allow spoofing when using tun

Posted by Johnny on Server Fault See other posts from Server Fault or by Johnny
Published on 2012-10-25T10:23:07Z Indexed on 2012/10/25 11:03 UTC
Read the original article Hit count: 229

Filed under:

I have a working openvpn setup with a server and a number of clients. How would i go around allowing IP spoofing through the openvpn server? (to demonstrate security concepts)?

A normal ping from client to server goes through all right:

root@client: hping3 10.8.0.1
HPING 10.8.0.1 (tun0 10.8.0.1): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=10.8.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=124.7 ms

root@server:/etc/openvpn# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
10:17:51.734167 IP 10.8.0.6.2146 > 10.8.0.1.0: Flags [], win 512, length 0

But when spoofing a packet, it does not arrive at the openvpn server:

root@client: hping3 -a 10.0.8.120 10.8.0.1
HPING 10.8.0.1 (tun0 10.8.0.1): NO FLAGS are set, 40 headers + 0 data bytes

root@server:/etc/openvpn# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes

My current config files

server.conf

local X.Y.Z.P
port 80
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
persist-local-ip
status openvpn-status.log
verb 3

client.conf

client
dev tun
proto tcp
remote MYHOST..amazonaws.com 80
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3

© Server Fault or respective owner

Related posts about openvpn