Client device filtering

cofee

Hi,

in other VPN systems have client-side quarantine. I mean, I can block a client from connecting if he doesn’t have an active antivirus or doesn’t have the latest operating system (e.g.: Windows) running on his computer, or isn't a member of a domain, or isn't a PC but a mobile device...
Please tell me what filtering options are in OpenVPN?

Thanks

Gertjan

@cofee said in Client device filtering:

Please tell me what filtering options are in OpenVPN?

Which one https://openvpn.net/ ?
pfSense uses the Open Community one. Nothing added, nothing removed.
If it's here https://community.openvpn.net/openvpn/wiki, you have it.

noplan

And if you found what u r looking for tell us how u implemented it

Thanks in advance

jimp

If you want to block a specific client, you have a couple options:

• If you have user auth enabled, disable their account/change their password
• If you are using certificates, revoke the certificate
• Add a client-specific override for their username/CN with Connection Blocking checked

If you want to go the other way and whitelist clients, then:

• Create a client specific override with the Common Name set to DEFAULT (exactly that, in all caps), with Connection Blocking checked
• Create client specific overrides for the clients you want to allow without that box checked.

noplan

I guess he was looking for the fancy stuff
Like is patch level or anti virus and on and on

jimp

Yeah, nothing that fancy. The client would have to self-report to the server which it doesn't support... And you'd still be relying on the client to police itself.

johnpoz

Your thinking of vpn's that run their own client, like (anyconnect) cisco or securepulse (juniper), etc..

with the openvpn access server you could do some "fancy" stuff
https://openvpn.net/vpn-server-resources/post-auth-programming-notes-and-examples/

noplan

@jimp
Or you let handle this things from something behind the openVpn server

But hey we live in a world where we find conficker malware on highly protected (they said so) notebooks

noplan

@johnpoz

But still free of charge ??

johnpoz

No cisco or juniper is not free, nor is openvpn access server ;)

Such features always come with a cost... And to be honest they are pretty useless.. So you don't want to let the client on if their antivirus software is out of date... How does the company IT fix that if they can not get on the vpn so the company IT can fix it ;)

The client already has to have cert, and username and password... And sure if you want do something with OTP to login is... What other checks do you need?

If you want to do some sort of 802.1x check for up to date software at the office - sure, they can always have local IT fix it.. But when your remote via vpn, such checks become more of problem then any sort of solution to a problem.

noplan

@johnpoz

U r totally right!

That's why we banned all these features.

When I m at the airport I need a connection not
A call to my it Guys to make a workaround

So no more fancy expensive & useless toys :)
They still got enough to do fixin my mess

cofee

@johnpoz
In my opinion, the certificate, username, and password primarily identify the user (I know this can be argued). I’m looking for a way to filter the device and environment.

If you have internal IT staff who can manage your av-s, certs etc., then you are right and this is not a problem.

But, if you don’t have internal(!) IT staff and therefore give users the data they need to connect to a VPN, they can connect from any device (e.g. rooted Android). I think this is a real problem.

johnpoz

Why is it a problem? You just stated the client is using their own devices and your just giving them the info... If your concerned that they only connect via work laptop, then you wouldn't give this info (cert), etc. etc..

You would give them just the device, and they wouldn't eve have the permissions to pull the certs off, etc.

If you don't have an IT staff - why and the F are you worried what device the client uses to connect to the network to get their job done?

Like saying hey Bob, I need you to deliver these boxes.. But no you can not use your ford truck.. only your chevy truck.. No I am not going to give you the chevy truck... But you can only use the chevy not the ford... Why - because I don't want you to... But I am too cheap to give you the chevy..

cofee

@johnpoz
Okay :) and which truck is safer for Ford or Chevy? If you can answer, all you have to do is get the driver to use it. What tools do you have (no need to answer)?

johnpoz

Safer at what - what is the actual job... The user sure isn't going to be able to use a hammer to screw in a screw, etc.. So if they want to use their phone to check their email.. Why is that a problem - but if they need to run some 3D modeling software, then no their jailbroken android prob not going to work..

Sounds like your working up issues for non issue things.. If you need boxes moved from A to B - what does it matter which truck they use to you? Do the boxes get moved - then great!

If you want to control what tools they use, then you have to provide the tools.. You for sure can prevent them using laptop B to get on the vpn if you give them only laptop A with the stuff to get on the vpn...

cofee

@johnpoz said in Client device filtering:

If you need boxes moved from A to B - what does it matter which truck they use to you?

Yes, it matters because the boxes contain valuable data.

I think we got back to where we started :)

Thank you for your comment!

johnpoz

@cofee said in Client device filtering:

boxes contain valuable data.

Then provide them the TOOLS!!! You want to limit them to use, not just the info to get on the vpn... Yes if I give user password and cert.. He can use that on any tool he wants..

What you want to do can be done - but it requires the tools to do it. You want to do it free.. And don't have any staff to even do it using their won skills... So you want some button you can press??

How is that going to work - who is going to limit what devices can connect? Even if there was a button to press? You - you stated you don't have a staff, etc.

Give an example of if there was some magic button that you could press in pfsense that would only allow X to connect... What would that X be? How are you going to identify the hardware, that you did not provide?

Yeah full circle... Because what you want to do is a non issue that your asking to do, but don't want to pay for and don't know how to do anyway..

dotdash

You could use Duo as another level of auth for OpenVPN. This is a bit clumsy, as it uses a proxy between the client and the auth server, but Duo has some options to disallow clients with old OS, no AV, etc.

cofee

@johnpoz
Excuse me, please show me where I wrote that I don't want to pay?

Please try to understand what I am writing (my English is bad, I know too). I'm looking for the TOOLS!

I am not waiting for a miracle, but for advice, experience (see Cisco, Juniper or Duo).

noplan

hey folks i'm the one who is not willing to pay for useless fancy stuff that
keeps me off work when i need it cuz i have not patched my OS and
a fancy tool is keepin / shuttin me off the vpn

airports are not that lovely when u travel a lot !