verifying the device connecting to OpenVPN server?

How to customize and extend your OpenVPN installation.
Post Reply
joebonomo
OpenVpn Newbie
Posts: 2
Joined: Wed Aug 31, 2011 6:50 pm

verifying the device connecting to OpenVPN server?

Post by joebonomo » Wed Sep 07, 2011 2:37 pm

We are testing an OpenVPN installation for remote access to our company LAN using ethernet bridging ('tap' interface). Server is running on linux. Clients will be on Mac, Windows, and Linux. I'm currently testing from a Mac with Tunnelblick.

We would like to prevent remote users from easily moving their keys from one remote device to another, especially to unauthorized mobile/handheld devices. Inside the LAN, we authorize devices by MAC address via static DHCP. We'd love to extend this to clients connected via OpenVPN. I'm working on configuring our DHCP server as mentioned in the Installation Notes (http://openvpn.net/index.php/open-sourc ... ml?start=1).

I understand from this post that the virtual tap adaptor gets assigned a random MAC address, which I've seen in action:
topic8212.html

Is there any way to pre-set this virtual tap MAC address per device? If not, once a virtual MAC address is assigned, does it stay the same from connection to connection? Does it ever change on a given device?

I'm also open to other approaches to resolving this issue...

Thanks,
Joe

User avatar
janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: verifying the device connecting to OpenVPN server?

Post by janjust » Wed Sep 07, 2011 3:38 pm

in 'tap' mode you can preset the MAC address of a device using

Code: Select all

lladdr <MAC>
there's nothing preventing a user from stealing this address however.

The MAC address for the tap-win32 adapter is fixed during installation time; for Linux clients the MAC address is set to a random value every time the 'tap' device is created (i.e. after a restart, shutdown etc).

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: verifying the device connecting to OpenVPN server?

Post by maikcat » Thu Sep 08, 2011 1:42 pm

>We would like to prevent remote users from easily moving their keys from one remote device to another

if your clients using windows you can install certificates to your win and use them
from config file,and also protect the key from extraction with password inside windows.

just my 2 cents

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

joebonomo
OpenVpn Newbie
Posts: 2
Joined: Wed Aug 31, 2011 6:50 pm

Re: verifying the device connecting to OpenVPN server?

Post by joebonomo » Thu Sep 08, 2011 2:31 pm

Thank you, Jan Just and Michael.

@maikcat: That's a good suggestion. Unfortunately, only a small percentage of our clients will be on Windows. Most will be on Mac or Linux. Also, the remote computers will mostly be personal/home computers, so we (the company) won't have administrative access to them.

@janjust: Thanks for the info. While this might sound like a good approach, the config file holding the 'lladdr' line is tied to the Common Name (CN), which can be moved to other devices, correct?

Perhaps is there a script that I could modify (or add) to check the MAC address of the current device before allowing the device to connect? I recognize that MAC addresses are spoofable, but we're willing to accept that risk for now.

Thanks.
- Joe -

User avatar
janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: verifying the device connecting to OpenVPN server?

Post by janjust » Thu Sep 08, 2011 3:00 pm

the question 'how can I bind an openvpn configuration to a specific machine' comes up from time to time. The answer is always 'no there is no fool proof method to do so - openvpn is about getting access, not about restricting it'

there is some support in the openvpn source code for generating automatic userids (i.e. based on the local hardware or MAC address) but this is not enabled by default in the binaries, and again, this is not foolproof.

Your best bet would be to use the 'lladdr' option, in combination with the client CN (which is in the certificate, not in the client config file). On the server side you could then add a check to see if the same lladdr MAC + client CN is logging on twice and disallow that.

danny70437
OpenVpn Newbie
Posts: 3
Joined: Fri Sep 09, 2011 5:25 pm

Re: verifying the device connecting to OpenVPN server?

Post by danny70437 » Mon Sep 12, 2011 5:29 pm

Hi all,

we are also interesting in binding a certificate to a hardware dependent "topic".
David Sommerseth wrote a nice blog reply http://www.mentby.com/david-sommerseth/ ... dware.html

Because I'm a newbie in openvpn, I'm not able to implement his suggestions. Maybe somebody will do ?

Kind regards
Danny

Post Reply