[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Preventing IP Address Spoofing on TUN VPNs

  • Subject: Re: [Openvpn-users] Preventing IP Address Spoofing on TUN VPNs
  • From: Les Mikesell <lesmikesell@xxxxxxxxx>
  • Date: Sat, 23 Jun 2007 12:49:01 -0500

Randall Nortman wrote:
> Is there anything special I need to do to prevent IPA spoofing on a
> TUN-based (routed) OpenVPN network?  I would like to use the IP
> address within the VPN subnet as a form of authentication for
> applications running on the VPN.  I still use ssh for remote shell
> access, even over the VPN, as a "belt and suspenders" measure, but
> certain applications running on the VPN are a bit less sensitive than
> remote shell access.  For those applications, I'd like to just
> authenticate based on IP address, but I would still like to know that
> this is a reasonably reliable method of authentication.

I don't think anything will look at the source address on inbound 
packets unless you add firewalling on all possible interfaces.  Using 
openvpn doesn't change this.

> In case what I'm asking isn't clear: I have a network of machines on
> the VPN, each given a static IP address (via files in the client
> configuration directory) based on the client's common name.  Can
> client A trust that when it accepts a connection from client B's
> allocated IP address, and that is actually client B?  And can client B
> conversely trust that when it opens a connection to client A's
> allocated IP address that it is actually talking to client A?  Does
> this apply equally to UDP and TCP traffic?

It is fairly difficult to spoof addresses in tcp since you also have to 
subvert routing to get the return packets or guess sequence numbers for 
subsequent packets.  With udp, anyone can forge the source address on a 
packet, although they may not be able to get the answer.

> Put another way, will the server accept packets from a client with a
> source IPA that doesn't match that client's allocated IPA, assuming I
> haven't told the server that the client is a router for another subnet
> (e.g., with the iroute configuration option).

Network routes don't have to be symmetrical.  There's no reason to 
assume that just because the server isn't routing certain addresses to a 
certain interface that it won't receive packets from that range on the 
interface.  If you have redundant or fail-over routes you generally 
expect that scenario.   If you want to control this, set up interfaces 
per connection and apply firewalling.  Even then you have to consider 
other sources of spoofed packets, like the local network or even 
processes on the local host.

   Les Mikesell

Openvpn-users mailing list