
Re: [Openvpn-users] Routing mostly works, but ...


  • Subject: Re: [Openvpn-users] Routing mostly works, but ...
  • From: Rob McGee <rob0@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 25 Jan 2004 14:46:07 -0600

On Sun, Jan 25, 2004 at 06:49:33PM +0100, Lehmann Guillaume wrote:
> What are advantages to use an net1's IP address on a net2's
> computer (the gateway), and a net2's IP address on a net1's
> computer (the other gateway)? Why not use 2 distinct networks,
> with another network between them:

In fact I used to do this. The only advantage I see in the new way is
that I don't need a reverse DNS zone for the VPN network. It's silly,
but I like to use "/sbin/route" and see all the IP addresses resolve to
names. :) There's no functional advantage, nor any significant
disadvantage, that I can see. (Neither net1 nor net2 is likely to ever
fill their allotted /24 netblocks.)

> It's better to write:
> route add -net 192.1.8.0 netmask 255.255.255.0 gw 192.168.4.6
> 
> In your case, 192.168.4.0 is included in 192.168.0.0/16.

It is included, and it is working. Packets from vpn1 to net2 never go to
gw1, where that /16 route is in place and working. vpn1 has its own /24
route through vpn2 to net2 (192.168.8.0).

So I don't get your point. In what way is it better? I can tell you how
it's worse: for every new VPN I'd have to add a new static route on the
default gateway, as well as on the VPN gateway. That will not scale
well, quickly becoming unmanageable.

> Why do you need UML ? If it's about OpenVPN security's problems,

I didn't know about OpenVPN's security problems. How is it vulnerable?
My concern had nothing to do with OpenVPN; rather, with openssh,
sendmail, etc.

The theory is that if the gw2 should be compromised, the VPN traffic
could remain inviolate. gw2 runs several external services, which are
generally secure, but one never knows when one might fall to a 0-day
(or earlier!) exploit.

With the UML as is I don't really gain anything, you are correct; but I
am planning to convert it to use filesystem encryption. Then control of
the host machine would not provide control of the UML (other than the
ability to terminate the process, and IMO it's much preferable to lose
the connection than to lose sensitive data.)

> OpenVPN offers options to downgrade the daemon privileges. In my

I do this already, even on the UML. :)

> opinion, you can use OpenVPN without UML, and the diagram will be
> more simple (and the problem easier to solve).

Would it? The problem seems to be on vpn1, a real physical machine.

> I don't understand why you use so complex an architecture!

The VPN data is *that* important. I'm going to try to pitch this to a
customer who deals in medical data, which is subject to strict
confidentiality guidelines. We need to be able to prove that the data is
absolutely secure.

Thank you for the reply.

    Rob - /dev/rob0
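As an added illustration (not part of the original message) of why the overlapping /24 inside the /16 is harmless: a routing table picks the longest matching prefix, so vpn1's own /24 toward net2 via vpn2 wins over the broader route toward gw1. The route entries and gateway names below are constructed assumptions modelled on the thread, not the poster's actual configuration.

```python
import ipaddress

# Constructed routing table for vpn1 (assumption, modelled on the thread):
# everything not known locally goes to gw1, which holds the site /16,
# while net2 (192.168.8.0/24) has its own, more specific route via vpn2.
VPN1_ROUTES = [
    ("0.0.0.0/0", "gw1"),          # default route, gw1 carries the /16
    ("192.168.8.0/24", "vpn2"),    # VPN link to net2 through vpn2
]


def lookup(routes, dst):
    """Return the gateway chosen by longest-prefix match, or None.

    This mirrors what the kernel does: among all routes whose prefix
    contains dst, the one with the longest prefix length wins, so a
    /24 nested inside a /16 (or under the default route) is selected
    for its own addresses only.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def overlapping_prefixes(routes):
    """List (broader, narrower) pairs where one route prefix contains the other.

    Overlap is normal and expected (it is how more specific routes
    override aggregate ones); this helper just makes it visible.
    """
    nets = [ipaddress.ip_network(p) for p, _ in routes]
    return [
        (str(a), str(b))
        for a in nets
        for b in nets
        if a != b and b.subnet_of(a)
    ]


if __name__ == "__main__":
    for dst in ("192.168.8.10", "192.168.50.1", "10.1.2.3"):
        print(f"{dst:>14} -> {lookup(VPN1_ROUTES, dst)}")
    print("overlaps:", overlapping_prefixes(VPN1_ROUTES))
```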

