Hi,

On Wed, Feb 15, 2023 at 06:02:26PM +0100, Stefanie Leisestreichler wrote:
> On 15.02.23 16:43, Gert Doering wrote:
> > I guess this was intended to read "OpenVPN" :-) - and indeed, with
> > tls-auth/tls-crypt, an OpenVPN server is "invisible" unless you know
> > that it's there and have the right key material.
>
> Are you referring with "invisible" to the not-shown signature of the
> openvpn service?
Yes.

> I tried and was able to port scan a running openvpn instance but got no
> signature. So one can tell the port is open but the attack vector will
> be big. UDP scanning is doable also. To be honest I surely know where
> the services are located but to get them is just a loop away.

Well, the thing is: if you suspect it's openvpn, you can send an initial
UDP openvpn handshake packet to it - and the server will reply, as
configured.

Now, if you add tls-auth or tls-crypt to the server (+client) config, even
a correct "openvpn UDP initial handshake" packet will *not* make the
server reply, unless you also have the right tls-auth/tls-crypt configured
on the client side - which needs a (secret!) key to do so.

So, with this config, OpenVPN is "invisible" because it will never reply
except to those that know the magic words :-)

(Of course a port scanner can detect that there is "something", but there
is close to zero attack surface)

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
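Added illustration (not code from the thread or from the OpenVPN project) of the policy Gert describes: once a pre-shared static key is in play, the server authenticates every control-channel datagram before it does anything else, and a probe that does not carry a valid tag gets no reply, so a scanner sees only a silent UDP port. The model below is deliberately simplified: the packet layout, the `PROBE`/`REPLY` byte strings, the HMAC-SHA256 choice and the monotonic packet-id replay check are all assumptions standing in for the real tls-auth/tls-crypt wire format, which differs in detail. What it demonstrates is the behaviour that matters for "invisibility": an unprotected server answers any well-formed first handshake, a protected one answers only a correctly keyed, fresh packet.

```python
"""Toy model of why a tls-auth/tls-crypt-protected server ignores scanner probes.

Added example; not OpenVPN code and not its wire format. The packet layout,
the PROBE/REPLY strings and the replay rule are assumptions chosen to show
the policy: authenticate first, and never reply to anything that fails.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

TAG_LEN = 32                    # HMAC-SHA256 tag length (assumed)
PROBE = b"CLIENT_HARD_RESET"    # hypothetical stand-in for the first handshake packet
REPLY = b"SERVER_HARD_RESET"    # hypothetical stand-in for the server's answer


def wrap(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Client side: prefix a packet id and authenticate id + payload under the static key."""
    body = struct.pack(">I", packet_id) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


class ToyServer:
    """UDP handler. static_key=None models a server without tls-auth/tls-crypt;
    with a key it silently drops anything that is not authenticated and fresh."""

    def __init__(self, static_key: Optional[bytes]):
        self.static_key = static_key
        self.last_packet_id = 0   # simple replay protection: ids must strictly increase
        self.dropped = 0

    def handle(self, datagram: bytes) -> Optional[bytes]:
        if self.static_key is None:
            # Unprotected: any well-formed initial handshake is answered, and that
            # answer is exactly what a scanner uses to fingerprint the service.
            return REPLY if datagram == PROBE else self._drop()
        if len(datagram) < TAG_LEN + 4:
            return self._drop()              # too short to carry tag + packet id
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self.static_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return self._drop()              # wrong or missing key: no reply at all
        packet_id = struct.unpack(">I", body[:4])[0]
        if packet_id <= self.last_packet_id:
            return self._drop()              # replayed capture: also no reply
        self.last_packet_id = packet_id
        return REPLY if body[4:] == PROBE else self._drop()

    def _drop(self) -> None:
        self.dropped += 1
        return None


def scan_results() -> dict:
    """Send the probes a scanner (and a legitimate client) would send to both servers."""
    key = os.urandom(64)            # stands in for the static key both sides share
    wrong_key = os.urandom(64)      # what an attacker guessing the key would use
    plain = ToyServer(None)
    protected = ToyServer(key)
    good = wrap(key, 1, PROBE)
    return {
        "plain_server_answers_bare_probe": plain.handle(PROBE) == REPLY,
        "protected_ignores_bare_probe": protected.handle(PROBE) is None,
        "protected_ignores_wrong_key": protected.handle(wrap(wrong_key, 1, PROBE)) is None,
        "protected_answers_right_key": protected.handle(good) == REPLY,
        "protected_ignores_replay": protected.handle(good) is None,
        "protected_answers_next_id": protected.handle(wrap(key, 2, PROBE)) == REPLY,
        "protected_dropped": protected.dropped,
    }


if __name__ == "__main__":
    for name, value in scan_results().items():
        print(f"{name}: {value}")
```

In a real deployment the equivalent is to generate the static key once (`openvpn --genkey secret ta.key` on OpenVPN 2.5 and later) and add `tls-crypt ta.key` to both the server and every client config; the key must then be distributed to clients as secret material, which is what makes the "magic words" hard to guess. Note that the toy replay check is per-sender state in a single object; a real server tracks it per session.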