
[Openvpn-users] Securing Openvpn with IP based rules, need help!


  • Subject: [Openvpn-users] Securing Openvpn with IP based rules, need help!
  • From: Patrick Steiner <steiner@xxxxxxxxx>
  • Date: Wed, 30 May 2007 13:02:44 +0200

Hi,

We have here a solution with OpenVPN in bridge mode. Now we have two 
groups of VPN users. The first group, with the IP range 192.168.2.100-200, 
is used by all employees, and the second group has the IP range 
192.168.2.200-254, which is used by our partner organization.
These IPs are provided with a client config file (example: 
ifconfig-push 192.168.2.102 255.255.255.0).
Now everything works fine; all clients receive the right IP. I can separate 
these two groups with firewall rules. The first group has access to all 
services and the second group to a limited range of IPs.
But now the problem: when a member of the second group changes his IP 
manually after connecting (example: from 192.168.2.201 to 192.168.2.102), 
the user bypasses the firewall rule and he can act as a user from the 
first group.

Now my question: is it possible to make the VPN connection unusable when 
the client changes his IP manually, or to forbid that the client user can 
change his IP? Or any other ideas how I can separate these two groups?



Here is my server config:

port 1194
proto udp
dev tap

### Keys and Certs
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
#crl-verify keys/crl.pem

server-bridge 192.168.2.2 255.255.255.0 192.168.2.100 192.168.2.254

float

ifconfig-pool-persist ipp.txt

route-up "echo '1' > /proc/sys/net/ipv4/ip_forward"

push "dhcp-option DNS 192.168.1.11"
push "dhcp-option WINS 192.168.1.11"
push "dhcp-option DOMAIN xxxxxx.ch"
push "redirect-gateway def1"
push "ping 15"
push "ping-restart 120"
push "persist-key"
push "persist-tun"

client-config-dir .
ccd-exclusive

#keepalive 10 45
ping 15
ping-restart 180
ping-timer-rem
persist-tun
persist-key

#mtu-test
mssfix

tls-server
tls-auth keys/ta.key 0
tls-timeout 30
reneg-sec 0

auth-nocache
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

comp-lzo

nice -3

user nobody
group nogroup

chroot /etc/openvpn/ccd
status openvpn-status.log
verb 5
mute 20


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
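The bypass described in the post exists because in bridge (tap) mode OpenVPN only switches Ethernet frames: nothing ties the IP a client actually uses to the one handed out with ifconfig-push, and the learn-address hook receives the client's MAC address rather than an IP. In tun (routed) mode OpenVPN does enforce this: it drops any packet whose source IP is not the address it assigned to that client session. The script below is an added example for this thread (not code from the original post or from the OpenVPN project) showing how a learn-address hook can then build per-client firewall chains keyed on the assigned address, with the policy chosen from the certificate common name. It assumes the server has been switched to dev tun, that common names are prefixed emp- or partner- (assumed naming), that partners may only reach 192.168.1.0/24 (assumed), that the FORWARD chain defaults to DROP for traffic arriving on tun0, and that the server config carries `script-security 2` and `learn-address /etc/openvpn/learn-address.sh`.

```shell
#!/bin/sh
# Example learn-address hook for OpenVPN, written for this discussion
# (not from the original post or the OpenVPN project). Assumptions:
#   - the server runs in tun (routed) mode, not bridge/tap mode; in tun mode
#     OpenVPN drops packets whose source IP is not the address it assigned to
#     that client, which is the check bridge mode lacks
#   - certificate common names start with "emp-" (employees) or "partner-"
#   - the FORWARD chain defaults to DROP for traffic arriving on $VPN_IF, so a
#     client with no per-address chain gets nothing
#   - server config: script-security 2 / learn-address /etc/openvpn/learn-address.sh
# OpenVPN invokes it as: learn-address.sh <add|update|delete> <address> [<common_name>]

IPT="${IPT:-iptables}"                        # firewall command; override when testing
VPN_IF="${VPN_IF:-tun0}"
PARTNER_NET="${PARTNER_NET:-192.168.1.0/24}"  # only subnet partners may reach (assumed)

# Map a certificate common name to a policy group.
group_for_cn() {
  case "$1" in
    emp-*)     echo employees ;;
    partner-*) echo partners ;;
    *)         echo unknown ;;
  esac
}

# Per-client chain name derived from the assigned address, e.g. vpn_192_168_2_201
chain_for() {
  echo "vpn_$1" | tr . _
}

# Rules placed inside a client's chain, chosen by group.
policy_rules() {
  chain=$1
  case "$(group_for_cn "$2")" in
    employees) echo "$IPT -A $chain -j ACCEPT" ;;
    partners)  echo "$IPT -A $chain -d $PARTNER_NET -j ACCEPT"
               echo "$IPT -A $chain -j DROP" ;;
    *)         echo "$IPT -A $chain -j DROP" ;;
  esac
}

# Print, one per line, the iptables commands for one learn-address event.
# The jump rule keys on the address OpenVPN assigned; because OpenVPN in tun
# mode refuses packets from a client using any other source address, changing
# the IP on the client side cannot move that client into another chain.
rules_for() {
  op=$1; addr=$2; cn=${3:-}
  chain=$(chain_for "$addr")
  case "$op" in
    add)
      echo "$IPT -N $chain"
      policy_rules "$chain" "$cn"
      echo "$IPT -A FORWARD -i $VPN_IF -s $addr -j $chain" ;;
    update)   # same address handed to a (possibly different) client: rebuild policy
      echo "$IPT -F $chain"
      policy_rules "$chain" "$cn" ;;
    delete)   # OpenVPN passes no common name on delete, so tear down by address
      echo "$IPT -D FORWARD -i $VPN_IF -s $addr -j $chain"
      echo "$IPT -F $chain"
      echo "$IPT -X $chain" ;;
    *)
      echo "unknown learn-address operation: $op" >&2
      return 1 ;;
  esac
}

# Entry point: only act when invoked by OpenVPN with arguments.
if [ $# -ge 2 ]; then
  rules_for "$@" | while IFS= read -r cmd; do
    $cmd || exit 1
  done
fi
```

Two practical caveats for a config like the one posted: the hook runs after OpenVPN has dropped privileges to `user nobody` inside the chroot, so either those options go or the iptables calls need a sudo/wrapper that can run as root; and ccd files keep working unchanged in tun mode, so the existing ifconfig-push assignments carry over.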