A Virtual Private Network (VPN) provides encrypted connections for remote access to a network. To enhance security beyond traditional VPN mechanisms, integrating MAC address filtering with the server setup ensures that only devices with specific MAC addresses are granted access. This method effectively prevents unauthorized devices from connecting to your VPN server.
Prerequisites for the Setup
Before setting up a VPN server with MAC address filtering, ensure you have the following:
- A Linux-based server (e.g., Ubuntu, CentOS)
- Root access to the server
- OpenVPN installed on the server
- Access to the router or firewall to configure network settings
- A list of trusted MAC addresses for devices you want to allow
Step 1: Installing OpenVPN Server
Begin by installing OpenVPN, which will handle the VPN connections. On an Ubuntu-based system, execute the following commands:
```bash
sudo apt update
sudo apt install openvpn easy-rsa
```
This installs OpenVPN and the Easy-RSA utility for managing certificates.
Step 2: Setting Up the OpenVPN Server
Next, configure the OpenVPN server. First, initialize the certificate authority (CA) with Easy-RSA:
```bash
make-cadir /openvpn-ca
cd /openvpn-ca
source vars
./clean-all
./build-ca
```
Now, build the server key and certificate, the Diffie-Hellman parameters, and the TLS-auth HMAC key:
```bash
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
```
With certificates and keys generated, copy the files from /openvpn-ca/keys/ into /etc/openvpn/keys/ (the paths used in the configuration below), then open the server configuration file for editing:
```bash
sudo nano /etc/openvpn/server.conf
```
Inside the file, configure the basic server settings:
```conf
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
# HMAC key generated in Step 2; clients use the same file with direction 1
tls-auth /etc/openvpn/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
cipher AES-256-CBC
auth SHA256
compress lz4
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
```
Step 3: Enabling MAC Address Filtering
Now, implement the MAC address filtering mechanism. OpenVPN doesn't natively support MAC address filtering, so we'll use a firewall rule to reject connections from devices with unauthorized MAC addresses. Keep in mind what the iptables mac match can actually see: it compares the Ethernet source address of frames arriving on the interface named in the rule. A tun device (dev tun above) is a layer-3 interface without Ethernet headers, so for the match to have anything to compare it must be applied to a layer-2 interface: a tap device (dev tap), or the LAN-facing interface for clients on the local segment. The address is also set by the client device itself, so treat this as an allowlist of known devices layered on top of OpenVPN's certificate authentication, not as a replacement for it.
First, list the MAC addresses of the devices you want to allow. For each client, add an iptables rule that matches its MAC address:
```bash
sudo iptables -A INPUT -i tun0 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
```
This rule allows a specific MAC address (e.g., 00:11:22:33:44:55) to connect to the VPN.
To apply MAC address filtering for multiple devices, add one line per device with its MAC address:
```bash
sudo iptables -A INPUT -i tun0 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
sudo iptables -A INPUT -i tun0 -m mac --mac-source 66:77:88:99:AA:BB -j ACCEPT
```
Make sure to replace the MAC addresses with those of your trusted devices. ACCEPT rules on their own block nothing: unless the INPUT chain's default policy is DROP, the list must end with a rule that drops the remaining traffic on that interface, otherwise unlisted devices are still let through.
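The following script is an added example, not part of the original article: it turns an allowlist of MAC addresses into a complete rule set with validation and the closing DROP that the bare ACCEPT lines above lack. The interface name is a parameter and defaults to tap0 (an assumption: the mac match needs a layer-2 interface); the VPN_MAC chain name and the sample allowlist are constructed for the example.

```sh
#!/bin/sh
# Assumed helper, not from the original article: turns a MAC allowlist into a
# complete iptables rule set. Two things the page's bare ACCEPT rules lack:
#  - a final DROP, because ACCEPT rules alone block nothing while the INPUT
#    chain policy is ACCEPT;
#  - validation, since a typo in a MAC silently lets a device fall through.
# The interface is a parameter and defaults to tap0 (an assumption): the mac
# match reads the Ethernet header, which a layer-2 tap device has and the
# layer-3 tun0 used in the article does not.

# Constructed sample allowlist: the page's two example MACs plus one
# malformed entry to exercise validation.
ALLOWLIST='00:11:22:33:44:55
66:77:88:99:AA:BB
00:11:22:33:44:5Z'

# valid_mac MAC -> status 0 for six colon-separated hex octets, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# build_rules [IFACE] -> prints the iptables commands on stdout.
# Returns 1 if any allowlist entry was malformed (and therefore skipped).
build_rules() {
    iface=${1:-tap0}
    bad=0
    # A dedicated chain keeps the allowlist separate from other INPUT rules.
    printf 'iptables -N VPN_MAC\n'
    printf 'iptables -A INPUT -i %s -j VPN_MAC\n' "$iface"
    for mac in $ALLOWLIST; do
        if valid_mac "$mac"; then
            printf 'iptables -A VPN_MAC -m mac --mac-source %s -j ACCEPT\n' "$mac"
        else
            printf '# skipped malformed entry: %s\n' "$mac"
            bad=1
        fi
    done
    # Catch-all: frames on this interface from any other MAC are dropped.
    printf 'iptables -A VPN_MAC -j DROP\n'
    return "$bad"
}

# Review the generated rules first, then apply them as root:
#   build_rules tap0
#   build_rules tap0 | sudo sh
```

Because the script only prints commands, you can diff its output against `iptables-save` before applying it.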
Step 4: Applying Firewall Rules
To keep the rules across reboots, save them (on Ubuntu/Debian, /etc/iptables/rules.v4 is the file the iptables-persistent package restores at boot). The redirect must run as root as well, not just the iptables-save command:
```bash
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
```
Next, reload the firewall rules to apply them immediately (the iptables service unit comes from iptables-services on CentOS/RHEL; on Ubuntu/Debian the same job is done by the netfilter-persistent service):
```bash
sudo systemctl restart iptables
```
Step 5: Testing the Setup
Now that the OpenVPN server is configured with MAC address filtering, it's time to test the connection. From a client device with an allowed MAC address, connect to the VPN using the OpenVPN client:
```bash
sudo openvpn --config client.ovpn
```
Check the server logs, and the status file configured above (/var/log/openvpn-status.log), to verify that the connection was successful. If a device with an unauthorized MAC address attempts to connect, the connection will be blocked.
Conclusion
Setting up a VPN server with MAC address filtering increases the security of your VPN environment by restricting access to known devices. The use of firewall rules in conjunction with OpenVPN allows you to create an extra layer of security without modifying the core OpenVPN setup.