Auto account creation with downloadable files?
-
I am setting up a virtual pen-testing lab on my ESXi host. Right now users are able to connect to it by VPNing to my ISP Modem/Router and it has port forwarding enabled to push all UDP 1194 connections to my pfSense (virtual) router which then puts them in my virtual network. It is working but I have to create each user and then send them the login information and files. I was wanting to set up a site that would allow them to create a username and password and then either automatically generate keys and package them up for download, or only use username and password credentials for authentication.
This is going to be used in a very small group of people who I know personally so super secure isn't that important to me. I would just like to automate it as much as possible. Basically I will say connect to http://xxx.xxx.xxx.xxx:80 to be granted a webpage. If it doesn't load then my server is not on and you would have to wait. Once my server is on and running and the site loads, you're able to create a username and password. Then you can either download the certificates or just username and password. Then you open up OpenVPN and it would connect you back to my IP but this time port forwarding would push you to the pfSense which would handle the VPN aspect and authenticate you.
I am not sure the best route to do this.
-
While I think this is an extremely bad idea….
why not
-create 1 user-account in user manager
-- Add Privileges: OpenVPN: Client Export Utility page.
-create an openvpn user/server that allows enough simultaneous connections of the same user
This way, you just have to email a single login/password, and everyone can download the same certs from the GUI
-
Why do you think it is a bad idea? Also, if I create 1 account and allow simultaneous connections, then I could just post the username and password and cert files on a site and the users I allow to connect can just download the cert and they all share the credentials for logging in?
Also, would they be interfering with each other? Would this cause any sort of issue? I am not sure if this would cause any sort of IP conflicts if I have 10 different people connect? I don't think it would since the connecting users are put into their own subnet. I just want to double check before I start making some changes.
Also, I am getting a Netgear ac2350 Nighthawk x4 router that I will be putting DD-WRT on and setting the ISP Modem as bridge. This should give me some dynamic DNS and a few more features that can help with the lab setup. If you have any idea of some features that would offer to help with this let me know.
Thanks.
-
Allowing users to download their own VPN installers is not currently possible and not something we are likely to implement until a secure method can be devised.
Giving users access to the export package will let any user download an installer for any other user. It does not restrict them to their own installers.
The main reason it's a bad idea is that it takes all your extra security/authentication factors (TLS key, certificates, etc) and makes them practically worthless. All someone would need to do is obtain a user's name/password and they could download their VPN installer. Even though we do protect against brute force attacks, that doesn't help if someone gets the user/pass directly by phishing, social engineering, and so on.
Search around on the forum and reddit. I've ranted about it several times before.
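Added example, not part of the thread: with one shared account and duplicate connections allowed, the server can no longer tie a session to a person, which shows up in the OpenVPN status file as one Common Name connected from several source addresses. The sketch below flags that condition; it assumes the `status-version 1` file layout, and the sample data and function names are constructed for illustration.

```python
import csv
from collections import defaultdict

# Constructed sample in OpenVPN's "status-version 1" layout (documentation IPs).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Jan  5 20:15:02 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
labuser,203.0.113.10:51234,48211,90312,Mon Jan  5 19:02:11 2015
labuser,198.51.100.77:40022,1200,3400,Mon Jan  5 20:01:45 2015
alice,203.0.113.25:61000,5500,7100,Mon Jan  5 19:30:00 2015
labuser,203.0.113.10:51300,300,800,Mon Jan  5 20:10:09 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,labuser,203.0.113.10:51234,Mon Jan  5 20:14:58 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def client_sessions(status_text):
    """Yield (common_name, source_ip, connected_since) from the CLIENT LIST section."""
    in_clients = False
    for row in csv.reader(status_text.splitlines()):
        if not row:
            continue
        if row[0] == "Common Name":      # header row opens the client section
            in_clients = True
            continue
        if row[0] == "ROUTING TABLE":    # next section starts, stop parsing
            break
        if in_clients and len(row) == 5:
            source_ip = row[1].rsplit(":", 1)[0]  # drop the source port
            yield row[0], source_ip, row[4]

def shared_identities(status_text):
    """Return {common_name: [source_ips]} for names seen from more than one address."""
    sources = defaultdict(set)
    for cn, ip, _ in client_sessions(status_text):
        sources[cn].add(ip)
    return {cn: sorted(ips) for cn, ips in sources.items() if len(ips) > 1}

if __name__ == "__main__":
    for cn, ips in shared_identities(SAMPLE_STATUS).items():
        print(f"{cn}: concurrent sessions from {len(ips)} addresses: {', '.join(ips)}")
```

Two sessions from the same address (a reconnect, or two machines behind one NAT) are not flagged; only distinct source addresses count.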