Is ifconfig-push in a ccd reliable/secure?

brunobronosky
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 7:26 pm

Is ifconfig-push in a ccd reliable/secure?

Post by brunobronosky » Tue Jun 06, 2017 7:55 pm

It seems to be a common pattern that people put something like this in a ccd file:

Code:

ifconfig-push 172.141.127.1 172.141.127.2

And then use iptables to limit what access 172.141.127.1 has. But is there any server-side enforcement to prevent the client matching that ccd common_name from using a different address?

TinCanTech
OpenVPN Protagonist
Posts: 2987
Joined: Fri Jun 03, 2016 1:17 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Post by TinCanTech » Wed Jun 07, 2017 11:01 am

brunobronosky wrote: is there any server-side enforcement to prevent the client matching that ccd common_name from using a different address?

No. The client can use --pull-filter and then assign themselves any IP address they like, but the server will not speak to them, and your server log will show you what address they are trying to use. :ugeek:

brunobronosky
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 7:26 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Post by brunobronosky » Fri Jun 09, 2017 3:41 pm

TinCanTech wrote: but the server will not speak to them

Does this mean that the client will not have access to anything on the private network? Or does it mean that the client can access any server on the private network except the VPN server (assuming the iptables accepts the hijacked IP)?

brunobronosky
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 7:26 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Post by brunobronosky » Tue Jun 13, 2017 1:43 pm

I'd really like to get an answer to this question. I think it's very important to not only me, but the community as a whole.

TiTex
OpenVPN Expert
Posts: 231
Joined: Tue Apr 12, 2011 6:22 am

Re: Is ifconfig-push in a ccd reliable/secure?

Post by TiTex » Tue Jun 13, 2017 1:59 pm

If the client changes his/her IP address, he/she won't be able to access anything on the remote network.
The server will not communicate with IP addresses not assigned by it.

brunobronosky
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 7:26 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Post by brunobronosky » Tue Jun 13, 2017 2:07 pm

Thank you! I also just tried adding:

Code:

pull-filter ignore ifconfig
ifconfig 172.30.0.253 172.30.0.254

to the end of a client config which had tight filtering and confirmed that even though the local TUN interface appeared to have 172.30.0.253, I could not reach any remote resources.

I think TinCanTech was just being snarky. But now it's recorded for posterity.

TinCanTech
OpenVPN Protagonist
Posts: 2987
Joined: Fri Jun 03, 2016 1:17 pm

Re: Is ifconfig-push in a ccd reliable/secure?

Post by TinCanTech » Tue Jun 13, 2017 2:37 pm

brunobronosky wrote: I think TinCanTech was just being snarky

In what way? :evil:

My answer is 100% accurate. :geek:
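
The point made earlier in the thread, that the server log shows which address a client is trying to use, can be turned into a server-side check. The following is an added example, not code from the thread or from the OpenVPN project: it compares the ifconfig-push assignments in ccd files with the server's "bad source address" drop messages and reports which client claimed which address. The ccd contents, log lines, client names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed ccd contents, keyed by file name (= client common name).
CCD = {
    "alice": "ifconfig-push 172.141.127.1 172.141.127.2\n",
    "bob": "# laptop\nifconfig-push 172.141.127.5 172.141.127.6\n",
}

# Constructed server log lines in the usual "CN/real-ip:port message" layout.
LOG = """\
Tue Jun 13 14:05:01 2017 alice/203.0.113.7:51234 MULTI: bad source address from client [172.30.0.253], packet dropped
Tue Jun 13 14:05:02 2017 alice/203.0.113.7:51234 MULTI: bad source address from client [172.30.0.253], packet dropped
Tue Jun 13 14:05:09 2017 bob/198.51.100.20:40022 MULTI: bad source address from client [172.141.127.1], packet dropped
Tue Jun 13 14:06:00 2017 carol/192.0.2.44:1194 MULTI: bad source address from client [10.0.0.9], packet dropped
Tue Jun 13 14:06:30 2017 alice/203.0.113.7:51234 TLS: soft reset sec=0 bytes=1024/-1 pkts=12/0
"""

PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", re.M)
# Message the server logs when it drops a packet whose tunnel source
# address is not one it associates with that client.
BAD_SRC_RE = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<real>\S+) MULTI: bad source address "
    r"from client \[(?P<src>[^\]]+)\], packet dropped")


def assigned_addresses(ccd):
    """Map common name -> tunnel address pushed by its ccd file."""
    out = {}
    for cn, text in ccd.items():
        m = PUSH_RE.search(text)
        if m:
            out[cn] = m.group(1)
    return out


def spoof_report(log, ccd):
    """Count drops per (client, claimed source, assigned address, owner)."""
    assigned = assigned_addresses(ccd)
    owner = {ip: cn for cn, ip in assigned.items()}
    hits = Counter()
    for line in log.splitlines():
        m = BAD_SRC_RE.search(line)
        if m:
            cn, src = m["cn"], m["src"]
            hits[(cn, src, assigned.get(cn), owner.get(src))] += 1
    return hits
```

A non-empty owner field means the claimed address belongs to another client's ccd entry, which is the case an iptables rule keyed on that address would otherwise accept. The same log message also appears for benign reasons, such as a LAN behind a client with no matching iroute, so treat hits as leads to review.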
