Netgate Discussion Forum

    Client export landing page?

      seijirou

      Maybe I missed it somewhere, but when I read about the OpenVPN client export package for pfSense, I expected it to have some sort of landing page for users out on the internet to log in to and download their package from.

      From all the documentation I can find though, it seems like you need to log in to the firewall as an administrator to download the client packages?

      Is this correct, or am I just blind?

      If I'm not just blind, is there any intention for there to be a WAN landing page like OpenVPN Access Server?

        jimp Rebel Alliance Developer Netgate

        No, that would be very insecure.

        You'd want a page, on your firewall no less, open to the internet protected by only a username and password, that would let someone get a VPN client and full access to your network, using that very same username and password?

        You, as the admin, download their clients for them, and distribute them to users via network/usb/cd/etc. Because you are dealing with certificates and sensitive data, a physical means of transfer is preferred. I would not recommend e-mailing them.

        But then again I tend to be paranoid when it comes to those things.

          seijirou

          @jimp:

          No, that would be very insecure.

          You'd want a page, on your firewall no less, open to the internet protected by only a username and password, that would let someone get a VPN client and full access to your network, using that very same username and password?

          You, as the admin, download their clients for them, and distribute them to users via network/usb/cd/etc. Because you are dealing with certificates and sensitive data, a physical means of transfer is preferred. I would not recommend e-mailing them.

          But then again I tend to be paranoid when it comes to those things.

          Yes, that's exactly what I'm looking for. That's how the OpenVPN AS appliance works. That's how the Juniper Network Connect full tunnel VPN solution works. That's how Fortinet SSL VPN connect works, etc. etc.

          This is standard practice. In a corporate implementation, authentication is going to be two-factor, à la domain credentials + RSA (which itself will use a static N-digit PIN + random token number).

          Regarding the security, I completely understand your position. But I respectfully request that you do not hold back function because you're concerned about the security of my implementation. When done right, more convenience does not always necessitate less security. I can do it right; I don't need a big brother holding my hand.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.