path: root/netsec-assignment4-S4498062/exercise3
Diffstat (limited to 'netsec-assignment4-S4498062/exercise3')
-rw-r--r--  netsec-assignment4-S4498062/exercise3/exercise3a  4
-rw-r--r--  netsec-assignment4-S4498062/exercise3/exercise3b  7
-rw-r--r--  netsec-assignment4-S4498062/exercise3/exercise3c  2
-rw-r--r--  netsec-assignment4-S4498062/exercise3/exercise3d  5
-rw-r--r--  netsec-assignment4-S4498062/exercise3/exercise3e  4
5 files changed, 22 insertions, 0 deletions
diff --git a/netsec-assignment4-S4498062/exercise3/exercise3a b/netsec-assignment4-S4498062/exercise3/exercise3a
new file mode 100644
index 0000000..fcc4a08
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3a
@@ -0,0 +1,4 @@
+All traffic to the VPN server goes through the normal interface. Otherwise, we
+cannot reach the server anymore because we're VPNing the VPN server with itself.
+All other traffic not matched by any other route goes to 10.50.9.1, because
+that's where the VPN client is running.
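Review bot: the justification for the default route on the last two lines ("because that's where the VPN client is running") is confusing, since exercise3c describes 10.50.9.* as the virtual network of tap0, i.e. 10.50.9.1 is the gateway on the tunnel side of tap0; saying that the default route points at the tunnel gateway on tap0 would be clearer. The first sentence should also name the "normal interface" as wlp3s0, as exercise3b through exercise3e do, so the five answers use the same terms.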
diff --git a/netsec-assignment4-S4498062/exercise3/exercise3b b/netsec-assignment4-S4498062/exercise3/exercise3b
new file mode 100644
index 0000000..82f0f3c
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3b
@@ -0,0 +1,7 @@
+Internal (NAT) traffic is not meant to be VPNed. IP addresses like 10.*.*.*
+(route 4), 172.0x1*.*.* (route 5) and 192.168.*.* (route 6) can be find by your
+machine, but (usually) not by the VPN, that's why they need to be excluded and
+handled by wlp3s0. These are standard numbers, so the VPN knows about it.
+The same goes for route 9. In the DHCP dump we can see that 145.116.128.0/22 all
+belongs to a small network, and if we'd attempt to VPN this, we cannot reach the
+gateway or any other machine in our local network any more.
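Review bot: the second range on line 2 is written as "172.0x1*.*.*", which is ambiguous; the private block is 172.16.0.0/12 (172.16.x.x through 172.31.x.x), and all three ranges read best in CIDR form, e.g. "10.0.0.0/8 (route 4), 172.16.0.0/12 (route 5) and 192.168.0.0/16 (route 6)". "can be find" should be "can be found", and "These are standard numbers, so the VPN knows about it" would be clearer as a statement that these are the RFC 1918 private ranges, reachable from the local machine but usually not from the VPN side. For route 9 it is worth stating explicitly that excluding 145.116.128.0/22 means traffic to that local network is deliberately sent outside the tunnel and is therefore not protected by the VPN, as the trade-off for keeping the gateway and the other local machines reachable.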
diff --git a/netsec-assignment4-S4498062/exercise3/exercise3c b/netsec-assignment4-S4498062/exercise3/exercise3c
new file mode 100644
index 0000000..ed215e1
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3c
@@ -0,0 +1,2 @@
+10.50.9.* belongs to the virtual network of tap0. If we'd let this go through
+wlp3s0, we cannot reach tap0 any more.
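Review bot: the answer should also say why this route is needed at all, given that exercise3b sends 10.*.*.* (route 4) to wlp3s0: 10.50.9.0/24 is a more specific prefix than 10.0.0.0/8, so this route wins by longest-prefix match and keeps the tunnel network on tap0 while the rest of 10.0.0.0/8 stays on wlp3s0. Writing the range as 10.50.9.0/24 instead of 10.50.9.* would make that comparison obvious.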
diff --git a/netsec-assignment4-S4498062/exercise3/exercise3d b/netsec-assignment4-S4498062/exercise3/exercise3d
new file mode 100644
index 0000000..b5ea318
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3d
@@ -0,0 +1,5 @@
+This is added to not VPN the DNS service on 131.174.117.20. From the DHCP lease
+of tap0 we can see that this VPN service does not provide a DNS server. So, if
+we don't allow the other name server (if this rule were not there), we cannot
+resolve any hostnames. However, there are VPNs that do have a DNS service (see
+http://security.stackexchange.com/a/13907/21287)
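Review bot: the answer gives only the functional reason for this route and should also state its security consequence: because 131.174.117.20 is reached over wlp3s0, every DNS query leaves the machine outside the tunnel, so the local network and the resolver operator can see which hostnames are being resolved even though the resulting connections go through the VPN. This is the classic DNS-leak trade-off of a split-tunnel setup and worth spelling out, since the text already observes that the tap0 DHCP lease provides no DNS server. Minor: the last sentence ends without a period after the closing parenthesis.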
diff --git a/netsec-assignment4-S4498062/exercise3/exercise3e b/netsec-assignment4-S4498062/exercise3/exercise3e
new file mode 100644
index 0000000..b5e22fa
--- /dev/null
+++ b/netsec-assignment4-S4498062/exercise3/exercise3e
@@ -0,0 +1,4 @@
+This is to let traffic to the VPN go through wlp3s0. Otherwise, we will VPN the
+VPN with itself, and we cannot use it at all.
+This also means that SSHing to the machine of the VPN server will not go through
+the VPN server itself.
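Review bot: the first two lines repeat the explanation already given in exercise3a (the host route for the VPN server via the physical interface); a cross-reference to exercise3a, or one consolidated explanation, would avoid the duplication. The SSH remark is a useful consequence to keep, but it should make explicit that it applies to any traffic addressed to the VPN server's own IP address, SSH being one example, and that such traffic is consequently not protected by the tunnel.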