[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Authentication solution


  • Subject: Re: [Openvpn-users] Authentication solution
  • From: Andrea <arussos@xxxxxxxxxxxxxxxx>
  • Date: Thu, 05 Apr 2007 09:02:18 +0200

Steve Finkelstein ha scritto:
> Andrea,
>
> I'd like to personally thank you for explaining your network setup. I'm
> going to take a look into EJBCA and let you know how it has gone for me.
>
> Thanks a lot!
>
> - Steve
>
> Andrea wrote:
>   
>> Steve Finkelstein ha scritto:
>>
>>     
>>> Hi all,
>>>
>>> This question is more educational than an actual technical/configuration
>>> issue. I currently run a small network with an edge c2620 router and a
>>> layer 2 3560G switch which does VLAN trunking to a linux
>>> firewall/gateway for my end hosts.
>>>
>>> My firewall, which sits on the DMZ, is also currently running OpenVPN so
>>> users can remotely VPN into the internal network. As this is just
>>> currently a beta network, certificate based authentication is all that's
>>> used.
>>>
>>> Now, this is where my slight dilemma falls into place. I need to allow a
>>> set of users to VPN who I don't trust as much. I don't necessarily feel
>>> it's a great idea to give them certificate based auth cause they can
>>> just toss the certificate on any box and be able to open a VPN tunnel
>>> into the internal network. Also, I'm not responsible for security on
>>> their workstations, so if they get compromised, the attacker will have
>>> access to my network.
>>>
>>> I'd like to figure out a solution to the above. My end users, located in
>>> an overseas office, do not have access to their gateway.
>>>
>>> 1) Does it make sense that I create certificates for them and also
>>> require them to authenticate with LDAP or some other username/password
>>> schema?
>>>
>>> 2) Is it possible to have remote users, based on certificate, receive a
>>> particular static tunneled IP so I can firewall them accordingly
>>> internally?
>>>
>>> 3) Can I require certain certificates to be granted access without
>>> username/password auth, while others are required to use LDAP to auth
>>> against?
>>>
>>> Thank you!
>>>
>>> - Steve
>>>
>>>   
>>>       
>> Hi Steve, here are my 2cents....
>>
>> Personally i can describe my actual set-up.
>>
>> I work as a Network Engineer at the Municipality of the city of Modena;
>> we have a Firewall with a lot of DMZ and, obviously, an internal private
>> network. I need to permit access not only to my net-group (as to make
>> control or emergency intervention from an external public network (i.e.
>> from home!)) but also to various  tecnical consultant  as  they  need to
>> make regular  maintenance to services the Municipality has acquired as a
>> customer. Obviously for security reasons i need to give access to only
>> the services (and also only the servers) involved and preserve all
>> others; i also need to know ( i.e. log ) all the traffic done by each
>> client ( even if they try to do something wrong ).
>> I set up an openvpn server wich give to each client always the same IP (
>> in order to set up IpTables rules for each one of them ).
>> I set up a CA using EJBCA: with some hack made by Jon Bendsten an some
>> other by my self i proceed in this way:
>>
>> 1) Each time i receive an official request for a VPN, EJBCA send a mail
>> to the user with a username, a one time passwd and a link to a public
>> accessible https page
>> 2) The user must follow the link and authenticate with these credentials
>> 3) Then he/she can choose the lenght of  his/her private key an  also if
>> he/she want  to  download  a Windows-VPN client  or a zip-file for
>> installing it on Unix-OS.
>> 4) After the flag is chosen EJBCA execute in background either the
>> generation of the Openvpn-gui Win client or the zip-file ( decripting
>> also the pkcs12 file that contain ca.crt, ta.key and the client.crt
>> files ); in this way when the openvpn-client is started the user is only
>> asked the credentials i personally give by phone.
>> 5) The openvpn-server authenticate users directly on our open-ldap ( i
>> used the great tool http://dpw.threerings.net/projects/openvpn-auth-ldap
>> ) with the password given by phone and the username sent in the mail.
>> 6) For stronger auth the openvpn-server run in chroot env and has is
>> certificate marked as tls-server; each client as his marked as tls-client
>> 7) Each client has assigned the same IP and has to pass two steps of
>> firewall rules: the IpTables on the server itself an the ACL-rules on
>> the DMZ in wich the OpenVPN server resides.
>> 8) With the latest EJBCA release is possible to generate every minute a
>> new CRL file; when i want to de-activate a client i only have to do it
>> using the EJBCA webUI: after a minute a new CRL file is generated, a
>> file with a simple "wget" on the OpenVPN server get it and the client is
>> off.....
>> 9) If i need to permit others client to auth directly and not with our
>> ldap i only have to make onother openvpn.sever.conf file with different
>> permissions and so on......
>>
>> Sorry for the long post but i hope that my set-up help you to figure out
>> some of the possibilities you have...........
>> I need to remark my thanks to Jon Bendsten and to Ejbca-developers for
>> their great help in setting up this centralized solution....
>>
>> --Andrea
>>
>> !DSPAM:1020,46142cb0832141388512629!
>>
>>     
>
>
>   
Hi Steve, feel free to contact me directly for ask any question 
reguarding my solution ( there are several steps to set it all up and 
running......).
I'm happy you  find it interesting, thanks  for your kindness,

--Andrea
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users