On Mon, 31 Jan 2005, Frank Sweetser wrote:
I have a couple of questions:
1) We're considering deploying openvpn with a single client cert shared among
the users, with username and password authentication. Given that each user has
access to the private key used by other users, does this mean that each user
would be able to decrypt the traffic from other users' tunnels?
No. The only way one user could decrypt another user's traffic is if he's
able to perform an MITM attack. To do that, he would need to impersonate
the OpenVPN server, which you can protect against in a number of ways.
See the howto for more info.
2) In TAP mode, the openvpn process has to effectively act as a software bridge.
What does it do with Ethernet broadcasts - discard them, or flood them to all
It would send them to all clients, unless you firewall that. That's one of
the benefits (or drawbacks) of using TUN instead of TAP, that you get rid
of the broadcasts.
Mathias Sundman
OpenVPN GUI for Windows
http://www.nilings.se/openvpn
(ASCII Ribbon Campaign: no HTML/RTF and no Word docs in e-mail)
Openvpn-users mailing list
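As an added illustration of the reply above (not part of the original thread), the following constructed OpenVPN 2.x configuration shows the shared-certificate setup next to the options that stop a fellow user from impersonating the server. Host name, file names and the certificate CN are assumptions; on the 2005-era 2.0 release the server-cert check was spelled `ns-cert-type server` rather than `remote-cert-tls server`.

```conf
### client.conf (constructed example)
client
dev tun                      # TUN: no Ethernet broadcasts are forwarded
proto udp
remote vpn.example.com 1194  # assumption: server host name
ca ca.crt
cert shared-client.crt       # one cert/key shared by every user
key shared-client.key        # (so every user also holds this key)
auth-user-pass               # per-user username/password on top

# Weak as written above: the client accepts any peer whose certificate
# was signed by the CA. Because every user holds shared-client.key, a
# user could present it as a "server" cert and MITM a colleague.
#
# Hardened: require a certificate that was issued as a *server* cert,
# pin its CN, and HMAC-protect the TLS control channel so that a peer
# without ta.key cannot even begin a handshake.
remote-cert-tls server                  # checks extendedKeyUsage/keyUsage
verify-x509-name "vpn.example.com" name # assumption: CN of the server cert
tls-auth ta.key 1                       # key direction 1 on clients
verb 3

### server.conf (constructed example, relevant lines only)
server 10.8.0.0 255.255.255.0
dev tun
ca ca.crt
cert server.crt               # issued with the server EKU, never shared
key server.key
dh dh.pem
duplicate-cn                  # needed: all clients present the same CN
tls-auth ta.key 0             # key direction 0 on the server
script-security 3             # required for via-env below
auth-user-pass-verify /etc/openvpn/check-user.sh via-env  # assumption
```

The shared key only lets a user decrypt traffic if a victim's client accepts that user as the server, which `remote-cert-tls` and `verify-x509-name` refuse; `duplicate-cn` is what makes the shared certificate usable for more than one simultaneous session.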