I did not say "nobind protects from everything", but I did mean that clients with "nobind" are more protected in the case of a non-patched OpenSSL library shipped with the (old) OpenVPN Windows installer.
If the server is patched (which is a rather easy thing compared to hundreds of Windows users), nobody can steal the server SSL cert; sniffing traffic is useless in that case. A MITM-type attack is also useless when you have no server cert. The only thing you can attack is the client, and if he uses "nobind", it looks rather good.

2014-04-09 14:44 GMT+06:00 Arne Schwabe <a...@rfc2549.org>:
> On 09.04.14 10:32, Илья Шипицин wrote:
>> I used to think that a client without the "nobind" option binds to 1194/udp
>> (we encountered that issue with multiple openvpn connections on the
>> same machine), so "nobind" tells the openvpn instance not to bind to
>> udp/1194, and so only the openvpn server can exploit the heartbleed
>> vulnerability, but not any attacker.
>>
> Yes, the server can attack you. Or any man-in-the-middle attack, including
> ARP spoofing/DNS spoofing etc.
>
> If you see nobind as protection, basically you don't need a VPN.
>
> Arne
>