[Openvpn-users] Preventing IP Address Spoofing on TUN VPNs

  • Subject: [Openvpn-users] Preventing IP Address Spoofing on TUN VPNs
  • From: Randall Nortman <openvpn-list@xxxxxxxxxxxxxxx>
  • Date: Tue, 19 Jun 2007 16:36:36 -0400

Is there anything special I need to do to prevent IPA spoofing on a
TUN-based (routed) OpenVPN network?  I would like to use the IP
address within the VPN subnet as a form of authentication for
applications running on the VPN.  I still use ssh for remote shell
access, even over the VPN, as a "belt and suspenders" measure, but
certain applications running on the VPN are a bit less sensitive than
remote shell access.  For those applications, I'd like to just
authenticate based on IP address, but I would still like to know that
this is a reasonably reliable method of authentication.

In case what I'm asking isn't clear: I have a network of machines on
the VPN, each given a static IP address (via files in the client
configuration directory) based on the client's common name.  Can
client A trust that when it accepts a connection from client B's
allocated IP address, it is actually client B?  And can client B
conversely trust that when it opens a connection to client A's
allocated IP address that it is actually talking to client A?  Does
this apply equally to UDP and TCP traffic?

Put another way, will the server accept packets from a client with a
source IPA that doesn't match that client's allocated IPA, assuming I
haven't told the server that the client is a router for another subnet
(e.g., with the iroute configuration option)?
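The property asked about above, modelled as an added example (this is not code from the thread or from OpenVPN itself, and it does not describe what OpenVPN does; it only shows the check a server would have to apply). It assumes constructed common names, allocated addresses and one iroute-style subnet: a packet arriving over a session authenticated as a given common name is accepted only if its source is that client's allocated address or lies in a subnet that client has been declared a router for, and `route_destination` does the reverse lookup for the other direction of the question.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed allocations (hypothetical values): the static address each
# common name would be given by its client-config-dir file.
ALLOCATED: Dict[str, str] = {
    "clientA": "10.8.0.10",
    "clientB": "10.8.0.11",
    "gateway1": "10.8.0.20",
}

# Constructed: subnets a client is declared to route for (the role an
# iroute line plays in OpenVPN); only gateway1 has one here.
IROUTES: Dict[str, List[str]] = {
    "gateway1": ["192.168.50.0/24"],
}


def allowed_sources(common_name: str) -> List[ipaddress.IPv4Network]:
    """All source addresses a session authenticated as common_name may use."""
    if common_name not in ALLOCATED:
        return []  # unknown client: nothing is permitted
    nets = [ipaddress.ip_network(ALLOCATED[common_name] + "/32")]
    nets.extend(ipaddress.ip_network(c) for c in IROUTES.get(common_name, []))
    return nets


def accept_packet(common_name: str, src_ip: str) -> bool:
    """True if a packet arriving over common_name's tunnel may carry src_ip."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed_sources(common_name))


def route_destination(dst_ip: str) -> Optional[str]:
    """The common name whose allocation or routed subnet owns dst_ip, or None."""
    addr = ipaddress.ip_address(dst_ip)
    # A /32 allocation is more specific than any routed subnet, so check it first.
    for cn, ip in ALLOCATED.items():
        if addr == ipaddress.ip_address(ip):
            return cn
    for cn, cidrs in IROUTES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return cn
    return None


Packet = Tuple[str, str, str]  # (authenticated common name, src_ip, dst_ip)


def filter_packets(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into those the server would forward and those it would drop."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        cn, src, _dst = pkt
        (forwarded if accept_packet(cn, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic: two legitimate packets and two whose source
# does not belong to the session they arrived on.
SAMPLE_PACKETS: List[Packet] = [
    ("clientB", "10.8.0.11", "10.8.0.10"),     # B using its own address
    ("clientB", "10.8.0.10", "10.8.0.11"),     # B's session carrying A's address
    ("gateway1", "192.168.50.7", "10.8.0.10"), # host behind gateway1's routed subnet
    ("clientA", "192.168.50.7", "10.8.0.11"),  # A's session carrying gateway1's subnet
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for pkt in ok:
        print("forward", pkt, "->", route_destination(pkt[2]))
    for pkt in bad:
        print("drop   ", pkt, "(source not allocated to this client)")
```

The model makes the point of the question explicit: without an iroute-style declaration, the only acceptable source for a session is its single allocated address, so the "does the source match the allocation" test is exactly what address-based trust between clients rests on.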
