
I have been tasked to block our OpenVPN access to specific devices using MAC address. It seems possible to do this with the OpenVPN Access Server, but I'm using the Community Edition. Would there be a way to perform this task?

Or would there be any suggestions on how to do it using a different method?

Joao-ui
  • This is your guide: https://openvpn.net/vpn-server-resources/post-auth-programming-notes-and-examples/ – ofirule Apr 08 '20 at 10:04
  • How can I make this work with the community version? – Joao-ui Apr 08 '20 at 15:19
  • If the `post-auth` flag is not working in the community version, then my second go would be to block access to your VPN subnet from this MAC address with `iptables`. – ofirule Apr 08 '20 at 15:49
  • Just a bit confused on how I would make this work with the Community Edition; I'm not sure how to point the server to check for the script. – Joao-ui Apr 09 '20 at 13:25
  • Seems like you need the OpenVPN Access Server in order to run the `post-auth` flag. See: https://openvpn.net/faq/what-is-openvpn-access-server/ – ofirule Apr 09 '20 at 15:12
  • I'm pretty sure that the Community Edition is not capable of loading scripts to the server; instead it can only call scripts. I was hoping maybe someone had a way to do this. Thank you ofirule for the pointer. – Joao-ui Apr 10 '20 at 11:36

1 Answer


This can be done on the Community Edition with the `client-connect` command, but it is necessary for the client to have `push-peer-info` in the local VPN config. That will force the client to report the MAC address of its default gateway to the environment variable `IV_HWADDR` on the OpenVPN server. The script can then retrieve that value and compare it to a list of authorized MAC addresses in whatever language and manner you see fit. To allow the connection your script needs to exit with a value of 0; conversely, to drop the connection it needs to exit with any non-zero number.

Scott
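As an added example (not code from the answer above or from the OpenVPN project), here is a `client-connect` script in POSIX sh that implements the check Scott describes: it reads the `IV_HWADDR` value OpenVPN puts in the script environment (the MAC of the client's default-route interface, sent only when the client config has `push-peer-info`), compares it against an allowlist file, and exits non-zero to reject. Two points the answer leaves implicit: the server config needs `script-security 2` or OpenVPN will refuse to execute the script at all, and `IV_HWADDR` is whatever the client chooses to send, so a modified client can forge it; treat this as a convenience filter, not as device authentication. The script path `/etc/openvpn/check-hwaddr.sh`, the allowlist path `/etc/openvpn/allowed-macs.txt`, the `HWADDR_ALLOWLIST` override variable and the sample allowlist entries are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: OpenVPN client-connect script that allows a client only if the
# MAC it reported via push-peer-info (IV_HWADDR) is on an allowlist.
#
# Assumed server-side wiring (paths are hypothetical):
#   script-security 2
#   client-connect /etc/openvpn/check-hwaddr.sh
# and the client config must contain:  push-peer-info
#
# OpenVPN runs the script with the connection details in the environment
# (IV_HWADDR, common_name, trusted_ip, ...). Exit 0 = allow, non-zero = reject.
# NOTE: IV_HWADDR is whatever the client chooses to send; a modified client can
# forge it, so this is a convenience filter, not strong device authentication.

ALLOWLIST="${HWADDR_ALLOWLIST:-/etc/openvpn/allowed-macs.txt}"   # hypothetical path

# Canonicalise a MAC: lowercase hex, colon separators, so AA-BB-CC-DD-EE-FF
# and aa:bb:cc:dd:ee:ff compare equal.
normalize_mac() {
    printf '%s' "$1" | tr 'ABCDEF' 'abcdef' | tr '-' ':'
}

# mac_allowed MAC FILE -> 0 if MAC is listed in FILE, 1 otherwise.
mac_allowed() {
    mac=$(normalize_mac "$1")
    list="$2"
    [ -r "$list" ] || return 1            # unreadable allowlist: fail closed

    # Reject anything that is not exactly six hex octets before it reaches grep,
    # so a hostile IV_HWADDR can never act as a pattern or a stray shell word.
    hex='[0-9a-f][0-9a-f]'
    case "$mac" in
        $hex:$hex:$hex:$hex:$hex:$hex) ;;
        *) return 1 ;;
    esac

    # Drop comments and blank lines, canonicalise each entry, then require an
    # exact (-x) fixed-string (-F) match.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$list" \
        | tr -d ' \t' | tr 'ABCDEF' 'abcdef' | tr '-' ':' \
        | grep -qxF "$mac"
}

# check_client IV_HWADDR FILE -> 0 to allow the connection, 1 to reject it.
check_client() {
    if [ -z "$1" ]; then
        echo "client-connect: no IV_HWADDR from ${common_name:-unknown} (missing push-peer-info?)" >&2
        return 1
    fi
    if mac_allowed "$1" "$2"; then
        return 0
    fi
    echo "client-connect: IV_HWADDR $1 not on allowlist for ${common_name:-unknown}" >&2
    return 1
}

# Constructed sample allowlist for trying the script outside OpenVPN; not real devices.
write_sample_allowlist() {
    cat > "$1" <<'EOF'
# one MAC per line, comments allowed
02:00:00:00:aa:01        # laptop-1 (constructed)
02-00-00-00-AA-02        # laptop-2, dash notation (constructed)
EOF
}

# When invoked by OpenVPN, common_name is always set: evaluate the real
# environment and turn the result into the process exit status.
if [ -n "${common_name:-}" ]; then
    check_client "${IV_HWADDR:-}" "$ALLOWLIST"
    exit $?
fi
```

The format check before `grep` matters more than it looks: `IV_HWADDR` is attacker-controlled input handed to a root-run script, so nothing from it should reach a command as a pattern or unquoted word. Failing closed on a missing or unreadable allowlist means a typo in the path locks everyone out rather than letting everyone in, which is the failure you want to notice quickly.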