Firewall – prevent OpenVPN client from changing IP of tap device

firewall, openvpn, vpn

I have an OpenVPN server behind a firewall; clients are assigned static IP addresses with specific ifconfig-push directives in the client-config-dir. The problem is that clients can change their assigned IPs (e.g. ifconfig tap0 a.b.c.d up), making all my firewall rules useless… Is there a way to prevent them from changing their IP?

server.conf:

mode server
tls-server

local 10.0.0.150
port 1194
proto udp

#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"

persist-key
persist-tun

#certificates and encryption
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret

#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 10.0.0.150 255.255.255.0 10.0.0.151 10.0.0.170
client-config-dir /etc/openvpn/client-config

#log and security
user nobody
group nogroup
keepalive 60 240
status openvpn-status.log
verb 3

client-config/some_client:

ifconfig-push 10.0.0.1 255.255.255.0

Best Answer

Why server-bridge? Why would you use a bridge if you want to implement firewall rules? If you give clients a layer 2 tunnel to work with, then they are going to be able to change their layer 3 addressing.
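To make that answer concrete, here is the questioner's server rewritten as a routed (tun) VPN, where OpenVPN itself enforces each client's source address. This is an added example, not configuration from the question or the answer. The VPN subnet 10.8.0.0/24, the client address 10.8.0.11 and the client name some_client are assumptions; the certificate paths and the listening address are the ones from the question.

```conf
# server.conf (added example, tun mode)
mode server
tls-server

local 10.0.0.150
port 1194
proto udp

# Layer 3 tunnel: the client is handed an address, not a link it can re-address.
dev tun0
topology subnet

persist-key
persist-tun

ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key  /etc/openvpn/easy-rsa/keys/server.key
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

# Dedicated VPN subnet (assumed). The server routes between 10.8.0.0/24 and the
# LAN, so every client packet crosses the kernel FORWARD chain where the
# firewall rules live.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/client-config

# Deliberately NOT set: client-to-client. With it, OpenVPN switches traffic
# between clients internally and that traffic never reaches the firewall.

user nobody
group nogroup
keepalive 60 240
status openvpn-status.log
verb 3

# client-config/some_client (added example; with "topology subnet" the second
# argument is the netmask, with the default net30 topology it is the peer address)
ifconfig-push 10.8.0.11 255.255.255.0
```

In tun mode the server keeps an internal routing table that maps each client's assigned address (plus any iroute entries in its client-config file) to that client's session. A packet arriving from a client with any other source address is discarded rather than forwarded, and OpenVPN logs it as "MULTI: bad source address from client [CN], packet dropped", so iptables or nftables rules keyed on the source address of traffic entering tun0 can be trusted. The one caveat is client-to-client: leave it unset, otherwise client-to-client traffic bypasses the kernel and the firewall with it.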
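Once the addresses are enforced by OpenVPN, the firewall rules can be derived from the same client-config-dir that assigns them, so the two never drift apart. The script below is an added example, not code from the question or the answer. It assumes a routed server with "topology subnet" (each client file carries "ifconfig-push <addr> <mask>"), a tun device named tun0, and an nftables host; the client names alice, bob and carol and their addresses are constructed sample data.

```shell
#!/bin/sh
# Added example: derive per-client nftables rules from an OpenVPN client-config-dir.
# Assumes tun mode with "topology subnet", so each client file carries
# "ifconfig-push <addr> <mask>" and OpenVPN already drops packets whose source
# address is not <addr>; the rules below therefore key on that address safely.
# The device name, chain layout and sample clients are assumptions.

# ccd_rules DIR TUNDEV
# Prints one nft accept rule per client file in DIR, keyed on the address that
# file pushes, followed by a catch-all drop for anything else entering TUNDEV.
ccd_rules() {
    dir=$1
    dev=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        cn=$(basename "$f")
        # The first ifconfig-push line wins; files without one get no rule.
        addr=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$f")
        [ -n "$addr" ] || continue
        printf 'iifname "%s" ip saddr %s counter accept comment "%s"\n' "$dev" "$addr" "$cn"
    done
    printf 'iifname "%s" counter drop comment "unassigned vpn address"\n' "$dev"
}

# ccd_ruleset DIR TUNDEV
# Wraps ccd_rules in a complete table so the output can be loaded with "nft -f -".
ccd_ruleset() {
    printf 'table inet vpn {\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy accept;\n'
    printf '        ct state established,related accept\n'
    ccd_rules "$1" "$2" | sed 's/^/        /'
    printf '    }\n'
    printf '}\n'
}

# Constructed sample client-config-dir for a stand-alone run.
demo_dir=$(mktemp -d)
printf 'ifconfig-push 10.8.0.11 255.255.255.0\n' > "$demo_dir/alice"
printf 'ifconfig-push 10.8.0.12 255.255.255.0\n' > "$demo_dir/bob"
printf '# disabled client, no address pushed\n'   > "$demo_dir/carol"

ccd_ruleset "$demo_dir" tun0
rm -rf "$demo_dir"
```

Run it against the real directory with `ccd_ruleset /etc/openvpn/client-config tun0 | nft -f -` after each change to a client file. The accept rules are intentionally coarse (source address only); narrow them to the LAN hosts each client may reach in the same place, since the source address is the only thing this design lets you trust.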