Can a user supply a password for vpn connection with pfsense-as-client?

  • I'm envisioning something like handing a not-very-technical user a voip phone and a sg-3100 and a computer to set up a temporary remote office. Ideally the user would connect the 3, and then plug in the uplink to some internet access (e.g. home…) and get remote vpn access to one of my networks in the office. But, I really don't want password-less vpn access - the device can be stolen or just used when the person isn't there... I'm leaning toward ipsec tunnel to the phone switch and then requiring the computer to use software to separately vpn in (e.g. openvpn since that is what we use for remote access right now).

    I know there are software voip phones, but I really need this specific physical handset...
    I have a bunch of point-to-point ipsec vpns using pfsense, but I need admin access to pfsense to reconfigure them. Same for openvpn - requires admin login...

    Is there some easy way to allow the pfsense box to be the vpn endpoint, but require/allow the user to supply the authentication for the connection? The box may be left alone in a hotel for instance - I need to have more than just physical possession of the box to get in to my network.

    Or is there some better/easier way that my tunnel-vision is keeping me from seeing?

  • perhaps using captive portal somehow?  the tunnels can be automatic but no use of devices on any of the ports without portal authentication?  I've never used captive portal before… I'll have to go read up on it.

  • LAYER 8 Netgate

    No. Captive portal is not going to work.

    Use SSL/TLS remote access with a CRL and revoke the certificate if the router is lost/stolen.

    Use SSL/TLS + User auth with an out-of-band factor like Duo.

  • "captive portal is not going to work."

    Can you elaborate?  Why?

    "revoke the certificate if the router is lost/stolen"

    This isn't really a good defense against someone with physical access to the router.  I'm less concerned about theft and more concerned about possible unauthorized use by others who may have physical access to where the router is stored.

    "Use SSL/TLS + User auth"

    How can I do this with a voip phone I'm attaching via one of the ports on an sg-3100 that needs vpn'd access to a non-public phone switch?  I can certainly do openvpn connections with password protected certs - in fact this is what I use for my other remote access clients.

    I'd like to use the sg3100 to provide vpn services for other hardware that can't do vpn services for itself, and I'd like it to take a user supplied password for initial connection to prevent casual access by unauthorized people.

    At this point, I'm leaning toward password-saved-in-the-router ipsec vpn for JUST the voip phone and software (openvpn client) on the laptop.

    I was just hoping to find some way to do both with the hardware.  Thanks for your suggestions.
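A concrete form of the server-side enforcement the Netgate reply suggests (a non-revoked client certificate plus a user name/password checked out of band), paired with a laptop client that prompts for its secrets instead of storing them, as the thread ends up planning for the software leg. This is an added example, not configuration from the thread or from pfSense's generated configs; file paths, the host name and the verification script are placeholders, and the unattended IPsec tunnel for the phone is not covered here.

```conf
# --- OpenVPN server (pfSense would generate its own; placeholders throughout) ---
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/tls-crypt.key     # authenticate every packet; silently drop the rest
verify-client-cert require               # no client certificate, no TLS handshake
crl-verify /etc/openvpn/crl.pem          # a lost/stolen device's cert is revoked here;
                                         # re-publish the CRL and the cert stops working
remote-cert-tls client                   # client must present a client-EKU cert, not a copied server cert
# Second factor: a script (placeholder) checks user name/password, e.g. against RADIUS/OTP.
script-security 2
auth-user-pass-verify /etc/openvpn/check-user.sh via-env
reneg-sec 3600                           # renegotiate hourly; with auth-nocache the client re-prompts

# --- Laptop OpenVPN client (the software vpn-in the thread leans toward) ---
client
dev tun
proto udp
remote vpn.example.invalid 1194          # placeholder host
ca   ca.crt
cert laptop.crt
key  laptop.key                          # passphrase-protected private key...
askpass                                  # ...no file argument: prompt for the passphrase
auth-user-pass                           # no file argument: prompt for user name/password
auth-nocache                             # forget both after use; re-prompt at renegotiation
remote-cert-tls server
tls-crypt tls-crypt.key
```

Putting a password file after `askpass` or `auth-user-pass` would recreate the stored-credential situation the thread is trying to avoid, so the client side deliberately leaves both without arguments.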
