Link for users to direct download Windows Installer (client export)
-
I'm trying to see if I can offer a link for end users to directly download the OpenVPN Windows installer package from the pfSense box (OpenVPN: Client Export Utility -> Client Install Packages).
I don't like either of the possible methods I've come up with but here they are.
1) embed temp credentials in the url sent to the user, i.e.:
```
https://tempuser:temppass@sample.domain.com/vpn_openvpn_export.php?act=inst-2.3-x86&srvid=0&usrid=5&crtid=0&useaddr=serveraddr&quoteservercn=0&usetoken=0&advancedoptions=
```
(I don't know yet if #1 will work the way I posted.)
2) user logs in with temp account and navigates to the package download
As you can see, neither of these are great choices. I'm wondering how other admins handle distributing installer packages. Although I could download the packages and host them on another webserver, it's time consuming when there's a lot of users to setup. A more secure direct download option would really help. Thanks for any input you could give.
-
> embed temp credentials in the url sent to the user
Think about that for a second. You want to take your nice secure VPN with certificates in front of your network and then potentially expose that to anyone who can guess the right password.
There is no way to do that which I would consider secure or safe.
We've looked into doing that before but so far none of the suggestions or methods we've come up with have addressed the fact that it's basically taking all of your built-up security measures and reducing them to just a username/password prompt that could be accessed by others.
Unless you have some other secure means of locking that down aside from their own username/password I wouldn't pursue it.
There is always a security vs. convenience tradeoff. If you want it to be secure, you can't make it too easy.
Downloading the clients yourself (perhaps just use a download manager to scrape every .exe link off the page) and putting them into a user's home directory on a local file server isn't much better, but assuming you have proper permissions and security in place on their machines, it may still be somewhat acceptable.
I try to hand-deliver VPN configurations where possible, or at least put them into a directory that can only be accessed via something more secure (typically an SCP host set for key-only auth, etc).
-
> I try to hand-deliver VPN configurations where possible, or at least put them into a directory that can only be accessed via something more secure (typically an SCP host set for key-only auth, etc).
You're right and I eventually came to the same conclusion.
So I'm sending them a 15+ char disposable pass in an encrypted email that's good for a 3 hour download window from a server that publishes to rotating ports. I've also been using pfBlocker to restrict server access to our local ISPs.
It's not a key but it's something.