Hi,

On Fri, May 13, 2016 at 05:51:20PM +0200, Chris Laif wrote:
> I wonder if there is an easy way to protect the client from executing
> ifconfig/route-statements sent by an (untrusted) server. I think of
> some config options like
>
> ifconfig-limit 10.123.0.0/24
> route-limit 10.111.0.0/16
> route-limit 10.222.0.0/24
>
> Any statements sent by the server not matching those networks would be
> ignored.
>
> I know the 'ifconfig-noexec' and 'route-nopull' options which likely
> could be combined with some bash scripts parsing the push-options ...
> but that's not an easy way :)

--route-nopull plus adding --route as you see necessary.

Or just not using --pull at all, and statically configuring --ifconfig
and --route according to your needs.

To some extent, you have to trust the VPN server anyway - you're sending
your IP packets there, and after decryption, the server can see them in
the plain. By virtue of its certificate, the server shows itself to be
trusted (for some definition of trust).

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
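The script-based filtering the question alludes to, as an added example that is not part of either message and is not OpenVPN code: it checks each pushed route against an allow-list and accepts only routes fully contained in it. It assumes the client uses --route-noexec with this file as its --route-up script and that ifconfig_local is present in the script environment; the function names and the sample environment are constructed for illustration.

```python
# Added example, not OpenVPN code. Assumes --route-noexec with this file as the
# --route-up script: routes then arrive as route_network_N/_netmask_N/_gateway_N.
import ipaddress
import os

# Allow-list: the networks named in the question above.
ROUTE_LIMIT = [ipaddress.ip_network(n) for n in ("10.111.0.0/16", "10.222.0.0/24")]
IFCONFIG_LIMIT = ipaddress.ip_network("10.123.0.0/24")

# Constructed sample of the environment after a server push.
SAMPLE_ENV = {
    "ifconfig_local": "10.123.0.7",
    "route_network_1": "10.111.4.0", "route_netmask_1": "255.255.255.0",
    "route_network_2": "10.0.0.0", "route_netmask_2": "255.0.0.0",
    "route_gateway_1": "10.123.0.1", "route_gateway_2": "10.123.0.1",
}


def filter_routes(env, allowed=ROUTE_LIMIT):
    """Return (accepted, rejected) lists of (network, gateway) pushed via env."""
    accepted, rejected = [], []
    n = 1
    while f"route_network_{n}" in env:
        addr = env[f"route_network_{n}"]
        mask = env.get(f"route_netmask_{n}", "255.255.255.255")
        gw = env.get(f"route_gateway_{n}", "")
        n += 1
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}")  # host bits set -> error
        except ValueError:
            rejected.append((f"{addr}/{mask}", gw))
            continue
        # Accept only a route that lies entirely inside an allowed network.
        inside = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        (accepted if inside else rejected).append((str(net), gw))
    return accepted, rejected


def ifconfig_ok(env, allowed=IFCONFIG_LIMIT):
    """True if the tunnel address assigned by the server is in the allowed range."""
    try:
        return ipaddress.ip_address(env.get("ifconfig_local", "")) in allowed
    except ValueError:
        return False


if __name__ == "__main__":
    env = os.environ if "route_network_1" in os.environ else SAMPLE_ENV
    good, bad = filter_routes(env)
    print("accepted:", good, "ignored:", bad, "ifconfig ok:", ifconfig_ok(env))
```

The script only classifies the pushed values; installing the accepted routes is left to the caller. A pushed 10.0.0.0/8 is rejected even though it overlaps an allowed network, because containment rather than overlap is the test.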