Is ifconfig-push in a ccd reliable/secure?

brunobronosky
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 7:26 pm

Is ifconfig-push in a ccd reliable/secure?

Postby brunobronosky » Tue Jun 06, 2017 7:55 pm

It seems to be a common pattern that people put something like this in a ccd file:

Code:

ifconfig-push 172.141.127.1 172.141.127.2


And then use iptables to limit what access 172.141.127.1 has. But is there any server-side enforcement to prevent the client matching that ccd common_name from using a different address?

TinCanTech
OpenVPN Protagonist
Posts: 2721
Joined: Fri Jun 03, 2016 1:17 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Postby TinCanTech » Wed Jun 07, 2017 11:01 am

brunobronosky wrote:is there any server-side enforcement to prevent the client matching that ccd common_name from using a different address?
No .. the client can use --pull-filter and then assign themself any IP address they like .. but the server will not speak to them and your server log will show you what address they are trying to use :ugeek:

brunobronosky
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 7:26 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Postby brunobronosky » Fri Jun 09, 2017 3:41 pm

TinCanTech wrote:but the server will not speak to them


Does this mean that the client will not have access to anything on the private network? Or does it mean that the client can access any server on the private network except the VPN server (assuming the iptables accepts the hijacked IP)?

brunobronosky
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 7:26 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Postby brunobronosky » Tue Jun 13, 2017 1:43 pm

I'd really like to get an answer to this question. I think it's very important to not only me, but the community as a whole.

TiTex
OpenVPN Expert
Posts: 209
Joined: Tue Apr 12, 2011 6:22 am

Re: Is ifconfig-push in a ccd reliable/secure?

Postby TiTex » Tue Jun 13, 2017 1:59 pm

If the client changes his/her IP address, he/she won't be able to access anything on the remote network.
The server will not communicate with IP addresses not assigned by it.

brunobronosky
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 7:26 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Postby brunobronosky » Tue Jun 13, 2017 2:07 pm

Thank you! I also just tried adding:

Code:

pull-filter ignore ifconfig
ifconfig 172.30.0.253 172.30.0.254

to the end of a client config which had tight filtering and confirmed that even though the local TUN interface appeared to have 172.30.0.253, I could not reach any remote resources.

I think TinCanTech was just being snarky. But now it's recorded for posterity.

TinCanTech
OpenVPN Protagonist
Posts: 2721
Joined: Fri Jun 03, 2016 1:17 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Postby TinCanTech » Tue Jun 13, 2017 2:37 pm

brunobronosky wrote:I think TinCanTech was just being snarky
In what way ? :evil:

My answer is 100% accurate. :geek:
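
The thread's point that the server log shows which address a client is trying to use can be turned into a check. The following is an added example, not code from the thread or from the OpenVPN project: it assumes the server's verbosity is high enough to log dropped packets as `MULTI: bad source address from client [...]` lines prefixed with `common_name/peer_address`, and the ccd contents, common names and log lines are constructed samples.

```python
import re
from collections import Counter

# Line the OpenVPN server logs when it drops a tunnel packet whose source
# address is not one it associates with the sending client.
DROP_RE = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<peer>\S+) MULTI: bad source address from client "
    r"\[(?P<src>[^\]]+)\], packet dropped"
)
PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", re.MULTILINE)

# Constructed sample data: common names, peer addresses and timestamps are
# made up; the tunnel addresses are the ones quoted in the thread.
CCD = {
    "alice": "ifconfig-push 172.141.127.1 172.141.127.2\n",
    "bob": "ifconfig-push 172.30.0.253 172.30.0.254\n",
}
LOG = [
    "Tue Jun 13 14:05:01 2017 alice/203.0.113.7:51234 MULTI: bad source address from client [172.30.0.253], packet dropped",
    "Tue Jun 13 14:05:02 2017 alice/203.0.113.7:51234 MULTI: bad source address from client [172.30.0.253], packet dropped",
    "Tue Jun 13 14:06:10 2017 bob/198.51.100.9:40000 MULTI: bad source address from client [192.168.1.20], packet dropped",
    "Tue Jun 13 14:06:11 2017 bob/198.51.100.9:40000 peer info: IV_PLAT=linux",
]


def assigned_addresses(ccd_files):
    """Map common name -> tunnel address from each ccd file's ifconfig-push."""
    out = {}
    for cn, text in ccd_files.items():
        m = PUSH_RE.search(text)
        if m:
            out[cn] = m.group(1)
    return out


def find_spoofers(log_lines, ccd_files):
    """Return sorted rows (cn, dropped_src, owner_cn_or_None, count)."""
    assigned = assigned_addresses(ccd_files)
    owner = {ip: cn for cn, ip in assigned.items()}
    hits = Counter()
    for line in log_lines:
        m = DROP_RE.search(line)
        if m and m["src"] != assigned.get(m["cn"]):
            hits[(m["cn"], m["src"])] += 1
    return sorted((cn, src, owner.get(src), n) for (cn, src), n in hits.items())


if __name__ == "__main__":
    for cn, src, owner_cn, n in find_spoofers(LOG, CCD):
        print(f"{cn} sent {n} packet(s) from {src} (assigned to: {owner_cn})")
```

Rows with no owner are often just client-side LAN traffic leaking into the tunnel; rows where the dropped source address belongs to another client's ccd entry deserve a closer look.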

