[Openvpn-users] doubts about possible sniffing
Hi folks, I'm sorry if my question is trivial...

My situation: 1 openvpn server, many clients over the internet that use openvpn.

My doubt is: if a client (A) exchanges data from/to another client (B) with the ftp protocol, can another client (C) sniff the traffic from A to B? If yes, is it clear traffic (not encrypted)?

I transfer some data every day and I need a protocol like ftp (sftp does not have all the options ftp has) and I can't use rsync :-(

So, what's the better way to choose a protocol?

Thanks for help

Pol

--
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] doubts about possible sniffing
Hi,

On Sun, May 04, 2014 at 08:31:21PM +0200, Pol Hallen wrote:
> Hi folks, I'm sorry if my question is trivial...
>
> My situation: 1 openvpn server, many clients over internet that uses openvpn
>
> My doubt is: if a client (A) exchange data from/to other client (B) with
> ftp protocol, another client (C) can sniff the traffic from A to B? if
> yes, is it clear traffic? (not crypted).

Why should the server send data between A<->B to C? This would never
make sense, just for bandwidth reasons alone.

(And since it does not make sense, it is not being done)

The *server* can see your data, of course, as it is decrypting data from
A, looking at the headers to decide who it is for, and then re-encrypting
it when sending to B.

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-users] doubts about possible sniffing
On 2014-05-04 19:52, Gert Doering wrote:
> Hi,
>
> On Sun, May 04, 2014 at 08:31:21PM +0200, Pol Hallen wrote:
>> Hi folks, I'm sorry if my question is trivial...
>>
>> My situation: 1 openvpn server, many clients over internet that uses
>> openvpn
>>
>> My doubt is: if a client (A) exchange data from/to other client (B)
>> with
>> ftp protocol, another client (C) can sniff the traffic from A to B?
>> if
>> yes, is it clear traffic? (not crypted).
>
> Why should the server send data between A<->B to C? This would never
> make sense, just for bandwidth reasons alone.
>
> (And since it does not make sense, it is not being done)
>
> The *server* can see your data, of course, as it is decrypting data
> from
> A, looking at the headers to decide who it is for, and then
> re-encrypting
> it when sending to B.
>

I still think the OP has asked a very good question.

Whilst the traffic won't physically go to C (at least for TUN networks), an answer would be great regarding whether C could de-crypt the traffic using the keys he/she has.

Another thing to remember is that for a TAP network, C could potentially get some of the traffic if ARP goes funny etc...

Thanks
Re: [Openvpn-users] doubts about possible sniffing
Hi,

On Sun, May 04, 2014 at 08:08:54PM +0100, Jonathan Tripathy wrote:
> I still think the OP has asked a very good question.
>
> Whilst the traffic won't physically go to C (at least for TUN
> networks), an answer would be great regarding whether C could de-crypt
> the traffic using the keys he/she has.

Of course not. The session key is negotiated between each client and the
server as part of the TLS handshake, and that is unique for each client.

> Another thing to remember is that for TAP network, C could potentially
> get some of the traffic if ARP goes funny etc...

ARP spoofing might indeed work. So don't use TAP.

Don't use TAP anyway, unless you have a very strong reason to do so, and
this is usually along the lines of "I need dynamic routing protocols to
work across OpenVPN".

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-users] doubts about possible sniffing
The way I look at it (and hopefully I'm correct - I've never used tap so I haven't tested that), "tun" interfaces are like traditional physical point-to-point WAN links - and one WAN link cannot see the traffic from another WAN link.

Similarly, "tap" interfaces are equivalent to a *switch* - not an old-fashioned *bridge*: one device plugged into a switch cannot see the traffic flows of another device (except for broadcasts - which is the only reason you'd use tap anyway).

Of course - as Gert mentioned - taps do suffer from the same security issues as switches; you can subvert that general rule by doing tricks with arp spoofing/etc.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] doubts about possible sniffing
> -----Original Message-----
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Monday, 5 May 2014 5:51 AM
> To: Jonathan Tripathy
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] doubts about possible sniffing
>
> Of course not. The session key is negotiated between client and the
> server as part of the TLS handshake, and is unique for each client.

Sure, but there is nothing "of course" about it. The server key might be pinned, and the client might be using a static key for its "unique" value.

It needs to be asked, and when it's asked it's good that there is a good answer.

(david)
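The key model Gert describes (each client holds a session key shared only with the server, which decrypts A's traffic and re-encrypts it for B) and David's caveat about a shared static key can be modelled in a few lines. This is an added illustration, not OpenVPN code: the cipher is a toy encrypt-then-MAC built from HMAC, the FTP payload is constructed, and the model assumes C has somehow captured the ciphertext sent to B, which in TUN mode it would not normally even receive.

```python
"""Toy model of hop-by-hop VPN keying (added example, not OpenVPN's code)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustration only, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag does not verify under this key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def relay_via_server(keys: dict, src: str, dst: str, payload: bytes):
    """The hub decrypts with src's key, sees the headers and payload in clear,
    then re-encrypts for dst. Returns (what the server saw, blob sent to dst)."""
    seen = unseal(keys[src], seal(keys[src], payload))
    return seen, seal(keys[dst], seen)


def simulate(shared_static_key: bool = False) -> dict:
    """Who can recover A's FTP payload: the server, B, or a third client C?"""
    if shared_static_key:
        k = os.urandom(32)
        keys = {"A": k, "B": k, "C": k}          # one pre-shared key for everyone
    else:
        keys = {n: os.urandom(32) for n in "ABC"}  # distinct per-client session keys
    payload = b"USER pol\r\nPASS <constructed-password>\r\n"  # constructed FTP control data
    seen_by_server, wire_to_b = relay_via_server(keys, "A", "B", payload)
    return {"server": seen_by_server == payload,
            "B": unseal(keys["B"], wire_to_b) == payload,
            "C": unseal(keys["C"], wire_to_b) == payload}
```

With per-client keys the server and B read the payload and C cannot; with one shared static key, C recovers it too, which is the case David is warning about. In both cases the server sees the FTP credentials in clear, which answers Pol's "is it clear traffic?" for the hop inside the server.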