ifconfig-push bypass

hello all

does anyone know of a way to bypass openvpn's ifconfig-push server setting from the client side? basically overriding the ip the server wants to set.

... or can you link to documentation that clearly states it cannot be done, or to the piece of code on the server side that implements said impossibility?

context : openvpn server pushes ips using ifconfig-push in client scripts triggered based on the certificate used. i want to either make sure the clients cannot spoof one another or demonstrate they can.

thanks for sharing
skullnobrains asked:

noci, Software Engineer, commented:
ifconfig-push only sets the client's address; as such it doesn't help in circumventing the routing.
Redirection is done on the server using a push redirect gateway.

See: https://openvpn.net/community-resources/how-to/#redirect
for more info.

And if you can set routes yourself then a specific route (f.e. a host route) can still be set locally to go around this
(use a host route or a route with a very narrow netmask (/32, /31...)).
skullnobrains (author) commented:
hi noci

thanks for chipping in

i guess my question was unclear : my concern is not with pushed routes. i'm interested in knowing whether the client can use a different ip than the one it has been assigned by the vpn server, possibly using crafted packets.

if the server says ifconfig push 172.16.200.12/24 for example, is there any way the client can use 172.16.200.13 for example, assuming no other user is connected with said IP

i'm not using per client /30 but i can switch to that setting should that make a difference

i want to either make sure the clients cannot spoof one another or demonstrate they can.



as far as routes are concerned i know for a fact the client can totally ignore whatever the vpn client tries to push, which is expected behavior since there is no reason why the server would have any control over the client os settings.



regarding ips, things can be different since the server should be able to control what packets are allowed through the tunnel. nevertheless openvpn has config options to use a separate dhcp server and can allow his client to act as a router for a different network so i'm concerned with what is actually enforced. both during the initial negotiation and once the tunnel is open.

my only concern is with packets sent through the tunnel. i do not care if the client sends whatever he wants to whatever network he is connected to. this is not the job of openvpn anyway.


thanks for your help
skullnobrains (author) commented:
i have no definitive answer or time to dig in the code extensively but here are some empiric test results.

i have run tests on pfsense : freebsd kernel, latest openvpn, pf firewall
i have only tested with the internal dhcp server of openvpn and per client ifconfig-push.
i made no test with non-ip traffic which afaik would not be allowed by openvpn and is enforced at the firewall level anyway.

some source broadcast packets went through and need to be limited to local dhcp at the firewall level.
other experiments with crafted packets produced loss of connectivity almost immediately in all cases.
i have not been able to demonstrate that a single non-broadcast rogue packet went through, but it is fairly possible that some were caught by other mechanisms at the firewall or kernel level.
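Added example, not part of the thread and not OpenVPN project code. It addresses the author's question of what is enforced once the tunnel is open and complements the empirical tests above: in tun mode the OpenVPN multi-client server compares the source address of every packet arriving from a client against the tunnel address bound to that client instance and drops mismatches, logging "MULTI: bad source address from client [...], packet dropped" (the wording is taken from OpenVPN's multi.c; make sure the server runs at a verbosity where that message is logged). The script below parses such server log lines, pairs each client instance with the address it was given ("MULTI: Learn" lines) and reports which clients had packets dropped for claiming a foreign source address. The log lines, client names and addresses are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenVPN server log lines. Message wording follows
# multi.c; timestamps, client names, peers and addresses are made up.
SAMPLE_LOG = """\
Tue Mar  3 10:00:01 2020 client_a/203.0.113.5:51234 MULTI: Learn: 172.16.200.12 -> client_a/203.0.113.5:51234
Tue Mar  3 10:00:09 2020 client_b/198.51.100.9:44000 MULTI: Learn: 172.16.200.13 -> client_b/198.51.100.9:44000
Tue Mar  3 10:05:17 2020 client_b/198.51.100.9:44000 MULTI: bad source address from client [172.16.200.12], packet dropped
Tue Mar  3 10:05:18 2020 client_b/198.51.100.9:44000 MULTI: bad source address from client [172.16.200.12], packet dropped
Tue Mar  3 10:05:20 2020 client_b/198.51.100.9:44000 MULTI: bad source address from client [10.0.0.1], packet dropped
Tue Mar  3 10:06:00 2020 client_a/203.0.113.5:51234 TLS: soft reset sec=3600 bytes=1024/-1 pkts=10/0
"""

# "<timestamp> <cn>/<peer> MULTI: Learn: <addr> -> <cn>/<peer>"
LEARN_RE = re.compile(
    r"^(?P<ts>.+?\d{4}) (?P<cn>[^/ ]+)/(?P<peer>\S+) "
    r"MULTI: Learn: (?P<addr>\S+) -> (?P=cn)/(?P=peer)$"
)

# "<timestamp> <cn>/<peer> MULTI: bad source address from client [<src>], packet dropped"
BAD_SRC_RE = re.compile(
    r"^(?P<ts>.+?\d{4}) (?P<cn>[^/ ]+)/(?P<peer>\S+) "
    r"MULTI: bad source address from client \[(?P<src>[^\]]+)\], packet dropped$"
)


def parse_events(lines):
    """Return (assigned, attempts):
    assigned  - client instance ("cn/peer") -> tunnel address learned for it
    attempts  - client instance -> Counter of source addresses it claimed and had dropped
    """
    assigned = {}
    attempts = defaultdict(Counter)
    for line in lines:
        line = line.rstrip("\n")
        m = LEARN_RE.match(line)
        if m:
            assigned[f"{m['cn']}/{m['peer']}"] = m["addr"]
            continue
        m = BAD_SRC_RE.match(line)
        if m:
            attempts[f"{m['cn']}/{m['peer']}"][m["src"]] += 1
    return assigned, attempts


def summarize(lines, threshold=1):
    """List clients whose dropped-packet count reached `threshold`, most active first."""
    assigned, attempts = parse_events(lines)
    findings = []
    for inst, ctr in attempts.items():
        dropped = sum(ctr.values())
        if dropped >= threshold:
            findings.append({
                "client": inst,
                "assigned": assigned.get(inst),  # None if the Learn line was not in the window
                "claimed": dict(ctr),
                "dropped": dropped,
            })
    return sorted(findings, key=lambda f: -f["dropped"])


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG.splitlines()):
        print(f"{f['client']}: assigned {f['assigned']}, "
              f"{f['dropped']} packet(s) dropped claiming {f['claimed']}")
```

Run it against the real server log instead of SAMPLE_LOG (for instance `summarize(open('/var/log/openvpn.log').readlines())`) to see which certificate was behind any spoofing attempt; the "assigned" field is what ifconfig-push gave that client, the "claimed" field is what it tried to use. This covers only the source-address check inside the OpenVPN process; broadcast traffic and anything the pf rules catch, as noted in the test results above, will not show up here.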
