MITM attacks inside VPN network?

undefined undefined

7/23/24, 4:56 PM

Is it possible to use any MITM attacks (including ssh-mitm) if I'm connected to a VPN? OpenVPN connects me via tun0 interface with some IP in 10.0.0.0/8 and gateway at some IP 10.0.0.0/8. I know that TUN is third layer, so ARP spoofing prorably won't work, but what about TAP layer?

1 + 1

networking

linux

vpn

openvpn

arp

Greg Askew

7/23/24, 6:38 PM

Sure is. VPN networks are notorious for security problems too.

Score:0

Server

Zac67

7/23/24, 5:53 PM

If everything is set up correctly - proper cipher strengths, sufficient key/password lengths, uncompromised keys/passwords - there's no way for an attacker to alter tunnel contents while they are encrypted. A MITM attack can only happen after decryption in the destination network, or on your own computer (or on your network with site-to-site VPN).

Whether you use a TUN (L3) or TAP (L2) adapter doesn't matter as integrity is guaranteed.

ARP spoofing could also be attempted within your own network, but that's not a problem either. If anyone would spoof your gateway's IP address and tries to manipulate outer packets then mutual authentication ceases to work.

+ 3

Nikita Kipriyanov

7/23/24, 6:19 PM

ARP spoofing should work with VPN that emulates L2 and, in particular, it certainly **will** work with OpenVPN tap mode (without other precautions like APR static entries and so on).

Zac67

7/23/24, 6:53 PM

@NikitaKipriyanov ARP spoofing *within* the VPN tunnel requires that the attacker has compromised the tunnel. *if everything is set up correctly* that's not possible.

Nikita Kipriyanov

7/24/24, 3:24 AM

Then you have to define what is "correctly" quite tightly. Just simple formal logic, if the tunnel imitates Ethernet (e.g. has all the properties of Ethernet for the observing user) *and* if Ethernet permits ARP spoofing (it is, as we know), *then* there will be ARP spoofing possible in that tunnel. Therefore, true Ethernet tunnel (which OpenVPN tap mode is) must permit ARP spoofing inevitably.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: MITM attacks inside VPN network?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.