[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

[Openvpn-users] Issues regarding tun interface & ARP protocol

  • Subject: [Openvpn-users] Issues regarding tun interface & ARP protocol
  • From: stefano@xxxxxxxxxxx
  • Date: Thu, 9 Dec 2004 18:44:05 +0100

Hi list, during some experiments I discovered a strange behaviour regarding tun
virtual adapter, with linux.

Suppose the following setup: local network with some computers and an openvpn
In simple terms, the problem is this: if from any computer I issue an ARP
request for the address owned by the tun interface, which by default it is (multi-client server mode), I got an ARP reply (linux as both client
and server used in my test). Is this very strange or there is a reason for that
to occur? To me seems strange, since the tun adapter has NOARP flag (see for
example 'ifconfig tun0' or 'ip link').

IMHO this behaviour can have dire consequences. Imagine that the server has the
management interface enabled, password-protected or not. This is very useful
obviously since it allows you to control OpenVPN from an administrator computer
connected to the VPN server. With the behaviour explained above one problem
arise: every other computer on lan can talk  directly to tun inteface (i.e.
OpenVPN process) even if it is not an authenticated client! One might say that
the management functionality is password-protected, but this behaviour is
definitely not correct and expose OpenVPN to brutal force or DoS attaks.

It is simple to reproduce the problem: suppose A is a computer on the lan, which
is not an intended VPN user. In A, add an entry to the routing table that points
to on OpenVPN machine. With linux:

A # ip route add dev eth0
A # ip route add via

assuming that is OpenVPN computer lan address. Now, assuming that
the interface is bound to port 5000, try:

A # telnet 5000

In my setup, this gives OpenVPN management interface (no password set in my
case, otherwise obviously user-pass must be given).

I would be glad to know if this is a common problem... Assuming that it is
common, it seems to me a problem that not relates to OpenVPN, since the tun
interface has correctly the NOARP flag set.


This mail sent through IMP: http://horde.org/imp/

Openvpn-users mailing list