Thanks for the comment. I should have mentioned that we are also using the
"dhcp-option DNS" directive. So remote employees will be routed through our
corporate DNS server when they are connected to the OpenVPN server.

As soon as they disconnect, they are at the mercy of the public WiFi DNS at
Starbucks (or whatever network they are on).



-----Original Message-----
From: Davide Brini [mailto:dave...@gmx.com] 
Sent: Thursday, October 17, 2013 4:54 AM
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] OpenVPN Security

On Wed, 16 Oct 2013 22:14:39 -0400, "Sumit Dahiya"
<sumit.dah...@eistech.com> wrote:

> I agree there is no such thing as 100% security. Therefore, I am 
> trying to make my VPN users as less vulnerable as possible.
> 
> If I do not use the "redirect gateway" parameter then users would be 
> relying on target website's SSL implementation and their encryption 
> strategies. If there are some problems with certificates etc. (or 
> holes in security otherwise) then my users will potentially become 
> vulnerable to local eavesdroppers sniffing packets over the public WiFi.

It depends. The *target* website SSL implementation, unless it's in your
network, isn't going to change, whether you're redirecting over the VPN or
connecting directly to it.

> On the other hand, if I DO use the "redirect gateway" then my users 
> will be safe from public WiFi eavesdropping regardless of security 
> holes in websites they are visiting. Please let me know if this is not 
> correct.

Yes, since all that will be seen on the wifi network is the VPN traffic.

However as mentioned above, if one of your VPN users is tricked into going
to the SSL URL of a compromised website and clicks "yes, go ahead" in the
browser, the fact that their traffic is being redirected over the VPN or not
isn't going to make a difference (unless you have "something" in your
network that would detect or prevent that, which is unlikely).

Another thing to consider is which DNS server(s) your users will use while
connected to the VPN. If you redirect all their traffic to the VPN server,
but let them continue to use the DNS server(s) they got from DHCP in the
hotspot or wherever they are, then the owners of the wifi network can
obviously mount all sorts of attacks, VPN or not. So one thing you could do
is instruct the clients to use a DNS server that is internal to your network
(or one that you trust) while connected to the VPN. How to do this is
client- and operating-system-specific, but it can generally be done; see
the --dhcp-option directive. (Of course, this doesn't apply if the user
isn't connected to the VPN, but that is out of the scope of this discussion
anyway.)




_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
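The server- and client-side configuration the two messages above describe (tunnel all traffic with redirect-gateway, and push a resolver inside the corporate network with dhcp-option DNS so the hotspot's DHCP-supplied resolver is no longer used), written out as an added example; it is not anything posted in this thread. The resolver address 10.8.0.1 and the helper-script path are assumptions, and the block-outside-dns directive only exists in OpenVPN 2.3.9 and later, which postdates this 2013 discussion.

```conf
# --- server.conf: the weak setting Davide warns about -------------------
# All traffic is tunnelled, but no DNS server is pushed, so the client
# keeps resolving names through the hotspot's DHCP-supplied resolver.
# push "redirect-gateway def1"

# --- server.conf: corrected -------------------------------------------
# Tunnel all traffic and hand the client a resolver inside the corporate
# network (10.8.0.1 is an assumed address on the VPN subnet).
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
# Windows-only: stop the OS from also querying the DNS servers of the
# other adapters. Requires OpenVPN 2.3.9 or later on the client; clients
# that do not understand it log a warning and otherwise ignore it.
push "block-outside-dns"

# --- client.conf (Linux): act on the pushed dhcp-option ----------------
# On Linux, OpenVPN does not rewrite /etc/resolv.conf by itself; a helper
# such as the update-resolv-conf script shipped with Debian/Ubuntu's
# openvpn package (path assumed) must be run from the up/down hooks.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```

To check the result while connected, resolve a name with `dig` or `nslookup` and confirm the server it reports is the pushed 10.8.0.1; a capture on the WiFi interface filtered to UDP/TCP port 53 should then show no plaintext queries leaving outside the tunnel. As Davide notes, none of this applies once the client disconnects.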