Hi,
On Tue, May 06, 2014 at 02:04:05PM +, Andy Wang wrote:
> Thanks Gert for the detailed education. Following Jason's advice, I've done some simple
> tests using ettercap in my environment, which is openvpn-2.1.1, and you were
> right, OpenVPN can't protect the client from ARP spoofing, which is real
Thanks Gert for the detailed education. Following Jason's advice, I've done some simple
tests using ettercap in my environment, which is openvpn-2.1.1, and you were
right, OpenVPN can't protect the client from ARP spoofing, which is really
bad.
I will try the latest 2.3.4 to see if it is still broken a
There's a lot of good chatter going on about this topic, but at the end
of the day all that matters is whether any of this *conjecture* is real
or not. Someone actually using TAP mode and interested in this subject
should actually *test it* and see what happens
In the immortal words of djb: "profi
Hi,
On Mon, May 05, 2014 at 07:10:42PM +, Andy Wang wrote:
> *ARP* spoofing does not target the "switch" (OpenVPN) but the communication
> endpoints.
>
> You tell A "the mac address for B is C".
>
> You tell B "the mac address for A is C".
>
> And both will happily send all their packets f
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: May-05-14 2:53 PM
To: Andy Wang
Cc: 'Gert Doering'; openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] doubts about possible sniffing
Hi,
On Mon, May 05, 2014 at 06:38:35PM +, Andy
Hi,
On Mon, May 05, 2014 at 06:38:35PM +, Andy Wang wrote:
> With that in hand, I would consider mac-cert-remoteipandport to have a very
> strong binding, and it is not easy to break it by just ARP spoofing.
*ARP* spoofing does not target the "switch" (OpenVPN) but the communication
endpoints.
-Original Message-
Hi,
On Mon, May 05, 2014 at 07:51:23PM +0200, David Sommerseth wrote:
> > ARP spoofing might indeed work. So don't use TAP. Don't use TAP
> > anyway, unless you have a very strong reason to do so, and this is
> > usually along the lines of "I need dynamic routing pro
Hi,
On Mon, May 05, 2014 at 08:31:19PM +0200, David Sommerseth wrote:
> > Which OpenVPN does not do (and neither do most switches, even
> > fairly expensive L3 switch stuff). In TAP mode, all it cares about
> > is MAC addresses.
>
> I see ... but if a spoofed packet is sent, wouldn't return pack
On 05/05/14 20:12, Gert Doering wrote:
> Hi,
>
> On Mon, May 05, 2014 at 07:57:50PM +0200, David Sommerseth wrote:
>> But, that doesn't mean that all kinds of attacks will work.
>> Because OpenVPN does some checks on the packets it receives and
>> forw
Hi,
On Mon, May 05, 2014 at 07:57:50PM +0200, David Sommerseth wrote:
> But, that doesn't mean that all kinds of attacks will work. Because
> OpenVPN does some checks on the packets it receives and forwards. So
> there is a chance OpenVPN won't make ARP spoofing work too easily,
> compared to swi
Hi,
On Mon, May 05, 2014 at 07:51:23PM +0200, David Sommerseth wrote:
> > ARP spoofing might indeed work. So don't use TAP. Don't use TAP
> > anyway, unless you have a very strong reason to do so, and this is
> > usually along the lines of "I need dynamic routing protocols to
> > work across Ope
Subject: Re: [Openvpn-users] doubts about possible sniffing
>>
>> Of course not. The session key is negotiated between client and
>> the server as part of the TLS handshake, and is unique for each
>> client.
>
> Sure, but there is nothing "of course" about it.
On 04/05/14 22:31, Jason Haar wrote:
> The way I look at it (and hopefully I'm correct - I've never used
> tap so I haven't tested that), "tun" interfaces are like
> traditional physical point-to-point WAN links - and one WAN link
> cannot see the traf
On 04/05/14 21:51, Gert Doering wrote:
> Hi,
>
> On Sun, May 04, 2014 at 08:08:54PM +0100, Jonathan Tripathy wrote:
>> I still think the OP has asked a very good question.
>>
>> Whilst the traffic won't physically go to C (at least for TUN
>> networ
> -Original Message-
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Monday, 5 May 2014 5:51 AM
> To: Jonathan Tripathy
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] doubts about possible sniffing
>
> Of course not. The s
The way I look at it (and hopefully I'm correct - I've never used tap so
I haven't tested that), "tun" interfaces are like traditional physical
point-to-point WAN links - and one WAN link cannot see the traffic from
another WAN link. Similarly, "tap" interfaces are equivalent to a
*switch* - not an
Hi,
On Sun, May 04, 2014 at 08:08:54PM +0100, Jonathan Tripathy wrote:
> I still think the OP has asked a very good question.
>
> Whilst the traffic won't physically go to C (at least for TUN
> networks), an answer would be great regarding whether C could de-crypt
> the traffic using the keys he
On 2014-05-04 19:52, Gert Doering wrote:
> Hi,
>
> On Sun, May 04, 2014 at 08:31:21PM +0200, Pol Hallen wrote:
>> Hi folks, I'm sorry if my question is trivial...
>>
>> My situation: 1 openvpn server, many clients over the internet that use
>> openvpn
>>
>> My doubt is: if a client (A) exchanges dat
Hi,
On Sun, May 04, 2014 at 08:31:21PM +0200, Pol Hallen wrote:
> Hi folks, I'm sorry if my question is trivial...
>
> My situation: 1 openvpn server, many clients over the internet that use openvpn
>
> My doubt is: if a client (A) exchanges data from/to another client (B) with
> ftp protocol, another
Hi folks, I'm sorry if my question is trivial...
My situation: 1 openvpn server, many clients over the internet that use openvpn
My doubt is: if a client (A) exchanges data from/to another client (B) with
ftp protocol, another client (C) can sniff the traffic from A to B? If
yes, is it clear traffic? (