Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Client device filtering

    Scheduled Pinned Locked Moved OpenVPN
    20 Posts 6 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jimpJ
      jimp Rebel Alliance Developer Netgate
      last edited by

      Yeah, nothing that fancy. The client would have to self-report to the server which it doesn't support... And you'd still be relying on the client to police itself.

      Remember: Upvote with the šŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Your thinking of vpn's that run their own client, like (anyconnect) cisco or securepulse (juniper), etc..

        with the openvpn access server you could do some "fancy" stuff
        https://openvpn.net/vpn-server-resources/post-auth-programming-notes-and-examples/

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        noplanN 1 Reply Last reply Reply Quote 1
        • noplanN
          noplan
          last edited by

          @jimp
          Or you let handle this things from something behind the openVpn server

          But hey we live in a world where we find conficker malware on highly protected (they said so) notebooks

          1 Reply Last reply Reply Quote 0
          • noplanN
            noplan @johnpoz
            last edited by

            @johnpoz

            But still free of charge ??

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              No cisco or juniper is not free, nor is openvpn access server ;)

              Such features always come with a cost... And to be honest they are pretty useless.. So you don't want to let the client on if their antivirus software is out of date... How does the company IT fix that if they can not get on the vpn so the company IT can fix it ;)

              The client already has to have cert, and username and password... And sure if you want do something with OTP to login is... What other checks do you need?

              If you want to do some sort of 802.1x check for up to date software at the office - sure, they can always have local IT fix it.. But when your remote via vpn, such checks become more of problem then any sort of solution to a problem.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              noplanN C 2 Replies Last reply Reply Quote 0
              • noplanN
                noplan @johnpoz
                last edited by

                @johnpoz

                U r totally right!

                That's why we banned all these features.

                When I m at the airport I need a connection not
                A call to my it Guys to make a workaround

                So no more fancy expensive & useless toys :)
                They still got enough to do fixin my mess

                1 Reply Last reply Reply Quote 0
                • C
                  cofee @johnpoz
                  last edited by

                  @johnpoz
                  In my opinion, the certificate, username, and password primarily identify the user (I know this can be argued). I’m looking for a way to filter the device and environment.

                  If you have internal IT staff who can manage your av-s, certs etc., then you are right and this is not a problem.

                  But, if you don’t have internal(!) IT staff and therefore give users the data they need to connect to a VPN, they can connect from any device (e.g. rooted Android). I think this is a real problem.

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    Why is it a problem? You just stated the client is using their own devices and your just giving them the info... If your concerned that they only connect via work laptop, then you wouldn't give this info (cert), etc. etc..

                    You would give them just the device, and they wouldn't eve have the permissions to pull the certs off, etc.

                    If you don't have an IT staff - why and the F are you worried what device the client uses to connect to the network to get their job done?

                    Like saying hey Bob, I need you to deliver these boxes.. But no you can not use your ford truck.. only your chevy truck.. No I am not going to give you the chevy truck... But you can only use the chevy not the ford... Why - because I don't want you to... But I am too cheap to give you the chevy..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    C 1 Reply Last reply Reply Quote 0
                    • C
                      cofee @johnpoz
                      last edited by

                      @johnpoz
                      Okay :) and which truck is safer for Ford or Chevy? If you can answer, all you have to do is get the driver to use it. What tools do you have (no need to answer)?

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Safer at what - what is the actual job... The user sure isn't going to be able to use a hammer to screw in a screw, etc.. So if they want to use their phone to check their email.. Why is that a problem - but if they need to run some 3D modeling software, then no their jailbroken android prob not going to work..

                        Sounds like your working up issues for non issue things.. If you need boxes moved from A to B - what does it matter which truck they use to you? Do the boxes get moved - then great!

                        If you want to control what tools they use, then you have to provide the tools.. You for sure can prevent them using laptop B to get on the vpn if you give them only laptop A with the stuff to get on the vpn...

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        C 1 Reply Last reply Reply Quote 0
                        • C
                          cofee @johnpoz
                          last edited by

                          @johnpoz said in Client device filtering:

                          If you need boxes moved from A to B - what does it matter which truck they use to you?

                          Yes, it matters because the boxes contain valuable data.

                          I think we got back to where we started :)

                          Thank you for your comment!

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            @cofee said in Client device filtering:

                            boxes contain valuable data.

                            Then provide them the TOOLS!!! You want to limit them to use, not just the info to get on the vpn... Yes if I give user password and cert.. He can use that on any tool he wants..

                            What you want to do can be done - but it requires the tools to do it. You want to do it free.. And don't have any staff to even do it using their won skills... So you want some button you can press??

                            How is that going to work - who is going to limit what devices can connect? Even if there was a button to press? You - you stated you don't have a staff, etc.

                            Give an example of if there was some magic button that you could press in pfsense that would only allow X to connect... What would that X be? How are you going to identify the hardware, that you did not provide?

                            Yeah full circle... Because what you want to do is a non issue that your asking to do, but don't want to pay for and don't know how to do anyway..

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            C 1 Reply Last reply Reply Quote 0
                            • dotdashD
                              dotdash
                              last edited by

                              You could use Duo as another level of auth for OpenVPN. This is a bit clumsy, as it uses a proxy between the client and the auth server, but Duo has some options to disallow clients with old OS, no AV, etc.

                              1 Reply Last reply Reply Quote 0
                              • C
                                cofee @johnpoz
                                last edited by

                                @johnpoz
                                Excuse me, please show me where I wrote that I don't want to pay?

                                Please try to understand what I am writing (my English is bad, I know too). I'm looking for the TOOLS!

                                I am not waiting for a miracle, but for advice, experience (see Cisco, Juniper or Duo).

                                1 Reply Last reply Reply Quote 0
                                • noplanN
                                  noplan
                                  last edited by

                                  hey folks i'm the one who is not willing to pay for useless fancy stuff that
                                  keeps me off work when i need it cuz i have not patched my OS and
                                  a fancy tool is keepin / shuttin me off the vpn

                                  airports are not that lovely when u travel a lot !

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.