
Is ifconfig-push in a ccd reliable/secure?

Posted: Tue Jun 06, 2017 7:55 pm
by brunobronosky
It seems to be a common pattern that people put something like this in a ccd file:

Code:

ifconfig-push 172.141.127.1 172.141.127.2

And then use iptables to limit what access 172.141.127.1 has. But is there any server-side enforcement to prevent the client matching that ccd common_name from using a different address?

Re: Is ifconfig-push in a ccd reliable/secure?

Posted: Wed Jun 07, 2017 11:01 am
by TinCanTech
brunobronosky wrote: is there any server-side enforcement to prevent the client matching that ccd common_name from using a different address?
No .. the client can use --pull-filter and then assign themself any IP address they like .. but the server will not speak to them and your server log will show you what address they are trying to use :ugeek:
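
Added example, not part of the post above and not code from the OpenVPN project: one way to act on the server log mentioned in that reply is to correlate OpenVPN's "MULTI: bad source address from client" drops with the addresses assigned in the ccd files. The ccd contents, log lines, client names and function names are constructed for illustration; whether the server writes these lines depends on its `verb` setting.

```python
import re
from collections import Counter

# Constructed ccd files: common_name -> file contents (sample addresses).
CCD = {
    "alice": "ifconfig-push 172.30.0.5 172.30.0.6\n",
    "bob": "# admin laptop\nifconfig-push 172.30.0.253 172.30.0.254\n",
}

# Constructed server log lines using the "common_name/real_ip:port" prefix.
SAMPLE_LOG = """\
Tue Jun 13 14:05:01 2017 alice/203.0.113.5:51234 MULTI: bad source address from client [172.30.0.253], packet dropped
Tue Jun 13 14:05:02 2017 alice/203.0.113.5:51234 MULTI: bad source address from client [172.30.0.253], packet dropped
Tue Jun 13 14:06:10 2017 bob/198.51.100.7:40022 MULTI: bad source address from client [192.168.1.20], packet dropped
Tue Jun 13 14:07:00 2017 bob/198.51.100.7:40022 Data Channel: using negotiated cipher 'AES-256-GCM'
"""

PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+\S+", re.M)
DROP_RE = re.compile(r"\s(?P<cn>[^\s/]+)/(?P<real>\S+) MULTI: "
                     r"bad source address from client \[(?P<src>[^\]]+)\]")

def assigned_addresses(ccd):
    """Map each common_name to the local address its ccd file pushes."""
    assigned = {}
    for cn, text in ccd.items():
        match = PUSH_RE.search(text)
        if match:
            assigned[cn] = match.group(1)
    return assigned

def find_spoofing(log_text, ccd):
    """Summarise dropped packets per (client, source address) pair."""
    assigned = assigned_addresses(ccd)
    owner = {ip: cn for cn, ip in assigned.items()}
    hits = Counter()
    for line in log_text.splitlines():
        match = DROP_RE.search(line)
        if match:
            hits[(match["cn"], match["src"])] += 1
    # belongs_to is set when the source used is another client's ccd address;
    # None usually means a client-side LAN address leaking into the tunnel.
    return [{"client": cn, "assigned": assigned.get(cn), "used": src,
             "packets": count, "belongs_to": owner.get(src)}
            for (cn, src), count in sorted(hits.items())]

if __name__ == "__main__":
    for row in find_spoofing(SAMPLE_LOG, CCD):
        print(row)
```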

Re: Is ifconfig-push in a ccd reliable/secure?

Posted: Fri Jun 09, 2017 3:41 pm
by brunobronosky
TinCanTech wrote: but the server will not speak to them
Does this mean that the client will not have access to anything on the private network? Or does it mean that the client can access any server on the private network except the VPN server (assuming the iptables accepts the hijacked IP)?

Re: Is ifconfig-push in a ccd reliable/secure?

Posted: Tue Jun 13, 2017 1:43 pm
by brunobronosky
I'd really like to get an answer to this question. I think it's very important to not only me, but the community as a whole.

Re: Is ifconfig-push in a ccd reliable/secure?

Posted: Tue Jun 13, 2017 1:59 pm
by TiTex
If the client changes his/her IP address, he/she won't be able to access anything on the remote network.
The server will not communicate with IP addresses not assigned by it.

Re: Is ifconfig-push in a ccd reliable/secure?

Posted: Tue Jun 13, 2017 2:07 pm
by brunobronosky
Thank you! I also just tried adding:

Code:

pull-filter ignore ifconfig
ifconfig 172.30.0.253 172.30.0.254

to the end of a client config which had tight filtering and confirmed that even though the local TUN interface appeared to have 172.30.0.253, I could not reach any remote resources.

I think TinCanTech was just being snarky. But now it's recorded for posterity.

Re: Is ifconfig-push in a ccd reliable/secure?

Posted: Tue Jun 13, 2017 2:37 pm
by TinCanTech
brunobronosky wrote: I think TinCanTech was just being snarky
In what way ? :evil:

My answer is 100% accurate. :geek: