allow spoofing when using tun
- by Johnny
I have a working openvpn setup with a server and a number of clients.
How would i go around allowing IP spoofing through the openvpn server? (to demonstrate security concepts)?
A normal ping from client to server goes through all right:
root@client: hping3 10.8.0.1
HPING 10.8.0.1 (tun0 10.8.0.1): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=10.8.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=124.7 ms
root@server:/etc/openvpn# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
10:17:51.734167 IP 10.8.0.6.2146 > 10.8.0.1.0: Flags [], win 512, length 0
But when spoofing a packet, it does not arrive at the openvpn server:
root@client: hping3 -a 10.0.8.120 10.8.0.1
HPING 10.8.0.1 (tun0 10.8.0.1): NO FLAGS are set, 40 headers + 0 data bytes
root@server:/etc/openvpn# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
My current config files
server.conf
local X.Y.Z.P
port 80
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
persist-local-ip
status openvpn-status.log
verb 3
client.conf
client
dev tun
proto tcp
remote MYHOST..amazonaws.com 80
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
