Preventing IP Spoofing TUN Server.

How to customize and extend your OpenVPN installation.

abgenius
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 03, 2015 7:14 am

Preventing IP Spoofing TUN Server.

Post by abgenius » Mon Aug 03, 2015 7:51 am

Hi everyone,

I am new to OpenVPN, so I have a question regarding IP spoofing and authentication. I have an OpenVPN server (UDP TUN) with many untrusted clients which do not and should not communicate with each other. My main goal is to prevent IP spoofing. Is there any script I can use for that?

One way I was thinking it could prevent IP spoofing is to have a list of the IP addresses and of the certificates installed in each client, and OpenVPN or some custom script checks for each incoming packet in the server if the source IP address matches the client certificate. I was reading that there are some scripts with tls-verify that authenticate the clients when they connect, but I don't know if I can authenticate each incoming packet. Am I missing something? Or is there any simpler solution?

Thank you for your attention and sorry if I am posting in the wrong board. :)

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Preventing IP Spoofing TUN Server.

Post by Traffic » Mon Aug 03, 2015 12:55 pm

abgenius wrote: I don't know if I can authenticate each incoming packet

Not sure exactly what you want to achieve, but here is some info:

OpenVPN offers a client packet filter plugin:
http://backreference.org/2010/06/18/ope ... et-filter/

This thread has some details:
topic17891.html

If you get this set up, you can block all intra-client data regardless of source IP.

abgenius
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 03, 2015 7:14 am

Re: Preventing IP Spoofing TUN Server.

Post by abgenius » Mon Aug 03, 2015 1:25 pm

Hi,

Thank you for your answer.

What I want to achieve is this. Suppose I have the OpenVPN server and a client with IP address 10.8.0.4 and certificate A. I want OpenVPN, every time that the client sends a packet, to check if connection.sourceIP = 10.8.0.4 and connection.sourceCertificate = A, then accept the packet, otherwise drop it. In addition, does this prevent IP spoofing?
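
One way to tie each certificate to a single tunnel address, as an added example that is not part of the original posts: a `client-connect` hook that looks up the verified certificate CN and pushes its fixed address with `ifconfig-push`, rejecting clients that are not listed. The map file, its format, the file paths and the /24 netmask are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): client-connect hook that pins each
# certificate CN to one tunnel address. Assumed server config lines:
#   topology subnet
#   script-security 2
#   client-connect /etc/openvpn/pin-ip.sh    (hypothetical path)
# OpenVPN exports the verified CN as $common_name and passes the path of a
# temporary per-client config file as the last argument.

NETMASK="255.255.255.0"          # assumed: 10.8.0.0/24 with "topology subnet"
MAP="/etc/openvpn/cn-ip.map"     # hypothetical map file: "<CN> <IPv4>" per line

# lookup_ip CN MAPFILE: print the pinned address; fail if CN is not listed
# or the entry is not a plain dotted address. CNs are assumed to contain
# no whitespace.
lookup_ip() {
    cn=$1; map=$2
    # Appending "" forces a string comparison, so CN "01" never matches "1".
    ip=$(awk -v cn="$cn" '($1 "") == (cn "") { print $2; exit }' "$map")
    case $ip in
        ''|*[!0-9.]*) return 1 ;;   # empty, or characters that could smuggle a directive
    esac
    printf '%s\n' "$ip"
}

# pin_client CN MAPFILE OUTFILE: write the ifconfig-push directive for this
# client, or fail without touching OUTFILE.
pin_client() {
    ip=$(lookup_ip "$1" "$2") || return 1
    printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK" > "$3"
}

# Act as the hook only when OpenVPN invoked us (common_name set, file given).
if [ -n "${common_name:-}" ] && [ $# -ge 1 ]; then
    for last; do :; done            # pick the last positional argument
    # A non-zero exit makes OpenVPN disconnect the client.
    pin_client "$common_name" "$MAP" "$last" || exit 1
fi
```

With the address pinned this way, OpenVPN's server mode associates that tunnel address with the one authenticated session and drops packets a client sends from any other source address, logging them as a bad source address.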
