Hi,

On Sun, May 04, 2014 at 08:08:54PM +0100, Jonathan Tripathy wrote:
> I still think the OP has asked a very good question.
>
> Whilst the traffic won't physically go to C (at least for TUN
> networks), an answer would be great regarding whether C could de-crypt
> the traffic using the keys he/she has.

Of course not. The session key is negotiated between each client and the
server as part of the TLS handshake, and that is unique for each client.

> Another thing to remember is that for TAP network, C could potentially
> get some of the traffic if ARP goes funny etc...

ARP spoofing might indeed work. So don't use TAP.

Don't use TAP anyway, unless you have a very strong reason to do so, and
this is usually along the lines of "I need dynamic routing protocols to
work across OpenVPN".

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users