[Openvpn-users] Possible Man-in-middle attack by trusted user (?)

  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Thu, 25 Nov 2004 00:58:03 +0100 (CET)

I believe it's possible for a trusted openvpn user to intercept traffic generated by another user in a typical roadwarrior OpenVPN 2.0 setup in server mode by a "Man in the middle attack".

Take a TAP/bridged setup for instance:

1. Redirect the victim's packets destined for the openvpn server to your host through DNS poisoning, ARP poisoning, route redirection or other methods.

2. Set up openvpn as a server, but use your own client key/cert as the server key/cert.

3. Set up another instance of openvpn as a normal client to the real server.

4. Bridge the two tap interfaces used in 2 and 3 together.

When the victim tries to connect, he should now get a successful connection, with the only difference being that the presented server certificate is your cert instead of the server certificate. As they are both signed by the same CA, it should be accepted by the client.

You will now be able to sniff the traffic flowing between the two tap interfaces.

Use --tls-remote XXX on every client to specify the CN of the servers certificate.

This is just a theory I have, it has not been tested, so please correct me if I'm wrong.

I'm only writing this because I haven't seen the --tls-remote option mentioned in any examples, and never in the configs posted by users here on the list, so I would just like to share this info with everyone.

If the above attack is in fact possible I'd recommend that everyone put --tls-remote in their client configs. It shouldn't hurt anyway!
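As an added example that is not part of the post above, here is the client-side change the post recommends, in OpenVPN 2.0 client-config syntax: the usual road-warrior client config, which accepts any certificate signed by ca.crt, next to the same config with the server certificate's subject pinned. The hostname vpn.example.com, the file names and the CN values are assumptions for illustration; substitute the /CN= of your real server certificate.

```conf
# Added example, not from the original post. The hostname, file names and
# the CN "vpn.example.com" are assumptions for illustration.

# --- As usually posted: ANY certificate signed by ca.crt is accepted as the
# --- server, including another user's client cert with e.g. CN=client2.
client
dev tap
proto udp
remote vpn.example.com 1194
ca   ca.crt
cert client1.crt
key  client1.key

# --- Hardened: same config, plus a check on WHICH CA-signed cert is presented.
client
dev tap
proto udp
remote vpn.example.com 1194
ca   ca.crt
cert client1.crt
key  client1.key
# Accept only a server certificate whose X.509 common name (or full subject)
# equals this string. A certificate issued to a different CN by the same CA
# fails the handshake.
tls-remote vpn.example.com
# Complementary check, also available in 2.0: require the nsCertType=server
# extension, which easy-rsa's build-key-server adds and build-key does not,
# so an ordinary client cert cannot pose as the server even if the CN check
# is misconfigured.
ns-cert-type server
# Note for later versions: OpenVPN 2.4 removed tls-remote; the equivalent is
#   verify-x509-name vpn.example.com name
```

Confirm the value to pin with `openssl x509 -in server.crt -noout -subject` on the real server certificate; the string after `/CN=` is what `tls-remote` must match exactly, so a mismatch (for instance a trailing space or a different case) shows up as a TLS verification failure in the client log rather than as a working but unchecked tunnel.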


