Page 1 of 1
OpenVPN clients to an Official Laptop system MAC (Media Access Control) address
Posted: Fri Feb 26, 2021 5:46 pm
by kaushalshriyan
Hi,
I am running the below OpenVPN version on CentOS Linux release 7.9.2009 (Core).
Code: Select all
OpenVPN 2.5.1 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 24 2021
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
Is there a way to restrict OpenVPN clients to an Official Laptop system MAC (Media Access Control) address to prevent users to install the OpenVPN Client to their own personal laptop or desktop as part of the security governance ( ISO 27001)
Please suggest if there are any alternative ways. Thanks in Advance. I look forward to hearing from you.
Best Regards,
Kaushal
Re: OpenVPN clients to an Official Laptop system MAC (Media Access Control) address
Posted: Fri Feb 26, 2021 6:14 pm
by Pippin
Re: OpenVPN clients to an Official Laptop system MAC (Media Access Control) address
Posted: Fri Feb 26, 2021 6:38 pm
by TinCanTech
@Pippin. Thanks!
@kaushalshriyan, If you have any question then you can ask me here.
Re: OpenVPN clients to an Official Laptop system MAC (Media Access Control) address
Posted: Fri Feb 26, 2021 6:46 pm
by TinCanTech
FYI: github.com is down! for me ...
It is Firefox 86.0 at fault. Or M$ don't want to play now that Firefox has "Cookie Jar" ..
Re: OpenVPN clients to an Official Laptop system MAC (Media Access Control) address
Posted: Mon May 10, 2021 3:41 pm
by kaushalshriyan
@TinCanTech
I am referring to
https://github.com/TinCanTech/easy-tls/ ... ess-Policy to enable Metadata Access Policy to restrict OpenVPN clients to an Official Laptop system MAC (Media Access Control) address to prevent users to install the OpenVPN Client to their own personal laptop or desktop as part of the security governance. I have copied easy-tls to /etc/easy-rsa/ and while running ./easytls-cryptv2-verify.sh. I get
This script can ONLY be used by a running openvpn server.ERROR: Missing: OPENVPN_METADATA_FILE:
#ps aux | grep vpn
avahi 820 0.0 0.0 85280 4892 ? Ss May09 0:00 avahi-daemon: running [secondaryopenvpnserver.local]
nobody 55730 0.1 0.1 83568 8440 ? Ss 10:10 1:17 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config server.conf
root 55737 0.0 0.0 76536 4928 ? S 10:10 0:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config server.conf
root 92257 0.0 0.0 11780 1084 pts/0 S+ 21:07 0:00 grep --color=auto vpn
Please guide. I look forward to hearing from you. Thanks in Advance.
Best Regards,
Kaushal
Re: OpenVPN clients to an Official Laptop system MAC (Media Access Control) address
Posted: Mon May 10, 2021 5:33 pm
by TinCanTech
kaushalshriyan wrote: ↑Mon May 10, 2021 3:41 pm
This script can ONLY be used by a running openvpn server.ERROR: Missing: OPENVPN_METADATA_FILE
Indeed, that is correct.
Simple answer:
- Install Easy-RSA version 3
- Create your Public Key Infra-structure
What a load of Horse dung.. Public Key Infra-structure
Who ever came up with that expression got a medal in Talking Bollocks
- Install Easy-TLS
Essentially, copy Easy-TLS into your working Easy-RSA directory
- Use Easy-TLS
Configure your own Custom-Group
Create any OpenVPN defined TLS-Key
Also, auto-inline upon request.
Create Inline files not auto-created (Show me an example and I'll even considering adding it).
Create Openvpn Server configuration file to use Easy-TLS keys. data and scripts.
- Start your server using the Inline-file and configuration-file created above.
- Start your client using the Inline-file created above
- Stand back in Wonder and Awe ..
as OpenVPN now verifies your Client hardware-address tied to your Client TLS-Crypt-V2 Key,
all created and configured by Easy-TLS
By me a beer!
Re: OpenVPN clients to an Official Laptop system MAC (Media Access Control) address
Posted: Tue May 11, 2021 10:07 am
by kaushalshriyan
@TinCanTech Thanks a lot for sharing the steps and appreciate your help. I am currently going through it and setting it up on the server. I will keep you posted.