pfSense OpenVPN server with user auth (LDAP) and hardware certificate
-
Hi OpenVPN gurus!
I currently run an OpenVPN server in Server Mode "Remote Access (User Auth)" to an LDAP backend. It works without any issues.
I'm wondering if there's a way to make sure that OpenVPN users will only use allowed hardware to connect to the OpenVPN server. I thought about a certificate for the hardware or sth. similar. The server mode "Remote Access (User Auth + TLS/SSL)" would be a combination of user authentication and user certificate, if I understood the Netgate docs correctly.
I'd appreciate very much if you had a hint how to achieve the goal.
Thank you!
-
No, there isn't. Even if you issue a certificate, the user could copy that certificate to something else.
Even if you had a security token those can be moved between devices.
-
Thank you @jimp!
I understand that you cannot prevent disallowed devices from establishing the connection to the OpenVPN server.
What about the firewall rules for the virtual OpenVPN adapter (Firewall > Rules > OpenVPN). Is there a way to restrict the OpenVPN clients accessing the LAN segment - e.g. only clients registered in the LAN segment's DHCP server table are allowed to access the LAN?
-
No, once it has enough connectivity to reach the DHCP server it's already past OpenVPN auth and so on.
-
OK, so there is no way. Thanks again!
