ifconfig-push bypass

skullnobrains
hello all

Does anyone know of a way to bypass OpenVPN's ifconfig-push server setting from the client side? Basically, overriding the IP the server wants to set.

... or can you link to documentation that clearly states it cannot be done, or to a piece of code on the server side that implements said impossibility?

Context: the OpenVPN server pushes IPs using ifconfig-push in client scripts triggered based on the certificate used. I want to either make sure the clients cannot spoof one another or demonstrate they can.

thanks for sharing
noci, Software Engineer, Distinguished Expert 2018

Commented:
ifconfig-push only sets the client's address; as such it doesn't help circumventing the routing.
Redirection is done on the server using a push redirect-gateway.

See: https://openvpn.net/community-resources/how-to/#redirect
for more info.

And if you can set routes yourself, then a specific route (e.g. a host route) can still be set locally to go around this.
(Use a host route or a route with a very narrow netmask (/32, /31, ...).)
hi noci

thanks for chipping in

I guess my question was unclear: my concern is not with pushed routes. I'm interested in knowing whether the client can use a different IP than the one it has been assigned by the VPN server, possibly using crafted packets.

If the server says ifconfig-push 172.16.200.12/24, for example, is there any way the client can use 172.16.200.13, assuming no other user is connected with said IP?

I'm not using per-client /30, but I can switch to that setting should that make a difference.

I want to either make sure the clients cannot spoof one another or demonstrate they can.

As far as routes are concerned, I know for a fact the client can totally ignore whatever the VPN client tries to push, which is expected behavior since there is no reason why the server would have any control over the client OS settings.

Regarding IPs, things can be different since the server should be able to control what packets are allowed through the tunnel. Nevertheless OpenVPN has config options to use a separate DHCP server and can allow his client to act as a router for a different network, so I'm concerned with what is actually enforced, both during the initial negotiation and once the tunnel is open.

My only concern is with packets sent through the tunnel. I do not care if the client sends whatever he wants to whatever network he is connected to. This is not the job of OpenVPN anyway.

Thanks for your help
I have no definitive answer or time to dig in the code extensively, but here are some empiric test results.

I have run tests on pfSense: FreeBSD kernel, latest OpenVPN, pf firewall.
I have only tested with the internal DHCP server of OpenVPN and per-client ifconfig-push.
I made no test with non-IP traffic, which AFAIK would not be allowed by OpenVPN and is enforced at the firewall level anyway.

Some source broadcast packets went through and need to be limited to local DHCP at the firewall level.
Other experiments with crafted packets produced loss of connectivity almost immediately in all cases.
I have not been able to demonstrate a single non-broadcast rogue packet went through, but it is fairly possible that some were caught by other mechanisms at the firewall or kernel level.
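As an added example (not part of this thread and not OpenVPN project code): an OpenVPN server in server mode only forwards a tunnel packet whose source IP is the address it associated with that client (the ifconfig-push address, or an address granted with iroute); anything else is dropped and logged as `MULTI: bad source address from client [...], packet dropped`. The Python script below, written for this page, parses constructed sample server log lines in that format, records which tunnel address each client was given from the `MULTI: Learn:` lines, and flags clients that repeatedly sent packets carrying another client's address, which is the evidence a defender would look for when testing whether clients can impersonate one another. The client names, addresses and timestamps are made up; the two message formats are the ones OpenVPN 2.x writes at verb 3, but treat the exact wording as an assumption to check against your own server log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenVPN server log lines (verb 3). Names, IPs and
# timestamps are made up. "MULTI: Learn:" records the tunnel address the server
# associated with a client; "MULTI: bad source address" is logged when a client
# sends a tunnel packet whose source IP is not its own (or an iroute) and the
# server drops it instead of forwarding it.
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2019 alice/198.51.100.10:41000 MULTI: Learn: 172.16.200.12 -> alice/198.51.100.10:41000
Mon Mar  4 10:00:02 2019 bob/198.51.100.11:41001 MULTI: Learn: 172.16.200.13 -> bob/198.51.100.11:41001
Mon Mar  4 10:01:10 2019 alice/198.51.100.10:41000 MULTI: bad source address from client [172.16.200.13], packet dropped
Mon Mar  4 10:01:11 2019 alice/198.51.100.10:41000 MULTI: bad source address from client [172.16.200.13], packet dropped
Mon Mar  4 10:01:12 2019 alice/198.51.100.10:41000 MULTI: bad source address from client [172.16.200.99], packet dropped
Mon Mar  4 10:05:00 2019 bob/198.51.100.11:41001 MULTI: bad source address from client [172.16.200.12], packet dropped
Mon Mar  4 10:06:00 2019 bob/198.51.100.11:41001 TLS: soft reset sec=3600 bytes=1234/-1 pkts=10/0
"""

# Assumed line layout: "<ctime timestamp> <CN>/<peer ip:port> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<cn>[^/\s]+)/(?P<peer>\S+) (?P<msg>.*)$"
)
LEARN_RE = re.compile(r"MULTI: Learn: (?P<ip>[0-9a-fA-F.:]+) -> (?P<cn>[^/\s]+)/")
BAD_SRC_RE = re.compile(
    r"MULTI: bad source address from client \[(?P<ip>[^\]]+)\], packet dropped"
)


def parse_line(line):
    """Split one server log line into timestamp, client CN, peer socket and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, threshold=3):
    """Return assigned addresses, per-client drop counters and alerts.

    A client is flagged when the server dropped at least `threshold` of its
    packets for carrying a source address that is not its own. Each alert names
    the client, the forged addresses and, where the address belongs to another
    connected client, whom the packets would have impersonated.
    """
    learned = {}                  # CN -> tunnel IP the server associated with it
    drops = defaultdict(Counter)  # CN -> Counter(forged source IP)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        m = LEARN_RE.search(rec["msg"])
        if m:
            learned[m.group("cn")] = m.group("ip")
            continue
        m = BAD_SRC_RE.search(rec["msg"])
        if m:
            drops[rec["cn"]][m.group("ip")] += 1

    owner = {ip: cn for cn, ip in learned.items()}  # reverse map: IP -> CN
    alerts = []
    for cn, ctr in drops.items():
        total = sum(ctr.values())
        if total < threshold:
            continue
        alerts.append({
            "client": cn,
            "dropped": total,
            "forged": {ip: owner.get(ip, "unassigned") for ip in ctr},
        })
    return {"learned": learned, "drops": drops, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a['client']}: {a['dropped']} packets dropped, "
              f"forged sources {a['forged']}")
```

Run it against a real server log (for example with `openvpn --log` pointed at a file, or the syslog output on pfSense) instead of `SAMPLE_LOG`; a client that never appears in the alerts while you are sending it crafted packets with another client's address is a sign that the server-side check is doing its job, and the counters tell you which address each client tried to use.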
