VPN Portal?

  • One thing I liked about Sophos was the ability to have a VPN Portal where you could authenticate and then download the various VPN client packages to get connected.

    Can pfsense do this?

  • There isn't a specific "Portal" to accomplish this.

    One way you can achieve some of this capability is to create a login user and give them access only to the OpenVPN Client Export page.

    Unfortunately they would still have access to all the available clients for that pfSense box.
    It would be nice if you could limit them to only "their" specific client choices.

    I suspect we might be opening a potentially larger can of worms here in terms of secure access to pfSense by users that will only need very limited access.
    On the one hand it's definitely nice to have from the client's POV, on the other I don't know how much work we're talking about to enforce user security at that level.

    Would be nice to have though  :)

  • LAYER 8 Global Moderator

    Are you talking about a portal like the openvpn access server has?

    If you give the user the config, they can use that config in any client they want to use normally.  Be it Windows, Linux or iOS type device.  Not sure I see the point of a portal to be honest.  You could always run the OpenVPN Access Server, but that is limited to 2 concurrent connections unless you buy licenses from them.. And it doesn't run on pfsense - wonder if there would be a way to run the AS on pfsense vs the open community version?

  • The convenience I guess. I could just be on a computer anywhere open a browser authenticate and grab the client package.

  • Rebel Alliance Developer Netgate

    This request pops up frequently but we are really hesitant to allow it for security reasons. If you set up this nice, secure VPN with user certs, TLS auth, authentication, etc., and then you allow anyone with their username and password to download the client, you have effectively nullified all of your extra authentication factors. Especially if you allow such access remotely! It's really, really dangerous to do that. Anyone that has the password anywhere in the world could just log in and get full access to your network.

    If you're doing that, you may as well just have a VPN with no per-user certs, just user auth, and then everyone can use the same client. And in that case, you don't need a per-user download, which eliminates the need for the feature entirely.

    Until a secure method of allowing user access to download such things can be designed, it's not a good idea. It is convenient, sure, but not secure.

  • Good points. Thanks.

