Can OpenVPN Clients change IP addresses on the Server side?

[favelon]

Ok, I'm trying to make it simple. Is it possible for a OpenVPN Client to change the IP address it is talking on the destination network with? In my case the server talks with an IP of 10.10.0.4/16 on the destination network. All clients use the same IP on the destination obviously due to OpenVPN architecture (as I understand it).

Now I have more hosts on the same L2 network but different IP range let's say 10.128.0.0/16. They cannot be reached by the VPN client, there is no routing. Could a Client 'hack' his config so he talks with a 10.128.0.0/16 subnet address while being connected to the 10.10.0.4 OpenVPN server?

Yes, I am the admin and I can change all configs but this is more of a theoretical question. Cause if I create VPN accounts for my tenants I don't want them to reach the 10.128.0.0/16 network.

Cheers,


FYI this is my OpenVPN Client config (confidential data removed):

View OriginalClient config

client
proto tcp-client
remote *.*.*.* *public port*
route-nopull
route 10.10.0.0 255.255.0.0
dhcp-option DNS 10.10.10.10
dhcp-option DOMAIN mgmt.lab
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_coUWOVLqgrOqJrPm name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
*****
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
*****
-----END OpenVPN Static key V1-----
</tls-crypt>

[TinCanTech]

Could a Client 'hack' his config so he talks with a 10.128.0.0/16 subnet address while being connected to the 10.10.0.4 OpenVPN server?

Easily.

[favelon]

Could a Client 'hack' his config so he talks with a 10.128.0.0/16 subnet address while being connected to the 10.10.0.4 OpenVPN server?

Easily.

Great, so how does it work?

[favelon]

I can add a route to 10.128.0.0/16 on the client but the server doesn't have a route so doesn't forward the package

[TinCanTech]

I did not say it would work .. that is all down to your network.

[favelon]

Okay, I get you. That makes sense. But the server always performs NAT right? The client cannot get around that? Therefore it depends on the server IP and routing table at destination.

[TinCanTech]

the server always performs NAT right?

If you configure it to do NAT .. otherwise no.

[favelon]

Okay cool I think I understand now. It will actually all go into the tun0 interface and the rest entirely depends on the server OS and its routing table. Now I feel like it was a stupid question but anyway, I've figured it out and you helped me. THanks a lot!

[TinCanTech]

Now I feel like it was a stupid question

Nope, questions are simply questions..

I've figured it out and you helped me

You figured it out (with the least help) and now you understand