Allowing access from company devices only?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
DaMiBu
OpenVpn Newbie
Posts: 6
Joined: Thu Jun 01, 2017 9:40 am

Allowing access from company devices only?

Post by DaMiBu » Mon Nov 22, 2021 11:20 am

Does anyone have a way to restrict OpenVPN access to just company devices? This is by far our biggest request, and while the 'post_auth hardware address checking script' works, it is cumbersome to manage. (https://openvpn.net/vpn-server-resource ... -checking/)

We use the Azure NPS agent so all logins are via Azure + MFA push, but we are looking to add conditional access rules so you can only connect if your device is AD or Hybrid AD joined. Alternatively, maybe install a certificate on each company device that we could check for, but we have not had any luck figuring this out.

In the meantime we will use the "post_auth hardware address checking script", but the limitation to just two MAC addresses per user is a problem, as most users have three MACs (NIC, Wi-Fi, and docking).

Any ideas?

Thank you

PS: we run Access Server in AWS and all 100+ systems are up to date running 2.9.5 on Ubuntu 18.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Allowing access from company devices only?

Post by chilinux » Tue Nov 23, 2021 3:16 pm

If you know a little python, you can easily extend the existing post_auth script to support three MACs instead of just two.

If you are already using Azure MFA push then maybe what you are looking for to accomplish locking to a device is Windows Hello for Business to leverage the device's TPM. I recommend you get in touch with Azure support.

PS: 2.9.5 is no longer up to date. 2.9.6 provides a security fix.
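As an added illustration of the extension chilinux suggests (not code from the thread or from OpenVPN's own script): the check below reads every pvt_hw_addr* property of a user instead of a fixed pair, normalizes MAC formats, and fails closed when a user has no registered device or the client reports none. The property names, the client_hw_addr field, the post_auth_cr hook signature and the SUCCEED/FAIL constants are assumptions modelled on the linked script; verify them against it before deploying.

```python
import re

# Placeholders for the status constants the real script takes from
# pyovpn.plugin; defined here (assumed values) so the block runs offline.
SUCCEED, FAIL = 0, 1

# Matches pvt_hw_addr, pvt_hw_addr2, pvt_hw_addr3, ... (assumed naming
# scheme extending the script's pvt_hw_addr / pvt_hw_addr2 pair).
HW_PROP_RE = re.compile(r"^pvt_hw_addr(\d*)$")

def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits, or None if it is not one.
    Accepts aa:bb:..., aa-bb-..., and bare hex so stored and reported
    forms compare equal regardless of separator or case."""
    if not mac:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    return digits.lower() if len(digits) == 12 else None

def allowed_macs(user_props):
    """Collect all pvt_hw_addr* properties of a user into a set of MACs."""
    macs = set()
    for key, value in user_props.items():
        if HW_PROP_RE.match(key):
            norm = normalize_mac(value)
            if norm:
                macs.add(norm)
    return macs

def check_hw_addr(user_props, client_hw_addr):
    """Decide whether the connecting client is a registered company device.
    Fails closed: unknown user device list or missing client MAC -> deny.
    Returns (allowed, reason)."""
    registered = allowed_macs(user_props)
    if not registered:
        return False, "no company device registered for this user"
    client = normalize_mac(client_hw_addr)
    if client is None:
        return False, "client did not report a valid hardware address"
    if client not in registered:
        return False, "hardware address %s is not a registered device" % client
    return True, "ok"

def post_auth_cr(authcred, attributes, authret, info, crstate):
    """Hook shaped like the Access Server post_auth entry point (assumed).
    authret['proplist'] is taken to hold the user's properties."""
    ok, reason = check_hw_addr(authret.get("proplist", {}),
                               authcred.get("client_hw_addr"))
    if not ok:
        authret["status"] = FAIL
        authret["reason"] = reason
    return authret
```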
