Netgate Discussion Forum

    lock client hardware

    Category: OpenVPN

    • S
      sgw
      last edited by

      Is there a way to prevent users from copying the ovpn-config to other devices?
      I googled something around certs and TPM, sounds like overkill ... maybe there's a clever way to protect the tunnel-config via permissions/ACLs or so?

      • JeGrJ
        JeGr LAYER 8 Moderator
        last edited by

        @sgw said in lock client hardware:

        Is there a way to prevent users from copying the ovpn-config to other devices?

        No, it's a simple text file. How should you lock that?

        I googled something around certs and TPM, sounds like overkill ... maybe there's a clever way to protect the tunnel-config via permissions/ACLs or so?

        Protect the tunnel config? How do tunnel and user devices go together? What are you trying to do exactly?

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        • S
          sgw
          last edited by

          My customer wants to make sure that his employees only use the openvpn-configs on company devices.
          So we look for a way to "hide" the tunnel-config-files from the user.
          Right now we set up authentication against Samba-ADS, so there is basically one overall ovpn-file for all the allowed users. If we can deploy that via group policy objects or so and let the openvpn-client run as a service, this should do the trick, right?
          Is the way maybe to deploy/install the provided Windows installer exe from the client export tab?
          thanks ...

          • JeGrJ
            JeGr LAYER 8 Moderator
            last edited by

            @sgw said in lock client hardware:

            My customer wants to make sure that his employees only use the openvpn-configs on company devices.

            As long as he doesn't lock the company devices down to almost "dumb" mode, a user can always run their own OVPN configuration, as they could simply run the OVPN exe with their config. That won't work.

            Right now we set up authentication against Samba-ADS, so there is basically one overall ovpn-file for all the allowed users. If we can deploy that via group policy objects or so and let the openvpn-client run as a service, this should do the trick, right?

            Yes, every client can/will get the configuration via the group policy. But that won't stop the user from making manual changes (OK, could be, depending on where you deploy the ovpn configuration and if they have local admin rights) or using their own ovpn config.

            Is the way maybe to deploy/install the provided Windows installer exe from the client export tab?

            If you wanna roll out that config via group policy, I wouldn't use the Windows installer exe. AFAIK you'd need an MSI anyways. Simply install OpenVPN on the clients (either manually or per group policy and with the official installer from the website - I think they even have an MSI there somewhere) and just deploy the configuration to the necessary directory. It can either be in %program_path%\config (C:\Program Files\OpenVPN\config or sth.) or in %user%\OpenVPN (C:\Users\%Username%\OpenVPN\config).

            But as it is, I certainly doubt you can lock up the config in a way that a user couldn't just take it and copy it to another device if they want to. The only thing you can enforce is that one user could only log in once with the same certificate/username combination, so no one can use both at the same time.

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

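The machine-wide deployment the moderator describes (profile in the OpenVPN config directory, tunnel started by the service) can be taken one step further by giving the profile an ACL that only SYSTEM and Administrators can read, so a standard user cannot open or copy the file while the service, running as LocalSystem, still can. This is an added example script, not code from the thread or from Netgate/OpenVPN; the share path, file name and config directory are placeholders, and it assumes the OpenVPN community client with its OpenVPNService is installed and the script runs elevated (e.g. as a GPO computer startup script). As the moderator notes, a local administrator can still read the file and a user can still run their own OpenVPN binary, so the server-side single-session-per-certificate setting remains the only hard enforcement.

```powershell
# Deploy a company OpenVPN profile so standard users cannot read or copy it.
# Placeholders: $SourceProfile, $ConfigDir (verify the directory your OpenVPN
# version's service scans for profiles), $ServiceName (OpenVPNService = openvpnserv2).
param(
    [string]$SourceProfile = '\\fileserver\deploy\company.ovpn',   # placeholder share path
    [string]$ConfigDir     = 'C:\Program Files\OpenVPN\config',     # assumed service config dir
    [string]$ServiceName   = 'OpenVPNService'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $ConfigDir)) {
    throw "OpenVPN config directory not found: $ConfigDir"
}

# Copy the profile into the machine-wide directory, overwriting any older copy.
$target = Join-Path -Path $ConfigDir -ChildPath (Split-Path -Path $SourceProfile -Leaf)
Copy-Item -Path $SourceProfile -Destination $target -Force

# Replace the inherited ACL (which normally grants BUILTIN\Users read access under
# Program Files) with an explicit one: only SYSTEM and Administrators may touch the file.
$acl = Get-Acl -Path $target
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs
foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $target -AclObject $acl

# Verify that no ACE for the Users group survived; a standard user should now get Access Denied.
$userAces = (Get-Acl -Path $target).Access | Where-Object { $_.IdentityReference -like '*\Users' }
if ($userAces) {
    Write-Warning "BUILTIN\Users still has access to $target; check the ACL manually."
}

# The service runs as LocalSystem, so it can read the profile the user cannot.
Set-Service -Name $ServiceName -StartupType Automatic
Restart-Service -Name $ServiceName
Write-Host "Deployed $target; readable only by SYSTEM and Administrators, started by $ServiceName."
```

Pair this with the OpenVPN server's per-certificate single-connection restriction (the "duplicate connection" behaviour the moderator mentions), since that is what actually stops a copied profile from being used concurrently.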
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.