OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: guest16566 on June 05, 2018, 10:32:45 am

Title: DHCP Server: Don't pass out default gateway to OpenVPN clients
Post by: guest16566 on June 05, 2018, 10:32:45 am
While configuring my OpenVPN server to run in tap & therefore bridged mode I stumbled upon a major issue:

If I want to use my already setup DHCP server I would have to prevent it to pass out the default gateway to my connecting OpenVPN clients as per this FAQ (https://openvpn.net/index.php/open-source/faq/77-server/323-i-want-to-set-up-an-ethernet-bridge-on-the-1921681024-subnet-existing-dhcp.html (https://openvpn.net/index.php/open-source/faq/77-server/323-i-want-to-set-up-an-ethernet-bridge-on-the-1921681024-subnet-existing-dhcp.html)).
Without this everything seems to work fine in the same subnet but any connection to the internet or other subnets fails.

My setup also seems to work if I use the Bridge DHCP option but this seems to require setting up a different dhcp pool. I want to avoid that option if possible to centralize the lease management.

How would I go about preventing the passing out of a default gateway to OpenVPN clients without editing the dhcpd config manually like described in the install notes (https://openvpn.net/index.php/open-source/documentation/install.html (https://openvpn.net/index.php/open-source/documentation/install.html))?

Thanks for any help

Code: [Select]
[Editors note: The 00:FF MAC prefix is not my original idea -- I got it from the Linux TAP driver.]

I've been using openVPN since you ported it to windows, and I must say it is fantastic. In just 2 short weeks of testing, I have decided to scrap my IPSec VPN that I have been using for my small business in place of openVPN. One thing that I have found to be immensely useful is the ethernet bridging. I would rather bridge than route for my particular situation, because I want my remote vpn clients to be on the same subnet as the office-bound clients for myriad reasons. I did not like having to manually configure IP addresses for each client, so I elected to use a dhcp server to serve my remote clients an IP address through the openVPN tunnel.

Rather than relying on client hostnames to distinguish between openVPN and non-openVPN connections, I took advantage of your clever idea to create MAC addresses for the Tap adapters as 00:FF:xx:xx:xx:xx, and I wrote my dhcpd.conf file accordingly. The reason this is necessary for me is that I do not want to hand out a default gateway or DNS server to my openVPN clients, I only want local traffic going through the tunnel. I'm sure there are many other possible instances in which the dhcp server would like to handle openVPN clients differently from standard clients, so I though I would share my dhcp server config with you on the off chance that it might be useful to others. This particular config is for ISC's dhcp3 server, but I'm sure it would work with just about anything. There is nothing particularly clever or tricky about this config file, I just did not happen to see any examples of it anywhere, so if this could save someone some time and effort, that would be great:

Thank you, Jim, for writing this fantastic piece of software.

Dave Lau

beefcake:~# cat /etc/dhcp3/dhcpd.conf
## If hardware address begins with 00:FF, the client is an
## openvpn tap adapter, and we do not want to assign a
## default gateway or dns server.  Assign then to a special
## subclass and configure a pool which does not hand out
## these parameters.

class "openvpn" {
     match if substring (hardware, 1, 2) = 00:FF;
## end class declaration

## subnet for br0

subnet netmask {
always-broadcast on;
max-lease-time 3600;
default-lease-time 1800;
option domain-name "ezone.net";
option subnet-mask;

pool {
     deny members of "openvpn";
     option routers;
     option domain-name-servers;
     option tftp-server-name "";

pool {
     allow members of "openvpn";