Home / server / Questions / 834826
In Process
Adam Kaplan
Asked: 2017-02-25 14:41:42 +0800 CST

Configure OpenVPN to block clients by OS?

  • 772

Is there a way to configure an OpenVPN server so that it restricts the clients that connect to it by operating system?

We currently use an OpenVPN server to connect our laptops to our servers on AWS (running in a VPC). A customer of ours has requested that we prohibit VPN access from mobile devices - hence we'd want to block Android, iOS, and Windows Phone clients.

vpn openvpn security

3 Answers

  1. Use the IV_PLAT peer info and a connect script (on the server) to reject connections if they use the wrong OS (exit with non-zero)

    There is a bit of explanation around here : https://books.google.co.uk/books?id=_1MoDwAAQBAJ&pg=PA318&lpg=PA318&dq=openvpn+peer+info+as+environment+variable&source=bl&ots=CIue3PwB-g&sig=ACfU3U1QW1IKrjiRPyRyBRM1wC6GQlNVeg&hl=en&sa=X&ved=2ahUKEwjawdOe-JfqAhVzsHEKHetZDKwQ6AEwBnoECAwQAQ#v=onepage&q=openvpn%20peer%20info%20as%20environment%20variable&f=false

    Copy/pasted here for future generations.

    1. Append the following lines to the basic-udp-server.conf server configuration file:

      script-security 2 
client-connect /etc/openvpn/cookbook/example9-11.sh

    2. Next, create the connect script: /etc/openvpn/cookbook/example9-11.sh

       #!/bin/bash
 # Redirect the default gateway for all Android clients 
 if [ "x_${IV_PLAT}" = "x_android" ] then
   echo "push "redirect-gateway def1" >> $1
 fi

    You would want to change the "echo" command to an "exit 99" or similar which should disconnect the client. (I haven't tried it.) And obviously use different names for the conf file and script!

    • 3

  2. So if you have access to the OpenVPN server you could block the requests there by using Passive OS Fingerprinting. and osf to whitelist your desktop OS.

    I'm going to write this for Centos since it is when I used it. You are installing an app nfnl_osf and then the fingerprint signature database from OpenBSD to help match the machines. 

    yum -y install libpcap libpcap-devel iptables-utils
wget http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/pf.os?rev=1.27 -O /usr/libexec/iptables/pf.os
nfnl_osf -f /usr/libexec/iptables/pf.os

    After we have them both setup we import the database into iptables and then run the below iptables commands to run the check.

    iptables -I INPUT -j ACCEPT -p udp --dport 1194 -m osf --genre Windows --log 2 --ttl 2    
iptables -I INPUT -j ACCEPT -p udp --dport 1194 -m osf --genre Mac --log 2 --ttl 2     
iptables -A INPUT -p udp --dport 1194 -j DROP

    Hope that helps!

    • 1

  3. OpenVPN does push client information to the server via --push-peer-info .. the client OS is among those elements which are pushed and could theoretically be used to screen the connection based on the expected/blocked client OS.

    Example server log:

    Tue Dec 19 13:21:42 2017 us=348489 v3.rsa.anet.cli.lx64/x.4.232.194:51806 peer info: IV_PLAT=linux
Tue Dec 19 13:21:42 2017 us=348521 v3.rsa.anet.cli.lx64/x.4.232.194:51806 peer info: IV_PROTO=2
Tue Dec 19 13:21:42 2017 us=348551 v3.rsa.anet.cli.lx64/x.4.232.194:51806 peer info: IV_NCP=2
Tue Dec 19 13:21:42 2017 us=348580 v3.rsa.anet.cli.lx64/x.4.232.194:51806 peer info: IV_LZ4=1
Tue Dec 19 13:21:42 2017 us=348608 v3.rsa.anet.cli.lx64/x.4.232.194:51806 peer info: IV_LZ4v2=1
Tue Dec 19 13:21:42 2017 us=348636 v3.rsa.anet.cli.lx64/x.4.232.194:51806 peer info: IV_LZO=1
    • 1