filter addresses - TinCanTech/easy-tls GitHub Wiki
This page describes Easy-TLS CLIENT TLS-Crypt-V2 key filter-address fields.
Easy-TLS filter-address
Easy-TLS filter-addresses allow access policies to be applied to a client's source IP and MAC address.
- IP addresses must be in a form which is valid for Easy-TLS.
- MAC address is the hardware address of your device.
Verifying a filter-address
Easy-TLS allows you to verify a filter-address prior to building a key.
- Verify a hardware address (MAC): ./easytls vhw AA:BB:55:FF:AA:BB
- Verify an IPv4 address: ./easytls vip 1.2.3.0/24
- Verify an IPv6 address: ./easytls vip 2001:a:b:c::c0ff:ee/128
Expanding an IP filter-address
- Expand an IPv4 address: ./easytls x4ip 1.2.3.0/24
- Expand an IPv6 address: ./easytls x6ip 2001:a:b:c::c0ff:ee/128
Easy-TLS validates and then expands each address to ensure the address is suitable for use. Your addresses must pass this test.
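An added example, not Easy-TLS's own code: a Python illustration of validate-then-expand for the sample addresses above, and of comparing a client's source address with one filter-address. The function names, the required prefix length, the rejection of host bits and the written-out output form are assumptions of this example; Easy-TLS's own rules and output may differ.

```python
import ipaddress
import re

# Six colon-separated hex octets, as in the page's AA:BB:55:FF:AA:BB sample.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def check_filter_address(text):
    """Return (kind, expanded) for a filter-address, or raise ValueError."""
    if MAC_RE.match(text):
        return "mac", text.upper()
    if "/" not in text:
        # Assumption of this example: the prefix length must be explicit.
        raise ValueError(f"{text!r}: prefix length required (address/bits)")
    # strict=True rejects host bits set below the prefix, e.g. 1.2.3.4/24.
    net = ipaddress.ip_network(text, strict=True)
    # exploded writes out every IPv6 group in full, with no "::" shorthand.
    return f"ipv{net.version}", net.exploded


def source_matches(filter_text, source_ip=None, source_mac=None):
    """True when a client's source IP or MAC is covered by one filter-address."""
    kind, expanded = check_filter_address(filter_text)
    if kind == "mac":
        return source_mac is not None and source_mac.upper() == expanded
    if source_ip is None:
        return False
    addr = ipaddress.ip_address(source_ip)
    net = ipaddress.ip_network(expanded)
    # An IPv4 source never matches an IPv6 filter, and vice versa.
    return addr.version == net.version and addr in net


if __name__ == "__main__":
    # Constructed inputs: the page's samples plus one address with host bits set.
    for sample in ("AA:BB:55:FF:AA:BB", "1.2.3.0/24",
                   "2001:a:b:c::c0ff:ee/128", "1.2.3.4/24"):
        try:
            print(sample, "->", check_filter_address(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
    print(source_matches("1.2.3.0/24", source_ip="1.2.3.77"))
```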
VERY IMPORTANT NOTES:
Modern operating systems make it utterly trivial for the user to change their hardware address, so this check is only valid if you have absolute control of your users' machines.
While IP address spoofing is simple, OpenVPN does not tolerate such activity. Your OpenVPN Server protects itself from spoofing. This means that an IP filter-address is a valid filter.