About VPN Generator

VPN Generator is software that lets anyone provide a Virtual Private Network to a small group of friends or family. VPNs mask users’ location and identity as they access the internet, protecting people from surveillance and allowing them to view websites that may be blocked by government censorship. 

In restrictive and authoritarian contexts, a VPN can help preserve access to information and allow individuals to connect or organize over a secure channel. VPN Generator is designed to lower the threshold for less expert users to create a VPN, offering an easy-to-use solution for people in countries where internet censorship is widespread. It also creates a distributed system with no centralized “server,” which makes any instance harder to take down and safer for each member.

Audit Description

Through OTF’s Security Lab, Include Security performed a security audit for VPN Generator during July 2023 using a standard “gray box” assessment. In this form of testing, auditors have limited knowledge about the component being tested, allowing them to simulate the perspective of an attacker with limited insider knowledge. The goal was to identify and confirm any potential security vulnerabilities in the application and cryptography architecture.

Scope

The assessment consisted of a review of all relevant source code, with a focus on network architecture, and dynamic testing of the staging environment. At the time of the review, code for creating VPNs with the IPsec protocol was being developed, along with a Partner API; these planned functions were not included in the review.

Findings 

Include Security identified four issues, all in the “Low-Risk” category. Zero issues were found in the higher categories of Critical, High, or Medium Risk. The security issues detected by the audit included: 

  • an SSH private key embedded within the codebase, a practice that can expose administrative credentials to anyone with access to current or older code versions. This means that any employee with access to the repository (currently, in the past, or in the future) could obtain control over various, and perhaps critical, parts of the VPN Generator infrastructure, compromising the company and bringing risk to customer data.
  • a disabled setting for strict reverification when known servers make new SSH connections, creating a vulnerability if, for instance, a known server was compromised by attackers between connections.
  • the storage of some Telegram Chat IDs in the database based on communications with the Telegram bot; in this context, the Chat IDs were identical to the Telegram User IDs of VPN Generator users.
  • the lack of an automated installation setting that would keep security patches for the core VPN infrastructure as up-to-date as possible.
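The first two findings are the kind a repository hygiene check can catch before code is merged. The following scanner is an added example, not code from the VPN Generator project or the audit report: it walks a directory tree and flags PEM private-key blocks and any `StrictHostKeyChecking no` / `-o StrictHostKeyChecking=no` setting (the OpenSSH option that controls host-key reverification). The sample repository contents it scans are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# PEM header of any private key type (RSA, EC, OPENSSH, unqualified ...).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# "StrictHostKeyChecking no" in ssh_config syntax or "-o StrictHostKeyChecking=no"
# on a command line; OpenSSH keywords are case-insensitive.
HOST_KEY_CHECK_OFF_RE = re.compile(r"StrictHostKeyChecking\s*[= ]\s*no\b", re.IGNORECASE)


def scan_text(text, path):
    """Return (path, line number, finding) tuples for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY_RE.search(line):
            findings.append((path, lineno, "embedded-private-key"))
        if HOST_KEY_CHECK_OFF_RE.search(line):
            findings.append((path, lineno, "host-key-checking-disabled"))
    return findings


def scan_tree(root):
    """Scan every regular file under root; paths are reported relative to root."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        findings.extend(scan_text(text, p.relative_to(root).as_posix()))
    return findings


# Constructed sample repository: the key material is a placeholder, not a real key.
SAMPLE_FILES = {
    "deploy/id_deploy": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...constructed...\n-----END OPENSSH PRIVATE KEY-----\n",
    "deploy/push.sh": "ssh -o StrictHostKeyChecking=no admin@example-node 'uptime'\n",
    "deploy/ssh_config": "Host example-*\n  StrictHostKeyChecking yes\n  UserKnownHostsFile ./known_hosts\n",
    "README.md": "Keys live in the secrets manager, never in git.\n",
}


def demo():
    """Materialise the sample files in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            dst = Path(root, rel)
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, lineno, finding in demo():
        print(f"{path}:{lineno}: {finding}")
```

The hardened `deploy/ssh_config` entry (`StrictHostKeyChecking yes` with a pinned `UserKnownHostsFile`) is deliberately not flagged, showing the corrected setting beside the weak one.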

Remediation

For the four low-risk issues identified in the audit, Include Security performed follow-up testing in March 2024 and found that three of the issues had been resolved. The remaining issue (a disabled setting for strict re-verification when known servers make new SSH connections) was flagged as an “accepted” risk by the VPN Generator team, who noted that a new solution under a more robust security framework was already planned for an upcoming version of the system.


Full Report

Remediation Report

Code:

https://github.com/vpngen