Hi all,
I'm planning to use your OpenVPN-AS on AWS to permit connections for multiple users (developers and sysadmins) to our environment from internal.
Everything meets our needs, and the prototype is working, but we need this rule:
- A user can connect from a known IP (our offices) using an Autologin profile
- A user must use login/password and MFA if trying to connect from an unknown IP (e.g. from home, airport, etc.).
Is this kind of setup possible, for example by starting multiple daemons on multiple ports/IPs, enabling Autologin on only one daemon, and filtering (using the AWS firewall) the source IPs that can access the privileged daemon?
Regards,
Enrico Casti
Autologin only for known IP
-
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Aug 17, 2015 9:00 am
Last edited by maikcat on Tue Aug 18, 2015 6:05 am, edited 1 time in total.
Reason: subject corrected
-
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Aug 17, 2015 9:00 am
Re: Otology only for known IP
The Subject of the topic should be "Autologin only for known IP", my mistake
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue May 23, 2017 6:00 pm
Re: Autologin only for known IP
Did anyone answer this question?
"but we need this rule:
- A user can connect from known IP ( our offices ) using Autologin profile
- A user must use login/password and MFA if is trying to connect from unknown IP ( eg. from home,airport, etc ).
"
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Autologin only for known IP
I cannot think of any way to do that with one server, sorry. An auto-login profile implies complete trust and does not go through any authentication steps at all. It just connects. To apply additional restrictions to this type of profile is just not possible.
The only thing I can think of that can work is setting up two servers, one with auto-login profile, and then another with username+password authentication, and lock down the one that accepts auto-login connections using a firewall to only allow connections from the known trusted IP.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
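An added example, not part of the thread: with the two-server layout suggested above, the firewall rule on the auto-login server is the only thing standing in for authentication, so it is worth checking mechanically. The sketch below audits one security group, in the shape returned by `aws ec2 describe-security-groups`, for any ingress source outside the trusted office ranges. The group ID, ports and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample: one entry of "SecurityGroups" as returned by
# `aws ec2 describe-security-groups`. ID, ports and CIDRs are placeholders.
AUTOLOGIN_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
         "IpRanges": [{"CidrIp": "203.0.113.0/28"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.8/29"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
# Assumed office egress range (RFC 5737 documentation prefix).
TRUSTED_OFFICES = ["203.0.113.0/28"]


def untrusted_sources(group, trusted_cidrs):
    """Return (protocol, from_port, to_port, cidr) for every ingress source
    that is not fully contained in one of the trusted networks.
    Security-group and prefix-list sources are not CIDRs and are not
    evaluated here; review those separately."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # Compare versions first: subnet_of() raises on IPv4 vs IPv6.
            ok = any(net.version == t.version and net.subnet_of(t)
                     for t in trusted)
            if not ok:
                findings.append((perm["IpProtocol"], perm.get("FromPort"),
                                 perm.get("ToPort"), cidr))
    return findings


if __name__ == "__main__":
    for proto, lo, hi, cidr in untrusted_sources(AUTOLOGIN_SG, TRUSTED_OFFICES):
        print(f"{AUTOLOGIN_SG['GroupId']}: {proto} {lo}-{hi} open to {cidr}")
```

An empty result means every CIDR source on the auto-login server falls inside the office ranges; any finding is a path by which an auto-login profile could connect from an unknown IP.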