Steve Finkelstein wrote:
> Hi all,
>
> This question is more educational than an actual technical/configuration
> issue. I currently run a small network with an edge c2620 router and a
> layer 2 3560G switch which does VLAN trunking to a linux
> firewall/gateway for my end hosts.
>
> My firewall, which sits on the DMZ, is also currently running OpenVPN so
> users can remotely VPN into the internal network. As this is just
> currently a beta network, certificate based authentication is all that's
> used.
>
> Now, this is where my slight dilemma falls into place. I need to allow a
> set of users to VPN who I don't trust as much. I don't necessarily feel
> it's a great idea to give them certificate based auth because they can
> just toss the certificate on any box and be able to open a VPN tunnel
> into the internal network. Also, I'm not responsible for security on
> their workstations, so if they get compromised, the attacker will have
> access to my network.
>
> I'd like to figure out a solution to the above. My end users, located in
> an overseas office, do not have access to their gateway.
>
> 1) Does it make sense that I create certificates for them and also
> require them to authenticate with LDAP or some other username/password
> scheme?
>
> 2) Is it possible to have remote users, based on certificate, receive a
> particular static tunneled IP so I can firewall them accordingly internally?
>
> 3) Can I require certain certificates to be granted access without
> username/password auth, while others are required to use LDAP to auth
> against?
>
> Thank you!
>
> - Steve

Hi Steve, here are my 2 cents. Personally I can describe my actual setup. I work as a Network Engineer at the Municipality of the city of Modena; we have a firewall with a lot of DMZs and, obviously, an internal private network. I need to permit access not only to my network group (to perform checks or emergency interventions from an external public network, i.e. from home!) but also to various technical consultants, as they need to perform regular maintenance on services the Municipality has acquired as a customer. Obviously, for security reasons, I need to give access only to the services (and only the servers) involved and preserve all the others; I also need to know (i.e. log) all the traffic done by each client (even if they try to do something wrong).

I set up an OpenVPN server which always gives each client the same IP (in order to set up iptables rules for each one of them). I set up a CA using EJBCA; with some hacks made by Jon Bendsten and some others by myself, I proceed in this way:

1) Each time I receive an official request for a VPN, EJBCA sends a mail to the user with a username, a one-time password and a link to a publicly accessible https page.

2) The user must follow the link and authenticate with these credentials.

3) Then he/she can choose the length of his/her private key and also whether he/she wants to download a Windows VPN client or a zip file for installing it on a Unix OS.

4) After the flag is chosen, EJBCA executes in the background either the generation of the OpenVPN-GUI Windows client or the zip file (also decrypting the PKCS#12 file that contains the ca.crt, ta.key and client.crt files); in this way, when the OpenVPN client is started, the user is only asked for the credentials I personally give by phone.

5) The OpenVPN server authenticates users directly against our OpenLDAP (I used the great tool http://dpw.threerings.net/projects/openvpn-auth-ldap) with the password given by phone and the username sent in the mail.

6) For stronger auth, the OpenVPN server runs in a chroot environment and has its certificate marked as tls-server; each client has his marked as tls-client.

7) Each client is always assigned the same IP and has to pass two sets of firewall rules: the iptables on the server itself and the ACL rules on the DMZ in which the OpenVPN server resides.

8) With the latest EJBCA release it is possible to generate a new CRL file every minute; when I want to deactivate a client I only have to do it using the EJBCA web UI: after a minute a new CRL file is generated, a simple "wget" on the OpenVPN server gets it and the client is off.

9) If I need to permit other clients to authenticate directly and not with our LDAP, I only have to make another openvpn.server.conf file with different permissions and so on.

Sorry for the long post, but I hope that my setup helps you to figure out some of the possibilities you have. I need to remark my thanks to Jon Bendsten and to the EJBCA developers for their great help in setting up this centralized solution.

--Andrea
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
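For readers who want to see how the pieces of the setup described in steps 5 to 8 fit together in OpenVPN terms, here is an added example server configuration. It is not Andrea's actual configuration nor anything generated by EJBCA; the file paths, the VPN subnet 10.8.0.0/24, the certificate CN "consultant01" and the LDAP base DNs are all assumptions. It answers Steve's questions 1 and 2 directly: a client must present a valid certificate (of the right type) and an LDAP username/password, and each certificate CN is pinned to one tunnel address that iptables can key on.

```conf
# --- /etc/openvpn/server.conf (added example; paths, addresses and CNs are assumptions) ---
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0      # tunnel subnet; addresses are pinned per CN below

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0     # shared HMAC key (clients use "tls-auth ta.key 1");
                                   # drops handshakes from anyone without ta.key

# Server cert is marked tls-server, client certs tls-client (step 6): reject any
# peer whose certificate is not a client certificate, so a stolen server cert
# cannot be used to connect as a client
remote-cert-tls client

# Certificate AND LDAP password (step 5): the plugin receives the username and
# password the client sends with "auth-user-pass" and checks them against LDAP.
# A valid certificate alone never gets a tunnel.
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf

# One file per certificate CN with a fixed "ifconfig-push" (step 7).
# ccd-exclusive refuses any client whose CN has no file, so an unknown
# but validly-signed certificate is rejected instead of getting a pool address.
client-config-dir /etc/openvpn/ccd
ccd-exclusive

# Revocation (step 8): the CRL fetched with wget is checked on every handshake.
# OpenVPN reads the file while running, so it must be reachable from inside
# the chroot; check your version's manual for whether the path is resolved
# before or after chroot and place the file accordingly.
chroot /etc/openvpn/jail
crl-verify /etc/openvpn/jail/crl.pem
user nobody
group nogroup
persist-key
persist-tun

# No "client-to-client": every packet between clients or into the LAN crosses
# the host firewall, where per-address ACCEPT and LOG rules apply.
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

# --- /etc/openvpn/ccd/consultant01 (file name = certificate CN, assumed) ---
ifconfig-push 10.8.0.12 255.255.255.0

# --- /etc/openvpn/auth-ldap.conf (openvpn-auth-ldap plugin; server names assumed) ---
<LDAP>
  URL        ldap://ldap.example.org
  Timeout    15
  TLSEnable  yes
</LDAP>
<Authorization>
  BaseDN       "ou=People,dc=example,dc=org"
  SearchFilter "(uid=%u)"
  RequireGroup true
  <Group>
    BaseDN          "ou=Groups,dc=example,dc=org"
    SearchFilter    "(cn=vpn-consultants)"
    MemberAttribute "memberUid"
  </Group>
</Authorization>
```

With every consultant pinned to an address, a host rule such as `iptables -A FORWARD -i tun0 -s 10.8.0.12 -d 10.0.5.20 -p tcp --dport 22 -j ACCEPT` (addresses assumed) preceded by a `-j LOG` rule gives the per-client, per-service access and the traffic log Andrea describes. Steve's question 3, some certificates without a password, maps to Andrea's step 9: a second server instance on another port and tun device with its own CA or `ccd` directory and no `plugin` line, rather than trying to make one instance treat CNs differently.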