
Re: [Openvpn-users] ip routing profile

  • Subject: Re: [Openvpn-users] ip routing profile
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Mon, 16 Jul 2007 01:28:27 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID395LgPgCM0337X39

Thor Selnes wrote:
> Hi. I have OpenVPN + openvpngui, operating to route all internet traffic
> through the tunnel.
> The internet line I'm using to start the tunnel on is an insecure
> wireless connection, and that makes it very important that no traffic
> goes over unless it's using the tunnel!
> My setup is working OK, but in some scenarios it can be insecure:
> 1. Windows is starting up, the tunnel is not up, and an application is
> autoconnecting with username and password
>    (this happened once now when I updated an application that wasn't
> supposed to autostart)
> 2. the internet connection has reconnected, and that causes the user to
> have to reconnect the tunnel.
>    While the reconnection of the tunnel is happening, the redirect
> routes are taken down for one second or so, making it
>    possible for programs with pre-entered authentication to start sending
> unencrypted stuff on the insecure line.
> What would be ideal for me is if one could have a routing profile that
> could be manually switched with a menu/button...
> Does anyone have a smart tip to make my setup more secure?

I have a similar setup at one location where I use unencrypted 802.11
wireless but don't encrypt it due to performance problems with WiFi
encryption.  My solution is to hand out DHCP parameters on the WiFi
interface that do not include a default route.  Then, when an OpenVPN
connection is initiated from the wireless client, the address they get
does provide a default gateway via the --redirect-gateway option; this
ends up as the client's only gateway and also has the nice side-effect
that no Internet-bound traffic can be sent if the VPN tunnel goes down
because there's no route to send it through.

For completeness I will point out that, if not properly firewalled, the
WiFi clients and the unencrypted WiFi infrastructure can be attacked.  I
have a reasonably hardened setup, but that's always a danger when
exposing some hosts publicly.  I use 2 separate subnets for my
Wireless network and the rest of my private network, with OpenVPN as the
only way between the 2 (and out to the Internet.)

I hope this setup can assist or give you some ideas.


Attachment: signature.asc
Description: OpenPGP digital signature
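The property the reply above relies on is that the client's routing table
either has its only default route through the tunnel, or no default route at
all while the tunnel is down. The script below is an added example (not from
the original post and not OpenVPN project code) that audits a Linux client's
`ip route show` output for exactly that: it assumes the `ip route` line
format and that the tunnel interface is named tun* or tap*; the three routing
tables embedded in it are constructed samples, not captured output. On a
Windows client such as the original poster's, the equivalent check would be
made against `route print`, which this script does not parse.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project): audit a
# Linux client's routing table for the fail-closed property of the
# "no DHCP default route + --redirect-gateway" setup. Assumptions: `ip route`
# output format, and a VPN interface named tun* or tap*.

# audit_routes: read `ip route show` output on stdin, print a verdict, and
# return
#   0 - the only default route(s) go through the tunnel (all traffic is VPN'd)
#   2 - no default route at all (fail-closed: nothing can leave the host; this
#       is the state the no-default-route DHCP profile leaves the client in
#       while the tunnel is down)
#   1 - a default route exists via a non-tunnel interface (traffic can leak
#       onto the wireless link in the clear)
audit_routes() {
    awk '
        $1 == "default" {
            ndef++
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev ~ /^(tun|tap)[0-9]*$/) {
                print "vpn default route via " dev
            } else {
                leak++
                print "LEAK: default route via " (dev == "" ? "(unknown)" : dev)
            }
        }
        END {
            if (ndef == 0) { print "no default route: fail-closed"; exit 2 }
            if (leak > 0)  { print "FAIL: traffic can bypass the tunnel"; exit 1 }
            print "OK: default route only through the tunnel"
            exit 0
        }
    '
}

# audit_table TEXT: run the audit on a routing table passed as a string,
# silently; returns the same status as audit_routes.
audit_table() {
    printf '%s\n' "$1" | audit_routes >/dev/null
}

# Constructed sample routing tables (not captured from a real host) for the
# three states a client in this setup can be in.
SAMPLE_CONNECTED='default via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.50.0/24 dev wlan0 proto kernel scope link src 192.168.50.23'

# Tunnel down, WiFi DHCP handed out no router option: nothing can leave.
SAMPLE_TUNNEL_DOWN='192.168.50.0/24 dev wlan0 proto kernel scope link src 192.168.50.23'

# The unsafe state the original poster described: a default route straight
# onto the wireless link.
SAMPLE_LEAKY='default via 192.168.50.1 dev wlan0
192.168.50.0/24 dev wlan0 proto kernel scope link src 192.168.50.23'

# Demo: `sh audit.sh --demo` prints the verdict for each sample table.
# For a live check on a client: `ip route show | audit_routes`.
if [ "${1:-}" = "--demo" ]; then
    for t in "$SAMPLE_CONNECTED" "$SAMPLE_TUNNEL_DOWN" "$SAMPLE_LEAKY"; do
        rc=0
        printf '%s\n' "$t" | audit_routes || rc=$?
        echo "exit status: $rc"
        echo "---"
    done
fi
```

One caveat worth knowing when reproducing the no-default-route trick: the
OpenVPN manual documents --redirect-gateway as first creating a host route to
the --remote address via the pre-existing default gateway before replacing
the default route. When the wireless interface has no default gateway, the
server has to be reachable on-link, and the manual's `local` flag
(`--redirect-gateway local`) exists for precisely that shared-subnet case and
skips the host-route step.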