On 04/05/14 21:51, Gert Doering wrote:
> Hi,
>
> On Sun, May 04, 2014 at 08:08:54PM +0100, Jonathan Tripathy wrote:
>> I still think the OP has asked a very good question.
>>
>> Whilst the traffic won't physically go to C (at least for TUN
>> networks), an answer would be great regarding whether C could
>> de-crypt the traffic using the keys he/she has.
>
> Of course not. The session key is negotiated between each client
> and the server as part of the TLS handshake, and that is unique for
> each client.

That is correct, but I wanted to clarify a few minor details. If you're using a PKI setup, which is required when you have multiple clients connected simultaneously, each client has a separate private key and negotiates its own session key (which is also changed regularly, according to the --reneg-* options). But if you are using a static key, only one client can connect to the remote side. If two clients have access to the same server using static keys (which would be a really stupid setup!), both clients can decrypt the tunnel traffic, just by sniffing the network. This is because static setups do not have any session key.

>> Another thing to remember is that for TAP network, C could
>> potentially get some of the traffic if ARP goes funny etc...
>
> ARP spoofing might indeed work. So don't use TAP. Don't use TAP
> anyway, unless you have a very strong reason to do so, and this is
> usually along the lines of "I need dynamic routing protocols to
> work across OpenVPN".

Just thinking aloud, and haven't dug into the code on this. Doesn't OpenVPN have a map of remote clients, MAC addresses and VPN IP addresses? (Thinking of the learn-address phase which kicks off when traffic begins to pass over the TAP tunnel.) Changing your MAC address to become a different client would definitely confuse OpenVPN, but would it really work? Wouldn't it just result in a DoS for the targeted client until the attack stops?

--
kind regards,

David Sommerseth
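The distinction David draws above, between a static-key setup (one shared `--secret`, no per-client session key, so anyone holding the key can decrypt the tunnel) and a PKI/TLS setup (per-client certificate, a session key negotiated per connection and renewed on the `--reneg-*` schedule), is something a defender can audit mechanically. The script below is an added example, not code from the thread or from the OpenVPN project: it classifies OpenVPN config files by key-management mode and reports the effective `reneg-sec` interval. The helper names (`uses_static_key`, `classify_config`, `reneg_sec`) and the three sample configs are constructed for illustration; the directives themselves (`secret`, `tls-server`, `tls-client`, `client`, `server`, `cert`, `pkcs12`, `reneg-sec`, `tls-auth`) are real OpenVPN options.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit OpenVPN configs
# for static-key mode versus TLS/PKI mode. Helper names are hypothetical.

# True when the config selects static-key mode via the "secret" directive.
# In that mode there is no TLS handshake and no per-session key: every
# holder of the shared key can decrypt all tunnel traffic.
uses_static_key() {
  grep -Eq '^[[:space:]]*secret([[:space:]]|$)' "$1"
}

# True when the config selects TLS mode (explicit tls-server/tls-client,
# or the "server"/"client" macros that imply it) and supplies a certificate.
# Note: "tls-auth" also names a static key file, but that key only HMACs the
# control channel; it does not make the tunnel a static-key tunnel.
uses_tls_pki() {
  grep -Eq '^[[:space:]]*(tls-server|tls-client|client|server)([[:space:]]|$)' "$1" &&
  grep -Eq '^[[:space:]]*(cert|pkcs12)([[:space:]]|$)' "$1"
}

# Prints "static", "pki" or "unknown" for the given config file.
classify_config() {
  if uses_static_key "$1"; then
    printf 'static\n'
  elif uses_tls_pki "$1"; then
    printf 'pki\n'
  else
    printf 'unknown\n'
  fi
}

# Prints the session-key renegotiation interval in seconds: the configured
# "reneg-sec" value, or OpenVPN's default of 3600 when it is unset.
# Static-key mode has no session key to renegotiate, so it prints "none".
reneg_sec() {
  if uses_static_key "$1"; then
    printf 'none\n'
    return 0
  fi
  v=$(awk '$1 == "reneg-sec" { print $2 }' "$1" | tail -n 1)
  printf '%s\n' "${v:-3600}"
}

# Constructed sample configs (not taken from the thread).
STATIC_CONF=$(mktemp)
SERVER_CONF=$(mktemp)
CLIENT_CONF=$(mktemp)
trap 'rm -f "$STATIC_CONF" "$SERVER_CONF" "$CLIENT_CONF"' EXIT

# The weak setup: one shared key, a single peer, no session key at all.
cat > "$STATIC_CONF" <<'EOF'
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
EOF

# The PKI server: per-client certificates, session keys renewed every
# 3600 s by default because reneg-sec is not set.
cat > "$SERVER_CONF" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
EOF

# A PKI client that shortens the renegotiation interval to 600 s.
cat > "$CLIENT_CONF" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
ca ca.crt
cert client-a.crt
key client-a.key
reneg-sec 600
EOF

for f in "$STATIC_CONF" "$SERVER_CONF" "$CLIENT_CONF"; do
  printf '%s: mode=%s reneg-sec=%s\n' "$f" "$(classify_config "$f")" "$(reneg_sec "$f")"
done
```

Run it as-is to see the three classifications; point `classify_config` and `reneg_sec` at real config files to flag any peer that still relies on a shared static key, and to see how long a compromised session key stays useful before renegotiation.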
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users