
MITM attack (man in the middle) between VPN Azure and my VPN server #1765

Closed
heygo1345678 opened this issue Feb 3, 2023 · 2 comments

@heygo1345678

I read issue #1094.
Actually, I do care about opening the source code of VPN Azure; I care about how it works to avoid a MITM attack.
When I use the SoftEther VPN client on Windows to connect to VPN Azure, and Azure then relays to my real VPN server, I checked the option "always verify server certificates", and I got a certificate warning saying Let's Encrypt R3 is unknown,
so I visited https://letsencrypt.org/zh-cn/certificates/
and found the certificate:
Let’s Encrypt R3 (RSA 2048, O = Let's Encrypt, CN = R3)
I downloaded the file
https://letsencrypt.org/certs/lets-encrypt-r3.pem
and added it to "manage trusted CA certificate list";
then I connected to VPN Azure without a warning.
I am happy to think that I avoided the MITM attack.
But how does it work between the Azure relay and my real VPN server?
May I know whether that communication verifies certificates to avoid a MITM attack?

@heygo1345678 heygo1345678 changed the title MITM attack(mitm) between vpn Azure and my vpn server MITM attack( man in the middle ) between vpn Azure and my vpn server Feb 3, 2023
qupfer commented Feb 3, 2023

Yes, as long as the verification code works correctly, this avoids MITM attacks.

Your client connects to the (unverified) server. Now it asks for "proof" that the server is the REAL server.
The real server can prove it with its private key (Google keyword: RSA). Your client can verify this proof by knowing the expected server certificate (import the public server certificate into your client) or with the help of a trusted 3rd party (like Let's Encrypt).
During the "proof", server and client also agree on a session key. This key is used to encrypt the traffic between them.

In the end, you have an encrypted channel to the server, and the validated certificate proves that it's the real server and not a fake one. And because the channel is encrypted, VPN Azure can't manipulate it. But of course, it can stop relaying.

@domosekai (Contributor)

You seem to be mixing up a few things.

  • Securing SoftEther Server - Azure Server connection
    SoftEther server knows the Azure server's signature before attempting the connection. The signature is provided by the DDNS service.

  • Securing SoftEther Client - Azure Server connection
    You can, as you have done, add the Azure server's CA to the trust list. But the CA is subject to change (it has changed recently).
    A preferable approach is to enable Use System Trust Store when you enable Server Verification. The feature is only available in the Developer Edition (i.e. this repo). It's not available in version 4.x.

  • Open Source debate on VPN Azure
    VPN Azure is a MITM in its own right. It needs to handle two TLS connections back to back, with the client and the server respectively. So it has to be MITM.
    If you have concerns about this, there is a PR, Support adding custom VPN Azure service #1739, that supports adding your own service. It's highly experimental though.
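
The two points above (qupfer's: the client verifies the server's proof against a trusted CA; domosekai's: a pinned CA such as R3 is subject to change, so a root in the system trust store is preferable) can be shown with a throwaway PKI. This is an added example, not code from SoftEther or from anyone in this thread; "R3" stands in for the Let's Encrypt intermediate the reporter pinned, and "R4", "Example Root" and vpn.example.test are constructed names.

```shell
#!/bin/sh
# Added example, not SoftEther's or the thread's code: a throwaway PKI built with
# openssl to show why pinning a single intermediate breaks when the CA rotates.
# "R3" stands in for the Let's Encrypt intermediate the reporter pinned; "R4",
# "Example Root" and vpn.example.test are constructed names.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark a certificate as a CA (used for root and intermediates).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# Self-signed root: the kind of anchor a system trust store holds.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext 2>/dev/null

# issue_cert NAME SUBJECT ISSUER [EXTFILE]: key + certificate signed by ISSUER.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  ext=""; [ -n "$4" ] && ext="-extfile $4"
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -out "$1.pem" -days 30 $ext 2>/dev/null
}

issue_cert r3   "/CN=R3"               root ca.ext   # intermediate the client pinned
issue_cert vpn  "/CN=vpn.example.test" r3            # server cert issued by R3
issue_cert r4   "/CN=R4"               root ca.ext   # rotated intermediate
issue_cert vpn2 "/CN=vpn.example.test" r4            # same server, re-issued by R4

# verify_chain ANCHOR INTERMEDIATE LEAF: prints "ok" if LEAF chains to ANCHOR.
# -partial_chain lets a non-root anchor count, like an entry in a pinned
# "trusted CA certificate list" rather than a full system trust store.
verify_chain() {
  if openssl verify -partial_chain -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

echo "pinned R3, cert from R3:    $(verify_chain r3.pem r3.pem vpn.pem)"     # ok
echo "pinned R3, cert from R4:    $(verify_chain r3.pem r4.pem vpn2.pem)"    # fail
echo "root anchor, cert from R4:  $(verify_chain root.pem r4.pem vpn2.pem)"  # ok
```

The middle line is the failure the reporter would hit after a CA rotation with only R3 pinned; the last line is what trusting the root (as a system trust store does) gives instead.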
