"Andrew J. Richardson" <andrew@xxxxxxxxxxxxxxxxxxxxxxx> said:

> Ok, sounds like a plausible solution to me. The only reason I asked is that some commercial VPN solutions lock out all other adapters while being connected to VPN and re-open them on closure of the VPN tunnel.

I see. As you've discovered, OpenVPN doesn't. OpenVPN is fairly flexible here in that it allows you to control what you route through the VPN. Some people will only want traffic to and from a protected network to pass through the VPN, while web traffic transits directly to and from the internet (this is the OpenVPN default). Others may want to make the VPN itself the default route so that (for example) web traffic also passes through the VPN and is actually proxied or NATed to the internet from the VPN server (in OpenVPN, this is done by --redirect-gateway).

One distinction which should be made here is that --redirect-gateway only changes routing settings, not firewall settings. --redirect-gateway is really simply a helper for the OS's "route" command. It makes the VPN the default route but does not change any firewall settings.

On a Windows client, the firewall can be turned on by going to the network adapter which connects to the internet and enabling the internet connection firewall (or using ZoneAlarm). The TAP-Win32 VPN adapter doesn't need to be firewalled if the VPN server is trusted, though you could conceivably firewall it as well if you are connecting to an untrusted VPN (for example you might want access to certain things on the VPN server's network but not want anyone on the VPN server side to be able to access your machine).

Now as far as locking out other adapters when the VPN is connected, do you mean that the firewall policies on the client become more restrictive when the VPN is activated or that the VPN changes the routes on the machine so that all traffic (including internet traffic) flows through the VPN?
I ask this because I'm sceptical that temporary changes in security policy on a client machine can improve overall security. If a client machine has dual security policies (one more restrictive and one less restrictive), based on whether or not it is connected to a VPN, the client might be compromised while in the less secure mode, then when it connects to the VPN, that compromise (be it trojan, virus, or worm) might have an easier time jumping across the VPN to other machines which implicitly trust the infected machine because it is on the VPN network.

In my view, this is one of the "Achilles heels" of VPNs in that they create trust relationships between different networks, and those trust relationships can potentially be exploited if one machine in the network becomes compromised.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
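The routing change --redirect-gateway makes, and what it leaves alone, as an added example that is not code from this thread or from OpenVPN itself: a small longest-prefix-match routing table in Python. It assumes the def1 form of the option (a host route keeping the VPN server reachable via the old gateway, then 0.0.0.0/1 and 128.0.0.0/1 via the tunnel gateway); the addresses and interface names are constructed.

```python
# Added illustration, not OpenVPN's code: a minimal longest-prefix-match
# routing table showing what "redirect-gateway def1" asks the OS "route"
# command to add, and what it leaves untouched. Sample addresses and
# interface names are constructed.
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str]  # (prefix, gateway, interface)


def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Return (gateway, interface) for dst by longest-prefix match,
    the same decision the OS forwarding code makes."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, gw, dev in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def base_table() -> List[Route]:
    """Client before connecting: a directly attached LAN and one default route."""
    n = ipaddress.ip_network
    return [
        (n("192.168.1.0/24"), "0.0.0.0", "eth0"),  # on-link LAN, no gateway
        (n("0.0.0.0/0"), "192.168.1.1", "eth0"),   # ISP default gateway
    ]


def redirect_gateway_def1(table: List[Route], vpn_server: str,
                          vpn_gw: str, tun: str = "tun0") -> List[Route]:
    """Routes added by --redirect-gateway def1: the VPN server stays reachable
    through the original gateway, and two /1 routes out-rank 0.0.0.0/0 without
    deleting it. Nothing here touches any firewall policy."""
    n = ipaddress.ip_network
    old_gw, old_dev = lookup(table, vpn_server)
    return table + [
        (n(vpn_server + "/32"), old_gw, old_dev),
        (n("0.0.0.0/1"), vpn_gw, tun),
        (n("128.0.0.0/1"), vpn_gw, tun),
    ]
```

The LAN lookup after the change still resolves to eth0, which is the routing-versus-firewall distinction James draws: the other adapter is not locked out, it is merely no longer the default path.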