Our business is currently running a VPN using OpenVPN on a server we host ourselves.

We have a need to lock down our internal network for client reasons - so the desired outcome is that only whitelisted hardware/MAC addresses can connect to our network via our Draytek 2925 router. That's easy - we can simply use the strict bind feature of the router to prevent random connections. However, I cannot figure out a way to make this work with OpenVPN. It occurred to me that we could look to assign static IP addresses to VPN clients, but from what I can find online these can only be assigned to user accounts rather than MAC addresses.

As well as this, even if I can figure out a way to assign static IPs, I'm not sure how to make these work in the whitelist - currently if I try to enter a normal OpenVPN address like 10.8.0.2 to the whitelist, the router is telling me this is outside the router LAN address range (presumably I can add this somehow but I haven't figured out how yet).

I'm new to all of this kind of stuff so apologies if my question is seen as a bit behind the eight ball.

If anyone can help with the MAC question I'd really appreciate it; alternatively if anyone has a better idea for achieving the end goal I'd also appreciate that.

Cheers.

the-wabbit
shaneoh
  • could you add a sketch with components, clients and networks and how they relate to each other? You definitely can't do anything with a MAC filter for hosts outside of your own internal network as the MAC address simply is not preserved during IP routing. There might be other solutions to your problem, but I am having trouble understanding what the problem actually is. – the-wabbit Sep 18 '15 at 08:54
  • As I have only signed up today, serverfault will not let me add images. Essentially, we have remote clients connecting to our internal network via a VPN. These clients can then access our internal resources. We want only whitelisted hardware to be able to access our internal resources. So we need to be able to control the hardware that is connecting to VPN. – shaneoh Sep 18 '15 at 09:47
  • 1
    Put it anywhere on the web, I will merge it into your question. – the-wabbit Sep 18 '15 at 09:48
  • Can be seen here - hopefully this is the detail you need: http://tinypic.com/r/25fit53/8 – shaneoh Sep 18 '15 at 09:58
  • That link seems to only work sporadically. It's also here: http://postimg.org/image/4izraabvf/4bc5c947/ – shaneoh Sep 18 '15 at 10:01

1 Answer

You can't really tie a connection to "hardware" unless you are storing the connection keys in a hardware-integrated key store like, for example, the TPM module which is integrated with the mainboard. The source MAC addresses are not preserved as soon as IP packets get routed; other possible machine-specific identifiers are not exchanged during the handshake or configuration phases of the OpenVPN connection.

That being said, there have been some efforts to implement such policies in software. Network Access Protection (deprecated) was a Windows-generic approach to this, and VPN-gateway-specific clients (Checkpoint, Cisco) also allow you to configure checks that must be met before a connection can be established.

While this might be possible to implement with the OpenVPN client as well (either by trying to push the "route-up" script option or by working on the OpenVPN code to run a server-supplied script and check the result), be aware that OpenVPN has not been designed with this use case in mind, so things might break for you when trying.

the-wabbit
  • OK, thanks the-wabbit. That pretty well confirms what I suspected. I think my approach from here will be to set up a test environment and investigate using the "route-up" script option as you have suggested. Cheers! – shaneoh Sep 18 '15 at 14:30
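As an added example (not code from the-wabbit's answer or from the OpenVPN project), the following shows the one binding the server can actually enforce after routing has discarded the client's MAC: the certificate the client authenticated with. OpenVPN's real `client-connect` directive runs a script for every new client with `common_name` (from the client certificate) and `trusted_ip` (the public address it connected from) in the environment, passes the path of a temporary file as its only argument, and rejects the client when the script exits non-zero; `script-security 2` is needed for that. The allowlist file, its `common_name tunnel_ip` line format, the hook path `/etc/openvpn/allowlist-hook.sh` and the sample names are my assumptions, and `topology subnet` is assumed so that `ifconfig-push` takes an address and a netmask. The sample allowlist in the usage note below is constructed.

```shell
#!/bin/sh
# Hypothetical OpenVPN client-connect hook (added example, not from the thread).
# Assumed server.conf lines:
#   script-security 2
#   topology subnet
#   client-connect /etc/openvpn/allowlist-hook.sh
# OpenVPN exports common_name, trusted_ip and others into the environment and
# calls this script with one argument: a temp file for per-client directives.
# Exit status 0 admits the client, anything else rejects it.

# Allowlist format (assumed): "<certificate common name> <tunnel ip>" per line,
# blank lines and lines starting with # are ignored.
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-clients}"

# check_client <common_name> <allowlist_file>
# Prints the pinned tunnel IP and returns 0 if the certificate's common name is
# listed; returns 1 for anything else (unknown name, unreadable file).
check_client() {
    cn="$1"
    file="$2"
    [ -r "$file" ] || return 1
    awk -v cn="$cn" '
        NF == 0 || $1 ~ /^#/ { next }     # skip blank and comment lines
        $1 == cn { print $2; found = 1; exit }   # exact match on field 1 only
        END { if (found) exit 0; exit 1 }
    ' "$file"
}

# Only act when OpenVPN is actually invoking us (common_name is set).
if [ -n "$common_name" ]; then
    if tun_ip=$(check_client "$common_name" "$ALLOWLIST"); then
        # Pin the tunnel address for this certificate so downstream filters
        # (router ACLs, firewall rules) can key on it.
        printf 'ifconfig-push %s 255.255.255.0\n' "$tun_ip" >> "$1"
        logger -t openvpn-hook "accept cn=$common_name from=$trusted_ip tun=$tun_ip"
        exit 0
    fi
    logger -t openvpn-hook "reject cn=$common_name from=$trusted_ip"
    exit 1
fi
```

With a constructed allowlist such as `laptop-alice 10.8.0.2` and `laptop-bob 10.8.0.3`, a client presenting a certificate with common name `laptop-alice` is admitted and always receives 10.8.0.2, while `laptop-mallory` (or a prefix like `laptop`) is refused before any tunnel address is handed out. Note what this does and does not prove: the identity being checked is the private key the client used in the TLS handshake. If that key lives in a copyable file, the "hardware" identity travels with it, which is exactly why the answer points at TPM-backed key storage as the only way to tie a connection to a specific machine.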