On Tuesday 01 June 2004 12:20, Rainer Sokoll wrote:
> On Tue, Jun 01, 2004 at 01:32:25PM +0100, Miika Keskinen wrote:
>
> > >my very personal feature requests ;-)
> > >- as stated in the past: dropping down the routes into the direct
> > >  connected network would make the VPN more secure.
> >
> > If I understood what you mean --redirect-gateway does that.
>
> No, in short:
> Assumed you are in a customer's LAN and have 1.1.1.1/24 on your ethernet.
> If you have openvpn up and running (included redirected gateway), you
> still have a route to 1.1.1.0/24 via your local ethernet interface. So,
> your client will be connected both to the (trusted) VPN and the
> (untrusted) customer's LAN at the same time.

But why is a vpn in a "LAN" more secure?

If the openvpn server is in the lan and you route traffic to the lan over the openvpn server, then only your part of the communication is secured. The traffic from the openvpn server to the client in the 1.1.1.0/24 lan itself is not encrypted, too. So where is the difference?

The traffic to the IP of the openvpn server itself has to stay unencrypted, too, otherwise your vpn connection couldn't be established.

If you don't want the possibility to connect to anything in the lan (and that is what you call "more secure"), then you can use "up/down" script or route-statements in the openvpn config to realize that.

So I don't see any sense in this feature request. But maybe it's only me and I just don't understand what you are trying to achieve with that.

--Ralph
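The routing situation discussed in this thread, as an added example that is not part of the original messages: a longest-prefix-match lookup over a constructed client routing table, showing which destinations leave through the tunnel and which still use the local interface after the default route is redirected. The interface names (`eth0`, `tun0`), the gateways and the VPN server address `203.0.113.10` are assumptions; only `1.1.1.0/24` comes from the thread.

```python
import ipaddress

# Constructed routing table of a client after the default route has been
# redirected into the VPN. Names and addresses other than 1.1.1.0/24 are
# assumptions made for this example.
ROUTES = [
    # (destination, gateway or None for on-link, interface)
    ("0.0.0.0/0", "10.8.0.5", "tun0"),         # default route, now via the VPN
    ("10.8.0.5/32", None, "tun0"),             # tunnel peer
    ("203.0.113.10/32", "1.1.1.254", "eth0"),  # host route to the VPN server
    ("1.1.1.0/24", None, "eth0"),              # directly connected LAN
]


def lookup(dest, routes=ROUTES):
    """Return (network, gateway, interface) chosen by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net_s, gw, dev in routes:
        net = ipaddress.ip_network(net_s)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError("no route to " + dest)
    return best


def bypassing_routes(routes=ROUTES, vpn_dev="tun0", vpn_server="203.0.113.10"):
    """List networks reachable outside the tunnel.

    The host route to the VPN server is skipped: it has to stay on the
    local interface or the tunnel itself could not be established.
    """
    server = ipaddress.ip_network(vpn_server + "/32")
    found = []
    for net_s, _gw, dev in routes:
        net = ipaddress.ip_network(net_s)
        if dev != vpn_dev and net != server:
            found.append(str(net))
    return found


if __name__ == "__main__":
    for dest in ("198.51.100.7", "1.1.1.77", "203.0.113.10"):
        net, gw, dev = lookup(dest)
        print(dest, "->", dev, "via", gw or "on-link", "(" + str(net) + ")")
    print("outside the tunnel:", bypassing_routes())
```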