How to prevent OpenVPN clients from changing settings?
Hello, pros. I need help with OpenVPN.
The bottom line:
- each user connects to the OpenVPN server with their own certificate (the certificates are generated with a password)
- in the server settings, each user is assigned their own IP address
- in the settings of the services on the subnet the clients go to, each service has a pool of IP addresses that are allowed to use it
It is necessary to somehow rule out the possibility of clients changing the IP address that the server assigned to them (or to throw such a client out / not let it into the subnet at all). Potentially this possibility exists, because users are given a connection settings file into which they could theoretically add their own directives, including setting their own IP address (one that may be allocated to another user) and reaching services not intended for them.
Please help me solve this.
Purely in theory, you can try to resolve it through iptables.
Write a script that, on client connect / disconnect (the client-connect and client-disconnect parameters), adds a mark to packets from that IP (iptables -t mangle -A INPUT -s ${IP} -j MARK --set-mark 0x???), with the mark depending on $common_name. Accordingly, configure access authorization to resources in iptables through marks from the start (iptables -t filter -A FORWARD -i tun0 -m mark --mark 0x??? -d ip_resource -j ACCEPT), and in principle you can then drop the static binding of clients to IPs. On disconnect, delete the rules.
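The mark-based scheme from this answer written out as an added example hook script (not the answerer's code): it assumes OpenVPN in tun mode on tun0, the standard client-connect environment variables, and a constructed common-name-to-mark table and resource addresses.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN client-connect/client-disconnect
# hook that marks traffic from the address the *server* assigned to a client
# and authorises resources by mark rather than by static IP.
# Assumptions (hypothetical): OpenVPN runs in tun mode on tun0 and exports
# script_type, common_name and ifconfig_pool_remote_ip to the hook; the
# common-name-to-mark table and resource addresses used here are constructed.
IPTABLES=${IPTABLES:-iptables}

# Print the command instead of running it when DRY_RUN is set (for testing).
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Map a certificate common name to a packet mark. Unknown names get none,
# so their packets match no ACCEPT rule and fall through to the chain policy.
mark_for_cn() {
    case "$1" in
        alice) echo 0x11 ;;
        bob)   echo 0x12 ;;
        *)     return 1 ;;
    esac
}

# Add (connect) or delete (disconnect) the mark rule for one client.
# Marks must be set in PREROUTING so that the FORWARD chain can see them;
# mangle INPUT only covers traffic addressed to the server host itself.
# The source is the server-assigned address, never a client-supplied one.
client_mark_rule() {  # $1 = add|del, $2 = common name, $3 = assigned IP
    case "$1" in add) flag=-A ;; del) flag=-D ;; *) return 1 ;; esac
    mark=$(mark_for_cn "$2") || return 1
    run "$IPTABLES" -t mangle "$flag" PREROUTING -i tun0 -s "$3" \
        -j MARK --set-mark "$mark"
}

# One-time authorisation rules: a resource is reachable only with the mark
# of a permitted client; set the FORWARD policy to DROP so nothing else passes.
authorise() {  # $1 = common name, $2 = resource address
    mark=$(mark_for_cn "$1") || return 1
    run "$IPTABLES" -t filter -A FORWARD -i tun0 -m mark --mark "$mark" \
        -d "$2" -j ACCEPT
}

# Dispatch when invoked by OpenVPN (script_type is set by the server).
# A non-zero exit from client-connect makes OpenVPN refuse the connection,
# so a common name missing from the table is rejected rather than unmarked.
case "${script_type:-}" in
    client-connect)
        client_mark_rule add "$common_name" "$ifconfig_pool_remote_ip" ;;
    client-disconnect)
        client_mark_rule del "$common_name" "$ifconfig_pool_remote_ip" ;;
esac
```

Install it with `client-connect` and `client-disconnect` pointing at the script (plus `script-security 2`) in the server config; the marks only protect forwarded traffic, so the FORWARD policy still has to be DROP.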
Why are you giving network configs to clients if you can push them from the server using ccd? If the client changes the IP address on the interface, the packets simply won't go through it.
Interesting question. It seems to me that, as formulated, there is no way.
I would solve the problem by adding a second (third ... n-th) OpenVPN instance with similar settings, the only difference being the subnet. Well, the port will also have to be changed for each subsequent instance. Then distribute / restrict access to services by the required subnets rather than by client IP addresses, as is currently done. I.e., when a client changes its address, it is still limited by the subnet rules, and changing the address loses its meaning.
Your problem has no solution: there will always be a cunning user with a patched client who doesn't give a damn about your prohibitions.
Differentiating access by addresses makes no sense; there are other means for this, TLS and that's all.