Autologin only for known IP

ecasti
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 17, 2015 9:00 am

Autologin only for known IP

Post by ecasti » Mon Aug 17, 2015 9:10 am

Hi all,
I'm planning to use your OpenVPN-AS on AWS to permit connections for multiple users (developers and sysadmins) to our environment from internal.
Everything meets our needs, and the prototype is working, but we need this rule:
- A user can connect from a known IP (our offices) using an Autologin profile
- A user must use login/password and MFA if they are trying to connect from an unknown IP (e.g. from home, airport, etc.).

Is this kind of setup possible, for example by starting multiple daemons on multiple ports/IPs, enabling Autologin on only one daemon, and filtering (using the AWS firewall) the source IPs that can access the privileged daemon?

Regards,
Enrico Casti
Last edited by maikcat on Tue Aug 18, 2015 6:05 am, edited 1 time in total.
Reason: subject corrected

ecasti
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 17, 2015 9:00 am

Re: Otology only for known IP

Post by ecasti » Mon Aug 17, 2015 2:42 pm

The subject of the topic should be "Autologin only for known IP", my mistake.

skillbuilders-dave
OpenVpn Newbie
Posts: 2
Joined: Tue May 23, 2017 6:00 pm

Re: Autologin only for known IP

Post by skillbuilders-dave » Tue Nov 07, 2017 9:15 pm

Did anyone answer this question?

"but we need this rule:
- A user can connect from a known IP (our offices) using an Autologin profile
- A user must use login/password and MFA if they are trying to connect from an unknown IP (e.g. from home, airport, etc.).
"

novaflash
OpenVPN Expert
Posts: 493
Joined: Fri Apr 13, 2012 8:43 pm

Re: Autologin only for known IP

Post by novaflash » Wed Nov 08, 2017 8:16 am

I cannot think of any way to do that with one server, sorry. An auto-login profile implies complete trust and does not go through any authentication steps at all. It just connects. To apply additional restrictions to this type of profile is just not possible.

The only thing I can think of that can work is setting up two servers, one with auto-login profile, and then another with username+password authentication, and lock down the one that accepts auto-login connections using a firewall to only allow connections from the known trusted IP.
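As an added example that is not part of the original thread: with the two-server layout described above, the firewall rule on the auto-login server is the only control on that server, so it is worth auditing mechanically. The sketch below checks inbound rules shaped like the `IpPermissions` list returned by `aws ec2 describe-security-groups`; the office CIDRs, the listener ports (UDP 1194 and TCP 443) and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions, not from the thread: office ranges (documentation CIDRs)
# and the ports the auto-login server's VPN daemons listen on.
OFFICE_CIDRS = ["203.0.113.0/24", "198.51.100.16/28"]
VPN_PORTS = {("udp", 1194), ("tcp", 443)}

# Constructed sample: inbound rules of the auto-login server's security group.
AUTOLOGIN_SG = [
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "198.51.100.20/32"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

def exposed_sources(ip_permissions, trusted_cidrs=OFFICE_CIDRS, vpn_ports=VPN_PORTS):
    """Return sorted (proto, port, cidr) tuples for every rule that lets a
    source outside the trusted ranges reach a VPN listener.
    Only CIDR sources are checked; security-group and prefix-list
    references are not resolved here."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = set()
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for vproto, vport in vpn_ports:
            # IpProtocol "-1" means every protocol and every port.
            if proto != "-1" and (proto != vproto or lo is None
                                  or not lo <= vport <= hi):
                continue
            for cidr in sources:
                net = ipaddress.ip_network(cidr)
                # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
                if not any(net.version == t.version and net.subnet_of(t)
                           for t in trusted):
                    findings.add((vproto, vport, cidr))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, cidr in exposed_sources(AUTOLOGIN_SG):
        print(f"auto-login listener {proto}/{port} reachable from {cidr}")
```

An empty result means every CIDR source allowed to reach the VPN listeners falls inside the office ranges; the open SSH rule in the sample is outside the scope of this check and is not reported.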
