skullnobrains

asked on

ifconfig-push bypass

hello all

does anyone know of a way to bypass openvpn's ifconfig-push server setting from the client side? basically overriding the ip the server wants to set.

... or can anyone link to documentation that clearly states it cannot be done, or to a piece of code on the server side that implements said impossibility?

context: openvpn server pushes ips using ifconfig-push in client scripts triggered based on the certificate used. i want to either make sure the clients cannot spoof one another or demonstrate they can.

thanks for sharing
noci

ifconfig-push only sets the client's address; as such it doesn't help circumventing the routing.
Redirection is done on the server using a push redirect gateway.

See: https://openvpn.net/community-resources/how-to/#redirect
for more info.

And if you can set routes yourself then a specific route (e.g. a host route) can still be set locally to go around this.
(Use a host route or a route with a very narrow netmask (/32, /31...).)
skullnobrains

ASKER

hi noci

thanks for chipping in

i guess my question was unclear : my concern is not with pushed routes. i'm interested in knowing whether the client can use a different ip than the one it has been assigned by the vpn server, possibly using crafted packets.

if the server says ifconfig push 172.16.200.12/24 for example, is there any way the client can use 172.16.200.13 for example, assuming no other user is connected with said IP?

i'm not using per client /30 but i can switch to that setting should that make a difference

i want to either make sure the clients cannot spoof one another or demonstrate they can.

as far as routes are concerned i know for a fact the client can totally ignore whatever the vpn client tries to push, which is expected behavior since there is no reason why the server would have any control over the client os settings.

regarding ips, things can be different since the server should be able to control what packets are allowed through the tunnel. nevertheless openvpn has config options to use a separate dhcp server and can allow its client to act as a router for a different network, so i'm concerned with what is actually enforced, both during the initial negotiation and once the tunnel is open.

my only concern is with packets sent through the tunnel. i do not care if the client sends whatever he wants to whatever network he is connected to. this is not the job of openvpn anyway.

thanks for your help
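
A server-side check for the spoofing concern raised above, as an added example that is not part of the original posts: it scans an OpenVPN server log for packets dropped because of their source address and labels each one against the ifconfig-push inventory. It assumes a tun-mode server that logs such drops as `MULTI: bad source address from client [...]`; the CN names, peer addresses and log lines are constructed.

```python
import ipaddress
import re

# Constructed inventory: certificate CN -> address the server pushes to it.
ASSIGNED = {"alice": "172.16.200.12", "bob": "172.16.200.13"}
VPN_NET = ipaddress.ip_network("172.16.200.0/24")

# Constructed log lines; the message layout is an assumption about the server log.
SAMPLE_LOG = """\
2024-05-01 10:00:01 alice/198.51.100.7:40112 MULTI: bad source address from client [172.16.200.13], packet dropped
2024-05-01 10:00:02 alice/198.51.100.7:40112 MULTI: bad source address from client [172.16.200.77], packet dropped
2024-05-01 10:00:05 bob/203.0.113.9:51000 MULTI: bad source address from client [192.168.1.20], packet dropped
2024-05-01 10:00:09 bob/203.0.113.9:51000 MULTI: Learn: 172.16.200.13 -> bob/203.0.113.9:51000
"""

DROP_RE = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ MULTI: bad source address from client "
    r"\[(?P<src>[^\]]*)\], packet dropped"
)

def classify(cn, src):
    """Label a dropped source address relative to the ifconfig-push inventory."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparsable"
    if ASSIGNED.get(cn) == src:
        return "own-address"  # should not be dropped; inventory may be stale
    owners = [name for name, ip in ASSIGNED.items()
              if name != cn and ipaddress.ip_address(ip) == addr]
    if owners:
        return "impersonates:" + owners[0]
    if addr in VPN_NET:
        return "unassigned-vpn-address"
    return "outside-vpn-subnet"  # e.g. a LAN behind the client with no iroute

def find_spoof_attempts(log_text):
    """Return (cn, source, label) for every dropped-source event in the log."""
    findings = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            findings.append((m["cn"], m["src"], classify(m["cn"], m["src"])))
    return findings

if __name__ == "__main__":
    for cn, src, label in find_spoof_attempts(SAMPLE_LOG):
        print(f"{cn:8} {src:16} {label}")
```

An `impersonates:` finding means a client sent traffic with another certificate's pushed address as its source; `outside-vpn-subnet` usually points to a client routing a network the server has no iroute for.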
ASKER CERTIFIED SOLUTION
skullnobrains
