
I have an openvpn server behind a firewall; clients are assigned static IP addresses with specific ifconfig-push directives in the client-config-dir. The problem is that clients can change their assigned IPs (e.g. ifconfig tap0 a.b.c.d up), making all my firewall rules useless. Is there a way to prevent them from changing their IP?

server.conf:

mode server
tls-server

local 10.0.0.150
port 1194
proto udp

#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"

persist-key
persist-tun

#certificates and encryption
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret

#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 10.0.0.150 255.255.255.0 10.0.0.151 10.0.0.170
client-config-dir /etc/openvpn/client-config

#log and security
user nobody
group nogroup
keepalive 60 240
status openvpn-status.log
verb 3

client-config/some_client:

ifconfig-push 10.0.0.1 255.255.255.0
Omriko

2 Answers


Why server-bridge? Why would you use a bridge if you want to implement firewall rules? If you give clients a layer 2 tunnel to work with, then they are going to be able to change their layer 3 addressing.

Zoredache
  • pardon my noobity, what other option do I have? – Omriko Aug 18 '15 at 16:46
  • OpenVPN supports two modes: routed (L3) or bridged (L2), also known as tun or tap mode. With OpenVPN you should almost always be using tun mode. Tap mode has no security, is susceptible to ARP poisoning, and has more overhead from the extra Ethernet headers. https://community.openvpn.net/openvpn/wiki/BridgingAndRouting – Zoredache Aug 18 '15 at 17:07
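What the switch from bridged to routed mode looks like for the configuration posted in the question, as an added example that is not the original poster's or the answerer's config. The VPN subnet 10.8.0.0/24, the pool range, the interface name tun0 and the client address 10.8.0.10 are assumptions chosen for the example; the certificate paths and the LAN 10.0.0.0/24 are taken from the question. The point is that in tun mode the server owns the routing for each client address: a client that changes its own tun address has its packets dropped by OpenVPN before they ever reach the firewall, which a bridged tap0 cannot do.

```conf
# /etc/openvpn/server.conf, routed (tun) version of the question's bridged config
mode server
tls-server

local 10.0.0.150
port 1194
proto udp

# Layer-3 tunnel: no bridge, so no br0 up/down scripts are needed
dev tun0
topology subnet
push "topology subnet"

persist-key
persist-tun

# certificates and encryption (paths from the question)
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret

# VPN subnet (assumed 10.8.0.0/24), kept separate from the LAN 10.0.0.0/24.
# The server takes 10.8.0.1; the dynamic pool is 10.8.0.100-200 so that the
# static addresses handed out from client-config-dir can never collide with it.
ifconfig 10.8.0.1 255.255.255.0
ifconfig-pool 10.8.0.100 10.8.0.200 255.255.255.0
push "route-gateway 10.8.0.1"
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/client-config

# Clients reach the LAN behind the server through the tunnel
push "route 10.0.0.0 255.255.255.0"

# Deliberately no "client-to-client": traffic between clients then leaves tun0,
# is routed by the kernel and passes the FORWARD chain like everything else.

user nobody
group nogroup
keepalive 60 240
status openvpn-status.log
verb 3

# /etc/openvpn/client-config/some_client
# With "topology subnet" the second argument is the netmask, not a peer address.
# ifconfig-push 10.8.0.10 255.255.255.0
```

With this in place the firewall rules for some_client match on `-i tun0 -s 10.8.0.10`, and that match can be trusted: in tun mode OpenVPN checks the source address of every packet a client sends against the address it pushed to that client (plus any iroute in its ccd file) and discards anything else, logging "MULTI: bad source address from client [some_client], packet dropped". The check is done by the OpenVPN process on the server, not by the client, so `ifconfig tun0 a.b.c.d up` on the client side only breaks that client's own connectivity. The LAN hosts need a route for 10.8.0.0/24 via 10.0.0.150 (or the server must NAT), which is the one piece of work a bridge used to do for free.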

I'm not 100% sure, but I think the issue is that you are also pushing out a /24 to the clients, so they are free to change it because of that. You want to push out a smaller subnet to each client.

ifconfig-push 10.113.20.10 10.113.20.9

The next one would be

ifconfig-push 10.113.20.14 10.113.20.13
Mike
  • Changed it to: ifconfig-push 10.0.0.1 10.0.0.1. They can still change it, even to addresses outside of the subdomain. – Omriko Aug 18 '15 at 14:52
  • It's not the same IP. One is the client IP, the other is the client IP's subnet. – Mike Aug 18 '15 at 15:37
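Whichever form of ifconfig-push ends up in the ccd files, the firewall rules only stay meaningful while they match the addresses the server actually hands out. The script below is an added example, not code from the question or either answer: it reads every file in a client-config-dir, takes the address from its ifconfig-push line and prints one iptables FORWARD rule per client keyed to that address. It assumes routed (tun) mode, where OpenVPN itself refuses packets whose source address differs from the client's assigned one, so matching on the source address identifies the client; the interface names tun0 and eth0 and the client names and addresses in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Generates one iptables rule per
# client from the ifconfig-push lines in an OpenVPN client-config-dir so the
# firewall rules stay keyed to the addresses the server assigns.
# Assumes routed (tun) mode: there OpenVPN drops packets whose source address
# does not match the client's assigned address (or an iroute), so a rule that
# matches "-i tun0 -s <assigned address>" reliably identifies the client.
# TUN_IF, LAN_IF and the sample clients below are assumptions for the example.

TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"

# ccd_addr FILE: print the address argument of the first ifconfig-push line.
# Works for both the "topology subnet" form (addr netmask) and the net30 form
# (addr peer), because the client's own address is the first argument in both.
ccd_addr() {
    awk '$1 == "ifconfig-push" { print $2; exit }' "$1"
}

# rules_for_ccd DIR: print an ACCEPT rule for every client file that carries a
# usable ifconfig-push. Files without one are reported on stderr and skipped,
# so a client without a pinned address never gets a rule by accident.
rules_for_ccd() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        addr=$(ccd_addr "$f")
        case "$addr" in
            '' | *[!0-9.]*)
                echo "skip $name: no usable ifconfig-push" >&2
                continue
                ;;
        esac
        # The file name in client-config-dir is the certificate common name,
        # so it doubles as a comment that ties the rule back to the client.
        printf 'iptables -A FORWARD -i %s -o %s -s %s/32 -m comment --comment "vpn:%s" -j ACCEPT\n' \
            "$TUN_IF" "$LAN_IF" "$addr" "$name"
    done
}

# Demo on a constructed client-config-dir (hypothetical names and addresses).
demo() {
    d=$(mktemp -d)
    printf 'ifconfig-push 10.8.0.10 255.255.255.0\n' > "$d/some_client"
    printf 'ifconfig-push 10.8.0.11 255.255.255.0\n' > "$d/other_client"
    printf 'push "route 10.0.0.0 255.255.255.0"\n' > "$d/no_static_ip"
    rules_for_ccd "$d"
    rm -rf "$d"
}

demo
```

Run it against the real directory with `rules_for_ccd /etc/openvpn/client-config` and pipe the output into `sh` after a default `iptables -P FORWARD DROP`; re-run it whenever a ccd file changes. Note that this only helps once the server is in tun mode: on the bridged tap0 from the question the same rules are still easy to bypass, because nothing stops a client from sending frames with another client's source address.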