We have an OpenVPN server that clients connect to using X509 certificates. Some clients that connect to it get a random IP using its DHCP server, while others have a user config file that says something like:
ifconfig-push 192.168.67.24 255.255.255.0
which essentially sets that client to always have the same IP when it connects.
What we've done in the past is have some iptables firewall rules that say things like
if the source IP is 192.168.67.24, allow it access to servers X and Y only
My question is this: is that effective at all as a means of access control? Or can a client just override the IP the OpenVPN DHCP server gives them with a static IP whenever they feel like, as long as it's not already taken, and on the same subnet?
If they can change their IP, I guess the solution would be to create multiple instances of OpenVPN servers, and set up iptables rules based on the interface (tun0, tun1, etc.), rather than individual IPs? Or is the way we're doing it now fine, and the OpenVPN server will prevent them from changing their IP?
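As an added example (not from the original question, and not OpenVPN's or anyone's project code), here is a small POSIX shell script that renders the two halves of the setup described above: the client-config-dir entry that pins a certificate to a fixed address, and an iptables rule set that keys on that address. The certificate names, addresses, allowed servers, the VPN_ACL chain name, the tun0 interface and the /etc/openvpn/ccd path are all assumptions; the client table is constructed for illustration. It only prints the commands, so it can be run anywhere and reviewed before being piped into sh as root.

```shell
#!/bin/sh
# Added example: render OpenVPN ccd entries and matching iptables rules.
# Every name, path and address here is an assumption for illustration.
set -eu

VPN_IF="${VPN_IF:-tun0}"                  # assumed: server-side tun interface
CHAIN="${CHAIN:-VPN_ACL}"                 # assumed: dedicated filter chain
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"    # assumed: client-config-dir on the server

# Constructed client table: certificate CN : fixed VPN IP : allowed servers.
CLIENTS='alice:192.168.67.24:10.0.0.10,10.0.0.11
bob:192.168.67.25:10.0.0.12'

# One ccd entry. OpenVPN looks the file up by the certificate CN, so the
# file name is what binds the X.509 identity to the address. The
# "ip netmask" form of ifconfig-push assumes the server runs with
# --topology subnet.
ccd_entry() {
  ip="$1"; mask="$2"
  printf 'ifconfig-push %s %s\n' "$ip" "$mask"
}

# Rules for one client: accept only the listed destinations, then drop the
# rest from that source. Matching on -i as well as -s restricts the rule to
# packets that really arrived through the VPN interface, so a host on
# another interface cannot claim the VPN address and inherit its access.
client_rules() {
  ip="$1"; shift
  for dst in "$@"; do
    printf 'iptables -A %s -i %s -s %s -d %s -j ACCEPT\n' \
      "$CHAIN" "$VPN_IF" "$ip" "$dst"
  done
  printf 'iptables -A %s -i %s -s %s -j DROP\n' "$CHAIN" "$VPN_IF" "$ip"
}

# Whole rule set: hand everything forwarded from the VPN interface to the
# chain, add the per-client rules, and finish with a default DROP so a
# client that is not in the table (or shows up with an unexpected address)
# reaches nothing.
render_rules() {
  printf 'iptables -N %s\n' "$CHAIN"
  printf 'iptables -A FORWARD -i %s -j %s\n' "$VPN_IF" "$CHAIN"
  printf '%s\n' "$CLIENTS" | while IFS=: read -r cn ip servers; do
    # shellcheck disable=SC2046  # word splitting of the server list is intended
    client_rules "$ip" $(printf '%s' "$servers" | tr ',' ' ')
  done
  printf 'iptables -A %s -j DROP\n' "$CHAIN"
}

# ccd files as "# path" comment followed by the entry, for review.
render_ccd() {
  printf '%s\n' "$CLIENTS" | while IFS=: read -r cn ip servers; do
    printf '# %s/%s\n' "$CCD_DIR" "$cn"
    ccd_entry "$ip" 255.255.255.0
  done
}

render_ccd
render_rules
```

The point of the extra -i match and the trailing DROP is that a source-address rule on its own trusts whatever arrives with that address; the rule set above at least ties the address to the VPN interface and denies everything not explicitly listed. Whether the VPN layer itself keeps a client on its pushed address is a separate question; the practical check is to connect as a test client, set a different address on the tun interface, send traffic, and watch the server's OpenVPN log and the chain counters (iptables -L VPN_ACL -v -n) to see whether the packets are dropped by the daemon or reach the firewall.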