Hi,

On Tue, May 06, 2014 at 02:04:05PM +0000, Andy Wang wrote:
> Thanks Gert for the detailed education. Following Jason's advice I've done some
> simple tests using ettercap in my environment, which is openvpn-2.1.1, and you
> were right, OpenVPN can't protect the client from ARP spoofing, which is really
> bad.
>
> I will try the latest 2.3.4 to see if it is still broken and try to fix it.
Save yourself the effort. As I told you, there is no code in OpenVPN that
would validate IP/MAC relationships for the inside IP address - and that
is *hard*. If it were easy, normal switch vendors would all do this.

Basically you need a way to assign "this is the right mapping", which you
do not have authority over - the client could have a statically configured
IP address, and a random MAC on his TAP adapter that changes on every VPN
connection. So you need to sniff "initial ARP packets" and glean from
there the IP/ARP binding if and only if the address is not already locked
elsewhere.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
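The approach Gert sketches above (learn each inside IP's MAC from the first ARP packet that announces it, treat that as locked, and alert when a later ARP packet claims the same IP with a different MAC) is what tools like arpwatch do on a physical LAN. The following is an added example written for this page, not code from OpenVPN or from the list thread: a minimal ARP binding tracker that parses raw Ethernet/ARP frames, allows the operator to pre-seed bindings they do have authority over (the server-side gateway address, here assumed to be 10.8.0.1), learns everything else on first sight, and flags two spoofing indicators: an IP re-announced from a different MAC, and an ARP sender MAC that does not match the Ethernet source MAC. All addresses and frames are constructed for the demo; on a real TAP server you would feed it frames read from the tap interface, which this example deliberately does not do so that it runs offline.

```python
import socket
import struct

# Constructed example: first-sight ARP binding lock with conflict detection.
# Not OpenVPN code; the MACs, IPs and frames below are made up for the demo.

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR_LEN, ARP_LEN = 14, 28


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip,
              eth_dst="ff:ff:ff:ff:ff:ff", eth_src=None):
    """Build an Ethernet + IPv4 ARP frame (constructed test input, not capture data).
    eth_src defaults to the ARP sender MAC, as a well-behaved host would send it."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
           + mac_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (eth_src, op, sender_mac, sender_ip, target_mac, target_ip),
    or None if the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return (mac_str(frame[6:12]), op,
            mac_str(body[0:6]), socket.inet_ntoa(body[6:10]),
            mac_str(body[10:16]), socket.inet_ntoa(body[16:20]))


class ArpBindingTable:
    """ip -> mac table. Operator-supplied bindings are authoritative; all other
    addresses are locked to the MAC seen in the first ARP packet that announces them."""

    def __init__(self, static=None):
        self.bindings = dict(static or {})
        self.static = set(self.bindings)

    def observe(self, frame):
        """Feed one frame; return None, or an alert dict describing the conflict."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        eth_src, op, smac, sip, _tmac, _tip = parsed
        # A host announcing an ARP sender MAC different from its L2 source is
        # forging the ARP payload; do not learn anything from such a frame.
        if eth_src != smac:
            return {"alert": "sender_mac_mismatch", "ip": sip,
                    "eth_src": eth_src, "arp_sender": smac, "op": op}
        if sip == "0.0.0.0":            # address-conflict-detection probe: nothing to learn
            return None
        known = self.bindings.get(sip)
        if known is None:                # first sighting locks the binding
            self.bindings[sip] = smac
            return None
        if known != smac:
            return {"alert": "arp_conflict", "ip": sip, "expected_mac": known,
                    "seen_mac": smac, "op": op, "static": sip in self.static}
        return None


def run_demo():
    """Replay a constructed sequence: one legitimate client, then an attacker
    poisoning both directions, then a frame with a forged ARP sender MAC."""
    gw, client, attacker = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
    table = ArpBindingTable(static={"10.8.0.1": gw})          # assumed gateway binding
    frames = [
        build_arp(ARP_REQUEST, client, "10.8.0.10", "00:00:00:00:00:00", "10.8.0.1"),  # learns 10.8.0.10
        build_arp(ARP_REPLY, gw, "10.8.0.1", client, "10.8.0.10"),                     # matches static
        build_arp(ARP_REPLY, attacker, "10.8.0.10", gw, "10.8.0.1"),                   # claims client's IP
        build_arp(ARP_REPLY, attacker, "10.8.0.1", client, "10.8.0.10"),               # claims gateway IP
        build_arp(ARP_REPLY, attacker, "10.8.0.66", client, "10.8.0.10", eth_src=client),  # forged payload
    ]
    alerts = []
    for frame in frames:
        alert = table.observe(frame)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The table only solves the easy half of the problem Gert describes: it can tell you that a binding changed, not which of the two claimants is legitimate, and a client whose TAP MAC really does change on every connection will trip it after every reconnect unless the server pushes or records the address itself. That is why the example reports rather than blocks.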
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users