I've got a question that's been bugging me for a while... Please help
How do I disable an anonymous user from being able to locally sniff my client traffic using a tap and then sniffing my traffic using Wireshark or similar?
From a remote box I can target my client's active VPN connection and listen to its VPN traffic via Wireshark by:
Code:
sudo openvpn --dev tap --remote 192.168.1.86 <--- local IP of targeted device
Tue May 19 18:23:45 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Tue May 19 18:23:45 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 19 2020
Tue May 19 18:23:45 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08
Tue May 19 18:23:45 2020 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Tue May 19 18:23:45 2020 TUN/TAP device tap0 opened
Tue May 19 18:23:45 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.86:1194
Tue May 19 18:23:45 2020 UDP link local (bound): [AF_INET][undef]:1194
Tue May 19 18:23:45 2020 UDP link remote: [AF_INET]192.168.1.86:1194
Code:
client
tls-client
pull
dev tun
proto tcp
remote IPADDRESS 1194
resolv-retry infinite
nobind
dhcp-option DNS IPADDRESS
user nobody
group nobody
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
compress lz4-v2
verb 3
ca ca.crt
cert client.crt
key client.key
auth SHA512
keepalive 20 125
auth-user-pass userpass.txt
Thanks for reading and cheers!
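As an added example (not the poster's code and not part of OpenVPN), a small Python checker that parses either an `openvpn --opt val` command line or a client config like the one above and reports whether the tunnel runs in TLS mode, static-key mode, or the clear-text mode the log warns about, plus the usual hardening gaps. The mode rule follows OpenVPN's documented behaviour as I understand it; the two sample inputs are constructed from the post, with IPADDRESS kept as a placeholder.

```python
import shlex
from typing import Dict, List, Tuple

def parse_openvpn_options(text: str) -> Dict[str, List[str]]:
    """Parse a config file (one directive per line) or an 'openvpn --opt val ...'
    command line into {directive: [args]}; '#' comments and blank lines are skipped."""
    opts: Dict[str, List[str]] = {}
    for line in text.splitlines():
        tokens = shlex.split(line.split("#", 1)[0])
        if not tokens:
            continue
        if any(t.startswith("--") for t in tokens):  # command-line form
            current = None
            for t in tokens:
                if t.startswith("--"):
                    current = t[2:]
                    opts[current] = []
                elif current is not None:
                    opts[current].append(t)
        else:  # config-file form
            opts[tokens[0]] = tokens[1:]
    return opts

def audit_openvpn(text: str) -> Tuple[str, List[str]]:
    """Classify the tunnel as 'tls', 'static-key' or 'none' (the clear-text mode
    OpenVPN warns about in the log) and list the hardening gaps found."""
    o = parse_openvpn_options(text)
    findings: List[str] = []
    if any(k in o for k in ("client", "tls-client", "server", "tls-server")):
        mode = "tls"
        if not ("ca" in o and (("cert" in o and "key" in o) or "pkcs12" in o)):
            findings.append("TLS mode without ca/cert/key: peer identity is not verified")
        if not any(k in o for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
            findings.append("no tls-auth/tls-crypt: control-channel packets lack the extra HMAC layer")
    elif "secret" in o:
        mode = "static-key"
    else:
        mode = "none"
        findings.append("no TLS options and no secret: data is sent unencrypted and unauthenticated")
    if (o.get("dev") or [""])[0] == "tap":
        findings.append("dev tap carries layer-2 frames; prefer tun unless bridging is required")
    for k in ("cipher", "auth"):
        if (o.get(k) or [""])[0] == "none":
            findings.append(f"'{k} none' explicitly disables protection")
    return mode, findings

# Constructed samples: the command line from the post and a trimmed copy of its client config.
SNIFF_CMD = "openvpn --dev tap --remote 192.168.1.86"
CLIENT_CONF = "client\ntls-client\ndev tun\nremote IPADDRESS 1194\nca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\nauth SHA512\n"
```

Run `audit_openvpn(SNIFF_CMD)` and `audit_openvpn(CLIENT_CONF)` to compare the two: the bare command line is classified as clear text, while the posted client config comes back as TLS mode with no findings.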