Hardware Address Access Policy

TinCanTech edited this page Dec 13, 2021 · 1 revision

Hardware address access policy details

Save the client's hardware addresses in the client key metadata, then have the server compare the
hardware addresses stored in the client key against the hardware address the client pushes.

hardware-address = MAC-address = OpenVPN variable IV_HWADDR

Interactive commands:

  • Use easytls build to build a TLS key using the interactive menus.

  • Use easytls inline to inline a TLS key using the interactive menus.

  • Use easytls script to create a configuration file for your server using the interactive menus.

Command to build a TLS-Crypt-V2 key with encrypted hardware addresses:

easytls --custom-group=MY_CUSTOM_GROUP build-tls-crypt-v2-client server-01 client-05 ab1234567890 cd0987654321

In the example above, ab1234567890 and cd0987654321 could be the client's Ethernet and Wi-Fi MAC addresses.
Change the Custom-Group to your preference.


Verify the TLS-Crypt-V2 metadata from a client key:

  • Use easytls-cryptv2-verify.sh in your server config to extract the key metadata:
tls-crypt-v2-verify '/home/tct/easy-rsa/easyrsa3/easytls-cryptv2-verify.sh -v -c=/home/tct/easy-rsa/easyrsa3/pki -g=MY_CUSTOM_GROUP --pid-file=/etc/openvpn/server.pid -t=/home/tct/temp'

writepid /etc/openvpn/server.pid

This script needs access to the server PID, which is only available via a PID file, hence the writepid option above.

-t - The temporary directory where easytls-cryptv2-verify.sh writes the hardware address file.


Verify the hardware addresses from the verified TLS-Crypt-V2 client key metadata:

  • Use easytls-cryptv2-client-connect.sh in your server config to verify hardware addresses extracted from the key:
client-connect 'easytls-cryptv2-client-connect.sh -v -a|p|k -t=/home/tct/temp'

-t - The temporary directory where easytls-cryptv2-verify.sh writes the hardware address file.
-a - Clients can connect even if they do not use --push-peer-info.
-p - Clients are required to use --push-peer-info and will be disconnected if they do not.
-k - The client key must have an encrypted hardware address and the client must use --push-peer-info.
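The following POSIX sh script is an added illustration of how the three client-connect policies (-a, -p, -k) decide whether to accept a connection; it is not the project's easytls-cryptv2-client-connect.sh. It assumes the hardware-address file left in the -t directory holds one MAC per line (an empty file meaning the key carries no encrypted MAC), and that a key without MACs is allowed in -a and -p mode; neither the file format nor that behaviour is documented on this page.

```shell
#!/bin/sh
# Added illustration of the -a / -p / -k client-connect policies on this page.
# NOT the project's easytls-cryptv2-client-connect.sh.
# ASSUMPTION: the hardware-address file written by easytls-cryptv2-verify.sh
# holds one MAC per line; an empty file means the key has no encrypted MAC.
# OpenVPN hands the MAC a client pushes with --push-peer-info to scripts in
# the IV_HWADDR environment variable; exiting non-zero refuses the client.

# Print a MAC as 12 lowercase hex digits; fail on anything malformed.
norm_mac() {
  m=$(printf '%s' "$1" | sed 's/[:-]//g' | tr 'A-F' 'a-f')
  case "$m" in
    ""|*[!0-9a-f]*) return 1 ;;
  esac
  [ ${#m} -eq 12 ] || return 1
  printf '%s\n' "$m"
}

# hwaddr_policy MODE HWFILE PUSHED  ->  0 = allow, 1 = refuse
#   MODE   a: pushed MAC optional   p: pushed MAC required
#          k: key must carry a MAC and the client must push one
#   HWFILE file of MACs extracted from the verified key metadata
#   PUSHED the client's IV_HWADDR ("" if it did not push one)
hwaddr_policy() {
  mode=$1
  hwfile=$2
  pushed=$3
  key_has_mac=0
  [ -s "$hwfile" ] && key_has_mac=1

  if [ -z "$pushed" ]; then
    [ "$mode" = a ] && return 0          # -a: not pushing is fine
    return 1                             # -p / -k: pushing is mandatory
  fi
  if [ "$mode" = k ] && [ "$key_has_mac" -eq 0 ]; then
    return 1                             # -k: the key itself must hold a MAC
  fi
  # A key with no encrypted MACs leaves nothing to compare (assumed: allow).
  [ "$key_has_mac" -eq 0 ] && return 0

  want=$(norm_mac "$pushed") || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    have=$(norm_mac "$line") || continue
    [ "$have" = "$want" ] && return 0    # pushed MAC is one the key allows
  done < "$hwfile"
  return 1                               # pushed MAC not in the key
}
```

From an OpenVPN client-connect hook the check would be called as `hwaddr_policy p /home/tct/temp/HWADDR-FILE "${IV_HWADDR:-}" || exit 1`, with HWADDR-FILE a placeholder for whatever name the verify script uses.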


Notes:

  • The client must use the OpenVPN option --push-peer-info in order to push the hardware address.
    This is not foolproof because MAC addresses can be spoofed.
  • Once encrypted into the key, the hardware addresses this TLS key is expected to connect from cannot be changed.