Hi,

On Mon, May 05, 2014 at 07:51:23PM +0200, David Sommerseth wrote:
> > ARP spoofing might indeed work. So don't use TAP. Don't use TAP
> > anyway, unless you have a very strong reason to do so, and this is
> > usually along the lines of "I need dynamic routing protocols to
> > work across OpenVPN".
>
> Just thinking aloud, and haven't dug into the code on this. Doesn't
> OpenVPN have a map of remote clients, MAC addresses and VPN IP
> addresses? (Thinking of the learn-address-phase which kicks off when
> traffic begins to pass over the TAP tunnel). Changing your MAC
> address to become a different client would definitely confuse OpenVPN,
> but would it really work? Wouldn't it just result in a DoS for the
> targeted client until the attack stops?

Since you can have bridged client setups, the OpenVPN server will just
learn additional MAC addresses.

I'm not sure what would happen if client A starts using the mac address
of client B. Either the server will ignore that ("I already know!") or
kick out client B from the forwarding table, and send the packets to A.
Either way "what a normal switch does".

Don't use TAP.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                   g...@greenie.muc.de
fax: +49-89-35655025                 g...@net.informatik.tu-muenchen.de

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
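
Added example, not part of the original message and not OpenVPN code: a small model of the two outcomes described in the reply above (the table ignores the second claim, or re-learns the MAC for the new client), with a check that reports a MAC moving between clients. The class, the policy names, the client names and the frame list are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: (client session, source MAC) in arrival order.
B_MAC = "00:ff:01:02:03:04"
FRAMES = [
    ("clientB", B_MAC),                # B is learned first
    ("clientA", "00:ff:0a:0a:0a:0a"),  # A's own MAC
    ("clientA", "00:FF:01:02:03:04"),  # A now sends with B's MAC
    ("clientB", B_MAC),                # B sends again
]

@dataclass
class LearningTable:
    """Hypothetical MAC -> client forwarding table (a model, not OpenVPN's)."""
    policy: str                                # "keep_first" or "relearn"
    table: dict = field(default_factory=dict)  # MAC -> owning client
    moves: list = field(default_factory=list)  # (MAC, table owner, claimant)

    def __post_init__(self):
        if self.policy not in ("keep_first", "relearn"):
            raise ValueError(f"unknown policy: {self.policy}")

    def learn(self, client, src_mac):
        mac = src_mac.lower()                  # MACs compare case-insensitively
        owner = self.table.get(mac)
        if owner is None:
            # New MAC. A bridged client may own several, so no alert here.
            self.table[mac] = client
        elif owner != client:
            # Same MAC seen from another client: the condition worth logging.
            self.moves.append((mac, owner, client))
            if self.policy == "relearn":       # "what a normal switch does"
                self.table[mac] = client

    def forward_to(self, dst_mac):
        """Client that would receive a frame addressed to dst_mac."""
        return self.table.get(dst_mac.lower())

def replay(policy, frames=FRAMES, watch=B_MAC):
    """Return (who receives frames for `watch` after each frame, MAC moves)."""
    t = LearningTable(policy)
    owners = []
    for client, mac in frames:
        t.learn(client, mac)
        owners.append(t.forward_to(watch))
    return owners, t.moves

if __name__ == "__main__":
    for policy in ("keep_first", "relearn"):
        owners, moves = replay(policy)
        print(policy, owners, moves)
```

Under "relearn" the entry flips to clientA and back again once clientB sends, so repeated moves of one MAC between two clients are the signal to alert on, while a client that simply adds new MACs (the bridged case) raises nothing.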