ifconfig-push bypass

skullnobrains
Last Modified: 2019-02-09
hello all

anyone knows of a way to bypass openvpn's ifconfig-push server setting from the client side ? basically overriding the ip the server wants to set.

... or can link to a documentation that clearly states it cannot be done or piece of code on the server side that implements said impossibility ?

context : openvpn server pushes ips using ifconfig-push in client scripts triggered based on the certificate used. i want to either make sure the clients cannot spoof one another or demonstrate they can.

thanks for sharing

noci, Software Engineer

Commented:
ifconfig-push only sets the client's address; as such it doesn't help circumventing the routing.
Redirection is done on the server using a push redirect-gateway.

See: https://openvpn.net/community-resources/how-to/#redirect
for more info.

And if you can set routes yourself then a specific route (e.g. a host route) can still be set locally to go around this.
(Use a host route or a route with a very narrow netmask (/32, /31...).)

Author

Commented:
hi noci

thanks for chipping in

i guess my question was unclear : my concern is not with pushed routes. i'm interested in knowing whether the client can use a different ip than the one it has been assigned by the vpn server, possibly using crafted packets.

if the server says ifconfig push 172.16.200.12/24 for example, is there any way the client can use 172.16.200.13 for example, assuming no other user is connected with said IP

i'm not using per client /30 but i can switch to that setting should that make a difference

i want to either make sure the clients cannot spoof one another or demonstrate they can.



as far as routes are concerned i know for a fact the client can totally ignore whatever the vpn client tries to push, which is expected behavior since there is no reason why the server would have any control over the client os settings.



regarding ips, things can be different since the server should be able to control what packets are allowed through the tunnel. nevertheless openvpn has config options to use a separate dhcp server and can allow its client to act as a router for a different network, so i'm concerned with what is actually enforced, both during the initial negotiation and once the tunnel is open.

my only concern is with packets sent through the tunnel. i do not care if the client sends whatever he wants to whatever network he is connected to. this is not the job of openvpn anyway.


thanks for your help
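
Added example, not part of the original thread: a tun-mode OpenVPN server writes `MULTI: bad source address from client [...], packet dropped` when it discards a tunnel packet whose source address it has not associated with that client, so the server log is one place to check what is enforced. The sketch below tallies those drops per certificate common name and separates a peer's pushed address from an unassigned address in the VPN subnet and from an address outside it; the client names, the CN-to-address table and the log lines are constructed, and only the 172.16.200.0/24 subnet comes from the question.

```python
import ipaddress
import re
from collections import Counter

# Subnet taken from the thread's example; names and addresses are constructed.
VPN_NET = ipaddress.ip_network("172.16.200.0/24")
ASSIGNED = {"alice": "172.16.200.12", "bob": "172.16.200.14"}  # CN -> ifconfig-push

# Constructed server log lines (timestamps, peers and ports are made up).
SAMPLE_LOG = """\
Sat Feb  9 10:00:01 2019 alice/198.51.100.7:40112 MULTI: Learn: 172.16.200.12 -> alice/198.51.100.7:40112
Sat Feb  9 10:00:05 2019 alice/198.51.100.7:40112 MULTI: bad source address from client [172.16.200.14], packet dropped
Sat Feb  9 10:00:06 2019 alice/198.51.100.7:40112 MULTI: bad source address from client [172.16.200.13], packet dropped
Sat Feb  9 10:00:09 2019 bob/203.0.113.20:51820 MULTI: bad source address from client [192.168.1.44], packet dropped
Sat Feb  9 10:00:12 2019 alice/198.51.100.7:40112 MULTI: bad source address from client [172.16.200.14], packet dropped
"""

# "<CN>/<real ip:port> MULTI: bad source address from client [<src>], packet dropped"
DROP_RE = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ MULTI: bad source address from client "
    r"\[(?P<src>[^\]]+)\], packet dropped")

def classify(cn, src, assigned=ASSIGNED, net=VPN_NET):
    """Label a dropped source address relative to the pushed assignments."""
    owner = next((n for n, ip in assigned.items() if ip == src and n != cn), None)
    if owner:
        return "peer-address:" + owner          # another client's pushed address
    try:
        inside = ipaddress.ip_address(src) in net
    except ValueError:
        return "unparsed"
    # Inside the VPN subnet but pushed to nobody, or e.g. a LAN behind the client.
    return "unassigned-vpn-address" if inside else "outside-vpn-subnet"

def spoof_report(log_text):
    """Count dropped packets per (common name, source address, label)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            hits[(m["cn"], m["src"], classify(m["cn"], m["src"]))] += 1
    return hits

if __name__ == "__main__":
    for (cn, src, kind), n in sorted(spoof_report(SAMPLE_LOG).items()):
        print(f"{cn} sent {n} dropped packet(s) from {src}: {kind}")
```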