OpenVPN – Assign static IP by MAC address on OpenVPN

Tags: draytek, openvpn, static-ip, subnet, whitelist

Our business is currently running a VPN using OpenVPN on a server we host ourselves.


We have a need to lock down our internal network for client reasons – so the desired outcome is that only whitelisted hardware/MAC addresses can connect to our network via our Draytek 2925 router. That's easy – we can simply use the strict bind feature of the router to prevent random connections. However, I cannot figure out a way to make this work with OpenVPN. It occurred to me that we could look to assign static IP addresses to VPN clients, but from what I can find online these can only be assigned to user accounts rather than MAC addresses.

As well as this, even if I can figure out a way to assign static IPs, I'm not sure how to make these work in the whitelist – currently if I try to enter a normal OpenVPN address like 10.8.0.2 to the whitelist, the router is telling me this is outside the router LAN address range (presumably I can add this somehow but I haven't figured out how yet).

I'm new to all of this kind of stuff so apologies if my question is seen as a bit behind the eight ball.

If anyone can help with the MAC question I'd really appreciate it; alternatively if anyone has a better idea for achieving the end goal I'd also appreciate that.

Cheers.

Best Answer

You can't really tie a connection to "hardware" unless you are storing the connection keys in a hardware-integrated key store like, for example, the TPM module which is integrated with the mainboard. The source MAC addresses are not preserved as soon as IP packets get routed; other possible machine-specific identifiers are not exchanged during the handshake or configuration phases of the OpenVPN connection.

That being said, there have been some efforts for implementing policies in software. Network Access Protection (deprecated) was a Windows-generic approach to this, also VPN gateway specific clients (Checkpoint, Cisco) allow you to configure checks to meet before a connection can be established.

While this might be possible to implement with the OpenVPN client as well (either by trying to push the "route-up" script option or by working on the OpenVPN code to run a server-supplied script and check the result), be aware that OpenVPN has not been designed with this use case in mind, so things might break for you when trying.
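The question mentions that static tunnel addresses can only be tied to accounts rather than MAC addresses, and the answer explains why: the only identity OpenVPN actually verifies is the client's key material. The following added example (not code from the original post or from the OpenVPN project) shows the account-based approach in practice: each client certificate's Common Name gets a `client-config-dir` file containing an `ifconfig-push` line, and `ccd-exclusive` refuses any certificate that has no such file. The allowlist format, the `ccd_line`/`write_ccd`/`server_conf_snippet` function names and the paths under the temporary directory are assumptions made for this example; the OpenVPN directives themselves are standard ones.

```shell
#!/bin/sh
# Added example: pin OpenVPN clients to fixed tunnel addresses by certificate CN.
# Not from the original post. Paths and the allowlist format are assumptions.

# Print the per-client directive. With "topology subnet" in the server config the
# second argument is the tunnel netmask, not a point-to-point peer address.
ccd_line() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$1"
}

# Print the server-side lines that make the ccd files effective. "ccd-exclusive"
# means a client whose CN has no file in the directory is refused even when its
# certificate is valid, so the directory doubles as the connection allowlist.
server_conf_snippet() {
    ccd_dir="$1"
    printf 'server 10.8.0.0 255.255.255.0\n'
    printf 'topology subnet\n'
    printf 'client-config-dir %s\n' "$ccd_dir"
    printf 'ccd-exclusive\n'
}

# Write one file per allowlisted client. Input lines look like "<CN> <tunnel-ip>";
# blank lines and lines starting with '#' are ignored. The file name must equal the
# CN of the client certificate exactly, because that is how OpenVPN looks it up.
write_ccd() {
    dir="$1"
    list="$2"
    mkdir -p "$dir"
    while read -r cn ip; do
        [ -z "$cn" ] && continue
        case "$cn" in \#*) continue ;; esac
        ccd_line "$ip" > "$dir/$cn"
    done < "$list"
}

# Demo run against a temporary directory so nothing under /etc is touched.
# The CNs and addresses below are constructed sample data.
demo() {
    tmp=$(mktemp -d)
    printf '# CN            tunnel-ip\nlaptop-alice    10.8.0.10\ndesktop-bob     10.8.0.11\n' \
        > "$tmp/allowlist.txt"
    write_ccd "$tmp/ccd" "$tmp/allowlist.txt"
    server_conf_snippet "$tmp/ccd" > "$tmp/server.conf.snippet"
    echo "ccd files written to $tmp/ccd:"
    for f in "$tmp"/ccd/*; do
        printf '  %s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
    echo "server config lines in $tmp/server.conf.snippet:"
    cat "$tmp/server.conf.snippet"
}

# Run the demo only when executed directly with "demo" as the first argument.
[ "${1:-}" = "demo" ] && demo
```

Run it as `sh pin-clients.sh demo` to see the generated files. The addresses handed out this way are fixed per certificate, which is what a router-side rule can then reference; note that the router will only see those 10.8.0.x addresses if the VPN subnet is routed to the LAN rather than NATed behind the VPN server's own address.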
