We have a requirement from the ISO auditors to restrict the OpenVPN client access to a corporate device (i.e. not allowing OpenVPN client access on a personal device).
We have responded that this requirement is not practical because users can install the same client and configuration file to access the server. The auditors replied that other companies met this requirement by using MAC address filtering. We have shared that MAC address can easily be spoofed and it operates only Layer 2 addressing (VPN is operating on Layer 3 addressing).
Does anyone know if there is any viable method on OpenVPN to restrict client to a specific set of device? Or, does OpenVPN has any check on the client to make sure it met certain criteria? For example, on Palo Alto Network's GlobalProtect, it has a feature called Host Information Profile (HIP) that will checks the client to make sure it has all the specific criteria:
- Operating system and patch level
- Host anti-malware version
- Host firewall version
- Disk encryption
- Data backup products
- Customized host conditions
2 posts • Page 1 of 1
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Aug 15, 2017 5:40 am
- I should be on the dev team.
- Posts: 546
- Joined: Fri Apr 13, 2012 8:43 pm
Actually, it operates just fine on Layer 3 as well with the OpenVPN Access Server product. That is because OpenVPN clients can report certain details like MAC address and OpenVPN version number during the initial steps when making a VPN tunnel connection, and the Access Server can perform extra checks on this information before allowing the connection to fully establish.We have responded that this requirement is not practical because users can install the same client and configuration file to access the server. The auditors replied that other companies met this requirement by using MAC address filtering. We have shared that MAC address can easily be spoofed and it operates only Layer 2 addressing (VPN is operating on Layer 3 addressing).
If you open a support ticket by going to www.openvpn.net, then 'sign in' at the top, and once signed in, click 'support' at the top, and request information about a sample post_auth MAC address filter script, the support personnel there can provide you with a copy of that file with sample script, which you can implement to enable MAC address filtering. Further details are explained in the documentation of that script.
Regarding spoofing, yes, it is possible to spoof it. But it would require whoever tries to get in with a spoofed address to try over and over and over and over. They would need things like the certificate, username, and password, and optionally a 2FA code, and on top of that the right MAC address. It just adds another layer of protection, and I mean sure, you can spoof it... but then again you can also guess passwords. You're just adding another protection factor, which is a good thing. Makes it even more difficult to get in. So while I understand that yes, you can spoof a MAC address, without knowing which address to spoof, it's going to be yet another roadblock to overcome.
Using post_auth script it is also possible to get version numbers for software products installed on Windows and Macintosh devices, and to block/allow based on that information. However you can only load one post_auth script at a time. So if you were to add this function you would have to take the sample post_auth script for MAC address filtering, and then add extra code to it to perform the extra other checks. Also this would only work with the OpenVPN Connect Client, and not other OpenVPN client software, which may limit your options. The MAC address filter works with open source version of OpenVPN as well (though not all - has to be a somewhat up-to-date version).
Hope that helps.