0

I've set up an OpenVPN + PF setup on a FreeBSD 10.3 server.

Clients to my VPN include administrators, which should have full access to the network and untrusted users who should ONLY be able to access a couple of IP addresses.

I used client-config-dir to set specific users a unique IP address, which I later block or pass using PF.

The problem is that since the OpenVPN is set up using a tap device, any client connected is able to change their IP address manually to a trusted IP and override this limitation.

i.e: I connect a machine to the VPN which gets IP address 10.0.1.11 according to its ccd which is UNTRUSTED. But if the client changes his IP (using ifconfig) to 10.0.1.15 which is TRUSTED, his limitations are overriden.

Is there any way to force a client to only be able to use a certain IP address without using a TUN device?

If not, is there any way to filter network access without using the VPN client IP address or running a separate VPN?

Thanks for your help

Imanol Barba Sabariego
  • 3
  • 7

1 Answers1

0

OpenVPN is not capable of doing that. Just create a second OpenVPN instance on another Port, with some additional secret, and entirely different subnet to make it more secure. This can be done with the same certificates and a minimum of additional management effort.

Just an Idea: I know there is a way to run pre- and postconnection scrips. Maybe you could do something like: block all VPN traffic by default, and enable traffic after connecting (create a pf rule with the connected tunnel IP) So if the user then switches his IP, pf wont let any traffic pass. (just my 2 cents)

Daywalker
  • 495
  • 5
  • 25
  • Hmmm, I like your idea very much, however, since the interface is bridged I don't know if it'll be possible. If it's not, I'll go for the separate instance. Thanks for your answer! – Imanol Barba Sabariego Aug 22 '16 at 00:09
  • I there any reason why you created a layer2 VPN? Most people don't need a "switched" VPN connection as the VPN subnet is a complete separate, routed subnet. Maybe your setup could use some reconsideration ;) The best would be you take a look at the original documentation on that topic: https://openvpn.net/index.php/open-source/documentation/howto.html#policy – Daywalker Aug 22 '16 at 18:05
  • Totally agree with Daywalker, TAP/layer2 VPN may sound like the easiest way forward to many people, but in fact TUN/layer3/routed is the more manageable way to setup OpenVPN. If you are willing to reconsider, search for the "topology subnet" setting in OpenVPN and I think you will soon realize why. – mbello Nov 24 '16 at 02:18