OpenVpn radom MAC address

[LTHE]

Dears,

we are using OpenVPN client to connect to our Softether server with Cisco Duo MFA.
When a user do a connection, his mac address is changing at each connection... is there a way to avoid it?
I saw an article that said that I need to fix the mac address for each user but since I used Cisco MFA I have users in my Active Directory and no more in Softether server.
The server is in version 4.42, build 9798.
Thanks a lot for your help!

Best regards,
Ludo

[solo]

Virtual MAC address reservation:

SoftEther VPN 4.31 Build 9727 Beta (November 18, 2019)
Added the new function to reserve and each Virtual MAC address and IP address for each user of L2TP/IPsec, SSTP and OpenVPN L3. Since SoftEther VPN Ver 4.31 Build 9727, we added the new function to make each L3 VPN users to use the reserved virtual MAC address and the virtual IP address. This function allows the DHCP server in the remote-access destination network to identify the connected user and to assign reserved IP addresses to each of users respectfully.   L3 VPN protocols, such as L2TP/IPsec, SSTP and OpenVPN L3, creates virtual L2/L3 layer-transformation adapter for each of VPN connections which are established to the Virtual Hub on SoftEther VPN Server. A virtual L2/L3 layer-transformation adapter has a virtual MAC address. In the previous versions of SoftEther VPN, virtual MAC addresses are randomly assigned each time when users connect to the VPN Server. There were no solution to assign fixed MAC addresses and IP addresses to each of users. SoftEther VPN Ver 4.31 Build 9727 and later supports the function to fix virtual MAC addresses of every L3 VPN users.

When the user object is using the standard user authentication, you need to write the arbitrary virtual MAC address on the "Note" field on the user object. For example, the "Note" field will have the MAC address format which starts with "MAC:" followed by a 6-bytes ASCII-encoded HEX string, such like "MAC:ae:00:00:00:00:01". We recommend to use the "ae" on the first byte of the MAC address...

https://www.softether.org/5-download/history

[LTHE]

thanks Solo!
that's indeed what I also found....
But that means that I need to add manualy a specific mac address in each user in my active directory?

[solo]

Or go TAP mode with static MACs.

[LTHE]

I don't understand what I can do 😅
A few more infos :
the hub where I connect can't have SecureNAT active because of ip telephony... so I need to send dhcp request to my dhcp server.
So can you help me more ?

Thanks a lot!

[solo]

The ovpn config info you got, states as follows:

* 2. How Different between L3 and L2?
Use L3 (IP Routing) if you want to install OpenVPN on the normal computer (for
example, a lap top PC), and make it connect to PacketiX VPN Server or SoftEther
VPN Server for the purpose of establishing a "Remote-Access VPN Connection" .
In this case, the IP address will be assigned on the virtual network adapter
of OpenVPN automatically when the OpenVPN will connect to the Virtual HUB on
the VPN Server successfully and request an IP address and other network
parameters (e.g. DNS server address).

In other hand, if you want to build a "Site-to-Site VPN Connection" ,
use L2 (Ethernet Bridging) for OpenVPN on the computer which is set up on the
remote place for bridging. No IP-specific treatment will be done. All Ethernet
packets (MAC frames) will exchanged transparently between two or more sites.
Any computers or network equipments (e.g. routers) will be able to communicate
to other sites mutually.

VPN Server will treat a virtual VPN session from L3-mode OpenVPN as a "VPN Client" session.
VPN Server will treat a virtual VPN session from L2-mode OpenVPN as a "VPN Bridge" session.

L3 = TUN
L2 = TAP

In TAP mode clients' MACs are preset during vNIC setup. Your DHCP server will have an easier job. Consider differences between bridging and routing before any re-configuration.

[LTHE]

ok, I better understand :)
but TAP mode is not supported anymore since 2 years.... So I can't use it anymore.
But I found something else with Softether client mangager that is working...
I'll keep this solution, thanks for your answers and advices :)