regardless if you set up the wireless security and encryption, the transmission can be recorded and later decrypted. Then they have a copy of the VPN cert you use to authenticate. WIFI is an easy attack surface because all the hacker has to do is set a computer in range to listen with an automatic script.
WiFi has never been a totally secure system, nor has there really been a way to secure it 100% either, and combinations of different security practices are often more effective than a one-stop solution.
Is it easy to decrypt WiFi traffic? I was under the impression that WiFi and VPN encryption are strong enough to resist brute force (or other) attempts at decrypting.
I ask because VPN companies, such as NordVPN, recommend VPN to use on public networks. I assumed this was to avoid e.g. MitM attacks. This is partly why I set up my own VPN. But you make it sound insecure in itself! I always thought VPN was a big chunk of the layered approach to security.
A wireless connection can easily be recorded. That’s true. But encryption with keys assumes an independent way of key exchange. If you choose that way right (not on the same medium), the connection is highly secure. To guess the keys is too complex to be efficient. IMO, VPN is nearly 100% secure if keys are not transmitted on an insecure medium such as WiFi.
The insecurity of wireless connections results from the free access to the transmission medium. To interfere with a wired connection, an attacker must attach to the wire. This is noticed in many cases; a wireless receiver usually isn’t discovered.
As @bbitsch said.
After the key has been created on the server, the configuration file must be transferred via a more secure channel.
Second option, you encrypt the configuration file again and can transfer it as you like.
That is indeed an interesting option. To break a crypt, you need some data material. If you are using a special encryption for short messages only seldom, you deliver little material for a code breaker.
@mumpitz, @bbitsch - that was my understanding: if you transfer config files (.ovpn, ta, ca, .p12, etc) securely and password protect the .p12 file then VPN is very secure to use on WiFi.
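An added illustration of the "encrypt the configuration file again" option discussed above; it is not part of any post in this thread. It assumes OpenSSL 1.1.1 or later, a passphrase exported in `CONFIG_PASSPHRASE` (a name chosen for this example) that is shared out of band, and hypothetical file names.

```shell
#!/bin/sh
# Added example: wrap an OpenVPN client config (.ovpn, .p12, ...) so the
# encrypted copy can travel over an untrusted channel.
# Assumptions: openssl >= 1.1.1; the passphrase is exported in
# CONFIG_PASSPHRASE and is exchanged on a different medium than the file.

ITER=200000   # PBKDF2 iterations; sender and receiver must use the same value

# wrap_config <plain-in> <encrypted-out>
wrap_config() {
    [ -n "$CONFIG_PASSPHRASE" ] || { echo "CONFIG_PASSPHRASE not set" >&2; return 2; }
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$1" -out "$2" -pass env:CONFIG_PASSPHRASE
}

# unwrap_config <encrypted-in> <plain-out>
unwrap_config() {
    [ -n "$CONFIG_PASSPHRASE" ] || { echo "CONFIG_PASSPHRASE not set" >&2; return 2; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass env:CONFIG_PASSPHRASE
}

# file_digest <file>
# Prints the SHA-256 of the file. AES-CBC alone is not authenticated, so the
# sender reads this digest of the encrypted file to the receiver over the
# out-of-band channel, and the receiver compares it before decrypting.
file_digest() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}
```

The sender runs `wrap_config` and `file_digest` on the result; the receiver checks the digest and then runs `unwrap_config`.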
The easiest way is with a RAMBO or some other RF data leakage detection device in conjunction with a few select Linux signal analysis and decoding software tools; you capture the emissions, then process them. It takes about 30 seconds to get a 4096 bit cert from a VPN connection this way. The Rambo is about $200. Of course if you are a hardware/electronics guy like me I can build one up for about $60 in parts that I have commonly around.
Of course, once I decode the transmission (about 20 seconds) I can change my MAC address, then retransmit the instance of the other machine’s VPN connecting and gain access. Of course there are other ways that can be done if they need to shadow the connection, but they don’t need to hack the VPN to read what is on the WiFi device’s screen either.
Now you know why WiFi should not be used for sensitive security communications.
Sensitive data must be secured by other means, not only by the transmission channel:
- two end applications exchanging data encrypt with secure algorithms
- a local network containing sensitive data has its own policies to control access
A VPN just connects two local networks into one. A secure solution demands policies for both.
BTW: Playing MITM on wireless produces double transmissions, which can be detected.
Have you done this in practice, which sounds like a MitM attack, e.g. on a test WiFi network running WPA2 or WPA3, with OpenVPN config exchanged securely?
Are you talking about a TEMPEST attack, such as electromagnetic eavesdropping? Is this possible/easy on modern LCD and OLED screens? Have you done this and, if so, over what sort of distances?