verifying the device connecting to OpenVPN server?

[joebonomo]

We are testing an OpenVPN installation for remote access to our company LAN using ethernet bridging ('tap' interface). Server is running on linux. Clients will be on Mac, Windows, and Linux. I'm currently testing from a Mac with Tunnelblick.

We would like to prevent remote users from easily moving their keys from one remote device to another, especially to unauthorized mobile/handheld devices. Inside the LAN, we authorize devices by MAC address via static DHCP. We'd love to extend this to clients connected via OpenVPN. I'm working on configuring our DHCP server as mentioned in the Installation Notes (http://openvpn.net/index.php/open-sourc ... ml?start=1).

I understand from this post that the virtual tap adaptor gets assigned a random MAC address, which I've seen in action:
topic8212.html

Is there any way to pre-set this virtual tap MAC address per device? If not, once a virtual MAC address is assigned, does it stay the same from connection to connection? Does it ever change on a given device?

I'm also open to other approaches to resolving this issue...

Thanks,
Joe

[janjust]

in 'tap' mode you can preset the MAC address of a device using

Code: Select all

lladdr <MAC>

there's nothing preventing a user from stealing this address however.

The MAC address for the tap-win32 adapter is fixed during installation time; for Linux clients the MAC address is set to a random value every time the 'tap' device is created (i.e. after a restart, shutdown etc).

[maikcat]

>We would like to prevent remote users from easily moving their keys from one remote device to another

if your clients using windows you can install certificates to your win and use them
from config file,and also protect the key from extraction with password inside windows.

just my 2 cents

Michael.

[joebonomo]

Thank you, Jan Just and Michael.

@maikcat: That's a good suggestion. Unfortunately, only a small percentage of our clients will be on Windows. Most will be on Mac or Linux. Also, the remote computers will mostly be personal/home computers, so we (the company) won't have administrative access to them.

@janjust: Thanks for the info. While this might sound like a good approach, the config file holding the 'lladdr' line is tied to the Common Name (CN), which can be moved to other devices, correct?

Perhaps is there a script that I could modify (or add) to check the MAC address of the current device before allowing the device to connect? I recognize that MAC addresses are spoofable, but we're willing to accept that risk for now.

Thanks.
- Joe -

[janjust]

the question 'how can I bind an openvpn configuration to a specific machine' comes up from time to time. The answer is always 'no there is no fool proof method to do so - openvpn is about getting access, not about restricting it'

there is some support in the openvpn source code for generating automatic userids (i.e. based on the local hardware or MAC address) but this is not enabled by default in the binaries, and again, this is not foolproof.

Your best bet would be to use the 'lladdr' option, in combination with the client CN (which is in the certificate, not in the client config file). On the server side you could then add a check to see if the same lladdr MAC + client CN is logging on twice and disallow that.

[danny70437]

Hi all,

we are also interesting in binding a certificate to a hardware dependent "topic".
David Sommerseth wrote a nice blog reply http://www.mentby.com/david-sommerseth/ ... dware.html

Because I'm a newbie in openvpn, I'm not able to implement his suggestions. Maybe somebody will do ?

Kind regards
Danny