Hi,

On Mon, May 05, 2014 at 07:51:23PM +0200, David Sommerseth wrote:
> > ARP spoofing might indeed work.  So don't use TAP.  Don't use TAP 
> > anyway, unless you have a very strong reason to do so, and this is 
> > usually along the lines of "I need dynamic routing protocols to work 
> > across OpenVPN".
> 
> Just thinking aloud, and haven't dug into the code on this.  Doesn't 
> OpenVPN have a map of remote clients, MAC addresses and VPN IP 
> addresses?  (Thinking of the learn-address-phase which kicks off when 
> traffic begins to pass over the TAP tunnel).  Changing your MAC 
> address to become a different client would definitely confuse OpenVPN, 
> but would it really work?  Wouldn't it just result in a DoS for the 
> targeted client until the attack stops?

Since you can have bridged client setups, the OpenVPN server will just learn 
additional MAC addresses.

I'm not sure what would happen if client A starts using the mac address of 
client B.  Either the server will ignore that ("I already know!") or kick out 
client B from the forwarding table, and send the packets to A.

Either way "what a normal switch does".  Don't use TAP.

gert

==============================

TAP/Bridge is the only reason I use openVPN :-). I would even believe it is 
one of the reasons it will survive in the long run 8-)

In the openvpn-status.log, there are entries that look like this:
--------------------
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
remote MAC, client-cert-name, remote ip:port, timestamp last seen
...
-------------------

With that in hand, I would consider mac-cert-remoteipandport to have a very strong 
binding, and it is not easy to break it by just ARP spoofing.

Andy
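Both messages above come down to the same question: what the server's MAC-to-client table looks like when client A starts using client B's MAC on a TAP tunnel. The status log Andy quotes is the only place that binding is visible, so the check a practitioner would actually run is to diff the ROUTING TABLE section between two snapshots and flag any MAC whose Common Name / Real Address changed. The following is an added example, not OpenVPN's own code and not something either poster wrote; it assumes the default status-version 1 layout (the `ROUTING TABLE` header followed by `Virtual Address,Common Name,Real Address,Last Ref` lines, terminated by `GLOBAL STATS`/`END`), and the client names, MACs, addresses and timestamps in the two snapshots are constructed for illustration.

```python
"""Detect a TAP-mode MAC address moving between OpenVPN clients.

Added example (not OpenVPN project code).  It parses the ROUTING TABLE section
of two consecutive openvpn-status.log snapshots (status-version 1 layout, as
quoted in the thread) and reports every MAC that is now bound to a different
Common Name or Real Address than before.  Newly learned MACs are deliberately
not reported: a bridged client legitimately exposes new MACs over time, which
is gert's point about the server "just learning additional MAC addresses".
The snapshots, client names, MACs and addresses below are constructed.
"""
import re
from typing import Dict, List, NamedTuple

# Colon-separated 48-bit MAC; TUN-mode entries carry an IP here and are skipped.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


class Entry(NamedTuple):
    common_name: str
    real_address: str
    last_ref: str


class Move(NamedTuple):
    mac: str
    before: Entry
    after: Entry


def parse_routing_table(status_text: str) -> Dict[str, Entry]:
    """Return {mac: Entry} for the ROUTING TABLE section of a status log.

    Only lines between 'ROUTING TABLE' and the next section header are used;
    the CSV header line is skipped and malformed lines are ignored rather
    than guessed at.
    """
    table: Dict[str, Entry] = {}
    in_table = False
    for raw in status_text.splitlines():
        line = raw.strip()
        if line == "ROUTING TABLE":
            in_table = True
            continue
        if in_table and line in ("GLOBAL STATS", "END"):
            break
        if not in_table or line.startswith("Virtual Address,"):
            continue
        fields = line.split(",")
        if len(fields) != 4:
            continue
        vaddr, cn, real, last_ref = fields
        if not MAC_RE.match(vaddr):
            continue
        table[vaddr.lower()] = Entry(cn, real, last_ref)
    return table


def mac_moves(before: Dict[str, Entry], after: Dict[str, Entry]) -> List[Move]:
    """MACs whose (Common Name, Real Address) binding changed between snapshots."""
    moves: List[Move] = []
    for mac, old in before.items():
        new = after.get(mac)
        if new is None:
            continue  # aged out or client disconnected; not a takeover
        if (old.common_name, old.real_address) != (new.common_name, new.real_address):
            moves.append(Move(mac, old, new))
    return moves


def report(before_text: str, after_text: str) -> List[str]:
    """One human-readable line per MAC that changed owner between snapshots."""
    moves = mac_moves(parse_routing_table(before_text), parse_routing_table(after_text))
    return [
        f"{m.mac}: {m.before.common_name}@{m.before.real_address}"
        f" -> {m.after.common_name}@{m.after.real_address}"
        for m in moves
    ]


# Constructed snapshot 1: client-a owns ...0a, client-b owns ...0b.
SNAPSHOT_1 = """\
OpenVPN CLIENT LIST
Updated,Mon May  5 19:50:00 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client-a,198.51.100.10:51000,1234,5678,Mon May  5 19:40:00 2014
client-b,198.51.100.20:52000,2345,6789,Mon May  5 19:41:00 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
02:00:00:00:00:0a,client-a,198.51.100.10:51000,Mon May  5 19:49:58 2014
02:00:00:00:00:0b,client-b,198.51.100.20:52000,Mon May  5 19:49:59 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Constructed snapshot 2: client-a has started sending with client-b's MAC
# (...0b now bound to client-a), and client-b's bridge has learned a new,
# legitimate MAC (...cc).  Only the first is a takeover.
SNAPSHOT_2 = """\
OpenVPN CLIENT LIST
Updated,Mon May  5 19:51:30 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client-a,198.51.100.10:51000,2234,6678,Mon May  5 19:40:00 2014
client-b,198.51.100.20:52000,2445,6889,Mon May  5 19:41:00 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
02:00:00:00:00:0a,client-a,198.51.100.10:51000,Mon May  5 19:51:20 2014
02:00:00:00:00:0b,client-a,198.51.100.10:51000,Mon May  5 19:51:23 2014
02:00:00:00:00:cc,client-b,198.51.100.20:52000,Mon May  5 19:51:10 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

if __name__ == "__main__":
    for line in report(SNAPSHOT_1, SNAPSHOT_2):
        print("MAC moved between clients:", line)
```

Run against two copies of a real status file (for example cron-copied every minute) this turns gert's "either ignore it or kick out client B" into something observable: if the server overwrote the binding, the MAC shows up under the new Common Name and is reported; if it ignored the spoof, nothing moves. It does not tell you whether traffic was actually diverted, only that the server's forwarding table changed owner for that MAC.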



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users