Based on my research, here's how the VPN server can extract MAC addresses:
MAC Address Extraction Methods
- IV_HWADDR Environment Variable (Primary Method)
  - Client Configuration: Add push-peer-info to client .ovpn config
  - Environment Variable: IV_HWADDR contains the client's MAC address
  - Format: Standard MAC format (e.g., 00:FF:01:02:03:04)
- Client Configuration Requirements
    # In client.ovpn file
    push-peer-info
- Server Script Access
    import os

    def extract_mac_address():
        # Primary method - IV_HWADDR from push-peer-info
        mac_address = os.environ.get('IV_HWADDR')
        if mac_address:
            return mac_address.strip()
        # Fallback - check other environment variables
        return None
Important Considerations
Client Compatibility Issues:
- OpenVPN2 clients: Generally send MAC addresses reliably
- OpenVPN3 clients: May send UUID strings instead of MAC addresses
- Older clients: May not provide MAC address at all
Alternative Approaches:
- TAP Mode (Layer 2):
  - Use --dev tap instead of --dev tun
  - MAC addresses available through --learn-address script
  - More complex network setup required
- Client Certificate Binding:
  - Embed MAC address in certificate Common Name or Subject Alt Name
  - More secure but requires certificate management per device
- Custom Client Reporting:
  - Modify client to report MAC through custom authentication
Recommended Implementation
For your VPN access server, the most practical approach is:
- Require push-peer-info in all client configurations
- Extract from IV_HWADDR environment variable in client-connect script
- Handle missing MAC addresses gracefully (log and potentially deny access)
- Document client requirements for users/administrators
This method integrates seamlessly with your existing MySQL-based validation system in access/auth.py.
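
The client-connect check recommended above, written out as an added example (not code from this project or its access/auth.py). The in-memory allowlist stands in for the MySQL lookup, the UUID pattern for OpenVPN3 clients is an assumption, and `classify_hwaddr` and `decide` are hypothetical names; because IV_HWADDR is reported by the client itself, the value is format-checked before it is used.

```python
import os
import re
import sys

MAC_RE = re.compile(r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}", re.I)
# Assumption: a "UUID string" from an OpenVPN3 client has the canonical 8-4-4-4-12 form.
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def classify_hwaddr(env):
    """Classify the client-reported IV_HWADDR as (kind, normalized_value)."""
    raw = (env.get("IV_HWADDR") or "").strip()
    if not raw:
        return "missing", None          # no push-peer-info, or an older client
    if MAC_RE.fullmatch(raw):
        return "mac", raw.lower().replace("-", ":")
    if UUID_RE.fullmatch(raw):
        return "uuid", raw.lower()      # OpenVPN3-style identifier, not a MAC
    return "other", None                # unexpected text: never echo it into logs or SQL


def decide(env, allowed_macs, require_mac=True):
    """Return (allow, reason) for one connecting client."""
    kind, value = classify_hwaddr(env)
    user = env.get("common_name", "unknown")
    if kind == "mac":
        ok = value in allowed_macs
        return ok, f"{user}: MAC {value} {'registered' if ok else 'not registered'}"
    reasons = {
        "missing": "IV_HWADDR absent",
        "uuid": f"IV_HWADDR is a UUID ({value}), not a MAC",
        "other": "IV_HWADDR has an unexpected format",
    }
    return (not require_mac), f"{user}: {reasons[kind]}"


def main():
    # Constructed allowlist standing in for the MySQL lookup mentioned on the page.
    allowed = {"00:ff:01:02:03:04"}
    allow, reason = decide(os.environ, allowed)
    print(reason, file=sys.stderr)      # reason is written to stderr for logging
    return 0 if allow else 1            # non-zero exit from client-connect rejects the client


if __name__ == "__main__":
    sys.exit(main())
```

Setting `require_mac=False` logs clients without a usable MAC but lets them connect, which matches the "log and potentially deny" choice in the list above.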