
Can anyone show me how to filter (change bandwidth, delay, etc.) one or more users connecting to OpenVPN based on their MAC address?

The reason I would like to use the MAC address is that I could have hundreds of users connecting to OpenVPN, and I would like to individually limit the bandwidth of each client.

Many thanks

Server Programmer

1 Answer


This is not possible, as the MAC of a specific user is only visible on that user's network. Once that user's traffic transits a layer 3 boundary, the MAC is no longer present, nor is it useful information in the first place, as it is trivial for any user to change their MAC address.

I would recommend looking into username-based limiting options.

EEAA
  • To clarify, are you saying that if the user connected to a local network their MAC address would be visible, but if they connect to a VPN you can no longer track their MAC? If this is the case, what unique environment variables can we use then to distinguish one user from another on OpenVPN? – Server Programmer May 31 '16 at 01:18
  • That is correct. As mentioned in the answer, use their username. – EEAA May 31 '16 at 01:19
  • I am going to mark this question answered; if you would like to answer the above new question I just asked, I posted a new question here: http://serverfault.com/questions/779913/add-filter-based-on-client-certificate-name-openvpn – Server Programmer May 31 '16 at 01:23
  • One last question: could we use something like the following to individually identify a user: client_ip="$trusted_ip" or client_ip_vpn="$ifconfig_pool_remote_ip" – Server Programmer May 31 '16 at 01:26
  • Can you help me to understand the following: learn-address cmd - Run script or shell command cmd to validate client virtual addresses or routes. cmd will be executed with 3 parameters: [1] operation -- "add", "update", or "delete" based on whether or not the address is being added to, modified, or deleted from OpenVPN's internal routing table. [2] address -- The address being learned or unlearned. This can be an IPv4 address such as "198.162.10.14", an IPv4 subnet such as "198.162.10.0/24", or an ethernet MAC address (when --dev tap is being used) such as "00:FF:01:02:03:04". – Server Programmer May 31 '16 at 02:59
  • Point #2 lists that we can capture the MAC address using learn-address and OpenVPN. Here is the link (see half ways down): https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html – Server Programmer May 31 '16 at 03:00
  • I am running OpenVPN in dev tun and would like to connect Android and iOS devices to OpenVPN to learn their MAC address – Server Programmer May 31 '16 at 03:24
  • TAP drawbacks: causes much more broadcast overhead on the VPN tunnel; adds the overhead of Ethernet headers on all packets transported over the VPN tunnel; scales poorly; cannot be used with Android or iOS devices. TUN benefits: a lower traffic overhead, transports only traffic which is destined for the VPN client; transports only layer 3 IP packets. – Server Programmer May 31 '16 at 03:24
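The answer recommends username-based limiting and the comments circle around the learn-address hook and the client's pool address ($ifconfig_pool_remote_ip). The script below is an added example, not code from the thread or from the OpenVPN project: it is a learn-address script that caps each client's bandwidth with a Linux tc HTB class keyed on the username (common name) and the virtual IP OpenVPN assigns, which is what you have on a --dev tun server where no MAC address exists. The interface name tun0, the /24 client pool, the rate table /etc/openvpn/rates.txt and the sample rows are all hypothetical assumptions.

```sh
#!/bin/sh
# Added example (not from the Server Fault thread or OpenVPN): per-client rate
# limit keyed on username + virtual IP, installed from OpenVPN's learn-address
# hook. Hypothetical assumptions: server interface tun0, a /24 client pool, and
# a rate table /etc/openvpn/rates.txt with "<common_name> <kbit>" lines.

RATE_TABLE="${RATE_TABLE:-/etc/openvpn/rates.txt}"
VPN_IF="${VPN_IF:-tun0}"
TC="${TC:-tc}"            # set TC="echo tc" to print commands instead of running them

# Constructed sample table, used only when RATE_TABLE does not exist.
SAMPLE_TABLE='alice 1024
bob 256
default 512'

# rate_for_user <common_name>: print the kbit/s for this user, else the "default" row.
rate_for_user() {
    if [ -r "$RATE_TABLE" ]; then table=$(cat "$RATE_TABLE"); else table="$SAMPLE_TABLE"; fi
    rate=$(printf '%s\n' "$table" | awk -v cn="$1" '$1 == cn { print $2; exit }')
    [ -n "$rate" ] || rate=$(printf '%s\n' "$table" | awk '$1 == "default" { print $2; exit }')
    printf '%s\n' "$rate"
}

# classid_for_ip <vpn_ip>: stable HTB class id 1:<host octet> (unique within a /24 pool).
classid_for_ip() {
    printf '1:%s\n' "${1##*.}"
}

# setup_root: one-time root qdisc on the tun interface (run it from an "up" script).
setup_root() {
    $TC qdisc replace dev "$VPN_IF" root handle 1: htb
}

# apply_limit <add|update|delete> <vpn_ip> [common_name]
# Same argument order as the learn-address hook documented in the OpenVPN manpage.
apply_limit() {
    op="$1"; ip="$2"; cn="${3:-}"
    cls=$(classid_for_ip "$ip")
    octet="${ip##*.}"     # reused as the filter priority so one client's filter can be removed alone
    case "$op" in
        add|update)
            rate=$(rate_for_user "$cn")
            $TC class replace dev "$VPN_IF" parent 1: classid "$cls" htb rate "${rate}kbit" ceil "${rate}kbit"
            $TC filter replace dev "$VPN_IF" protocol ip parent 1: prio "$octet" u32 match ip dst "$ip/32" flowid "$cls"
            ;;
        delete)
            $TC filter del dev "$VPN_IF" protocol ip parent 1: prio "$octet"
            $TC class del dev "$VPN_IF" classid "$cls"
            ;;
        *)
            echo "usage: $0 add|update|delete <vpn_ip> [common_name]" >&2
            return 1
            ;;
    esac
}

# Entry point when OpenVPN runs this file via:  learn-address /etc/openvpn/limit.sh
case "${1:-}" in
    add|update|delete) apply_limit "$1" "$2" "${3:-}" ;;
esac
```

The class lives on the tun interface's egress, so it only caps traffic the server sends toward that client; the client-to-server direction would need an ingress or ifb setup that this example leaves out. Because the key is the certificate's common name rather than anything the client reports, a client cannot pick a different cap by changing its own addressing, which is the point the answer makes about MAC addresses.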