
Re: [Openvpn-users] Road warrior insecure? Or am I missing a crucial point?

  • Subject: Re: [Openvpn-users] Road warrior insecure? Or am I missing a crucial point?
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Fri, 7 May 2004 17:49:07 -0000

"Andrew J. Richardson" <andrew@xxxxxxxxxxxxxxxxxxxxxxx> said:

> Ok, sounds like a plausible solution to me. The only reason I asked is
> that some commercial VPN solutions lock out all other adapters while being
> connected to VPN and re-open them on closure of the VPN tunnel.

I see.  As you've discovered, OpenVPN doesn't.

OpenVPN is fairly flexible here in that it allows you to control what you
route through the VPN.  Some people will only want traffic to and from a
protected network to pass through the VPN, while web traffic transits directly
to and from the internet (this is the OpenVPN default).  Others may want to
make the VPN itself the default route so that (for example) web traffic also
passes through the VPN and is actually proxied or NATed to the internet from
the VPN server (in OpenVPN, this is done by --redirect-gateway).

One distinction which should be made here is that --redirect-gateway only
changes routing settings, not firewall settings.  --redirect-gateway is really
simply a helper for the OS's "route" command.  It makes the VPN the default
route but does not change any firewall settings.  On a Windows client, the
firewall can be turned on by going to the network adapter which connects to
the internet and enabling the internet connection firewall (or using
ZoneAlarm).  The TAP-Win32 VPN adapter doesn't need to be firewalled if the
VPN server is trusted, though you could conceivably firewall it as well if you
are connecting to an untrusted VPN (for example you might want access to
certain things on the VPN server's network but not want anyone on the VPN
server side to be able to access your machine).

Now as far as locking out other adapters when the VPN is connected, do you
mean that the firewall policies on the client become more restrictive when the
VPN is activated or that the VPN changes the routes on the machine so that all
traffic (including internet traffic) flows through the VPN?

I ask this because I'm sceptical that temporary changes in security policy on
a client machine can improve overall security.  If a client machines has dual
security policies (one more restrictive and one less restrictive), based on
whether or not it is connected to a VPN, the client might be compromised while
in the less secure mode, then when it connects to the VPN, that compromise (be
it trojan, virus, or worm) might have an easier time jumping across the VPN to
other machines which implicitly trust the infected machine because it is on
the VPN network.

In my view, this is one of the "Achilles heels" of VPNs in that they create
trust relationships between different networks, and those trust relationships
can potentially be exploited if one machine in the network becomes compromised.
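To illustrate the point above that --redirect-gateway changes only the routing table and leaves the firewall alone, here is an added example (not from the original post or the OpenVPN project) of the firewall half for a Linux client: an OpenVPN --up/--down script that lets the client reach the VPN but drops connections initiated from the VPN server side towards the client. It assumes iptables is installed, that OpenVPN runs it via `up` and `down` config directives with `script-security 2`, and relies on OpenVPN passing the tunnel device name as the first argument and setting `script_type` to "up" or "down".

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenVPN itself.
# Firewalls the tunnel adapter so hosts on the VPN server side cannot
# initiate connections to this client, while replies to connections the
# client opened still flow. Assumes iptables and an OpenVPN config with:
#   script-security 2
#   up   /etc/openvpn/tun-fw.sh
#   down /etc/openvpn/tun-fw.sh
# OpenVPN passes the tunnel device (e.g. tun0) as $1 and sets
# $script_type to "up" or "down".

# Print the iptables commands for one tunnel device.
# $1 = device name, $2 = "-A" (add rules) or "-D" (delete them).
# Printing rather than executing lets the rule set be reviewed or
# tested without root.
tun_fw_rules() {
    tdev="$1"; action="$2"
    cat <<EOF
iptables $action INPUT -i $tdev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables $action INPUT -i $tdev -j DROP
iptables $action FORWARD -i $tdev -j DROP
EOF
}

# Run (or, with DRY_RUN set, just echo) each generated command.
apply_rules() {
    tun_fw_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Entry point when invoked by OpenVPN; does nothing when script_type is
# unset (e.g. when the file is sourced for review).
case "${script_type:-}" in
    up)   apply_rules "$1" -A ;;
    down) apply_rules "$1" -D ;;
esac
```

The FORWARD drop also stops the client from relaying packets between its other interfaces and the tunnel, which is the routing-only behaviour --redirect-gateway does not address.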


Openvpn-users mailing list