
Re: [Openvpn-users] Preventing IP Address Spoofing on TUN VPNs

  • Subject: Re: [Openvpn-users] Preventing IP Address Spoofing on TUN VPNs
  • From: Les Mikesell <lesmikesell@xxxxxxxxx>
  • Date: Sat, 23 Jun 2007 16:38:07 -0500

Randall Nortman wrote:

>> Network routes don't have to be symmetrical.  There's no reason to 
>> assume that just because the server isn't routing certain addresses to a 
>> certain interface that it won't receive packets from that range on the 
>> interface.  If you have redundant or fail-over routes you generally 
>> expect that scenario.   If you want to control this, set up interfaces 
>> per connection and apply firewalling.
> I expect hundreds of clients, possibly up to a thousand someday.
> Having a virtual interface per client with associated firewall rules
> doesn't seem practical.  This would be best handled within OpenVPN
> itself, I think -- disabled by default, of course, but an option to
> only accept packets from a client with a source address that matches
> that client's IPA, or possibly matches a subnet that has been
> explicitly allowed for that client to route.

I can't see that it would hurt anything for openvpn to have the ability 
to firewall based on source address of the packets coming through the 
tunnel, but personally I like all network handling to be done 
generically so you don't have surprises when a connection moves from a 
VPN to a dedicated line or a different VPN protocol - or you have 
multiple routes to the same locations over different types of connections.

   Les Mikesell
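The check Randall describes above (accept a tunnel packet only if its source address is the client's assigned address or falls inside a subnet explicitly granted to that client) is easy to express in a few lines. The following Python is an added illustration written for this archive page, not code from OpenVPN or from either poster. The policy table is a constructed stand-in for what OpenVPN would carry in its client-config directory (assigned address via ifconfig-push, routed subnets via iroute); the client identity is assumed to come from the authenticated TLS session rather than from the packet itself.

```python
import ipaddress
import logging

# Constructed per-client policy: common name -> assigned tunnel address plus any
# subnets the client has been explicitly allowed to route (hypothetical data,
# not read from a real OpenVPN configuration).
CLIENT_POLICY = {
    "client-a": {"assigned": "10.8.0.2", "routes": []},
    "client-b": {"assigned": "10.8.0.3", "routes": ["192.168.50.0/24"]},
}


def build_allowed(policy):
    """Compile each client's assigned address and granted subnets into network objects."""
    allowed = {}
    for cn, entry in policy.items():
        nets = [ipaddress.ip_network(entry["assigned"] + "/32")]
        nets += [ipaddress.ip_network(route) for route in entry["routes"]]
        allowed[cn] = nets
    return allowed


ALLOWED = build_allowed(CLIENT_POLICY)


def source_permitted(client_cn, src_ip, allowed=ALLOWED):
    """True if this client may emit packets with the given source address.

    Unknown clients and unparsable addresses fail closed.
    """
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    nets = allowed.get(client_cn)
    if nets is None:
        return False
    return any(src in net for net in nets)


def filter_packets(packets, allowed=ALLOWED):
    """Split (client_cn, src_ip, dst_ip) tuples into accepted and dropped lists.

    Dropped packets are logged so an operator can spot a client that is
    spoofing another client's address or a subnet it was never granted.
    """
    accepted, dropped = [], []
    for cn, src, dst in packets:
        if source_permitted(cn, src, allowed):
            accepted.append((cn, src, dst))
        else:
            dropped.append((cn, src, dst))
            logging.warning("dropped packet from %s: disallowed source %s -> %s",
                            cn, src, dst)
    return accepted, dropped


# Constructed sample traffic as it would look after decapsulation from the tunnel.
SAMPLE = [
    ("client-a", "10.8.0.2", "10.8.0.1"),      # legitimate: own assigned address
    ("client-a", "10.8.0.3", "10.8.0.1"),      # client-a using client-b's address
    ("client-b", "192.168.50.7", "10.8.0.1"),  # legitimate: inside granted subnet
    ("client-b", "192.168.60.7", "10.8.0.1"),  # subnet never granted to client-b
    ("client-a", "not-an-ip", "10.8.0.1"),     # malformed source, fails closed
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    ok, bad = filter_packets(SAMPLE)
    print(f"accepted={len(ok)} dropped={len(bad)}")
```

Because the lookup is keyed on the client's authenticated identity, the table scales to hundreds of clients without a per-client interface; the cost is one longest-prefix style membership test per packet, which is the same work a per-interface firewall rule would do.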
