Netgate Discussion Forum

    Prevent access to personal devices

    OpenVPN
    6 Posts 4 Posters 608 Views
    josea.guardia

      Hi.

      I want to secure connections to openVPN by being able to control which devices can connect, preventing devices from outside the company from accessing (or at least being able to launch a script or write the hostname and MAC in a log to alert).

      There are all kinds of clients: Ubuntu, CentOS, Windows 10 and server, OSX, Android, IOS.

      Any ideas how to do this?

        Gertjan

        Device names, MAC's etc can be changed easily.
        Users that can/should access your VPN have credentials like password, certificates. These can be copied.
        It all boils down to the usual issue: don't hand out these credentials in case of doubt.
        And limit on a per user basis what a user can access.

        Why should you care if the user uses OSx, or an iOS or Windows XP ?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          JKnott @josea.guardia

          @josea-guardia

          Also, you'll never see a MAC address from a remote device. They never leave the local network.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            josea.guardia

            @Gertjan said in Prevent access to personal devices:

            And limit on a per user basis what a user can access.

            That does not solve the problem, since what we want to avoid is that users use a different laptop than the company to connect to the openVPN

            "Also, you'll never see a MAC address from a remote device. They never leave the local network." -> But you can launch a script when connecting on the client side, but it can be skipped very easily since it is plain text in the configuration file.

            Thanks

              Gertjan @josea.guardia
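The client-side script mentioned above runs on a machine the user controls, so the user can simply delete it from the .ovpn file. The check that cannot be skipped is the one the server runs. As an added example (not from this thread or from the OpenVPN project), the hook below is a server-side `client-connect` script: OpenVPN calls it after the TLS handshake succeeds, exports peer details such as `common_name`, `untrusted_ip` and `IV_PLAT` in the environment (and `IV_HWADDR` only if the client has `push-peer-info`, which the thread rightly notes is trivially spoofed), and a non-zero exit refuses the session. It compares the certificate common name against an allowlist of company devices, on the assumption that each laptop gets its own certificate rather than one per user, and writes an audit line to syslog either way so a denied attempt can raise an alert. The allowlist path `/etc/openvpn/device-allowlist.txt` and the `openvpn-hook` log tag are assumptions for this example; the server config needs `script-security 2` and `client-connect /path/to/this-script` for OpenVPN to run it.

```shell
#!/bin/sh
# Constructed example of an OpenVPN server-side client-connect hook.
# OpenVPN sets common_name, untrusted_ip, IV_PLAT (and IV_HWADDR only when
# the client is configured with push-peer-info) in the environment before
# running this script; exit status 0 admits the client, non-zero rejects it.
# The allowlist path and log tag below are assumptions for this example.

ALLOWLIST="${ALLOWLIST:-/etc/openvpn/device-allowlist.txt}"

# Return 0 if the certificate common name appears as an exact line in the
# allowlist, 1 otherwise. With one certificate issued per company device,
# the allowlist is the list of approved devices, not of users.
check_client_allowed() {
    cn="$1"
    list="$2"
    [ -r "$list" ] || return 1
    grep -Fxq -- "$cn" "$list"
}

# Build the audit line sent to syslog: cn, source address, reported
# platform, reported hardware address (if any) and the decision.
format_audit_line() {
    printf 'openvpn-connect cn=%s src=%s plat=%s hwaddr=%s result=%s' \
        "$1" "$2" "${3:-unknown}" "${4:-n/a}" "$5"
}

main() {
    cn="${common_name:-}"
    src="${untrusted_ip:-}"
    if check_client_allowed "$cn" "$ALLOWLIST"; then
        result=allow
        rc=0
    else
        result=deny
        rc=1
    fi
    # Log both outcomes; a deny line is what a SIEM rule would alert on.
    format_audit_line "$cn" "$src" "${IV_PLAT:-}" "${IV_HWADDR:-}" "$result" \
        | logger -t openvpn-hook
    return $rc
}

# Only run the hook body when invoked by OpenVPN (common_name is exported).
if [ -n "${common_name:-}" ]; then
    main
    exit $?
fi
```

Revoking a lost or personal-device certificate is then a CRL update on the server rather than a change on the client, and the deny lines give the hostname-and-alert behaviour the first post asked for, keyed on something the server actually verifies (the certificate) instead of a MAC or hostname the client merely claims.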

              @josea-guardia said in Prevent access to personal devices:

              we want to avoid is that users use a different laptop than the company to connect to the openVPN

              Like to meet these 'we'.

              Users (with an average number of neurons) can and will use login credentials on devices when they think they have to do so.

              You should consider taking the source of VPN, recompile it with some extra code so that executing only works on a well defined device. Like pay-ware software does, using the TPM chip, BIOS ID, hardware references etc.
              The OPENVPN is "open source", and you are asking for a version that executes on one device only, using, for example, a hard coded certificate and user credentials based on this cert.
              It can be done.

              Way easier is : have these users sign a contract that extends their work contract. That should bring you somewhat into the right direction.

                Pippin

                Something to read:
                https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16128.html

                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                Halton Arp

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.