In reply to Hardening OpenVPN for DEF CON
Hi Andrew, great article!
For the sentence, "The attacker can only grab 25% of the IPv4 address space this way, but that's a sizable percentage of the Internet." I do want to note that Option 121 actually allows you to push as many routes as you can fit into the packet length. We've done upwards of 10 routes at a single time.
One interesting thing we're exploring is the idea of installing routes for all traffic except a single IP address. When a VPN is using a mitigation like firewall-based rules that create a DoS, you can use this to confirm a host is speaking to a single IP address. There's a lot of other things you can do with 121!
You mention VMs as a fix, but you can also use Network Namespaces (on Linux) to isolate the network stacks. This might be a bit easier if you really need to use the host OS. https://www.wireguard.com/netns/#the-new-namespace-solution
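The comment above is about how many routes a DHCP Classless Static Route option (Option 121, RFC 3442) can carry and how those routes win against a VPN's own routes. The following is an added example, not code from the article or the commenter: it decodes an Option 121 payload from a lease and flags every pushed prefix that would beat the tunnel on longest-prefix match. It assumes OpenVPN's `redirect-gateway def1` split (0.0.0.0/1 and 128.0.0.0/1 via the tunnel); the sample payload is constructed, not captured.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

def decode_option121(payload: bytes) -> List[Route]:
    """Decode the body of a DHCP Classless Static Route option (RFC 3442).

    Each entry is: 1 byte prefix width, ceil(width/8) significant destination
    octets, then a 4-byte router address. Raises ValueError on malformed data.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"prefix width {width} > 32 at offset {i}")
        n = (width + 7) // 8  # destination octets actually carried on the wire
        if i + 1 + n + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = payload[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        router = payload[i + 1 + n:i + 5 + n]
        # strict=False tolerates non-zero host bits instead of aborting the decode
        routes.append((ipaddress.IPv4Network((dest, width), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes

def routes_bypassing_vpn(pushed: List[Route], vpn_nets: List[ipaddress.IPv4Network]) -> List[Route]:
    """Return pushed routes that win longest-prefix match against a VPN route.

    A pushed prefix inside a VPN prefix and at least as long as it steers that
    range off the tunnel; an exact tie is decided by metric (OS-specific), so
    ties are flagged as well. LAN routes are expected here; large prefixes are not.
    """
    return [(net, gw) for net, gw in pushed
            if any(net.subnet_of(v) and net.prefixlen >= v.prefixlen for v in vpn_nets)]

def diverted_fraction(routes: List[Route]) -> float:
    """Fraction of the IPv4 address space covered by the given routes."""
    covered = ipaddress.collapse_addresses(net for net, _ in routes)
    return sum(n.num_addresses for n in covered) / 2 ** 32

# Constructed sample payload (not captured traffic): a normal LAN route, a /2
# covering a quarter of IPv4 via another gateway, and a plain default route.
SAMPLE = (b"\x18\xc0\xa8\x01" + b"\xc0\xa8\x01\x01"      # 192.168.1.0/24 via 192.168.1.1
          + b"\x02\x00" + b"\xc0\xa8\x01\xfe"            # 0.0.0.0/2 via 192.168.1.254
          + b"\x00" + b"\xc0\xa8\x01\x01")               # 0.0.0.0/0 via 192.168.1.1

# OpenVPN's "redirect-gateway def1" installs these two halves instead of 0/0.
VPN_DEF1 = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]

if __name__ == "__main__":
    flagged = routes_bypassing_vpn(decode_option121(SAMPLE), VPN_DEF1)
    for net, gw in flagged:
        print(f"bypasses tunnel: {net} via {gw}")
    print(f"diverted: {diverted_fraction(flagged):.2%}")
```

Run it against the Option 121 bytes from a real lease (e.g. as logged by the DHCP client) to see which destinations a given LAN would pull out of the tunnel and how much of the address space that is.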