How do I to disable local network sniffing of my client using a tap connection?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
fbackwards
OpenVpn Newbie
Posts: 2
Joined: Tue May 19, 2020 10:35 pm

How do I to disable local network sniffing of my client using a tap connection?

Post by fbackwards » Tue May 19, 2020 10:57 pm

Hello all,

I've got a question that's been bugging me for a while... Please help :)

How do I to disable an anonymous user from being able to locally sniff my client traffic using a tap and then sniffing my traffic using wireshark or similar?

From a remote box I can target my clients active VPN connection and listen to it's vpn traffic via wireshark by:

Code: Select all

sudo openvpn --dev tap --remote 192.168.1.86 <--- local IP of targeted device

Tue May 19 18:23:45 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Tue May 19 18:23:45 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 19 2020
Tue May 19 18:23:45 2020 library versions: OpenSSL 1.1.1g FIPS  21 Apr 2020, LZO 2.08
Tue May 19 18:23:45 2020 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Tue May 19 18:23:45 2020 TUN/TAP device tap0 opened
Tue May 19 18:23:45 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.86:1194
Tue May 19 18:23:45 2020 UDP link local (bound): [AF_INET][undef]:1194
Tue May 19 18:23:45 2020 UDP link remote: [AF_INET]192.168.1.86:1194
My client config is as follows

Code: Select all

 client
 tls-client
 pull
 dev tun
 proto tcp
 remote IPADDRESS 1194
 resolv-retry infinite
 nobind
 dhcp-option DNS IPADDRESS
 user nobody
 group nobody
 persist-key
 persist-tun
 key-direction 1
 tls-auth ta.key 1
 compress lz4-v2
 verb 3
 ca ca.crt
 cert client.crt
 key client.key
 auth SHA512
 keepalive 20 125
 auth-user-pass userpass.txt
 

Thanks for reading and cheers!
Last edited by fbackwards on Tue May 19, 2020 11:22 pm, edited 2 times in total.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: How do I to disable local network sniffing of my client using a tap connection?

Post by TinCanTech » Tue May 19, 2020 11:10 pm

Don't use --dev tap .......................................................................................

fbackwards
OpenVpn Newbie
Posts: 2
Joined: Tue May 19, 2020 10:35 pm

Re: How do I to disable local network sniffing of my client using a tap connection?

Post by fbackwards » Tue May 19, 2020 11:24 pm

Cool so if i'm using a tun connection they can't sniff traffic?

Thanks for the quick response :)

Post Reply