On Wed, 16 Oct 2013 22:14:39 -0400, "Sumit Dahiya"
<sumit.dah...@eistech.com> wrote:

> I agree there is no such thing as 100% security. Therefore, I am trying to
> make my VPN users as little vulnerable as possible.
> 
> If I do not use the "redirect gateway" parameter then users would be
> relying on the target website's SSL implementation and their encryption
> strategies. If there are some problems with certificates etc. (or holes
> in security otherwise) then my users will potentially become vulnerable
> to local eavesdroppers sniffing packets over the public WiFi.

It depends. The *target* website's SSL implementation, unless it's in your
network, isn't going to change, whether you're redirecting over the VPN or
connecting directly to it.

> On the other hand, if I DO use the "redirect gateway" then my users will
> be safe from public WiFi eavesdropping regardless of security holes in
> websites they are visiting. Please let me know if this is not correct.

Yes, since all that will be seen on the wifi network is the VPN traffic.

However, as mentioned above, if one of your VPN users is tricked into
going to the SSL URL of a compromised website and clicks "yes, go
ahead" in the browser, the fact that their traffic is being redirected over
the VPN or not isn't going to make a difference (unless you have
"something" in your network that would detect or prevent that, which is
unlikely).

Another thing to consider is which DNS server(s) your users will use while
connected to the VPN. If you redirect all their traffic to the VPN server,
but let them continue to use the DNS server(s) they got from DHCP in the
hotspot or wherever they are, then the owners of the wifi network can
obviously mount all sorts of attacks, VPN or not. So one thing you could do
is instruct the clients to use a DNS server that is internal to your
network (or one that you trust) while connected to the VPN. How to do this
is client- and operating-system-specific, but it can generally be done; see
the --dhcp-option directive. (Of course, this doesn't apply if the user
isn't connected to the VPN, but that is out of the scope of this discussion
anyway.)

-- 
D.

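An added server-side configuration fragment illustrating the two points made in the reply above (full-tunnel redirection plus a pushed resolver). This is not from the list post or the OpenVPN project; the resolver address 10.8.0.1 is an assumption and stands for whatever trusted DNS server is reachable inside your VPN.

```conf
# Added example: OpenVPN server config fragment (not from the original post).

# Weak setting: everything is routed into the tunnel, but the client keeps
# the resolver it got from the hotspot's DHCP, so DNS queries and answers
# stay exposed to the local network's operator.
#push "redirect-gateway def1"

# Corrected setting: redirect all traffic AND hand the client a resolver
# that lives inside the VPN.
#   def1        - overrides the default route with two more-specific routes
#                 (0.0.0.0/1 and 128.0.0.0/1) instead of replacing it
#   bypass-dhcp - keeps a direct route to the hotspot's DHCP server so the
#                 client can still renew its lease while tunnelled
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"    # assumed: trusted resolver on the VPN side

# Windows clients only, OpenVPN 2.3.9 and later: block DNS traffic to any
# interface other than the tunnel, so a second resolver configured on the
# wifi adapter cannot be used while the VPN is up.
push "block-outside-dns"
```

The same `dhcp-option DNS` line can be placed in the client config instead of being pushed. Note that on Windows OpenVPN applies it to the TAP adapter itself, whereas on Linux and other Unix-like clients the values are only exported to the `--up` script as `foreign_option_<n>` environment variables, and it is that script's job to rewrite the resolver configuration (and the `--down` script's job to restore it); without such a script the push has no effect, which is exactly the "client- and operating-system-specific" caveat in the reply.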
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users