I've got a question that's been bugging me for a while... Please help
How do I to disable an anonymous user from being able to locally sniff my client traffic using a tap and then sniffing my traffic using wireshark or similar?
From a remote box I can target my clients active VPN connection and listen to it's vpn traffic via wireshark by:
Code: Select all
sudo openvpn --dev tap --remote 192.168.1.86 <--- local IP of targeted device
Tue May 19 18:23:45 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Tue May 19 18:23:45 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 19 2020
Tue May 19 18:23:45 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08
Tue May 19 18:23:45 2020 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Tue May 19 18:23:45 2020 TUN/TAP device tap0 opened
Tue May 19 18:23:45 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.86:1194
Tue May 19 18:23:45 2020 UDP link local (bound): [AF_INET][undef]:1194
Tue May 19 18:23:45 2020 UDP link remote: [AF_INET]192.168.1.86:1194
Code: Select all
client
tls-client
pull
dev tun
proto tcp
remote IPADDRESS 1194
resolv-retry infinite
nobind
dhcp-option DNS IPADDRESS
user nobody
group nobody
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
compress lz4-v2
verb 3
ca ca.crt
cert client.crt
key client.key
auth SHA512
keepalive 20 125
auth-user-pass userpass.txt
Thanks for reading and cheers!