to be expected.

Massive security issue: certain VPN providers on OE 1 year 1 month ago #5

  • c3po
Actually I didn't know they assigned me a publicly accessible IP. I assumed all those providers assign shared IPs that would not point to specific machines.

But speaking for general VPN purposes you are right. But here it is about VPN services whose purpose is to unblock geo restrictions and so on, services which advertise themselves with privacy and security:



Also there is nowhere mentioned that inbound connections are to be expected. Of course that is the way a VPN works, I understand this. But as these VPN services are becoming mainstream and targeting thousands of netflix, IPTV users etc. a lot of non computer administrator pros are signing up for this and (at least speaking for me) don't expect to expose their entire network, if the main purpose is to simply unblock geo restrictions. I opened this post because I'm sure not everybody is aware of this risk coming from big players on the VPN service providers.

Of course I know to use VPNs for connecting to my home network from my laptop if I'm on vacation or so. But there I open a tunnel from my laptop to my router at home. Here it is a totally different use case and therefore I cannot understand how some of those providers open everything in the user's direction.
Last Edit: 1 year 1 month ago by c3po.

Massive security issue: certain VPN providers on OE 1 year 1 month ago #6

  • seo
the coin has (at least) two sides. if a vpn provider is doing stateful firewall for "my own security" without asking me or making it optional, I'd soon tell em "fsck off"

Massive security issue: certain VPN providers on OE 1 year 1 month ago #7

  • c3po
seo wrote:
the coin has (at least) two sides. if a vpn provider is doing stateful firewall for "my own security" without asking me or making it optional, I'd soon tell em "fsck off"
don't you think it would be suitable that they activate a rudimentary blocking in my direction if they advertise their service with privacy and security? They could simply make an off switch into their account website for this. Requested data will come into my direction anyway, that is nothing a firewall would block (and should not)

Otherwise I'd like to know which privacy and security you see if there is no firewall? I mean... I don't know how you would use a VPN provider without a firewall, but you aren't at the other end anyway, so why would you complain about a firewall that secures your computer? It is not you sitting at both ends, you are sitting only at one end. Do you understand what I mean? I do not see any use case where securing your computer via a firewall would be inappropriate if connecting to foreign VPN servers for streaming purposes or geo unblocking. But perhaps I simply don't know what you have in mind.
Last Edit: 1 year 1 month ago by c3po.

Massive security issue: certain VPN providers on OE 1 year 1 month ago #8

  • seo
my computer's security is my job. not my provider's job. as a user, I don't want my service provider(s) to do any filtering without letting me know they are doing so. as an internet service provider (my day job for a living, I work for more than one, actually) it is absolutely not acceptable to filter a client's traffic in any way, and I don't do it.

idk what those vpn providers offer, I am not in the vpn business. from what I see, purevpn offers "just a regular vpn service". I don't see anything mentioning "geo unblock" on their front page. privacy and security means they support mppe or whatever to encrypt the traffic so nobody in the middle can sniff/decrypt it.

they offer privacy as your own ip address is hidden. they offer security as communication is encrypted. protecting your own computer to be accessed from outside is a completely different story

however, by using such a vpn provider to unblock geo blocked content you are most likely violating your content provider's ToS

if you ask me, geo blocking should die rather sooner than later. of course that won't happen if you, the users, are happy paying 3rd parties to "unblock" the content, instead of just cancelling your subscription.

Massive security issue: certain VPN providers on OE 1 year 1 month ago #9

  • c3po
are you seriously saying that geo blocking is there because there are users willing to pay for vpn and smartdns servers? Nothing heard about netflix vs content industry licensing or amazon prime instant video licensing for specific countries?

this is rather off topic I'd say. This thread is targeting the bunch of users who use VPNs on OpenELEC/LibreELEC for the mentioned reasons. It is not for discussions about VPN good/bad/not suited/I would not do it.

EDIT
to make the sense of this thread clearer for you: openelec.tv/forum/unofficial-openelec-addons/79666-vpn-manager-for-openvpn?limitstart=0 (soon 700 posts in just a few months)
There are a lot of users who use this kind of VPN connection. And some of those providers do have this non-existent protection issue. I simply want to point everybody to it, so they can set up OpenELEC's iptables.
Last Edit: 1 year 1 month ago by c3po.
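
For readers who take c3po's closing advice and set up OpenELEC's iptables, here is an added example that is not c3po's script and not OpenELEC/LibreELEC code: a Python 3 generator that emits an autostart.sh with the same LAN-only allow-list as the opening post, but with two changes a practitioner would want. The INPUT policy is set to DROP after the allow rules, so services that are not listed (NFS, other add-on ports) are also unreachable through the tunnel instead of only ports 22 and 8080, and the LAN range is given once and validated with `ipaddress.ip_network(..., strict=True)`, so a typo such as a host address with host bits set fails loudly instead of producing a script that locks you out. The service table is a hypothetical default that mirrors the ports named in the thread; the `-m state --state` syntax is kept because that is what the opening post verified works on OE.

```python
"""Generate a default-deny iptables script for autostart.sh on OpenELEC/LibreELEC.

Added example for this thread, not c3po's script and not OpenELEC/LibreELEC code.
It builds the same LAN-only allow-list as the opening post but sets the INPUT
policy to DROP, so services that are not listed (NFS, other add-on ports) are
also unreachable through a VPN tunnel, and it takes the LAN range once instead
of repeating it on every line. LAN_SERVICES is a hypothetical default that
mirrors the ports named in the thread.
"""
import ipaddress

# (protocol, port) pairs per service; add or remove entries to match your box.
LAN_SERVICES = {
    "SSH": [("tcp", 22)],
    "Kodi web server (Yatse)": [("tcp", 8080)],
    "Yatse EventServer": [("udp", 9777)],
    "Samba": [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)],
}


def build_ruleset(lan_cidr, services=LAN_SERVICES, allow_ping=True, default_deny=True):
    """Return the lines of a shell script that installs the rules.

    lan_cidr must be a network address such as 192.168.178.0/24. A host address
    with host bits set (192.168.178.1/24) raises ValueError, which is the kind
    of typo that would otherwise lock you out of the box.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    rules = [
        "#!/bin/sh",
        f"# LAN-only firewall for {lan}; everything not listed below is dropped on INPUT",
        "iptables -F INPUT",
        "iptables -F OUTPUT",
        # Loopback is always allowed; 127/8 arriving on any other interface is rejected.
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT",
        # Replies to connections the box opened itself (streams, the VPN tunnel).
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -j ACCEPT",
    ]
    if allow_ping:
        rules.append("iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT")
    for name, endpoints in services.items():
        rules.append(f"# {name}")
        for proto, port in endpoints:
            rules.append(
                f"iptables -A INPUT -s {lan} -p {proto} --dport {port} "
                f"-m state --state NEW -j ACCEPT"
            )
    # The policy goes last so the allow rules are in place before the default changes.
    rules.append("iptables -P INPUT DROP" if default_deny else "iptables -P INPUT ACCEPT")
    return rules


def render_script(lan_cidr, **kwargs):
    """Script text ready to be saved as autostart.sh (remember chmod +x)."""
    return "\n".join(build_ruleset(lan_cidr, **kwargs)) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: python3 gen_firewall.py 192.168.178.0/24 > autostart.sh
    print(render_script(sys.argv[1] if len(sys.argv) > 1 else "192.168.178.0/24"), end="")
```

Passing `default_deny=False` reproduces the weaker behaviour of the opening post's script (only listed services are explicitly handled, everything else stays reachable), which is useful for comparing the two rule sets side by side before committing to the DROP policy. Because the allow rule for SSH is installed before the policy changes, a LAN session survives the switch; check from a second LAN machine that SSH and Yatse still work before rebooting.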

Massive security issue: certain VPN providers on OE 1 year 1 month ago #10

  • c3po
c3po wrote:

My updated report:
I think they secretly added a paid firewall addon for some time to my account for free to calm me down, that is why it might be safe now:

Name your VPN Provider: PureVPN
ping external VPN IP: successful
Access to Kodi Webserver in browser: IP:8080: unsuccessful
Putty/SSH to IP:22: unsuccessful
Result: apparently okay (but for how long, looking at the firewall addon that appeared in my PureVPN account invoice listing)

And my fear was correct. They simply tricked me with some setting. Tested it now again and saw that everything is open again. Without manually set iptables rules my local network would've been completely exposed again.
My report:
  • Name your VPN Provider: PureVPN
  • ping external VPN IP: successful
  • Access to Kodi Webserver in browser: IP:8080: successful
  • Putty/SSH to IP:22: Successful!
  • Result: Absolutely dangerous
Last Edit: 1 year 1 month ago by c3po.