Can OpenVPN be set up so the server doesn't have an interface that is part of the VPN?

I'm looking to set up a VPN (OpenVPN is my first choice but I'm not stuck with it) in such a way that the server that hosts the VPN is not visible from within the VPN. That is, any packet that a client sends via the VPN interface will get delivered to another client's VPN interface or get dropped. In the other direction, the server shouldn't have a VPN interface at all and normal network operations shouldn't be able to send packets on the network.

Can this be done?

All the docs I have found have assumed that clients will connect via DHCP (thus requiring that the server connect at least to that extent) but I can't think of any reason that a VPN couldn't use static IPs or that the DHCP server couldn't be implemented inside the VPN server (see edit) without setting up a VPN interface on the server.

Edit: Based on the link on bridged mode from Phil Hollenback's answer it seems that OpenVPN does in fact have the "internal DHCP server" that I'm thinking of.


Solution 1:

I suspect this is possible (although pretty weird). Use the tap device so that the remote machines are bridged over the vpn instead of routed. OpenVPN lets you push scripts to the clients to execute on connection, so you can use that facility to configure networking on the client machines instead of using the server push directives to configure dhcp. Instead, directly run the appropriate ifconfig and route commands on the client to tell it to connect to the network over the vpn. That probably gets complicated as you have to deal with different network config tools on linux vs. windows, but it should be doable.

My guess however is this will only be sufficient to avoid casual inspection. It's very likely there will be information leakage that would allow a client to detect that it is connected to the network via a particular openvpn server.

Here's some info on openvpn bridging that might be useful.

Solution 2:

This isn't going to answer your OpenVPN question, but let us take a step back if you don't mind.

You want a client-only VPN, is that correct? You have clients potentially anywhere in the world and you want to connect only those clients via VPN? There are no central resources that you want the clients to connect to, just each other. Gotcha.

Have you looked at Hamachi^2? It does exactly what you're trying to achieve.

If what you're doing is non-commercial and you have 16 or fewer clients, Hamachi^2 is free. If you have commercial needs and/or you require more than 16 clients, it's $199/year.

$199/year is probably less money than it takes to acquire hardware for OpenVPN (if necessary), your time to configure and maintain OpenVPN and your time to support the clients/users.

Of course, if this purpose is non-commercial, greater than 16 clients, you're donating your time and hardware has already been provided, I can definitely see why Hamachi^2 isn't the solution for you.

That being the case, I'm not entirely sure why a total lockdown firewall solution on the tunnel interface of the OpenVPN isn't adequate for your needs.
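The "total lockdown firewall on the tunnel interface" that Solution 2 mentions, written out as an added example (not code from either answer): an iptables ruleset under which the OpenVPN host neither accepts nor emits packets on its tunnel interface and only forwards traffic between clients on that same interface. The interface name (tun0/tap0), the VPN subnet 10.8.0.0/24 and the Linux/iptables host are assumptions.

```shell
#!/bin/sh
# Added example, not from the answers above. Interface and subnet are placeholders.

# Print an iptables-restore ruleset for tunnel interface $1 (e.g. tun0 or tap0)
# and VPN subnet $2 (e.g. 10.8.0.0/24).
lockdown_rules() {
    ifc="$1"; net="$2"
    cat <<EOF
*filter
# Nothing arriving over the tunnel may reach the server's own sockets.
-A INPUT -i $ifc -j DROP
# The server's own processes may not send into the tunnel.
-A OUTPUT -o $ifc -j DROP
# Client-to-client only: same interface in and out, VPN addresses at both ends.
-A FORWARD -i $ifc -o $ifc -s $net -d $net -j ACCEPT
# Anything else entering or leaving the tunnel is dropped.
-A FORWARD -i $ifc -j DROP
-A FORWARD -o $ifc -j DROP
COMMIT
EOF
}

# Number of rules in the generated set that name the tunnel interface (sanity check).
rule_count() {
    lockdown_rules "$1" "$2" | grep -c -- "-A .*$1"
}

# Apply with: sh lockdown.sh apply tun0 10.8.0.0/24   (root; -n keeps existing rules)
if [ "$1" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    lockdown_rules "$2" "$3" | iptables-restore -n
fi
```

Note that with `client-to-client` in the OpenVPN server config the daemon switches client traffic internally and the kernel FORWARD chain never sees it; without that directive, the FORWARD rules above are what decide whether one client can reach another.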