Single Client Package, Multiple Users
-
We have almost 100 clients who need to connect at one point or another (and at least 10 simultaneously) through our VPN. Currently we use an IPCop firewall with roadwarrior connections. We have a separate client package for each computer. It seems that to use a similar setup in pfSense we will need to create users for every single one of them and then re-export the client package.
In order to simplify this in the future, what settings do we need to have a single certificate that can be put on multiple clients? Rather than have a single package for every client, could we have one for each type of client (i.e. employees need complete VPN access, customers only need limited access, etc.)?
I'm not quite sure of the best way to go about this, so some help would be great. In the end we'll want our web server accessible by the VPN network and our local network, but not allow access to the local network by the VPN network.
-
For what we are wanting, I followed these instructions and it worked great: http://forum.pfsense.org/index.php/topic,38692.msg200040.html#msg200040
Don't forget to allow multiple connections from the same certificate in the Server settings.
-
When I do it this way, are individual IPs given to each client even though they are using the same certificate? Or are they all getting one internal IP (192.168.3.6 for example) and having to share it?
-
Of course, now if one person loses their laptop or any certificate is otherwise lost, you have to replace every single client… Probably not ideal ;)
However, each client will get a different IP.
-
Why not simply set up OpenVPN in "user auth" mode with a static key? Isn't that what you're basically doing anyway?
When I do that, I get a single export installer that works for multiple users.
-
Hmm, that might be a better way to do it. What advantages/disadvantages are there between the two methods? These are remote systems with no active user so we can't type in a password each reboot.
-
SSL/TLS with no auth is best for that kind of setup. That way you can still revoke the certificate if something gets compromised.
You should still have one certificate per user/site.
-
Currently we have a bunch of 'satellite' systems that all serve the same purpose and don't have active users. It was looking to be a bit tedious (as we are constantly sending out new systems and such) to have to create a separate user in pfSense for our fluid usage of the network. However, as you have mentioned, if the certificate is compromised then anyone could have access to the network (which only allows access to one IP but that is beside the point) and we'd have to replace the certificate on all the systems.
Is there an easier way to create a user/certificate combination without having to go through so many steps every time? On IPCop, for example, you type in the hostname and one or two other things and it creates the user and certificate and everything.
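The "one certificate per site, revocable if a system is lost" approach from the earlier reply, done as the one-step-per-hostname workflow asked about here, as an added example that is not from the thread or from pfSense's certificate manager. It assumes only the openssl CLI (1.1.1 or later); the ./vpn-ca directory, CA name and hostnames are constructed.

```shell
# Added example, not from the thread or pfSense: a small openssl CA that issues one
# client certificate per satellite system in a single step and revokes one lost
# system through a CRL without touching the others. All names are constructed.
set -e; CA_DIR="${CA_DIR:-./vpn-ca}"
# Run once: CA config, root key/cert, the index/serial files "openssl ca" needs, empty CRL.
ca_init() {
    mkdir -p "$CA_DIR/issued"; : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ client_ext ]
extendedKeyUsage = clientAuth
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/issued
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_pol
[ any_pol ]
commonName = supplied
EOF
    openssl req -x509 -config "$CA_DIR/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -days 3650 -subj "/CN=satellite-vpn-ca" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}
# One system, one command: hostname in, key + cert out; only that system receives them.
issue_client() {
    openssl req -new -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/ca.cnf" -extensions client_ext -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}
# Lost laptop: revoke just that cert and republish the CRL the OpenVPN server loads
# with "crl-verify"; every other system keeps connecting with its own cert.
revoke_client() {
    openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/$1.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}
# Exit 0 when the cert chains to the CA and is not on the CRL, non-zero otherwise.
verify_client() {
    openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1
}
```

Typical use: `ca_init` once, then `issue_client sat-07` for each new system as it ships, and `revoke_client sat-07` when one goes missing; the other systems' certificates stay valid.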