0

Is it possible to use any MITM attacks (including ssh-mitm) if I'm connected to a VPN? OpenVPN connects me via tun0 interface with some IP in 10.0.0.0/8 and gateway at some IP 10.0.0.0/8. I know that TUN is third layer, so ARP spoofing probably won't work, but what about TAP layer?

1 Answer

0

If everything is set up correctly - proper cipher strengths, sufficient key/password lengths, uncompromised keys/passwords - there's no way for an attacker to alter tunnel contents while they are encrypted. A MITM attack can only happen after decryption in the destination network, or on your own computer (or on your network with site-to-site VPN).

Whether you use a TUN (L3) or TAP (L2) adapter doesn't matter as integrity is guaranteed.

ARP spoofing could also be attempted within your own network, but that's not a problem either. If anyone spoofs your gateway's IP address and tries to manipulate outer packets, then mutual authentication ceases to work.

Zac67
  • ARP spoofing should work with a VPN that emulates L2 and, in particular, it certainly **will** work with OpenVPN tap mode (without other precautions like ARP static entries and so on). – Nikita Kipriyanov Jul 23 '23 at 18:19
  • @NikitaKipriyanov ARP spoofing *within* the VPN tunnel requires that the attacker has compromised the tunnel. *if everything is set up correctly* that's not possible. – Zac67 Jul 23 '23 at 18:53
  • Then you have to define what is "correctly" quite tightly. Just simple formal logic: if the tunnel imitates Ethernet (e.g. has all the properties of Ethernet for the observing user) *and* if Ethernet permits ARP spoofing (it does, as we know), *then* there will be ARP spoofing possible in that tunnel. Therefore, a true Ethernet tunnel (which OpenVPN tap mode is) must permit ARP spoofing inevitably. – Nikita Kipriyanov Jul 24 '23 at 03:24
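
Following the static ARP precaution raised in the comments, one defensive check for a TAP-mode tunnel, given here as an added example that is not part of the original thread: it compares successive `ip neigh show dev tap0` outputs against pinned IP-to-MAC bindings. The interface name, addresses, MACs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches lines of `ip neigh show dev tap0`, e.g.
# "10.8.0.1 lladdr 52:54:00:aa:00:01 REACHABLE" (a "dev X" field is tolerated).
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?:dev\s+\S+\s+)?lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)", re.I)

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m["state"].upper() != "FAILED":
            table[m["ip"]] = m["mac"].lower()
    return table

def audit(snapshots, pinned):
    """Compare successive neighbour-table snapshots against pinned bindings."""
    findings, previous = [], {}
    for n, text in enumerate(snapshots):
        table = parse_neigh(text)
        by_mac = defaultdict(set)
        for ip, mac in table.items():
            by_mac[mac].add(ip)
            if ip in pinned and mac != pinned[ip].lower():
                findings.append((n, "pinned-mismatch", ip, mac))
            elif ip in previous and previous[ip] != mac:
                findings.append((n, "binding-changed", ip, mac))
        # One MAC answering for several tunnel IPs is the usual spoofing trace.
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                findings.append((n, "mac-shared", ",".join(sorted(ips)), mac))
        previous = table
    return findings

# Constructed sample data (not from the page): two snapshots of a tap0 table.
PINNED = {"10.8.0.1": "52:54:00:aa:00:01"}
SNAPSHOTS = [
    "10.8.0.1 lladdr 52:54:00:aa:00:01 REACHABLE\n"
    "10.8.0.7 lladdr 52:54:00:aa:00:07 STALE\n",
    "10.8.0.1 lladdr 52:54:00:aa:00:07 REACHABLE\n"
    "10.8.0.7 lladdr 52:54:00:aa:00:07 REACHABLE\n",
]

if __name__ == "__main__":
    for finding in audit(SNAPSHOTS, PINNED):
        print(finding)
```

On a TUN (L3) interface there is no ARP and the neighbour table stays empty, so this check only applies to TAP mode.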