On 15.02.23 18:06, Gert Doering wrote:
>> Are you referring with "invisible" to the signature of the
>> openvpn service that is not shown?
> Yes.
>> Thanks for the clarification.
>> I tried and was able to port scan a running openvpn instance but got no
>> signature. So one can tell the port is opened but the attack vector will
>> be big. UDP scanning is doable also. To be honest I surely know where
>> the services are located but to get them is just a loop away.
> Well, the thing is: if you suspect it's openvpn, you can send an
> initial UDP openvpn handshake packet to it - and the server will reply,
> as configured.
> Now, if you add tls-auth or tls-crypt to the server (+client) config,
> even a correct "openvpn UDP initial handshake" packet will *not* make
> the server reply, unless you also have the right tls-auth/tls-crypt
> configured on the client side - which needs a (secret!) key to do so.
> So, with this config, OpenVPN is "invisible" because it will never reply
> except to those that know the magic words :-)
> (Of course a port scanner can detect that there is "something", but
> there is close to zero attack surface)
> gert
Thanks for those further details. Now all you said makes perfect sense
to me.
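The behaviour Gert describes above, modelled as an added example that is not part of this thread and not OpenVPN's own code: a server without control-channel protection answers any well-formed initial handshake, while a server configured with tls-auth only answers packets that carry a valid HMAC under the shared key, and silently drops everything else. The opcode values (7 for P_CONTROL_HARD_RESET_CLIENT_V2, 8 for the server reset) and the SHA1 default digest match OpenVPN, but the packet layout here is a deliberate simplification (the HMAC is simply prepended to the body; real OpenVPN places it after the session id and also covers a packet id and timestamp), and the key is a constructed value. In a real deployment the key comes from `openvpn --genkey secret ta.key` and is referenced by `tls-auth ta.key 0` on the server and `tls-auth ta.key 1` on clients; `tls-crypt ta.key` goes one step further by also encrypting the control channel, so a probe sees neither a reply nor any recognisable plaintext.

```python
import hashlib
import hmac
import os
from typing import Optional

# Real OpenVPN control-channel opcodes (5-bit opcode, shifted left by 3
# bits to leave room for the 3-bit key id in the first packet byte).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8

SESSION_ID_LEN = 8
HMAC_LEN = hashlib.sha1().digest_size  # 20 bytes; OpenVPN's tls-auth default digest

# Constructed demo key; an operator would generate one with
# `openvpn --genkey secret ta.key` and never publish it.
DEMO_TA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _tag(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA1 over the packet body (simplified coverage, see lead-in)."""
    return hmac.new(key, body, hashlib.sha1).digest()


def build_client_reset(session_id: bytes, ta_key: Optional[bytes]) -> bytes:
    """Build a simplified initial handshake packet: opcode byte + session id.

    Without tls-auth the packet is sent bare; with tls-auth an HMAC over the
    body is prepended, which only a holder of the key can produce."""
    body = bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + session_id
    if ta_key is None:
        return body
    return _tag(ta_key, body) + body


class Server:
    """Minimal model of an OpenVPN UDP listener's first-packet handling."""

    def __init__(self, ta_key: Optional[bytes] = None):
        self.ta_key = ta_key  # None models a server configured without tls-auth

    def handle(self, packet: bytes) -> Optional[bytes]:
        """Return the reply packet, or None when the packet is dropped silently."""
        body = packet
        if self.ta_key is not None:
            # tls-auth: verify the HMAC before parsing anything else. A bad or
            # missing tag means the packet is discarded with no response, so
            # an unauthenticated sender learns nothing from the server.
            if len(packet) < HMAC_LEN + 1 + SESSION_ID_LEN:
                return None
            tag, body = packet[:HMAC_LEN], packet[HMAC_LEN:]
            if not hmac.compare_digest(tag, _tag(self.ta_key, body)):
                return None

        # Only a well-formed client hard-reset earns a reply.
        if len(body) != 1 + SESSION_ID_LEN or (body[0] >> 3) != P_CONTROL_HARD_RESET_CLIENT_V2:
            return None

        reply = bytes([P_CONTROL_HARD_RESET_SERVER_V2 << 3]) + os.urandom(SESSION_ID_LEN)
        if self.ta_key is not None:
            reply = _tag(self.ta_key, reply) + reply
        return reply


def server_answers(server: Server, client_key: Optional[bytes]) -> bool:
    """True if a client holding client_key (None = no key) gets any reply at all."""
    packet = build_client_reset(os.urandom(SESSION_ID_LEN), client_key)
    return server.handle(packet) is not None


if __name__ == "__main__":
    print("no tls-auth, keyless probe answered:", server_answers(Server(), None))
    print("tls-auth, keyless probe answered:   ", server_answers(Server(DEMO_TA_KEY), None))
    print("tls-auth, wrong key answered:       ", server_answers(Server(DEMO_TA_KEY), b"\x42" * 32))
    print("tls-auth, right key answered:       ", server_answers(Server(DEMO_TA_KEY), DEMO_TA_KEY))
```

The point of the model is the ordering inside `Server.handle`: with tls-auth the HMAC check runs before any protocol parsing, so a packet from someone without the key never reaches code that could reveal that an OpenVPN server is listening. That is exactly the "invisible except to those who know the magic words" property from the thread, and it also keeps the unauthenticated attack surface to a single constant-time HMAC comparison.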
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users