> Message: 2
> Date: Thu, 17 Oct 2013 17:45:34 -0400
> From: "Sumit Dahiya" <sumit.dah...@eistech.com>
> Subject: Re: [Openvpn-users] OpenVPN Security
> To: <openvpn-users@lists.sourceforge.net>
> Message-ID: <000901cecb82$367ecdf0$a37c69d0$@eistech.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Thanks for the comment. I should have mentioned that we are also using the
> "dhcp-option DNS" directive. So remote employees will be routed through our
> corporate DNS server when they are connected to the OpenVPN server.
>
> As soon as they disconnect, they are at the mercy of the public WiFi DNS at
> Starbucks (or whatever network they are on).
>
> -----Original Message-----
> From: Davide Brini [mailto:dave...@gmx.com]
> Sent: Thursday, October 17, 2013 4:54 AM
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN Security
>
> On Wed, 16 Oct 2013 22:14:39 -0400, "Sumit Dahiya"
> <sumit.dah...@eistech.com> wrote:
>
>> I agree there is no such thing as 100% security. Therefore, I am
>> trying to make my VPN users as less vulnerable as possible.
>>
>> If I do not use the "redirect gateway" parameter then users would be
>> relying on target website's SSL implementation and their encryption
>> strategies. If there are some problems with certificates etc. (or
>> holes in security otherwise) then my users will potentially become
>> vulnerable to local eavesdroppers sniffing packets over the public WiFi.
>
> It depends. The *target* website SSL implementation, unless it's in your
> network, isn't going to change, whether you're redirecting over the VPN or
> connecting directly to it.
>
>> On the other hand, if I DO use the "redirect gateway" then my users
>> will be safe from public WiFi eavesdropping regardless of security
>> holes in websites they are visiting. Please let me know if this is not
>> correct.
>
> Yes, since all that will be seen on the wifi network is the VPN traffic.
>
> However as mentioned above, if one of your VPN users is tricked into going
> to the SSL URL of a compromised website and clicks "yes, go ahead" in the
> browser, the fact that their traffic is being redirected over the VPN or not
> isn't going to make a difference (unless you have "something" in your
> network that would detect or prevent that, which is unlikely).
>
> Another thing to consider is which DNS server(s) your users will use while
> connected to the VPN. If you redirect all their traffic to the VPN server,
> but let them continue to use the DNS server(s) they got from DHCP in the
> hotspot or wherever they are, then the owners of the wifi network can
> obviously mount all sorts of attacks, VPN or not. So one thing you could do
> is instruct the clients to use a DNS server that is internal to your network
> (or one that you trust) while connected to the VPN. How to do this is
> client- and operating system- specific, but it can generally be done, see
> the --dhcp-option directive. (Of course, this doesn't apply if the user
> isn't connected to the VPN, but that is out of the scope of this discussion
> anyway.)
>
Is this the correct syntax for this option? "--dhcp-option DNS 192.168.1.1" Can it be used without the --ip-win32 command?

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
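The DNS point Davide raises above, as an added server-side configuration example that is not part of the thread and not taken from the OpenVPN project's documentation: the first fragment redirects all client traffic through the tunnel but says nothing about resolvers, so clients keep using whatever DNS server the hotspot's DHCP handed them; the second pushes an internal resolver together with the redirect. The resolver address `192.168.1.1` (the value quoted in the question) and the search domain `corp.example` are placeholders. `block-outside-dns` is a real OpenVPN directive for Windows clients, but it only exists in OpenVPN 2.3.9 and later, well after this 2013 thread, so omit it for older clients.

```conf
# Added example (not from the thread). Server-side "push" lines that are
# sent to every client on connect. Addresses are placeholders.

# --- weak: full-tunnel redirect without a DNS policy -----------------------
# Packets go through the VPN, but name resolution still uses the resolver the
# client obtained from the hotspot's DHCP, so every lookup leaves via the
# untrusted Wi-Fi and its owner can answer as they please.
push "redirect-gateway def1"

# --- corrected: push an internal (or otherwise trusted) resolver as well ---
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"       # resolver reachable only through the tunnel
push "dhcp-option DOMAIN corp.example"   # optional: search suffix for internal names
# Windows clients, OpenVPN 2.3.9 or later only: also block DNS to resolvers
# on other interfaces, which Windows may otherwise consult in parallel.
push "block-outside-dns"
```

Usage note: the `dhcp-option DNS` value is applied by the client rather than the server. On Windows it reaches the system through the TAP adapter's DHCP emulation, which is where `--ip-win32` comes into play; on Linux and macOS OpenVPN does not configure the resolver itself but exposes each pushed value to an `--up` script as a `foreign_option_N` environment variable (for example `foreign_option_1="dhcp-option DNS 192.168.1.1"`), and a script such as the distribution-provided `update-resolv-conf` has to write it into `/etc/resolv.conf`. A simple check after connecting is to run a lookup and confirm on the VPN server that the query arrived over the tunnel rather than appearing on the client's Wi-Fi interface.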