Ed Wallig wrote:
> Maybe a better question: If an OpenVPN configuration includes client and
> server certificates, tls-auth, and uses AES encryption, can a session
> hijack readily take place and if so, how would OpenVPN react?

A session hijack is not possible under these circumstances. A system
taking over the stream would be unaware of the session key currently in
use and thus unable to encrypt or decrypt any data.

The only exception is where one endpoint is *severely* compromised --
i.e. where an attacker can halt the OpenVPN process on one endpoint and
read the relevant bits of its state out of memory. If you have an
endpoint that severely compromised, you have much worse problems than
session hijack attacks.
Openvpn-users mailing list
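
The point made in the reply above, as an added example that is not part of the original message and is not OpenVPN code: a simplified model of a receiver that drops any packet not authenticated under the session key. The packet layout, the names `seal` and `Receiver`, the use of HMAC-SHA256 and the strictly increasing sequence number are assumptions of this sketch; encryption is left out and only the integrity check is modelled.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build seq || payload || HMAC(key, seq || payload) (hypothetical layout)."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Endpoint that accepts only fresh packets authenticated under its key."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = 0  # simplified replay check: must strictly increase

    def accept(self, packet: bytes):
        if len(packet) < 4 + TAG_LEN:
            return None  # too short to carry a sequence number and tag
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # sender did not know the session key, or data changed
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.highest_seq:
            return None  # captured packet sent again
        self.highest_seq = seq
        return body[4:]


def demo() -> dict:
    session_key = os.urandom(32)  # constructed key, known to both endpoints only
    rx = Receiver(session_key)
    legit = seal(session_key, 1, b"ping")
    results = {"legit": rx.accept(legit)}
    # A system taking over the stream has to guess a key of its own.
    results["forged"] = rx.accept(seal(os.urandom(32), 2, b"evil"))
    tampered = bytearray(seal(session_key, 2, b"pay 10"))
    tampered[4] ^= 0x01  # flip one bit of the payload in transit
    results["tampered"] = rx.accept(bytes(tampered))
    results["replayed"] = rx.accept(legit)
    results["next"] = rx.accept(seal(session_key, 2, b"pong"))
    return results


if __name__ == "__main__":
    print(demo())
```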