OpenVPN unsafe on QNAP 219P+ ?

Don't miss a thing. Post your questions and discussion about other uncategorized NAS features here.
Post Reply
jpeeters19
New here
Posts: 5
Joined: Thu Jul 14, 2011 4:01 pm
Location: The Netherlands !

OpenVPN unsafe on QNAP 219P+ ?

Post by jpeeters19 » Tue May 21, 2013 6:47 pm

I read at this forum that Qnap uses an decade old library version of SSL and the Open VPN option is therefore not secure?
Does anyone know if there is an update for this problem :S

I use the latest firmware on my Qnap TS-219P+

User avatar
pwilson
Guru
Posts: 22568
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by pwilson » Tue May 21, 2013 6:52 pm

jpeeters19 wrote:I read at this forum that Qnap uses an decade old library version of SSL and the Open VPN option is therefore not secure?
Does anyone know if there is an update for this problem :S

I use the latest firmware on my Qnap TS-219P+


Still broken. Still insecure, and still 10 years old.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs

Please review: When you're asking a question, please include the following.

jpeeters19
New here
Posts: 5
Joined: Thu Jul 14, 2011 4:01 pm
Location: The Netherlands !

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by jpeeters19 » Tue May 21, 2013 7:05 pm

Hi Patrick,
Thanks, but how unsafe is this? Is it very easy for hackers to abuse this leak?

User avatar
pwilson
Guru
Posts: 22568
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by pwilson » Tue May 21, 2013 7:20 pm

jpeeters19 wrote:Hi Patrick,
Thanks, but how unsafe is this? Is it very easy for hackers to abuse this leak?


I use OpenVPN on my Router instead, as my Router permits Site-to-Site VPN's so I can access every device in my network, rather than just my NAS.

QNAP's OpenVPN implementation is only a point-to-point VPN, so it is hardly worth the effort anyway. Safety and ease of Hack are issues for others to determine. Implementing it on the Router instead avoids these questions, so I honestly have no answer for you. Once your privacy has been compromised, only you can determine how much damage was done.

A VPN should be implemented at the Router anyway IMHO, so I have never bothered to pursue this further. I continue to challenge QNAP to fix this issue, as the SSL libraries are also used for other purposes, especially HTTPS Web Services, and these are far more of a concern for me.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs

Please review: When you're asking a question, please include the following.

User avatar
schumaku
Guru
Posts: 43664
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by schumaku » Tue May 21, 2013 7:46 pm

Not easy at all...

I'd be more concerned about the replacement of the QNAP default certificate (and private key) used for the OpenVPN encryption by default.

jpeeters19
New here
Posts: 5
Joined: Thu Jul 14, 2011 4:01 pm
Location: The Netherlands !

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by jpeeters19 » Tue May 21, 2013 11:12 pm

hmmm ok,
my current router doesn't support vpn client access, so i think i have to wait for the qnap update :|

danimal1228
New here
Posts: 5
Joined: Fri May 10, 2013 5:04 am
Location: Kentucky

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by danimal1228 » Wed May 22, 2013 3:42 am

I was unaware that the qnap implementation of VPN was point to point only. I have been using a raspberry pi as VPN server for several months and it works great. Once you VPN into the RPI, you have access to the whole network. You can even allocate a subset of private IPs to be handed out to the incoming VPN connection. This way you specifically allow or deny access to different devices on your LAN by blocking or allowing those IPs on each device. For only $40 you get a lot of bang for your buck.

User avatar
schumaku
Guru
Posts: 43664
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by schumaku » Wed May 22, 2013 3:49 am

danimal1228 wrote:I was unaware that the qnap implementation of VPN was point to point only.
It's not - you can add a route to the complete LAN for example, too.
danimal1228 wrote:I have been using a raspberry pi as VPN server for several months and it works great. Once you VPN into the RPI, you have access to the whole network.
this is not a feature of the RPI - this is simply a different configuration, using a different design.
danimal1228 wrote:You can even allocate a subset of private IPs to be handed out to the incoming VPN connection.
Of course. QNAP votes against this, and towards a much easier implementation. And I'm kind of happy about it. Why?
-> It's not fun to deal with inexperienced NAS users out there and explain they have to free up an IP range for the OpenVPN. Oh, and another one for the PPTP VPN.
-> Unless you do a lot of filtering, you get a lot of TCP/IP traffic to the VPN, you don't need and want there.

User avatar
pwilson
Guru
Posts: 22568
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by pwilson » Wed May 22, 2013 3:54 am

danimal1228 wrote:I was unaware that the qnap implementation of VPN was point to point only. I have been using a raspberry pi as VPN server for several months and it works great. Once you VPN into the RPI, you have access to the whole network. You can even allocate a subset of private IPs to be handed out to the incoming VPN connection. This way you specifically allow or deny access to different devices on your LAN by blocking or allowing those IPs on each device. For only $40 you get a lot of bang for your buck.


While it is amusing that the Raspberry Pi can be so configured, I would never use one in this way, as the Raspberry Pi only supports 100 Mbps connections, which would be further degraded if both the incoming VPN connection, and the network connection use the same single 100Mbps Ethernet port provided on the Raspberry Pi. Perhaps I'm a performance freak, but all of my network infastructure is Gigabit (1000Mbps). Only my Printers, SIP adapters, Android Mini-PC's and Raspberry Pi are still using 100 Mbps connections.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs

Please review: When you're asking a question, please include the following.

User avatar
pwilson
Guru
Posts: 22568
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by pwilson » Wed May 22, 2013 4:35 am

danimal1228 wrote:I was unaware that the qnap implementation of VPN was point to point only.


schumaku wrote:It's not - you can add a route to the complete LAN for example, too.


Forgive me Kurt, but I can't let this one stand. The design of both of QNAP's VPN solutions is definitely "Point-to-Point" only. Yes, it is possible to "workaround" this restriction (in the same way that Raspberry Pi solution does it), but as you frequently remind us, QNAP NAS appliances are not Routers, and they lack the necessary "hardening" to make using them as such practical or secure without some pretty thorough understanding of TCP/IP and Security issues.

danimal1228 wrote:I have been using a raspberry pi as VPN server for several months and it works great. Once you VPN into the RPI, you have access to the whole network.


schumaku wrote: this is not a feature of the RPI - this is simply a different configuration, using a different design.


You have him on this poiint, except that it would require the same "different configuration" on the QNAP NAS to accomplish the same functionality, so such an observation is hardly fair.

danimal1228 wrote:You can even allocate a subset of private IPs to be handed out to the incoming VPN connection.


schumaku wrote:Of course. QNAP votes against this, and towards a much easier implementation. And I'm kind of happy about it. Why?
-> It's not fun to deal with inexperienced NAS users out there and explain they have to free up an IP range for the OpenVPN. Oh, and another one for the PPTP VPN.
-> Unless you do a lot of filtering, you get a lot of TCP/IP traffic to the VPN, you don't need and want there.


I'm with you 100% on these two observations. While I do regularly point out that both of VPN solutions are only "Point-to-Point", I have no issue with this for very much these reasons. Supporting a "Site-to-Site" VPN would be a Support nightmare.

I criticize QNAP regularly for their decade old OpenSSL implementation, and I will continue to do so going forward until they finally fix it, but I, like you, hope that QNAP does not cave into pressure from the QNAP NAS Community to implement proper "Site-to-Site" VPN solutions. Geeks, (such as both you and I) will always be able to do "Site-to-Site" VPN's at the network perimeter, (ie in the Router) where it belongs, so there is no need to make it too complicated at the NAS.

I would stop criticizing QNAP about their OpenVPN implementation iff they would simply fix the OpenSSL issue.

If I had my way. QNAP would continue to offer only a "Point-to-Point" OpenVPN implementation, and would "strip" the PPTP VPN solution completely out of the Firmware. Microsoft is doing nothing to fix their end, so supporting it, is simply giving consumers a false sense of security. If QNAP finds enthusiasm for updating their VPN solutions I hope they will drop PPTP completely, and implement L2TP/IPsec instead. (PPTP/MS-CHAP v2 security is trivial to break, and requires no programming skills whatsoever - see: https://www.cloudcracker.com/).

Note: To those individuals who feel it is irresponsible of me to provide this last URL, I would point out that Hackers are already more than aware of this site, so my publishing it here, is simply to help make potential victims aware of it. Please don't abuse me for publishing it.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs

Please review: When you're asking a question, please include the following.

User avatar
schumaku
Guru
Posts: 43664
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: OpenVPN unsafe on QNAP 219P+ ?

Post by schumaku » Wed May 22, 2013 5:49 pm

The truth is somewhere in the middle ... but I know we both agree. Primary aim was obviously simplicity, and point-to-point. If it's really pure point-to-point ... why bother about the selection of a LAN network interface there :?:

Now looking into the NAS (so-called advanced) VPN configuration unveils a (in my opinion) careless and poor done job.

On one hand, both VPN sub-networks (OpenVPN and PPTP) are really many-to-one NATed to the selected network interface. Beyond, we have the option to specify a DNS server: This DNS must be obviously in the reach of the route deployed to the VPN client ... and in general all they see is the Internet and the point-to-point VPN sub-net :shock:

On the other hand, we have the M-1 NAT in place, and know the LAN sub-network. Combining all this, I can't understand, why QNAP has not added a tick option to add a route for the LAN into the VPN optionally. (Yes, recent Android PPTP VPN clients [leaving pros and cons of PPTP now] have a client-side add-route option) This would allow now to use a DNS on the LAN, making these manual DNS for the VPN setting somewhat more useful. At least as long as we don't have DNS on the NAS by default.

Neither fish nor bird :ashamed:

Post Reply

Return to “Miscellaneous”