Client export landing page?
-
Maybe I missed it somewhere, but when I read about the OpenVPN Client Export package for pfSense, I expected it to have some sort of landing page for users out on the internet to log in to and download their package from.
From all the documentation I can find, though, it seems like you need to log in to the firewall as an administrator to download the client packages?
Is this correct, or am I just blind?
If I'm not just blind, is there any intention for there to be a WAN landing page like OpenVPN Access Server has?
-
No, that would be very insecure.
You'd want a page, on your firewall no less, open to the internet and protected by only a username and password, that would let someone get a VPN client and full access to your network using that very same username and password?
You, as the admin, download their clients for them and distribute them to users via network/USB/CD/etc. Because you are dealing with certificates and sensitive data, a physical means of transfer is preferred. I would not recommend e-mailing them.
But then again I tend to be paranoid when it comes to those things.
-
> No, that would be very insecure.
> You'd want a page, on your firewall no less, open to the internet and protected by only a username and password, that would let someone get a VPN client and full access to your network using that very same username and password?
> You, as the admin, download their clients for them and distribute them to users via network/USB/CD/etc. Because you are dealing with certificates and sensitive data, a physical means of transfer is preferred. I would not recommend e-mailing them.
> But then again I tend to be paranoid when it comes to those things.
Yes, that's exactly what I'm looking for. That's how the OpenVPN AS appliance works. That's how the Juniper Network Connect full-tunnel VPN solution works. That's how Fortinet SSL VPN Connect works, etc. etc.
This is standard practice. In a corporate implementation, authentication is going to be two-factor, à la domain credentials + RSA (which itself will use a static N-digit PIN + a random token number).
Regarding the security, I completely understand your position. But I respectfully request that you do not hold back function because you're concerned about the security of my implementation. When done right, more convenience does not always necessitate less security. I can do it right; I don't need a big brother holding my hand.