Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Limit vpn access to one computer per account.

    General pfSense Questions
    5
    11
    235
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gridxvpn last edited by

      We want to limit access to one computer per account. i.e. only the computer an user used to connect the first time from is allowed to connect for that account. It will be denied if he try to connect from another computer. I know one way to accomplish that is to setup static mapping. However, we're running pfSense on AWS ec2 and it's not possible to setup DHCP in ec2. So we need an alternate way to do it.

      C 1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by johnpoz

        Huh? So I get info and cert for how to connect to openvpn.. What stops me from connecting from another device with that same cert and info? Not sure how you think dhcp mac static thing comes into play here?

        What exactly are you trying to prevent? Say I connect in with my laptop, but then I also want to connect with my tablet.. Why does it matter? I can only have 1 connection at a time, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        1 Reply Last reply Reply Quote 0
        • G
          gridxvpn last edited by

          So if you have static IP for MAC address and disallow any access not in that mapping table, then you can stop another device.

          Although it's still 1 connection at a time, it matters where the connection is coming from. We don't want users to use their own devices to access vpn.

          JKnott 1 Reply Last reply Reply Quote 0
          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            Mac has nothing to do with it.. Mac only matters on a L2 network, not across the internet or across L3 networks..

            If you don't want users using their own devices.. Then don't let them.. But it has nothing to do with mac addresses.. Use certs assigned to their machines from your AD or something, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

            1 Reply Last reply Reply Quote 0
            • JKnott
              JKnott @gridxvpn last edited by

              @gridxvpn said in Limit vpn access to one computer per account.:

              So if you have static IP for MAC address and disallow any access not in that mapping table, then you can stop another device.

              Devices connected via VPN do not use DHCP. Their address is provided via the tunnel connection, so the MAC address of the remote device is irrelevant.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 64 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              1 Reply Last reply Reply Quote 0
              • stephenw10
                stephenw10 Netgate Administrator last edited by

                Yeah, this is probably a lot harder to achieve that you imagine.

                You can use some sort of physical authentication device but it's complex to setup and administer. It also still only limits you to one device per user not necessarily the same device.

                You could imagine using something like the trusted platform key somehow but.... good luck with that! 😉

                Steve

                1 Reply Last reply Reply Quote 0
                • C
                  coffeecup25 @gridxvpn last edited by coffeecup25

                  @gridxvpn Easy peasy. All of my devices are set up exactly this way.

                  1. Create user certificates for each device. Make the password unique for each certificate
                  2. On the OpenVPN server configuration screen, there's a checkbox that requires the certificate in use to match the user id being tried.
                  3. Download the certificates / configuration files to each designated device.
                  4. Assign the devices to their designated users. Tell users not to share passwords AND let others use their PCs.

                  The effect: UserABC can only use the PC assigned to UserABC unless they know the password for another device AND they have access to that other device. You're creating a type of two factor authentication - They must KNOW the password AND have access to the PC it was assigned to.

                  G 1 Reply Last reply Reply Quote 0
                  • stephenw10
                    stephenw10 Netgate Administrator last edited by

                    That doesn't prevent those users copying the cert to a different device though... if that's something the OP is trying to prevent.

                    C 1 Reply Last reply Reply Quote 0
                    • C
                      coffeecup25 @stephenw10 last edited by coffeecup25

                      @stephenw10
                      If you're looking for perfection, it does not exist anywhere. Users can share passwords. Users can share devices. Users can share config files. Users can lie and cheat and steal regardless of the best efforts of anyone. This is why the concept of 'controls' and 'audits' exists, which must be accompanied by penalties for infractions, otherwise they are useless efforts. For home use, there's little need to panic. For business use, it's all about protecting the assets of the business and the jobs of everyone else which could disappear if the computer system gets screwed up enough. Employee feelings are for HR to make better. The front door is also a good tool in some cases.

                      1 Reply Last reply Reply Quote 1
                      • G
                        gridxvpn @coffeecup25 last edited by

                        This could potential work. Is there a way to automate the certificate creation or I'll have to manually create it? THere is a pfSense python API pfsense-fauxapi, but I don't think it can do that

                        1 Reply Last reply Reply Quote 0
                        • stephenw10
                          stephenw10 Netgate Administrator last edited by

                          Not easily. You might be better off generating the certs externally and autenticating users separately as well if you went that route.

                          Steve

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post