skullnobrains
 asked on

ifconfig-push bypass

hello all

does anyone know of a way to bypass openvpn's ifconfig-push server setting from the client side? basically overriding the ip the server wants to set.

... or can anyone link to documentation that clearly states it cannot be done, or a piece of code on the server side that implements said impossibility?

context : openvpn server pushes ips using ifconfig-push in client scripts triggered based on the certificate used. i want to either make sure the clients cannot spoof one another or demonstrate they can.

thanks for sharing
VPN, Network Security


8/22/2022 - Mon
noci

ifconfig-push only sets the client's address; as such it doesn't help circumventing the routing.
Redirection is done on the server using a push redirect gateway.

See: https://openvpn.net/community-resources/how-to/#redirect
for more info.

And if you can set routes yourself then a specific route (e.g. a host route) can still be set locally to go around this.
(use a host route or a route with a very narrow netmask (/32, /31...))
skullnobrains

ASKER
hi noci

thanks for chipping in

i guess my question was unclear : my concern is not with pushed routes. i'm interested in knowing whether the client can use a different ip than the one it has been assigned by the vpn server, possibly using crafted packets.

if the server says ifconfig push 172.16.200.12/24 for example, is there any way the client can use 172.16.200.13 for example, assuming no other user is connected with said IP?

i'm not using per client /30 but i can switch to that setting should that make a difference

i want to either make sure the clients cannot spoof one another or demonstrate they can.

as far as routes are concerned i know for a fact the client can totally ignore whatever the vpn client tries to push, which is expected behavior since there is no reason why the server would have any control over the client os settings.

regarding ips, things can be different since the server should be able to control what packets are allowed through the tunnel. nevertheless openvpn has config options to use a separate dhcp server and can allow its client to act as a router for a different network, so i'm concerned with what is actually enforced, both during the initial negotiation and once the tunnel is open.

my only concern is with packets sent through the tunnel. i do not care if the client sends whatever he wants to whatever network he is connected to. this is not the job of openvpn anyway.

thanks for your help
ASKER CERTIFIED SOLUTION
skullnobrains
