Re: [Openvpn-users] Bridge LAN Setup?

  • Subject: Re: [Openvpn-users] Bridge LAN Setup?
  • From: "bronson mathews" <gibbz1@xxxxxxxxxxx>
  • Date: Sun, 05 Dec 2004 08:21:56 +1030

OK, what is HMAC? How do I set that up?


From: James Yonan <jim@xxxxxxxxx>
To: bronson mathews <gibbz1@xxxxxxxxxxx>
CC: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Bridge LAN Setup?
Date: Sat, 4 Dec 2004 12:54:48 -0700 (MST)

On Sat, 4 Dec 2004, bronson mathews wrote:

> OK, I'm not really understanding the config files that much; I could use some
> help.
> I have both ends bridged, so we want to be able to ping each other's local
> IPs (for games).
> Note: for some reason the mailing list isn't emailing me the emails, so if
> you could also forward the emails to gibbz1@xxxxxxxxxxx for me, thanks.
> I've got 2 LANs, at
> -my end (server) local IP of the bridge is
> -VPN IP (should the VPN even have an IP when bridged?)
> -client end local IP of bridge is
> -VPN IP
> Now I've followed the guide here...
> http://www.pavelec.net/adam/openvpn/bridge/
> I've modified the scripts but having no luck with them....
> Also we have no need for this encryption as it's for gaming; is it possible
> to get just a key and none of the other stuff, but still have master with
> multiple clients?

You can use:

  cipher none
  auth none

in the config file to disable tunnel security.  This works even in
client/server mode -- make sure to add this to both the server config and
all client configs.

If I were you, I think a better choice for gaming if you think the
standard OpenVPN security is more than you need, would be to keep HMAC
authentication turned on and just dispose of the encryption.  That's a
good choice when you don't care about eavesdropping, but you want to
secure against active attacks, i.e. someone maliciously creating packets
which masquerade as OpenVPN packets in order to slip past your firewall.
For that, you just need to add "cipher none".

That will cause all packets to be cryptographically signed, so they can be
verified as legitimate, but the tunnel data will still be sent as
cleartext, i.e. not encrypted.
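The following is an added illustration of the trade-off James describes, not code from the thread or from OpenVPN itself: a packet is tagged with an HMAC over a shared key so the receiver can check that it is genuine and unmodified, while the payload itself travels in cleartext. It assumes HMAC-SHA256 and a simplified "tag followed by payload" framing; the real OpenVPN packet format, its configured `auth` digest and its key material differ, and the keys and packet contents here are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo keys; OpenVPN takes its HMAC key from its own key material, not a literal.
SHARED_KEY = bytes.fromhex("7f2d9a3c4b1e8f60" * 4)   # 32 bytes, constructed
WRONG_KEY = bytes.fromhex("0011223344556677" * 4)    # a key an outsider might try, constructed
TAG_LEN = hashlib.sha256().digest_size               # 32-byte HMAC-SHA256 tag


def tag_packet(key: bytes, payload: bytes) -> bytes:
    """Build an authenticated but cleartext packet: HMAC tag followed by the payload.

    This mirrors the "cipher none" with HMAC still on case: anyone on the wire can
    read the payload, but nobody without the key can forge or modify it unnoticed.
    """
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def verify_packet(key: bytes, packet: bytes):
    """Return the payload if the tag is valid, or None if the packet should be dropped."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be guessed one byte at a time.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def demo() -> dict:
    """Exercise the cases discussed in the thread and return the outcomes."""
    game_update = b"player=bronson x=12 y=40"      # constructed sample tunnel payload
    genuine = tag_packet(SHARED_KEY, game_update)

    # 1. Genuine packet: accepted by the peer, and the payload is readable on the wire.
    accepted = verify_packet(SHARED_KEY, genuine)

    # 2. Payload altered in transit (one bit flipped): the tag no longer matches.
    tampered = bytearray(genuine)
    tampered[TAG_LEN] ^= 0x01
    modified_rejected = verify_packet(SHARED_KEY, bytes(tampered)) is None

    # 3. Packet built by someone who does not hold the shared key: rejected too.
    forged = tag_packet(WRONG_KEY, game_update)
    forged_rejected = verify_packet(SHARED_KEY, forged) is None

    return {
        "accepted_payload": accepted,
        "payload_on_wire": genuine[TAG_LEN:],
        "modified_rejected": modified_rejected,
        "forged_rejected": forged_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In OpenVPN terms this is what `cipher none` on its own gives you: the `auth` setting is left at whatever the config specifies, so every packet still carries an HMAC and forged or altered packets are dropped, while adding `auth none` as well removes that check and leaves only the cleartext.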