CLIENT-TO-CLIENT security

bruto
OpenVpn Newbie
Posts: 15
Joined: Sat Jan 06, 2018 12:16 pm

CLIENT-TO-CLIENT security

Post by bruto » Tue Jan 14, 2020 11:20 am

Fellow admins and users,
I'm willing to "sell" a secure phone solution based on OpenVPN. Clients talk to one another by direct communication, since VoIP signalling and media are routed with a "client-to-client" setup. If I sniff tun0 on SERVER I can only see encrypted traffic (no SIP, no RTP).
So far so good.
Here's my question:
Could users be assured that - even modifying OpenVPN server-side source - traffic would be still impossible to decrypt?
This would be a real zero-trust scenario.
Thank you very much,
Bruto

Pippin
OpenVPN Expert
Posts: 541
Joined: Wed Jul 01, 2015 8:03 am

Re: CLIENT-TO-CLIENT security

Post by Pippin » Tue Jan 14, 2020 1:35 pm

Hi,

Using --client-to-client, you would not see packets encrypted by OpenVPN on the tun interface.
You already found that here:
viewtopic.php?f=4&t=26615&p=79654

Take a look here:
https://community.openvpn.net/openvpn/w ... acketsFlow

bruto
OpenVpn Newbie
Posts: 15
Joined: Sat Jan 06, 2018 12:16 pm

Re: CLIENT-TO-CLIENT security

Post by bruto » Tue Jan 14, 2020 3:55 pm

Thank you sir.
But this time (sorry for the duplicate by the way) the question is more specific!
If I somehow modify server source code would this still be true?

TinCanTech
OpenVPN Protagonist
Posts: 6456
Joined: Fri Jun 03, 2016 1:17 pm

Re: CLIENT-TO-CLIENT security

Post by TinCanTech » Tue Jan 14, 2020 4:01 pm

If you modify the source code then it is your own product.

bruto
OpenVpn Newbie
Posts: 15
Joined: Sat Jan 06, 2018 12:16 pm

Re: CLIENT-TO-CLIENT security

Post by bruto » Tue Jan 14, 2020 7:24 pm

Thank you TCT.
Of course but:
am I locked out if the client is genuine - not modified - OpenVPN software talking to its peer in a --client-to-client fashion?
Cheers,
B.

TinCanTech
OpenVPN Protagonist
Posts: 6456
Joined: Fri Jun 03, 2016 1:17 pm

Re: CLIENT-TO-CLIENT security

Post by TinCanTech » Tue Jan 14, 2020 8:19 pm

bruto wrote: Tue Jan 14, 2020 11:20 am
Could users be assured that - even modifying OpenVPN server-side source - traffic would be still impossible to decrypt?

Even without modifying OpenVPN source code, there are no such guarantees..

bruto
OpenVpn Newbie
Posts: 15
Joined: Sat Jan 06, 2018 12:16 pm

Re: CLIENT-TO-CLIENT security

Post by bruto » Tue Jan 14, 2020 11:21 pm

Ok thank you
Cheers
B.
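
Added example, not part of the thread and not OpenVPN code: a toy Python model of the packet flow discussed above, showing that each client's tunnel terminates at the server, so inter-client packets exist in plaintext inside the server process even when nothing appears on tun0. The cipher is a constructed stand-in for the data-channel cipher, and the class names, function names, 10.8.0.x addresses and SIP payload are assumptions made for illustration.

```python
import hashlib, hmac, os

def seal(key, plaintext):
    """Toy authenticated encryption (stand-in, NOT OpenVPN's real cipher)."""
    nonce = os.urandom(8)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, packet):
    body, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    nonce, ct = body[:8], body[8:]
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

class Server:
    """Hypothetical model of the VPN server, which shares one key per client."""
    def __init__(self, client_to_client):
        self.client_to_client = client_to_client
        self.session_keys = {}     # VPN IP -> key shared with that client only
        self.tun_capture = []      # what a sniffer on the server's tun0 records
        self.seen_in_process = []  # plaintext held in server memory

    def register(self, vpn_ip):
        self.session_keys[vpn_ip] = os.urandom(32)
        return self.session_keys[vpn_ip]

    def forward(self, src_ip, dst_ip, packet):
        inner = unseal(self.session_keys[src_ip], packet)  # tunnel ends here
        self.seen_in_process.append(inner)
        if not self.client_to_client:
            # Without client-to-client the packet goes out tun0 and the
            # kernel routes it back in (kernel hop simplified away here).
            self.tun_capture.append(inner)
        return seal(self.session_keys[dst_ip], inner)      # re-encrypt for peer

def relay(client_to_client, payload=b"INVITE sip:bob@10.8.0.3 SIP/2.0"):
    """Send one constructed SIP packet from client A to client B via the server."""
    srv = Server(client_to_client)
    key_a, key_b = srv.register("10.8.0.2"), srv.register("10.8.0.3")
    wire_to_b = srv.forward("10.8.0.2", "10.8.0.3", seal(key_a, payload))
    return srv, unseal(key_b, wire_to_b)

if __name__ == "__main__":
    for mode in (True, False):
        srv, _ = relay(mode)
        print(mode, "tun0:", srv.tun_capture, "in-process:", srv.seen_in_process)
```

In this model an empty tun0 capture only shows that forwarding stayed inside the server process, not that the server lacks access to the plaintext.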
