
[Openvpn-users] Ethernet bridging security hole question

  • Subject: [Openvpn-users] Ethernet bridging security hole question
  • From: Michael Durket <durket@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 12 Jul 2007 09:25:30 -0700

In the Ethernet Bridging HOWTO (http://openvpn.net/bridge.html) it says:

   "Make sure to only bridge TAP interfaces with private ethernet
interfaces which are protected behind a firewall. Never bridge a TAP
interface with the same ethernet interface you use to connect to the
internet, as that would create a potential security hole."

   and also

   "The addresses used for local and remote should not be part of the
bridged subnet -- otherwise you will end up with a routing loop."

   These 2 statements seem unclear: the "security hole" is not further
defined, and where the "local" and "remote" addresses are defined 
(in an OpenVPN configuration file? or somewhere in the bridge-start
scripts?) isn't made clear.
   These warnings, taken together, seem to imply that you cannot safely
create an OpenVPN Ethernet bridge server that serves a single
"Road Warrior" client if your server only has 1 Ethernet interface 
(to which are connected both other clients and an internet connection
from a cable modem or DSL line) where the remote client's address 
is to appear to be on the local subnet of the server machine without
a) creating a routing loop and b) opening up an (undescribed) security

   Is this correct? If so, how does one construct a "Road Warrior"
client to OpenVPN bridge server setup if you want the "Road Warrior"
to be able to connect to all machines on the server's subnet? Buy
another Ethernet device and connect all the other machines to the 
second device (and then have all the other machines connect to 
the Internet through the server machine instead of directly as they
used to do)? Or does the first warning just mean:

   1) If you use your primary internet connection, "private" 
      means it should be using IANA private addresses (i.e. NATed)
      as should all machines on that subnet

  Any clarifications would be appreciated.

  Michael Durket
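
The two HOWTO warnings quoted above can be turned into mechanical checks. The script below is an added example, not part of the post and not OpenVPN's own bridge-start script. It assumes that "local" and "remote" are the directives in the OpenVPN configuration file that name the address OpenVPN itself binds to and the peer it connects to (the encrypted transport endpoints, not addresses carried over the bridge), that the bridged subnet is given as network plus netmask the way the bridge-start script takes it, and that the routing table is the text printed by `ip route`. The subnet 192.168.8.0/24, the interface names, the config lines and the route lines are constructed for the example so it runs offline.

```bash
#!/bin/bash
# Added example (not from the post or from OpenVPN). Two offline checks for a
# bridged OpenVPN server:
#   1. the interface to be bridged with the TAP device must not be the one
#      carrying the default (internet) route            (HOWTO warning 1)
#   2. the "local"/"remote" endpoint addresses in the OpenVPN config must lie
#      outside the bridged subnet                         (HOWTO warning 2: loop)

# Dotted-quad IPv4 literal -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if $1 is a well-formed IPv4 literal; hostnames in "remote" lines are
# skipped by the caller because they cannot be resolved offline.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    local IFS=. o
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# in_subnet IP NETWORK NETMASK -> exit 0 if IP lies inside NETWORK/NETMASK.
in_subnet() {
    local ip net mask
    ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_endpoints CONFIG_TEXT NETWORK NETMASK
# Scans OpenVPN config text for "local"/"remote" directives and fails if any
# literal address falls inside the bridged subnet (the routing-loop case).
check_endpoints() {
    local cfg="$1" net="$2" mask="$3" bad=0 directive addr rest
    while read -r directive addr rest; do
        case "$directive" in
            local|remote)
                is_ipv4 "$addr" || continue
                if in_subnet "$addr" "$net" "$mask"; then
                    echo "ERROR: '$directive $addr' lies inside bridged subnet $net/$mask (routing loop)" >&2
                    bad=1
                fi ;;
        esac
    done <<EOF
$cfg
EOF
    return $bad
}

# default_route_dev ROUTE_TEXT -> prints the device(s) carrying the default
# route; ROUTE_TEXT is "ip route" output passed in as text.
default_route_dev() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1) }'
}

# bridge_iface_ok ETH ROUTE_TEXT -> exit 0 if ETH does not carry the default
# route, i.e. it is a private interface that may be bridged with the TAP.
bridge_iface_ok() {
    if default_route_dev "$2" | grep -qx -- "$1"; then return 1; fi
    return 0
}

# Constructed sample inputs (hypothetical addresses and interfaces).
GOOD_CFG='dev tap0
proto udp
local 203.0.113.10
port 1194
remote vpn.example.com 1194'
BAD_CFG='dev tap0
local 192.168.8.4
remote 192.168.8.20'
ROUTES='default via 203.0.113.1 dev eth0
192.168.8.0/24 dev eth1 proto kernel scope link src 192.168.8.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'

# Stand-alone demo on the constructed inputs.
check_endpoints "$GOOD_CFG" 192.168.8.0 255.255.255.0 && echo "good config: endpoints outside bridged subnet"
check_endpoints "$BAD_CFG" 192.168.8.0 255.255.255.0 || echo "bad config rejected"
bridge_iface_ok eth1 "$ROUTES" && echo "eth1 is safe to bridge"
bridge_iface_ok eth0 "$ROUTES" || echo "eth0 carries the default route: do not bridge it"
```

Run it before bringing the bridge up: `check_endpoints` takes the config file contents (`"$(cat server.conf)"`) together with the `eth_ip`-style network and netmask, and `bridge_iface_ok` takes the interface name and live `"$(ip route)"` output. Both only answer the two questions the HOWTO raises; they say nothing about whether the hosts on the bridged segment are themselves firewalled.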

Openvpn-users mailing list