VPN Clients have the MAC address of the LAN interface


I’ve just noticed something off on OpenVPN clients.

Remote clients connecting back to our network are now getting the MAC address and IP of our LAN interface.

How to fix this?

Hey @edanpedragosa so VPN clients don’t actually have a MAC address, so it seems like adam:ONE is using the host interface instead.
In the past they would have been added to the Dashboard grouped under a device without a MAC.

Do you know when this started happening? Did it start happening after an upgrade or a setting change?

Hi @atw, I am not quite sure when it started happening.

I just noticed it when setting up a user’s laptop for OpenVPN access and was puzzled why the policy is always changed to whatever I set for the device with, say, 192.168.1.n connecting via OpenVPN.

All OpenVPN devices are getting the same policy and are also registering the LAN interface IP and MAC address aside from the set OpenVPN client IP.

What I normally do is create a device with a fake MAC address and the IP address of the VPN connection that I want to put on a separate policy.
With OpenVPN you would have to use some method of ensuring a user always has the same IP. For example, on pfSense® you could use this: Virtual Private Networks — OpenVPN — OpenVPN Configuration Options — Client Specific Overrides | pfSense Documentation
In the IPv4/IPv6 Tunnel Network setting you can give a username (entered into Common Name) a static IP.

@atw, I have been using the client overrides ever since but now added fake MAC addresses for the OpenVPN clients. The Bulk Import tool is a fine utility!

Thanks so very much for the tip!

I thought adding the device manually and setting a fake MAC address worked, but it did not.

It worked for a while last night until I tested it this morning. The fake MAC address is gone and the LAN interface MAC and IP addresses have been set to the OpenVPN clients again.

On a side note, is there a way to not set the LAN interface MAC and IP address to any OpenVPN clients?

Hey @edanpedragosa we’re not seeing this behaviour, any chance that your OpenVPN server is in tap (bridged) mode?

Hi @atw, my VPN server is set up in TUN.

Assigning fake MAC addresses seems to work now.

Thank you so very much!