
Re: [Openvpn-users] bridging, shared certs question

  • Subject: Re: [Openvpn-users] bridging, shared certs question
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Tue, 1 Feb 2005 04:48:19 +0100 (CET)

On Mon, 31 Jan 2005, Frank Sweetser wrote:

> I have a couple of questions:
>
> 1) We're considering deploying openvpn with a single client cert shared among
> the users, with username and password authentication.  Given that each user has
> access to the private key used by other users, does this mean that each user
> would be able to decrypt the traffic from other users' tunnels?

No. The only way one user could decrypt another user's traffic is if he's able to perform an MITM attack. To do that, he would need to impersonate the OpenVPN server, which you can protect against in a number of ways.

See the howto for more info.


> 2) In TAP mode, the openvpn process has to effectively act as a software bridge.
> What does it do with ethernet broadcasts - discard them, or flood them to all
> connected clients?

It would send them to all clients, unless you firewall that. That's one of the benefits (or drawbacks) of using TUN instead of TAP: you get rid of the broadcasts.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
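The server-impersonation risk Mathias refers to, shown as an added configuration example (not from the original mail or from the OpenVPN project's own docs). In the shared-certificate setup from the question, every user holds the same client certificate and key, and a client config that only checks "signed by our CA" would also accept that client certificate when a rogue peer presents it as a server certificate. The hardened file adds the checks the OpenVPN HOWTO describes for this. Hostname, file names and the key direction are assumptions for illustration.

```conf
# --- client-weak.ovpn (assumed file name) ---
# Weak: "ca" alone only proves the peer's certificate was issued by our CA.
# The shared client cert/key, which every user has, satisfies that too.
client
dev tun
proto udp
remote vpn.example.com 1194     # assumed server name
ca ca.crt
cert shared-client.crt          # the one cert shared by all users
key shared-client.key
auth-user-pass                  # username/password on top of the cert

# --- client-hardened.ovpn (assumed file name) ---
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert shared-client.crt
key shared-client.key
auth-user-pass
# Require a certificate issued for server use (TLS Web Server EKU);
# the shared client certificate cannot pass this check.
# OpenVPN 2.0-era configs used "ns-cert-type server" for the same purpose.
remote-cert-tls server
# Additionally pin the expected server certificate Common Name.
verify-x509-name vpn.example.com name
# HMAC-sign the TLS control channel with a pre-shared key; "1" is the
# client's key direction, the server side uses "0". Without ta.key a
# rogue server cannot even complete the handshake.
tls-auth ta.key 1
```

Two server-side notes for this layout: the server needs `duplicate-cn`, otherwise a second connection presenting the same client certificate CN is rejected; and the server certificate must actually carry the server EKU (easy-rsa's `build-key-server` does this) or `remote-cert-tls server` will refuse the real server too.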
