Thanks for the comment. I should have mentioned that we are also using the "dhcp-option DNS" directive. So remote employees will be routed through our corporate DNS server when they are connected to the OpenVPN server.
As soon as they disconnect, they are at the mercy of the public WiFi DNS at Starbucks (or whatever network they are on).

-----Original Message-----
From: Davide Brini [mailto:dave...@gmx.com]
Sent: Thursday, October 17, 2013 4:54 AM
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] OpenVPN Security

On Wed, 16 Oct 2013 22:14:39 -0400, "Sumit Dahiya" <sumit.dah...@eistech.com> wrote:

> I agree there is no such thing as 100% security. Therefore, I am
> trying to make my VPN users as less vulnerable as possible.
>
> If I do not use the "redirect gateway" parameter then users would be
> relying on target website's SSL implementation and their encryption
> strategies. If there are some problems with certificates etc. (or
> holes in security otherwise) then my users will potentially become
> vulnerable to local eavesdroppers sniffing packets over the public WiFi.

It depends. The *target* website SSL implementation, unless it's in your network, isn't going to change, whether you're redirecting over the VPN or connecting directly to it.

> On the other hand, if I DO use the "redirect gateway" then my users
> will be safe from public WiFi eavesdropping regardless of security
> holes in websites they are visiting. Please let me know if this is not correct.

Yes, since all that will be seen on the wifi network is the VPN traffic. However, as mentioned above, if one of your VPN users is tricked into going to the SSL URL of a compromised website and clicks "yes, go ahead" in the browser, the fact that their traffic is being redirected over the VPN or not isn't going to make a difference (unless you have "something" in your network that would detect or prevent that, which is unlikely).

Another thing to consider is which DNS server(s) your users will use while connected to the VPN. If you redirect all their traffic to the VPN server, but let them continue to use the DNS server(s) they got from DHCP in the hotspot or wherever they are, then the owners of the wifi network can obviously mount all sorts of attacks, VPN or not. So one thing you could do is instruct the clients to use a DNS server that is internal to your network (or one that you trust) while connected to the VPN. How to do this is client- and operating system-specific, but it can generally be done; see the --dhcp-option directive. (Of course, this doesn't apply if the user isn't connected to the VPN, but that is out of the scope of this discussion anyway.)

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
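The two settings discussed in this thread, redirecting all client traffic through the tunnel and pushing an internal DNS server, written out as a server config plus the matching client-side lines. This is an added example, not a config posted in the thread or shipped by OpenVPN; the addresses are assumptions (tunnel pool 10.8.0.0/24 with the server on 10.8.0.1, an internal resolver on 10.0.0.53), and the certificate and key file names are the usual placeholders.

```conf
# ---- server.conf (added example, not from the thread) ----
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# HMAC on the control channel: unauthenticated packets to the UDP port are dropped
# before any TLS work happens. The client uses "tls-auth ta.key 1".
tls-auth ta.key 0

# Assumed tunnel subnet; the server takes 10.8.0.1
server 10.8.0.0 255.255.255.0

# Send ALL client traffic through the tunnel, not just routes to corporate subnets.
# "def1" adds 0.0.0.0/1 and 128.0.0.0/1 instead of replacing the default route, so the
# hotspot's own default route survives and is restored cleanly on disconnect;
# "bypass-dhcp" keeps the hotspot DHCP server reachable so the lease can be renewed.
push "redirect-gateway def1 bypass-dhcp"

# Push a resolver that lives inside the tunnel. While connected, clients stop using
# the DNS server the hotspot handed them via DHCP, which is the attack Davide describes.
# 10.0.0.53 is an assumed internal resolver; the VPN server must be able to route (or NAT)
# tunnel traffic to it, otherwise name resolution simply breaks once connected.
push "dhcp-option DNS 10.0.0.53"

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup

# ---- client.conf (the client-side lines that make the pushed DNS option take effect) ----
# Windows: the TAP adapter applies a pushed "dhcp-option DNS" on its own. On OpenVPN 2.3.9
# and later (newer than this 2013 thread) also add the line below, which blocks DNS on
# the physical adapters so Windows cannot fall back to the hotspot resolver in parallel:
#   block-outside-dns
#
# Linux: OpenVPN does not touch /etc/resolv.conf by itself. Debian/Ubuntu ship a script
# that rewrites it from the pushed options on "up" and restores it on "down":
#   script-security 2
#   up   /etc/openvpn/update-resolv-conf
#   down /etc/openvpn/update-resolv-conf
```

To confirm the configuration does what the thread wants, capture on the WiFi interface while connected (for example `tcpdump -ni wlan0 port 53`): there should be no DNS queries at all on the physical interface, only the encrypted UDP/1194 flow to the VPN server. As Davide notes, none of this protects a client that is not connected; the hotspot resolver is back in use the moment the tunnel drops.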