Netgate Discussion Forum
    Can a user supply a password for vpn connection with pfsense-as-client?

    OpenVPN
    4 Posts 2 Posters 677 Views
    minektur

      I'm envisioning something like handing a not-very-technical user a voip phone and a sg-3100 and a computer to set up a temporary remote office. Ideally the user would connect the 3, and then plug in the uplink to some internet access (e.g. home…) and get remote vpn access to one of my networks in the office. But, I really don't want password-less vpn access - the device can be stolen or just used when the person isn't there.... I'm leaning toward ipsec tunnel to the phone switch and then requiring the computer to use software to separately vpn in (e.g. openvpn since that is what we use for remote access right now).

      I know there are software voip phones, but I really need this specific physical handset...
      I have a bunch of point-to-point ipsec vpns using pfsense, but I need admin access to pfsense to reconfigure them. Same for openvpn - requires admin login...

      Is there some easy way to allow the pfsense box be the vpn endpoint, but require/allow the user to supply the authentication for the connection? The box may be left alone in a hotel for instance - I need to have more than just physical possession of the box to get in to my network.

      Or is there some better/easier way that my tunnel-vision is keeping me from seeing?

      minektur

        Perhaps using captive portal somehow?  The tunnels can be automatic but no use of devices on any of the ports without portal authentication?  I've never used captive portal before… I'll have to go read up on it.

        Derelict (Netgate)

          No. Captive portal is not going to work.

          Use SSL/TLS remote access with a CRL and revoke the certificate if the router is lost/stolen.

          Use SSL/TLS + User auth with an out-of-band factor like Duo.

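As an added illustration of the two parts of Derelict's advice (example configuration written for this page, not the poster's or Netgate's own; the file paths, the hostname vpn.example.net and the verify.sh script name are placeholders), this is the shape of an OpenVPN server that enforces both a CRL and a per-user password, beside a laptop client that stores no secret at all:

```conf
# --- Server side: the pfSense OpenVPN server. pfSense writes an equivalent
# file from its GUI settings; these are the standard OpenVPN directives
# that the "SSL/TLS + User Auth" mode and a selected CRL turn into. ---
mode server
tls-server
dev tun
proto udp
port 1194
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem

# 1. Certificate revocation. A client certificate that chains to the CA is
#    still refused if it is listed in crl.pem, so revoking the router's
#    certificate and publishing a fresh CRL cuts off a lost or stolen box.
crl-verify /etc/openvpn/crl.pem

# 2. Per-user password on top of the certificate. The typed username and
#    password are handed to verify.sh (placeholder name); on pfSense this
#    is its own authentication backend, which can be a RADIUS server that
#    fronts an out-of-band factor such as Duo.
verify-client-cert require
script-security 2
auth-user-pass-verify /etc/openvpn/verify.sh via-file

# --- Client side: the laptop with a desktop OpenVPN client, not the SG-3100.
# Nothing here is a stored credential. ---
client
dev tun
proto udp
remote vpn.example.net 1194
ca   ca.crt
cert laptop.crt
key  laptop.key      # passphrase-protected private key; with no 'askpass'
                     # file given, OpenVPN prompts for the passphrase at start
auth-user-pass       # no file argument: prompt for username and password too
auth-nocache         # forget the typed credentials after they have been used
```

Both prompts need an interactive client, which is why these same directives do not give the SG-3100 the behaviour the question asks for: an OpenVPN client on pfSense runs as an unattended daemon and keeps its username, password and key in the router's saved configuration, so whoever has the box has the credentials. The CRL is the control that still applies once the box is out of your hands.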
            minektur

            > captive portal is not going to work.

            Can you elaborate?  Why?

            > revoke the certificate if the router is lost/stolen

            This isn't really a good defense against someone with physical access to the router.  I'm less concerned about theft and more concerned about possible unauthorized use by others who may have physical access to where the router is stored.

            > Use SSL/TLS + User auth

            How can I do this with a voip phone I'm attaching via one of the ports on an sg-3100 that needs vpn'd access to a non-public phone switch?  I can certainly do openvpn connections with password protected certs - in fact this is what I use for my other remote access clients.

            I'd like to use the sg3100 to provide vpn services for other hardware that can't do vpn services for itself, and I'd like it to take a user supplied password for initial connection to prevent casual access by unauthorized people.

            At this point, I'm leaning toward password-saved-in-the-router ipsec vpn for JUST the voip phone and software (openvpn client) on the laptop.

            I was just hoping to find some way to do both with the hardware.  Thanks for your suggestions.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.