OpenVPN unsafe on QNAP 219P+ ?

Post by jpeeters19 »

I read at this forum that QNAP uses a decade-old library version of SSL and the OpenVPN option is therefore not secure?
Does anyone know if there is an update for this problem :S

I use the latest firmware on my QNAP TS-219P+

Post by pwilson »

jpeeters19 wrote:
> I read at this forum that QNAP uses a decade-old library version of SSL and the OpenVPN option is therefore not secure?
> Does anyone know if there is an update for this problem :S
>
> I use the latest firmware on my QNAP TS-219P+

Still broken. Still insecure, and still 10 years old.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)

Post by jpeeters19 »

Hi Patrick,
Thanks, but how unsafe is this? Is it very easy for hackers to abuse this leak?

Post by pwilson »

jpeeters19 wrote:
> Hi Patrick,
> Thanks, but how unsafe is this? Is it very easy for hackers to abuse this leak?

I use OpenVPN on my Router instead, as my Router permits Site-to-Site VPNs so I can access every device in my network, rather than just my NAS.

QNAP's OpenVPN implementation is only a point-to-point VPN, so it is hardly worth the effort anyway. Safety and ease of Hack are issues for others to determine. Implementing it on the Router instead avoids these questions, so I honestly have no answer for you. Once your privacy has been compromised, only you can determine how much damage was done.

A VPN should be implemented at the Router anyway IMHO, so I have never bothered to pursue this further. I continue to challenge QNAP to fix this issue, as the SSL libraries are also used for other purposes, especially HTTPS Web Services, and these are far more of a concern for me.


Post by schumaku »

Not easy at all...

I'd be more concerned about the replacement of the QNAP default certificate (and private key) used for the OpenVPN encryption by default.

Post by jpeeters19 »

Hmmm ok,
my current router doesn't support VPN client access, so I think I have to wait for the QNAP update :|

Post by danimal1228 »

I was unaware that the QNAP implementation of VPN was point to point only. I have been using a Raspberry Pi as VPN server for several months and it works great. Once you VPN into the RPI, you have access to the whole network. You can even allocate a subset of private IPs to be handed out to the incoming VPN connection. This way you specifically allow or deny access to different devices on your LAN by blocking or allowing those IPs on each device. For only $40 you get a lot of bang for your buck.

Post by schumaku »

danimal1228 wrote:
> I was unaware that the QNAP implementation of VPN was point to point only.

It's not - you can add a route to the complete LAN for example, too.

danimal1228 wrote:
> I have been using a Raspberry Pi as VPN server for several months and it works great. Once you VPN into the RPI, you have access to the whole network.

This is not a feature of the RPI - this is simply a different configuration, using a different design.

danimal1228 wrote:
> You can even allocate a subset of private IPs to be handed out to the incoming VPN connection.

Of course. QNAP votes against this, and towards a much easier implementation. And I'm kind of happy about it. Why?
-> It's not fun to deal with inexperienced NAS users out there and explain they have to free up an IP range for the OpenVPN. Oh, and another one for the PPTP VPN.
-> Unless you do a lot of filtering, you get a lot of TCP/IP traffic to the VPN, you don't need and want there.

Post by pwilson »

danimal1228 wrote:
> I was unaware that the QNAP implementation of VPN was point to point only. I have been using a Raspberry Pi as VPN server for several months and it works great. Once you VPN into the RPI, you have access to the whole network. You can even allocate a subset of private IPs to be handed out to the incoming VPN connection. This way you specifically allow or deny access to different devices on your LAN by blocking or allowing those IPs on each device. For only $40 you get a lot of bang for your buck.

While it is amusing that the Raspberry Pi can be so configured, I would never use one in this way, as the Raspberry Pi only supports 100 Mbps connections, which would be further degraded if both the incoming VPN connection, and the network connection use the same single 100 Mbps Ethernet port provided on the Raspberry Pi. Perhaps I'm a performance freak, but all of my network infrastructure is Gigabit (1000 Mbps). Only my Printers, SIP adapters, Android Mini-PCs and Raspberry Pi are still using 100 Mbps connections.


Post by pwilson »

danimal1228 wrote:
> I was unaware that the QNAP implementation of VPN was point to point only.

schumaku wrote:
> It's not - you can add a route to the complete LAN for example, too.

Forgive me Kurt, but I can't let this one stand. The design of both of QNAP's VPN solutions is definitely "Point-to-Point" only. Yes, it is possible to "workaround" this restriction (in the same way that Raspberry Pi solution does it), but as you frequently remind us, QNAP NAS appliances are not Routers, and they lack the necessary "hardening" to make using them as such practical or secure without some pretty thorough understanding of TCP/IP and Security issues.

danimal1228 wrote:
> I have been using a Raspberry Pi as VPN server for several months and it works great. Once you VPN into the RPI, you have access to the whole network.

schumaku wrote:
> This is not a feature of the RPI - this is simply a different configuration, using a different design.

You have him on this point, except that it would require the same "different configuration" on the QNAP NAS to accomplish the same functionality, so such an observation is hardly fair.

danimal1228 wrote:
> You can even allocate a subset of private IPs to be handed out to the incoming VPN connection.

schumaku wrote:
> Of course. QNAP votes against this, and towards a much easier implementation. And I'm kind of happy about it. Why?
> -> It's not fun to deal with inexperienced NAS users out there and explain they have to free up an IP range for the OpenVPN. Oh, and another one for the PPTP VPN.
> -> Unless you do a lot of filtering, you get a lot of TCP/IP traffic to the VPN, you don't need and want there.

I'm with you 100% on these two observations. While I do regularly point out that both of the VPN solutions are only "Point-to-Point", I have no issue with this for very much these reasons. Supporting a "Site-to-Site" VPN would be a Support nightmare.

I criticize QNAP regularly for their decade-old OpenSSL implementation, and I will continue to do so going forward until they finally fix it, but I, like you, hope that QNAP does not cave in to pressure from the QNAP NAS Community to implement proper "Site-to-Site" VPN solutions. Geeks (such as both you and I) will always be able to do "Site-to-Site" VPNs at the network perimeter (i.e. in the Router) where it belongs, so there is no need to make it too complicated at the NAS.

I would stop criticizing QNAP about their OpenVPN implementation iff they would simply fix the OpenSSL issue.

If I had my way, QNAP would continue to offer only a "Point-to-Point" OpenVPN implementation, and would "strip" the PPTP VPN solution completely out of the Firmware. Microsoft is doing nothing to fix their end, so supporting it is simply giving consumers a false sense of security. If QNAP finds enthusiasm for updating their VPN solutions I hope they will drop PPTP completely, and implement L2TP/IPsec instead. (PPTP/MS-CHAP v2 security is trivial to break, and requires no programming skills whatsoever - see: https://www.cloudcracker.com/).

Note: To those individuals who feel it is irresponsible of me to provide this last URL, I would point out that Hackers are already more than aware of this site, so my publishing it here, is simply to help make potential victims aware of it. Please don't abuse me for publishing it.


Post by schumaku »

The truth is somewhere in the middle ... but I know we both agree. Primary aim was obviously simplicity, and point-to-point. If it's really pure point-to-point ... why bother about the selection of a LAN network interface there :?:

Now looking into the NAS (so-called advanced) VPN configuration unveils a (in my opinion) careless and poorly done job.

On one hand, both VPN sub-networks (OpenVPN and PPTP) are really many-to-one NATed to the selected network interface. Beyond, we have the option to specify a DNS server: This DNS must be obviously in the reach of the route deployed to the VPN client ... and in general all they see is the Internet and the point-to-point VPN sub-net :shock:

On the other hand, we have the M-1 NAT in place, and know the LAN sub-network. Combining all this, I can't understand, why QNAP has not added a tick option to add a route for the LAN into the VPN optionally. (Yes, recent Android PPTP VPN clients [leaving pros and cons of PPTP now] have a client-side add-route option) This would allow now to use a DNS on the LAN, making these manual DNS for the VPN setting somewhat more useful. At least as long as we don't have DNS on the NAS by default.

Neither fish nor bird :ashamed:
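
Added example, not part of the original posts and not QNAP's own code: a Python check of the point made in the post above, that a DNS server handed to VPN clients must lie inside a network the client is actually routed to. The config text and addresses are constructed; only the standard OpenVPN directives `server`, `push "route ..."`, `push "dhcp-option DNS ..."` and `push "redirect-gateway ..."` are parsed, and addresses are assumed to be dotted IPv4 literals.

```python
import ipaddress
import shlex

# Constructed sample config; the addresses are assumptions, not QNAP's file.
SAMPLE_CONF = '''
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.1.1"   # DNS on the LAN, but no LAN route pushed
push "dhcp-option DNS 8.8.8.8"
'''

def parse(conf_text):
    """Return (networks routed into the tunnel, pushed DNS, redirect flag)."""
    nets, dns, redirect = [], [], False
    for line in conf_text.splitlines():
        tok = shlex.split(line, comments=True)  # drops trailing '#' comments
        if not tok:
            continue
        if tok[0] == "server" and len(tok) >= 3:
            # The VPN subnet itself is always reachable by the client.
            nets.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "push" and len(tok) == 2 and tok[1].split():
            arg = tok[1].split()
            if arg[0] == "route" and len(arg) >= 2:
                # OpenVPN treats a route without a netmask as a host route.
                mask = arg[2] if len(arg) > 2 else "255.255.255.255"
                nets.append(ipaddress.ip_network(f"{arg[1]}/{mask}", strict=False))
            elif arg[:2] == ["dhcp-option", "DNS"] and len(arg) == 3:
                dns.append(ipaddress.ip_address(arg[2]))
            elif arg[0] == "redirect-gateway":
                redirect = True
    return nets, dns, redirect

def unreachable_dns(conf_text):
    """Pushed DNS servers on private addresses that no pushed route covers."""
    nets, dns, redirect = parse(conf_text)
    if redirect:  # every client packet enters the tunnel, so nothing to flag
        return []
    # A public resolver is reached over the client's own Internet link;
    # a private one needs the VPN subnet or an explicit pushed route.
    return [str(d) for d in dns
            if d.is_private and not any(d in n for n in nets)]

if __name__ == "__main__":
    print(unreachable_dns(SAMPLE_CONF))
```

Appending `push "route 192.168.1.0 255.255.255.0"` to the sample clears the finding, which is the optional LAN route the post asks for.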