
Notes — Setting TAP-Windows address/subnet automatically via DHCP

Setting the TAP-Windows address/subnet automatically via DHCP is a convenient method of managing IP addresses in a bridge situation, though there are some caveats that must be handled.

The catch with handing out addresses to VPN clients via DHCP is that a VPN client should receive only an IP address and subnet mask, not a default gateway: in a bridge situation the same DHCP server serves both LAN hosts and remote VPN clients, so it must be able to tell the two apart.

Dave Lau contributed a config file for ISC’s dhcp3 server that does just this. I reproduce Dave’s email describing his setup in full below, including the DHCP server config file.

[Editor's note: The 00:FF MAC prefix is not my original idea — I got it from the Linux TAP driver.]

I’ve been using OpenVPN since you ported it to Windows, and I must say it is fantastic. In just 2 short weeks of testing, I have decided to scrap my IPSec VPN that I have been using for my small business in place of OpenVPN. One thing that I have found to be immensely useful is the Ethernet bridging. I would rather bridge than route for my particular situation, because I want my remote VPN clients to be on the same subnet as the office-bound clients for myriad reasons. I did not like having to manually configure IP addresses for each client, so I elected to use a DHCP server to serve my remote clients an IP address through the OpenVPN tunnel.

Rather than relying on client hostnames to distinguish between OpenVPN and non-OpenVPN connections, I took advantage of your clever idea to create MAC addresses for the TAP adapters as 00:FF:xx:xx:xx:xx, and I wrote my dhcpd.conf file accordingly. The reason this is necessary for me is that I do not want to hand out a default gateway or DNS server to my OpenVPN clients; I only want local traffic going through the tunnel. I’m sure there are many other possible instances in which the DHCP server would like to handle OpenVPN clients differently from standard clients, so I thought I would share my DHCP server config with you on the off chance that it might be useful to others. This particular config is for ISC’s dhcp3 server, but I’m sure it would work with just about anything. There is nothing particularly clever or tricky about this config file; I just did not happen to see any examples of it anywhere, so if this could save someone some time and effort, that would be great:

Thank you, Jim, for writing this fantastic piece of software.

Dave Lau

beefcake:~# cat /etc/dhcp3/dhcpd.conf
## If hardware address begins with 00:FF, the client is an
## openvpn tap adapter, and we do not want to assign a
## default gateway or dns server.  Assign them to a special
## subclass and configure a pool which does not hand out
## these parameters.
##
## dhcpd's "hardware" value is the hardware-type byte (0x01 for
## Ethernet) followed by the MAC, so substring(hardware, 1, 2)
## is the first two bytes of the MAC itself.

class "openvpn" {
     match if substring (hardware, 1, 2) = 00:FF;
}
## end class declaration

## subnet for br0
## The addresses were not preserved on this page; the upper-case
## tokens below are placeholders for the site's own values.

subnet SUBNET_ADDRESS netmask SUBNET_MASK {
always-broadcast on;
max-lease-time 3600;
default-lease-time 1800;
option domain-name "";
option subnet-mask SUBNET_MASK;

## Ordinary LAN clients: full set of options, including the
## default gateway and DNS servers.
pool {
     deny members of "openvpn";
     range LAN_POOL_START LAN_POOL_END;
     option routers ROUTER_IP;
     option domain-name-servers DNS_SERVER_IP;
     option tftp-server-name "";
}

## OpenVPN TAP clients: address and subnet mask only. No routers
## or domain-name-servers, so the client's default route and DNS
## stay on its local network.
pool {
     allow members of "openvpn";
     range VPN_POOL_START VPN_POOL_END;
}
}
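As an added illustration (example code, not Dave's config or anything from OpenVPN), the following Python models the class match and pool selection the file above performs, including why the substring offset is 1 and not 0; the option values and function names are assumptions.

```python
"""Model of the page's dhcpd class/pool logic (added example, not Dave Lau's code).

ISC dhcpd's `hardware` data expression evaluates to the hardware-type byte
(0x01 for Ethernet) followed by the link-layer address, which is why the
config uses substring(hardware, 1, 2): offset 0 would be the type byte.
"""

ETHERNET_HTYPE = 0x01
TAP_PREFIX = bytes.fromhex("00ff")          # OpenVPN TAP adapters: 00:FF:xx:xx:xx:xx

# Constructed placeholder option values; the real addresses are site specific.
LAN_POOL_OPTIONS = {
    "routers": "ROUTER_IP",
    "domain-name-servers": "DNS_SERVER_IP",
    "tftp-server-name": "TFTP_SERVER",
}
TAP_POOL_OPTIONS = {}                        # address + subnet-mask only


def hardware_expr(mac, htype=ETHERNET_HTYPE):
    """Bytes that dhcpd's `hardware` expression yields for this client."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 6-byte MAC address: %r" % mac)
    return bytes([htype]) + raw


def prefix_matches_at(hardware, offset):
    """substring(hardware, offset, 2) = 00:FF, for any offset."""
    return hardware[offset:offset + 2] == TAP_PREFIX


def is_openvpn_class(hardware):
    """Equivalent of: match if substring (hardware, 1, 2) = 00:FF;"""
    return prefix_matches_at(hardware, 1)


def select_pool(mac):
    """Return (pool name, per-pool options) the client would be served from.

    'deny members of "openvpn"' on the LAN pool and 'allow members of
    "openvpn"' on the TAP pool make the two pools mutually exclusive.
    """
    if is_openvpn_class(hardware_expr(mac)):
        return "openvpn", dict(TAP_POOL_OPTIONS)
    return "lan", dict(LAN_POOL_OPTIONS)


if __name__ == "__main__":
    for mac in ("00:FF:12:34:56:78", "52:54:00:11:22:33"):
        print(mac, "->", select_pool(mac))
```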