Some MAJOR problems with VPN setup (Using TL-R605)
2021-02-13 15:49:02
Hardware Version: V1
Firmware Version: 4.2.8

Hi,

there are a few very important problems with the VPN setup I'd like to emphasize for upcoming builds:

1. The VPN password is shown as clear text in the VPN user list.

2. The possibility to limit VPN access via IP group is crucial for security; I'm receiving several malicious attempts per day.

3. Already mentioned, but also very important: VPN users should be visible in the clients list, with the possibility to filter them somehow.

4. It is unclear why I can't set the VPN subnet within the main class C subnet I use.

Thanks a lot in advance. You've made a nice and affordable product. Let's shape it together to be secure too :)

#1
Re:Some MAJOR problems with VPN setup (Using TL-R605)
2021-02-19 07:45:56

Dear @Varaba,

there are a few very important problems with the VPN setup I'd like to emphasize for upcoming builds:

1. The VPN password is shown as clear text in the VPN user list.

2. The possibility to limit VPN access via IP group is crucial for security; I'm receiving several malicious attempts per day.

3. Already mentioned, but also very important: VPN users should be visible in the clients list, with the possibility to filter them somehow.

4. It is unclear why I can't set the VPN subnet within the main class C subnet I use.

1. The VPN password can be seen after we edit the specific VPN policy; it is not directly shown on the VPN page. Is it really necessary to hide the VPN password in the VPN user list?

2. Sorry, I'm not sure if I understand you correctly. Do you mean that there are unknown clients attempting to connect to the VPN you set up on the TL-R605, and you want to block the unknown clients from connecting to the VPN? How did you find that you are receiving malicious attempts?

3. For the VPN client list, I've forwarded this as a feature request to the developer team, who will add it in a subsequent update.

4. For the Omada gateway, the VPN subnet cannot be in the same network segment as the LAN IP; I'm afraid you may need to set the VPN subnet to a different network segment.

#2
Re:Some MAJOR problems with VPN setup (Using TL-R605)
2021-02-22 14:00:44

@Fae 

Thank you for your reply, it is highly appreciated.

Regarding your points:

1. The VPN password can be seen after we edit the specific VPN policy; it is not directly shown on the VPN page. Is it really necessary to hide the VPN password in the VPN user list?

The fact that you are able to show the password proves you are storing them either in clear text or with a reversible algorithm. This is a password which allows passing my firewall and accessing my intranet. Frankly, with my understanding of security principles, it makes me unhappy. If I may assume, you solely rely on Mongo security, but I'm not sure it is sufficient for this specific case. Anyway, I'd be glad to know I've missed something and there is a reason to have peace of mind.

2. Sorry, I'm not sure if I understand you correctly. Do you mean that there are unknown clients attempting to connect to the VPN you set up on the TL-R605, and you want to block the unknown clients from connecting to the VPN? How did you find that you are receiving malicious attempts?

There are enormous numbers of PPTP access attempts reaching average IPs, including mine. Omada reports unsuccessful PPTP login attempts and their source IPs too. Those usually come from an address pool rather than a single IP, to avoid typical blacklisting. Unfortunately I had no chance to find a possibility to limit VPN to trusted IP pools only, which is usual practice in high-security environments. I hope this will become available soon.

3. For the VPN client list, I've forwarded this as a feature request to the developer team, who will add it in a subsequent update.

Great to know, thank you

4. For the Omada gateway, the VPN subnet cannot be in the same network segment as the LAN IP; I'm afraid you may need to set the VPN subnet to a different network segment.

This is not something unusual or unbelievable; Windows Server has the ability to add a VPN client to the current subnet. But if you prefer not to do so, it is up to you.

And one more security concern in addition:

5. I was unable to find a notifications setting which allows event and alert triggering when the NAT port forwarding feature is accessed, which is also an important security measure.

Kind regards

#3
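The reply above describes failed PPTP logins that Omada reports with their source IPs, spread across an address pool rather than a single host, and asks for a trusted-IP allowlist. As an added defender-side illustration (not Omada's code or log format, which is assumed here), this Python script aggregates failed logins per /24 block so a rotating pool is seen as one actor, and skips sources inside an assumed trusted pool:

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of failed PPTP login events in the style of a gateway
# event log; the line format is an assumption, not Omada's actual format.
SAMPLE_LOG = """\
2021-02-20 03:12:01 PPTP login failed user=admin src=198.51.100.14
2021-02-20 03:12:04 PPTP login failed user=admin src=198.51.100.77
2021-02-20 03:12:09 PPTP login failed user=root src=198.51.100.203
2021-02-20 03:13:15 PPTP login failed user=test src=198.51.100.9
2021-02-20 08:40:22 PPTP login failed user=varaba src=192.0.2.55
2021-02-20 09:01:03 PPTP login failed user=guest src=203.0.113.8
"""

# Assumed trusted pool (e.g. the office range that is allowed to dial in).
TRUSTED_POOLS = [ipaddress.ip_network("192.0.2.0/24")]
LINE_RE = re.compile(r"PPTP login failed user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_failures(log_text):
    """Yield (user, source_ip) for every failed PPTP login line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), ipaddress.ip_address(m.group("src"))


def is_trusted(ip, pools=TRUSTED_POOLS):
    """True when the source falls inside one of the trusted pools."""
    return any(ip in pool for pool in pools)


def failures_by_prefix(log_text, prefix_len=24):
    """Count untrusted failures per /prefix_len block, so a pool of
    rotating source addresses is seen as one actor, not many single IPs."""
    counts = Counter()
    for _user, ip in parse_failures(log_text):
        if not is_trusted(ip):
            block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            counts[str(block)] += 1
    return counts


def suspicious_blocks(log_text, threshold=3, prefix_len=24):
    """Blocks whose untrusted failure count reaches the threshold."""
    counts = failures_by_prefix(log_text, prefix_len)
    return sorted(b for b, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(suspicious_blocks(SAMPLE_LOG))
```

Counting per block rather than per address is what makes the "address pool" pattern visible; the same blocks are the natural input for an IP-group restriction once the gateway supports one.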
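Point 1 in the reply above argues that a UI which can display a VPN user's password implies the credential is stored reversibly. As an added illustration of the alternative, not code from Omada or the TL-R605, this toy Python user store contrasts a record that keeps the password (and so can display it) with one that keeps only a salted PBKDF2-HMAC-SHA256 digest, which can still verify a login but cannot reveal the password; the iteration count is an assumed work factor:

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the device's CPU budget


# Weak store: keeps the password itself so the UI can show it, which means
# anyone who can read the store (backup, DB dump, export) has it too.
def weak_add_user(store, username, password):
    store[username] = {"password": password}


def weak_verify(store, username, password):
    rec = store.get(username)
    return rec is not None and rec["password"] == password


# Hashed store: keeps only salt + digest. Verification recomputes the digest
# from the supplied password; nothing in the record yields the password back.
def hashed_add_user(store, username, password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[username] = {"salt": salt, "digest": digest, "iter": ITERATIONS}


def hashed_verify(store, username, password):
    rec = store.get(username)
    if rec is None:
        # Do the same work for an unknown user so timing does not reveal
        # which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    rec["salt"], rec["iter"])
    return hmac.compare_digest(candidate, rec["digest"])


def can_display_password(record):
    """True when the stored record contains the password as-is."""
    return "password" in record


if __name__ == "__main__":
    weak, hashed = {}, {}
    weak_add_user(weak, "vpnuser", "correct horse")   # constructed sample
    hashed_add_user(hashed, "vpnuser", "correct horse")
    print(can_display_password(weak["vpnuser"]), can_display_password(hashed["vpnuser"]))
```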
Re:Some MAJOR problems with VPN setup (Using TL-R605)
2021-02-23 07:47:25

Dear @Varaba 

And one more security concern in addition:

5. I was unable to find a notifications setting which allows event and alert triggering when the NAT port forwarding feature is accessed, which is also an important security measure.

Do you wish to add a notifications setting to allow event and alert triggering 1) when there is a device accessing the network through NAT port forwarding, or 2) when the settings of NAT port forwarding are viewed or changed?

From my understanding, it's more likely to be the former, but I'd like to confirm with you.

#4
Re:Some MAJOR problems with VPN setup (Using TL-R605)
2021-02-23 08:38:33

@Fae 

Fae wrote

Dear @Varaba 

And one more security concern in addition:

5. I was unable to find a notifications setting which allows event and alert triggering when the NAT port forwarding feature is accessed, which is also an important security measure.

Do you wish to add a notifications setting to allow event and alert triggering 1) when there is a device accessing the network through NAT port forwarding, or 2) when the settings of NAT port forwarding are viewed or changed?

From my understanding, it's more likely to be the former, but I'd like to confirm with you.

Sure, the first one.

Thanks a lot for prompt responses.

#5
Re:Some MAJOR problems with VPN setup (Using TL-R605)
2021-09-27 18:54:22

I will second the need to smarten up the VPN in the Omada products; it lacks fine control in many areas. Great system, but it needs finishing in this whole area.

#6