On Fri, May 13, 2016 at 7:44 PM, Gert Doering <g...@greenie.muc.de> wrote:
> On Fri, May 13, 2016 at 05:51:20PM +0200, Chris Laif wrote:
>> I wonder if there is an easy way to protect the client from executing
>> ifconfig/route-statements sent by an (untrusted) server. I think of
>> some config options like
>>
>> ifconfig-limit 10.123.0.0/24
>> route-limit 10.111.0.0/16
>> route-limit 10.222.0.0/24
>>
>> Any statements sent by the server not matching those networks would be 
>> ignored.
>>
>> I know the 'ifconfig-noexec' and 'route-nopull' options which likely
>> could be combined with some bash scripts parsing the push-options ...
>> but that's not an easy way :)
>
> --route-nopull plus adding --route as you see necessary.
>

That's what I'm doing right now. In case of the 'route' statements
it's kind of working, because in most of the cases I know the
destination networks in advance.

In case of 'ifconfig' it's not working, because in many cases the
other VPN endpoint dynamically allocates my endpoint IP address from a
class C pool. And I cannot pick a fixed IP address, which might be
allocated by some other user of the VPN now or later.


> Or just not using --pull at all, and statically configuring --ifconfig
> and --route according to your needs.
>
> To some extent, you have to trust the VPN server anyway - you're sending
> your IP packets there, and after decryption, the server can see them in
> the plain.  By virtue of its certificate, the server shows itself to be
> trusted (for some definition of trust).
>

I agree with you that we have to trust the VPN with the data/packets we
send to the other endpoint.

My problem is that the remote administrator might 'inject' arbitrary
IP addresses/networks conflicting with my existing (local) network. He
might do this by malicious intent or even by accident (renumbering his
network, overlapping with other networks on our side). In our current
setup, we have a 'VPN hub' connecting to 10+ partner networks. If any
of the partners changes his network topology, this might clash with
other partner networks. And no, unfortunately we can not negotiate
fixed IP addresses with all of the partners. This is why I vote for
implementing 'ifconfig-limit' and 'route-limit' statements or some
other mechanism to protect our setup.

Chris
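The thread above asks for 'ifconfig-limit' / 'route-limit' and notes that the existing 'ifconfig-noexec' and 'route-nopull' options would need a script parsing the pushed options. The script below is an added example of exactly that glue, written for this page and not taken from OpenVPN or from any poster in the thread. It assumes a Linux client with iproute2, a client config containing 'script-security 2', 'ifconfig-noexec', 'route-noexec' (not 'route-nopull', which discards pushed routes before they reach the script) and 'up /etc/openvpn/pushed-filter.sh' (the path is an assumption), and it relies on the environment variables OpenVPN documents for up scripts: ifconfig_local, ifconfig_remote, ifconfig_netmask, dev, script_type and route_network_N / route_netmask_N / route_gateway_N. The allowed prefixes are the ones from the original question. A pushed route is accepted only if it lies inside one of the allowed prefixes and is no wider than that prefix; a pushed ifconfig address outside the allowed pool makes the script exit non-zero, which aborts the connection rather than silently using the address.

```shell
#!/bin/sh
# pushed-filter.sh (hypothetical name): OpenVPN --up script that applies only
# those pushed ifconfig/route options that fall inside locally configured
# prefixes. Added example, not part of OpenVPN.
# Assumes: Linux + iproute2; client config has script-security 2,
# ifconfig-noexec, route-noexec, up /etc/openvpn/pushed-filter.sh

ALLOWED_IFCONFIG="10.123.0.0/24"              # pool our tunnel address may come from
ALLOWED_ROUTES="10.111.0.0/16 10.222.0.0/24"  # prefixes the server may route through us

ip2int() {
    # Dotted quad -> 32-bit integer (no leading-zero/octal handling needed for
    # the addresses OpenVPN exports).
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

mask2len() {
    # Dotted netmask -> prefix length, e.g. 255.255.255.0 -> 24
    _m=$(ip2int "$1"); _n=0
    while [ $(( _m & 2147483648 )) -ne 0 ]; do
        _n=$(( _n + 1 )); _m=$(( (_m << 1) & 4294967295 ))
    done
    echo "$_n"
}

in_prefix() {
    # in_prefix ADDRESS CIDR -> success if ADDRESS lies inside CIDR
    _pip=$(ip2int "$1")
    _pnet=$(ip2int "${2%/*}")
    _plen=${2#*/}
    _pmask=$(( (4294967295 << (32 - _plen)) & 4294967295 ))
    [ $(( _pip & _pmask )) -eq $(( _pnet & _pmask )) ]
}

route_allowed() {
    # route_allowed NETWORK NETMASK -> success if the pushed route sits inside
    # one ALLOWED_ROUTES prefix and is at least as specific as that prefix
    _rnet=$(ip2int "$1"); _rmask=$(ip2int "$2")
    for _cidr in $ALLOWED_ROUTES; do
        _anet=$(ip2int "${_cidr%/*}")
        _alen=${_cidr#*/}
        _amask=$(( (4294967295 << (32 - _alen)) & 4294967295 ))
        if [ $(( _rnet & _amask )) -eq $(( _anet & _amask )) ] &&
           [ $(( _rmask & _amask )) -eq "$_amask" ]; then
            return 0
        fi
    done
    return 1
}

filter_pushed_routes() {
    # Walk route_network_1, route_network_2, ... and print "network len gateway"
    # for every pushed route that passes route_allowed; log the rest to stderr.
    _i=1
    while :; do
        eval "net=\${route_network_$_i:-}"
        [ -n "$net" ] || break
        eval "mask=\${route_netmask_$_i:-}"
        eval "gw=\${route_gateway_$_i:-}"
        if route_allowed "$net" "$mask"; then
            echo "$net $(mask2len "$mask") $gw"
        else
            echo "pushed-filter: dropping pushed route $net/$mask (outside ALLOWED_ROUTES)" >&2
        fi
        _i=$(( _i + 1 ))
    done
}

apply_pushed() {
    # Configure the tunnel device from the filtered pushed options.
    if [ -n "${ifconfig_local:-}" ]; then
        if in_prefix "$ifconfig_local" "$ALLOWED_IFCONFIG"; then
            if [ -n "${ifconfig_netmask:-}" ]; then   # topology subnet
                ip addr add "$ifconfig_local/$(mask2len "$ifconfig_netmask")" dev "$dev"
            else                                       # topology net30 / p2p
                ip addr add "$ifconfig_local" peer "$ifconfig_remote" dev "$dev"
            fi
            ip link set "$dev" up
        else
            echo "pushed-filter: refusing pushed ifconfig $ifconfig_local (outside $ALLOWED_IFCONFIG)" >&2
            exit 1   # non-zero exit from an --up script makes OpenVPN abort the connection
        fi
    fi
    filter_pushed_routes | while read -r net len gw; do
        ip route add "$net/$len" via "$gw" dev "$dev"
    done
}

# OpenVPN sets script_type when it invokes the script; do nothing when sourced for testing.
if [ -n "${script_type:-}" ]; then
    apply_pushed
fi
```

Because the filter runs inside the up script, a rejected ifconfig fails the connection loudly instead of leaving the tunnel half-configured, and a rejected route is only logged, which matches the "ignore statements not matching those networks" behaviour asked for in the thread. If the server uses redirect-gateway, the pushed 0.0.0.0/0 routes are also dropped by this filter, so add them to ALLOWED_ROUTES deliberately if you want them.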

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users