-
brunobronosky
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Feb 09, 2017 7:26 pm
Post
by brunobronosky » Tue Jun 06, 2017 7:55 pm
It seems to be a common pattern that people put something like this in a ccd file:
Code:
ifconfig-push 172.141.127.1 172.141.127.2
And then use iptables to limit what access 172.141.127.1 has. But is there a server-side enforcement to prevent the client matching that ccd common_name from using a different address?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Wed Jun 07, 2017 11:01 am
brunobronosky wrote:is there a server-side enforcement to prevent the client matching that ccd common_name from using a different address?
No .. the client can use --pull-filter and then assign themselves any IP address they like .. but the server will not speak to them and your server log will show you what address they are trying to use
-
brunobronosky
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Feb 09, 2017 7:26 pm
Post
by brunobronosky » Fri Jun 09, 2017 3:41 pm
TinCanTech wrote:but the server will not speak to them
Does this mean that the client will not have access to anything on the private network? Or does it mean that the client can access any server on the private network except the VPN server (assuming the iptables accepts the hijacked IP)?
-
brunobronosky
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Feb 09, 2017 7:26 pm
Post
by brunobronosky » Tue Jun 13, 2017 1:43 pm
I'd really like to get an answer to this question. I think it's very important to not only me, but the community as a whole.
-
TiTex
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Post
by TiTex » Tue Jun 13, 2017 1:59 pm
If the client changes his/her IP address, he/she won't be able to access anything on the remote network.
The server will not communicate with IP addresses not assigned by it.
-
brunobronosky
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Feb 09, 2017 7:26 pm
Post
by brunobronosky » Tue Jun 13, 2017 2:07 pm
Thank you! I also just tried adding:
Code:
pull-filter ignore ifconfig
ifconfig 172.30.0.253 172.30.0.254
to the end of a client config which had tight filtering and confirmed that even though the local TUN interface appeared to have 172.30.0.253, I could not reach any remote resources.
I think TinCanTech was just being snarky. But now it's recorded for posterity.
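TinCanTech's point that the server log records the address a client tries to use, as an added example that is not from the thread: a scan of the drop lines OpenVPN's multi-client server writes when a client's packets carry a source address it never assigned, compared against what each ccd file pushes. The log lines and the CCD_ASSIGNED map are constructed; the message text and the "cn/real_ip:port" prefix assume OpenVPN 2.x server logging.

```python
import re
from collections import Counter

# Constructed OpenVPN 2.x server log excerpt (not from the thread). The server prefixes
# each client's messages with "common_name/real_ip:port"; the "bad source address" line
# is what it logs when it drops a packet whose inner source IP it never assigned.
SAMPLE_LOG = """\
Tue Jun 13 13:40:02 2017 alice/203.0.113.10:51234 MULTI: Learn: 172.30.0.6 -> alice/203.0.113.10:51234
Tue Jun 13 13:41:17 2017 bob/198.51.100.7:40011 MULTI: bad source address from client [172.30.0.253], packet dropped
Tue Jun 13 13:41:18 2017 bob/198.51.100.7:40011 MULTI: bad source address from client [172.30.0.253], packet dropped
Tue Jun 13 13:42:00 2017 alice/203.0.113.10:51234 MULTI: bad source address from client [172.30.0.9], packet dropped
Tue Jun 13 13:42:30 2017 carol/192.0.2.44:60002 MULTI: bad source address from client [10.8.0.77], packet dropped
"""

# Client address each ccd file pushes with "ifconfig-push <client_ip> <peer>"; constructed.
CCD_ASSIGNED = {"alice": "172.30.0.6", "bob": "172.141.127.1"}

BAD_SRC = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) "
    r"(?P<cn>[^/ ]+)/(?P<real>[\d.]+:\d+) "
    r"MULTI: bad source address from client \[(?P<src>[^\]]+)\], packet dropped$"
)


def parse_bad_source(line):
    """Return (common_name, real_address, attempted_src) for a drop line, else None."""
    m = BAD_SRC.match(line.strip())
    return (m["cn"], m["real"], m["src"]) if m else None


def find_spoofed_sources(log_text, assigned):
    """Group dropped packets by client and record the ccd address next to the attempted one.

    Result: {cn: {"assigned": ip_or_None, "real": "ip:port", "attempted": {src: count}}}
    A cn with no ccd entry is reported with assigned=None rather than silently skipped.
    """
    report = {}
    for line in log_text.splitlines():
        hit = parse_bad_source(line)
        if hit is None:
            continue  # any other server message
        cn, real, src = hit
        entry = report.setdefault(cn, {"assigned": assigned.get(cn), "real": real, "attempted": Counter()})
        entry["attempted"][src] += 1
    return report


if __name__ == "__main__":
    for cn, info in find_spoofed_sources(SAMPLE_LOG, CCD_ASSIGNED).items():
        for src, n in info["attempted"].items():
            print(f"{cn} ({info['real']}): ccd assigns {info['assigned']}, tried {src} in {n} dropped packet(s)")
```

The drops show the server already refusing the unassigned address; the report exists so a client config that drifted, or was deliberately altered, is noticed rather than "fixed" by loosening the iptables rules.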
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Tue Jun 13, 2017 2:37 pm
brunobronosky wrote:I think TinCanTech was just being snarky
In what way ?
My answer is 100% accurate.