
Re: [Openvpn-users] Preventing IP Address Spoofing on TUN VPNs

  • Subject: Re: [Openvpn-users] Preventing IP Address Spoofing on TUN VPNs
  • From: Randall Nortman <openvpn-list@xxxxxxxxxxxxxxx>
  • Date: Sat, 23 Jun 2007 14:12:56 -0400

On Sat, Jun 23, 2007 at 12:49:01PM -0500, Les Mikesell wrote:
> Randall Nortman wrote:
> >Put another way, will the server accept packets from a client with a
> >source IPA that doesn't match that client's allocated IPA, assuming I
> >haven't told the server that the client is a router for another subnet
> >(e.g., with the iroute configuration option).
> Network routes don't have to be symmetrical.  There's no reason to 
> assume that just because the server isn't routing certain addresses to a 
> certain interface that it won't receive packets from that range on the 
> interface.  If you have redundant or fail-over routes you generally 
> expect that scenario.   If you want to control this, set up interfaces 
> per connection and apply firewalling.

I expect hundreds of clients, possibly up to a thousand someday.
Having a virtual interface per client with associated firewall rules
doesn't seem practical.  This would be best handled within OpenVPN
itself, I think -- disabled by default, of course, but an option to
only accept packets from a client with a source address that matches
that client's IPA, or possibly matches a subnet that has been
explicitly allowed for that client to route.

> Even then you have to consider other sources of spoofed packets,
> like the local network or even processes on the local host.
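The check Randall describes above, as an added illustration that is not part of the thread or of OpenVPN's own code: a per-client source-address filter that accepts a packet from a client only if its source address is the client's allocated address or falls inside a subnet explicitly assigned to that client (the equivalent of an iroute). The client names, addresses and subnets below are constructed sample data, and the policy table stands in for whatever the server would actually know about each connected client.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample policy: what the server knows about each client.
# "allocated" is the client's own tunnel address; "iroutes" are the
# subnets the client has been explicitly allowed to route (hypothetical
# names and addresses, chosen only for this example).
@dataclass
class ClientPolicy:
    allocated: ipaddress.IPv4Address
    iroutes: List[ipaddress.IPv4Network] = field(default_factory=list)


def build_policy(table: Dict[str, Tuple[str, List[str]]]) -> Dict[str, ClientPolicy]:
    """Turn a simple name -> (address, [subnets]) table into typed policy."""
    return {
        name: ClientPolicy(
            allocated=ipaddress.IPv4Address(addr),
            iroutes=[ipaddress.IPv4Network(s) for s in subnets],
        )
        for name, (addr, subnets) in table.items()
    }


def source_allowed(policy: Dict[str, ClientPolicy], client: str, src: str) -> bool:
    """Anti-spoofing rule: a packet arriving over a client's tunnel is only
    accepted if its source address matches that client's allocated address
    or lies within one of its explicitly allowed routed subnets."""
    entry = policy.get(client)
    if entry is None:
        return False  # unknown client: nothing to match against, drop
    ip = ipaddress.IPv4Address(src)
    if ip == entry.allocated:
        return True
    return any(ip in net for net in entry.iroutes)


def filter_packets(policy, packets):
    """Classify (client, src, dst) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for client, src, dst in packets:
        if source_allowed(policy, client, src):
            accepted.append((client, src, dst))
        else:
            dropped.append((client, src, dst))
    return accepted, dropped


# Constructed sample: two clients, one of which routes a LAN behind it.
SAMPLE_POLICY = build_policy({
    "alice": ("10.8.0.6", ["192.168.10.0/24"]),
    "bob": ("10.8.0.10", []),
})

# Constructed sample traffic as the server would see it per tunnel.
SAMPLE_PACKETS = [
    ("alice", "10.8.0.6", "10.8.0.1"),      # alice's own address: accept
    ("alice", "192.168.10.77", "10.8.0.1"), # host behind alice's iroute: accept
    ("bob", "10.8.0.10", "10.8.0.1"),       # bob's own address: accept
    ("bob", "10.8.0.6", "10.8.0.1"),        # bob claiming alice's address: drop
    ("bob", "192.168.10.5", "10.8.0.1"),    # bob claiming alice's subnet: drop
    ("carol", "10.8.0.14", "10.8.0.1"),     # no policy for this client: drop
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_POLICY, SAMPLE_PACKETS)
    for pkt in ok:
        print("ACCEPT", pkt)
    for pkt in bad:
        print("DROP  ", pkt)
```

The decision is made per tunnel, not per destination route, which is exactly the asymmetry Les points out: the server's routing table says where packets go, while this table says what may legitimately come in from each client.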