
Re: [Openvpn-users] Authentication solution

  • Subject: Re: [Openvpn-users] Authentication solution
  • From: Andrea <arussos@xxxxxxxxxxxxxxxx>
  • Date: Thu, 05 Apr 2007 00:53:57 +0200

Steve Finkelstein wrote:
> Hi all,
> This question is more educational than an actual technical/configuration
> issue. I currently run a small network with an edge c2620 router and a
> layer 2 3560G switch which does VLAN trunking to a linux
> firewall/gateway for my end hosts.
> My firewall, which sits on the DMZ, is also currently running OpenVPN so
> users can remotely VPN into the internal network. As this is just
> currently a beta network, certificate based authentication is all that's
> used.
> Now, this is where my slight dilemma falls into place. I need to allow a
> set of users to VPN who I don't trust as much. I don't necessarily feel
> it's a great idea to give them certificate-based auth because they can
> just toss the certificate on any box and be able to open a VPN tunnel
> into the internal network. Also, I'm not responsible for security on
> their workstations, so if they get compromised, the attacker will have
> access to my network.
> I'd like to figure out a solution to the above. My end users, located in
> an overseas office, do not have access to their gateway.
> 1) Does it make sense that I create certificates for them and also
> require them to authenticate with LDAP or some other username/password
> schema?
> 2) Is it possible to have remote users, based on certificate, receive a
> particular static tunneled IP so I can firewall them accordingly internally?
> 3) Can I require certain certificates to be granted access without
> username/password auth, while others are required to use LDAP to auth
> against?
> Thank you!
> - Steve
Hi Steve, here are my 2 cents....

Personally, I can describe my actual set-up.

I work as a Network Engineer at the Municipality of the city of Modena;
we have a Firewall with a lot of DMZs and, obviously, an internal private
network. I need to permit access not only to my net-group (to make
control or emergency interventions from an external public network (i.e.
from home!)) but also to various technical consultants, as they need to
make regular maintenance to services the Municipality has acquired as a
customer. Obviously for security reasons I need to give access to only
the services (and also only the servers) involved and preserve all
others; I also need to know (i.e. log) all the traffic done by each
client (even if they try to do something wrong).
I set up an OpenVPN server which gives each client always the same IP
(in order to set up IPTables rules for each one of them).
I set up a CA using EJBCA: with some hacks made by Jon Bendsten and some
others by myself, I proceed in this way:

1) Each time I receive an official request for a VPN, EJBCA sends a mail
to the user with a username, a one-time password and a link to a publicly
accessible https page
2) The user must follow the link and authenticate with these credentials
3) Then he/she can choose the length of his/her private key and also
whether he/she wants to download a Windows VPN client or a zip file for
installing it on a Unix OS.
4) After the flag is chosen, EJBCA executes in background either the
generation of the OpenVPN-GUI Win client or the zip file (decrypting
also the pkcs12 file that contains the ca.crt, ta.key and client.crt
files); in this way, when the OpenVPN client is started, the user is only
asked for the credentials I personally give by phone.
5) The OpenVPN server authenticates users directly on our OpenLDAP (I
used the great tool http://dpw.threerings.net/projects/openvpn-auth-ldap
) with the password given by phone and the username sent in the mail.
6) For stronger auth the OpenVPN server runs in a chroot env and has its
certificate marked as tls-server; each client has his marked as tls-client
7) Each client has always the same IP assigned and has to pass two steps
of firewall rules: the IPTables on the server itself and the ACL rules on
the DMZ in which the OpenVPN server resides.
8) With the latest EJBCA release it is possible to generate every minute
a new CRL file; when I want to de-activate a client I only have to do it
using the EJBCA web UI: after a minute a new CRL file is generated, a
simple "wget" on the OpenVPN server gets it and the client is
9) If I need to permit other clients to auth directly and not with our
LDAP I only have to make another openvpn.server.conf file with different
permissions and so on......

Sorry for the long post, but I hope that my set-up helps you to figure
out some of the possibilities you have...........
I need to remark my thanks to Jon Bendsten and to the EJBCA developers
for their great help in setting up this centralized solution....
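An OpenVPN server configuration that wires together the pieces Andrea describes in steps 5 to 8 (LDAP username/password on top of the certificate, tls-auth and TLS-role checking, chroot, a fixed tunnel IP per certificate, and CRL-based revocation), added here as an example and not taken from Andrea's or Steve's own setup; the file paths, the 10.8.0.0/24 address plan, the client CN consultant01 and the LDAP plugin config file are assumed.

```conf
# /etc/openvpn/server-ldap.conf   (assumed path; example config, not from the thread)
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0        # assumed address plan

# Certificate material: a client must present a cert signed by this CA.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem

# Step 6: HMAC key on the TLS control channel, plus a check that the peer's
# cert carries the TLS *client* role (older configs used "ns-cert-type client").
# A stolen server cert can then not be replayed as a client cert.
tls-auth /etc/openvpn/ta.key 0
remote-cert-tls client

# Step 8: the CRL is re-read on every new connection, so the copy that wget
# refreshes takes effect without restarting the server. The relative path is
# resolved inside the jail once chroot is entered: /etc/openvpn/jail/crl.pem.
crl-verify crl.pem

# Step 5: username/password checked against LDAP in addition to the cert.
# The plugin talks to LDAP after the chroot, so use an IP in its config or
# make name resolution work inside the jail.
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf

# Step 7 / Steve's question 2: one fixed tunnel IP per certificate, taken from
# a per-client file named after the cert CN. ccd-exclusive refuses any cert
# that has no such file, so an unknown-but-valid cert still gets no tunnel.
client-config-dir /etc/openvpn/ccd
ccd-exclusive

# Step 6: drop privileges and confine the daemon after startup.
chroot /etc/openvpn/jail
user  nobody
group nogroup
persist-key
persist-tun

# Step 7: the status file records CN and assigned address for every session,
# which is what the per-client iptables rules and the audit log key on.
status /var/log/openvpn/status-ldap.log 10
verb 3

# /etc/openvpn/ccd/consultant01   (file name == certificate CN, assumed)
ifconfig-push 10.8.0.21 255.255.255.0
```

Steve's question 3 (some certificates admitted without LDAP) is handled the way Andrea does it in step 9: a second instance on another port with the same CA but without the plugin line and with its own ccd directory.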
