
Re: [Openvpn-users] [RFC] 2.0-beta10 enhancement: redefine the way "ifconfig-pool" works


  • Subject: Re: [Openvpn-users] [RFC] 2.0-beta10 enhancement: redefine the way "ifconfig-pool" works
  • From: "Kevin P. Fleming" <kpfleming@xxxxxxxxxxxxxxxxxxxx>
  • Date: Sat, 07 Aug 2004 07:44:29 -0700

James Yonan wrote:

> While I understand your motivation to simplify the ifconfig-pool semantics, I
> think there are problems with the approach of making ifconfig-pool assume too
> many things about what you want to do.  For one, many users don't want clients
> to be able to see each other; only the server.  Such users certainly will not
> want to push "route 10.80.1.0 255.255.255.0" by default to clients.

Well, they will still need to push a route to the server's local tunnel endpoint, which is not covered in the documentation/examples at the moment.


However, I don't see how pushing a wider route to the client really breaks any security. If the server doesn't have client-to-client turned on, then it's up to the server administrator whether they allow traffic between clients by using whatever filtering means they have on the server. Also, the clients will not have _any_ way of knowing the IP addresses of any other client's tunnel endpoints, because they are dynamic.

Not pushing a route out sounds like "security through obscurity", which is no security at all. If the client is aware that the server is using server mode with ifconfig-pool, they can certainly just add their own route to the ifconfig-pool address range and start sending packets. If the server admin is really concerned about this, they have to limit client-to-client access in a positive fashion, not just rely on obscurity.

> I do agree with you that the release notes should be more clear about the
> distinctions between a client-to-client config and a clients-only-see-server
> config.

I would disagree, I think the release notes are fine. OpenVPN does not provide a "clients-only-see-server" config at all; even with client-to-client off, the clients can still talk to each other by going through the IP routing stack on the server. client-to-client only provides a simpler, faster means for them to talk to each other.


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
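The reply's point is that a client can add its own route to the pool range regardless of what the server pushes, so the "clients only see the server" policy has to be enforced on the server host's forwarding path. Added example, not code from the thread or from OpenVPN itself: a small POSIX sh helper for a Linux server using iptables (the interface name tun0 and the pool 10.80.1.0/24 from the quoted message are assumptions; adapt both). It only applies when client-to-client is off, since with it on OpenVPN forwards between clients internally and the kernel never sees those packets.

```shell
#!/bin/sh
# Added example: positively block client-to-client traffic on the OpenVPN
# server host instead of relying on clients not having a route.
# Assumptions (not from the thread): Linux, iptables, tunnel interface
# "tun0", ifconfig-pool range 10.80.1.0/24.
set -eu

TUN_IF="${TUN_IF:-tun0}"
POOL="${POOL:-10.80.1.0/24}"

# Print the iptables commands that isolate clients from each other while
# still letting every client reach the server's own tunnel endpoint.
isolation_rules() {
    ifname="$1"
    pool="$2"
    # Clients may talk to the server itself (the local tunnel endpoint).
    echo "iptables -A INPUT -i $ifname -s $pool -j ACCEPT"
    # Packets from one pool address to another would be forwarded by the
    # server's routing stack back out the same interface: drop them.
    echo "iptables -A FORWARD -i $ifname -o $ifname -s $pool -d $pool -j DROP"
}

# Print the rules with --dry-run, or apply them (requires root).
apply_isolation() {
    if [ "${1:-}" = "--dry-run" ]; then
        isolation_rules "$TUN_IF" "$POOL"
    else
        isolation_rules "$TUN_IF" "$POOL" | sh -e
    fi
}
```

Source the file and run `apply_isolation --dry-run` to review the rules before applying them; the FORWARD rule is what actually enforces the policy the thread calls "limiting client-to-client access in a positive fashion".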