OpenVPN: Generate a random MAC Address for TAP Interfaces on Windows

Hi,

if you use some image based technology to deploy your Windows installation, for example SCCM, MDT, Acronis and/or sysprep based, and OpenVPM is already included, the MAC Address of the TAP LAN interface isn’t changed by that way. But a unique MAC Address is requiered if the clients conntects to the same OpenVPN server. If multiple clients have the same MAC Address ping from VPN Clients sometimes fails with error “TTL expired in transit” and the VPN connection is unstable.

This powershellscript sets a MAC Address for each OpenVPN TAP adapter. In detail:

  • Creating a Eventlog TAPsetMAC
  • Get all instances for TAP Adapters by reading HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\MatchingDeviceID == “tap0901”
  • Generate a random MAC Address. Starting with Prefix defined in $sMACPrefix.
  • Writing the MAC to each Adapter
  • Log the result to the EventLog
########################################################
# Generate a random MAC for all OpenVPN tap LAN interfaces
#  Michael Albert
#  05.04.2013
# License: GPLv2
########################################################
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
# MatchingDeviceID tap0901
# REG_SZ MAC=00-FF-8F-E3-A1-AE
$oRandom=New-Object System.random
function fGetRandomMAC([string]$sMACStart){
     if($sMACStart.length -ge 0 -and $sMACStart.length -le 11){
          for($iLoop=$sMACStart.length; $iLoop -le 11; $iLoop++){
               $iChar=$oRandom.Next(16)
               $sMACStart+=[String]::Format("{0:x}", $iChar).ToUpper()
          }
          return($sMACStart)
     }
     else{
          return $false
     }
}
function fConvert2MAC16([string]$sMAC12){
     [string]$sMAC16=""
     if($sMAC12.length -eq 12){
          for($iLoop=0;$iLoop -le 11;$iLoop++){
               $sMAC16+=$sMAC12.SubString($iLoop,1)
               if((($iLoop+1) % 2) -eq 0 -and ($iLoop+1) -lt 12){
                    $sMAC16+="-"
               }
          }
          return $sMAC16
     }
     else{
          return $false
     }
}
###############################################################################
# Currently not used but defined :-)
function fValidMAC([system.string]$sMAC){
          $RegExIP=new-object System.Text.RegularExpressions.Regex("^([0-9a-fA-F]{2}\-){5}([0-9a-fA-F]{2})$")
          return($RegExIP.IsMatch($sMAC))
}
###############################################################################
## MAIN
###############################################################################
$sMACPrefix="00FF8F"
if(! [System.Diagnostics.EventLog]::SourceExists("TAPsetMAC")){
     New-EventLog -Source TAPsetMAC -Log Application
}
$aTAPAdapter=Get-ChildItem "registry::HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}" -ErrorAction SilentlyContinue |where-object{$_.GetValue("MatchingDeviceID") -eq "tap0901"}
foreach($rTAPAdapter in $aTAPAdapter){
     # Get-ItemProperty -Path "registry::HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}"
     if(! ($rTAPAdapter.GetValue("MAC"))){
          #$rTAPAdapter
          #$rTAPAdapter.Name
          # Get-ItemProperty -Path ("registry::"+$rTAPAdapter.Name)
          $sMAC=fGetRandomMAC $sMACPrefix
          if($sMAC16=fConvert2MAC16 $sMAC){
               Write-Host -NoNewline  "Set MAC of TAP Adaper to" $sMAC16 "..."
               $Error.Clear()
               New-ItemProperty -Path ("registry::"+$rTAPAdapter.Name) -Force -Name MAC -PropertyType String -Value $sMAC16|Out-Null
               if(! $Error){
                    Write-Host "ok"
                    Write-EventLog -LogName Application -Source TAPsetMAC -EntryType Information -EventID 666 -Message ("TAP LAN Adapter: Altered MAC Address to "+$sMAC16)
               }
               else{
                    Write-EventLog -LogName Application -Source TAPsetMAC -EntryType Warning -EventID 666 -Message ("TAP LAN Adapter: Failed to altered MAC Address to "+$sMAC16)
               }
          }
     }
}

Michael

Generate MAC Address for OpenVPN
3.2 KiB
1651 Downloads
Details...

One thought on “OpenVPN: Generate a random MAC Address for TAP Interfaces on Windows”

  1. You might also want to automatically run the command:

    “C:\Program Files\TAP-Windows\bin\tapinstall.exe” restart tap0901

    after mucking with the registry. Otherwise the MAC address change won’t take effect until the next reboot.

Leave a Reply