On 04/05/14 22:31, Jason Haar wrote:
> The way I look at it (and hopefully I'm correct - I've never used
> tap so I haven't tested that), "tun" interfaces are like
> traditional physical point-to-point WAN links - and one WAN link
> cannot see the traffic from another WAN link. Similarly, "tap"
> interfaces are equivalent to a *switch* - not an old-fashioned
> *bridge*: one device plugged into a switch cannot see the traffic
> flows of another device (except for broadcasts - which is the only
> reason you'd use tap anyway). Of course - as Gert mentioned - taps
> do suffer from the same security issues as switches, you can
> subvert that general rule by doing tricks with arp spoofing/etc.
tun devices transport only IP traffic (OSI layer 3), and are indeed
point-to-point devices. So you'll only see traffic on a tun link which
is destined to the remote site.

tap devices are basically identical to hardware network interfaces,
just that it's implemented in software. It goes down to layer 2. So
anything you can do with a hardware NIC device, packet wise, you can do
with a TAP device.

But that doesn't mean that all kinds of attacks will work, because
OpenVPN does some checks on the packets it receives and forwards. So
there is a chance OpenVPN won't make ARP spoofing work too easily,
compared to switches and physical NICs. But a more thorough code study
and testing is needed to really confirm this.

Anyway, one way to block this is to have a dynamic firewall which
filters the MAC address the client presents itself with during the
connection phase. This is something eurephia does, when OpenVPN is run
in tap mode.

David S.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
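The per-client MAC binding described in the reply above (a dynamic filter that only passes frames carrying the MAC the client presented during the connection phase), written out as an added example; this is not eurephia's or OpenVPN's own code. It models the check in Python over constructed tap frames: the Ethernet source address of every frame must match the MAC bound at connect time, and any ARP the client sends must advertise that same hardware address, so a frame that would poison a peer's ARP cache with another station's address is dropped and logged rather than forwarded. The client id, MAC and IP values are constructed, and `ClientMacFilter` and its method names are hypothetical.

```python
# Added example: per-client MAC binding for frames arriving on a tap-style VPN.
# Frame layouts follow IEEE 802.3 (Ethernet II header) and RFC 826 (ARP).
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, payload), or None if the frame is too short."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return frame[:6], frame[6:12], ethertype, frame[14:]


def parse_arp_sender(payload: bytes):
    """Return the sender hardware address of an Ethernet/IPv4 ARP packet, or None."""
    # RFC 826: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return payload[8:14]


class ClientMacFilter:
    """Binds each VPN client to the MAC it presented at connect time (hypothetical name)."""

    def __init__(self):
        self.bindings = {}  # client_id -> bound MAC (bytes)
        self.log = []       # human-readable drop reasons, for the operator

    def client_connect(self, client_id: str, presented_mac: bytes) -> None:
        # A real deployment would install a firewall rule here; we just record the binding.
        self.bindings[client_id] = presented_mac

    def client_disconnect(self, client_id: str) -> None:
        self.bindings.pop(client_id, None)

    def accept(self, client_id: str, frame: bytes) -> bool:
        """True if the frame may be forwarded, False if it must be dropped."""
        bound = self.bindings.get(client_id)
        if bound is None:
            self.log.append(f"{client_id}: drop, no MAC binding")
            return False
        parsed = parse_ethernet(frame)
        if parsed is None:
            self.log.append(f"{client_id}: drop, truncated frame")
            return False
        _dst, src, ethertype, payload = parsed
        if src != bound:
            self.log.append(f"{client_id}: drop, source MAC {src.hex(':')} != bound {bound.hex(':')}")
            return False
        if ethertype == ETHERTYPE_ARP:
            sha = parse_arp_sender(payload)
            if sha is None or sha != bound:
                self.log.append(f"{client_id}: drop, ARP sender hardware address != bound MAC")
                return False
        return True


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def build_arp_reply(sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    return struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 2) + sha + spa + tha + tpa


def demo() -> dict:
    """Run the filter over constructed frames and return the verdict for each."""
    client_mac = bytes.fromhex("0a1122334455")   # constructed: MAC presented at connect
    gateway_mac = bytes.fromhex("0a66778899aa")  # constructed: VPN-side gateway MAC
    other_mac = bytes.fromhex("0adeadbeef00")    # constructed: MAC the client never presented
    ip_client, ip_gateway = bytes([10, 8, 0, 2]), bytes([10, 8, 0, 1])

    f = ClientMacFilter()
    f.client_connect("client-A", client_mac)
    dummy_ipv4 = b"\x45" + b"\x00" * 19  # not parsed; only the Ethernet header matters here
    frames = {
        "ipv4 own mac": build_frame(gateway_mac, client_mac, ETHERTYPE_IPV4, dummy_ipv4),
        "ipv4 other src": build_frame(gateway_mac, other_mac, ETHERTYPE_IPV4, dummy_ipv4),
        "arp consistent": build_frame(gateway_mac, client_mac, ETHERTYPE_ARP,
                                      build_arp_reply(client_mac, ip_client, gateway_mac, ip_gateway)),
        # Ethernet source is fine, but the ARP body claims the gateway IP for another MAC
        "arp inconsistent": build_frame(gateway_mac, client_mac, ETHERTYPE_ARP,
                                        build_arp_reply(other_mac, ip_gateway, gateway_mac, ip_gateway)),
        "truncated": b"\x00" * 10,
    }
    verdicts = {name: f.accept("client-A", frame) for name, frame in frames.items()}
    f.client_disconnect("client-A")
    verdicts["after disconnect"] = f.accept("client-A", frames["ipv4 own mac"])
    return verdicts


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} -> {'forward' if ok else 'DROP'}")
```

The Ethernet-source check alone would stop a client from sending frames as another station, but an ARP reply can carry a different hardware address in its body than in the frame header, which is why the filter also parses the ARP sender field; the log entries give the operator the reason for each drop.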