Opened 9 months ago

Last modified 7 months ago

#1317 new Feature Wish

OpenVPN push-peer-info

Reported by: DFu Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: dfu@…, tincantech

Description

At the moment some information is pushed over push-peer-info to the VPN server, for example MAC / GUI version and so on. But no secure computer information is pushed at the moment, for example serial number / Active Directory SID and so on. We want to add a connect script on the server that only allows connections from "internal" AD-connected computers. So we need some secure information from the client computer to identify it. MAC or some env which I can set in the client configuration is not secure enough, because each user can edit this file / information. I think it will be very easy to add some more "static" and secure information with the push-peer-info command.

Change History (9)

comment:1 Changed 9 months ago by tincantech

Cc: tincantech added

comment:2 Changed 9 months ago by Gert Döring

This is somewhat non-trivial, because OpenVPN is open source, so sophisticated users could just compile their own binary to transmit whatever they want...

I'd just go with MAC address. Already built-in functionality (just enable --push-peer-info on the client) and not easy to modify.

comment:3 Changed 9 months ago by tincantech

This is only a suggestion: TLS Crypt V2 looks like it fulfils most of the requirements here.

See:

comment:4 Changed 9 months ago by DFu

Okay, but how should this prevent a user from copying the client configuration and client certs / keys to another machine?

Only the MAC from the connected device is sent to the OpenVPN server, not all local MACs... that's a problem.

comment:5 in reply to:  4 Changed 9 months ago by tincantech

Write a script to verify that the client MAC is correct.
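A server-side version of the check suggested in comment 5, as an added example that is not part of the ticket or of OpenVPN's own code. It assumes the server exposes the pushed `IV_HWADDR` value to a `client-connect` script as an environment variable; the script path, allowlist path and allowlist format are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): server-side client-connect check.
# Assumed server config: "script-security 2" and
# "client-connect /etc/openvpn/check-mac.sh" (hypothetical path).
# Allowlist format is constructed for this example: "<common_name> <mac>" per
# line; several lines per name cover a machine with wired and Wi-Fi adapters.
# IV_HWADDR is asserted by the client, so treat a match as one extra check
# on top of the certificate, not as proof of which machine connected.

ALLOWLIST="${ALLOWLIST:-/etc/openvpn/mac-allowlist}"   # hypothetical path

# Print the MAC in lower case; fail unless it has the aa:bb:cc:dd:ee:ff form.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$m" in *[!0-9a-f:]*) return 1 ;; esac
    printf '%s\n' "$m" | grep -Eqx '([0-9a-f]{2}:){5}[0-9a-f]{2}' || return 1
    printf '%s\n' "$m"
}

# check_peer_mac <allowlist> <common_name> <iv_hwaddr>
# Returns 0 to allow the connection and 1 to reject it (fails closed).
check_peer_mac() {
    list=$1
    cn=$2
    [ -n "$cn" ] && [ -r "$list" ] || return 1
    got=$(normalize_mac "$3") || return 1   # IV_HWADDR missing or malformed
    while read -r name mac rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        [ "$name" = "$cn" ] || continue
        want=$(normalize_mac "$mac") || continue
        [ "$got" = "$want" ] && return 0
    done < "$list"
    return 1
}

# OpenVPN sets script_type when it runs the script; a non-zero exit status
# from a client-connect script makes the server refuse the client.
if [ "${script_type:-}" = "client-connect" ]; then
    check_peer_mac "$ALLOWLIST" "${common_name:-}" "${IV_HWADDR:-}"
    exit $?
fi
```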

comment:6 Changed 8 months ago by DFu

Do you mean a client script or a server script?

comment:8 Changed 7 months ago by DFu

Hi, I think you have created some scripts about this topic... Is there something finished? Or is it now possible to send more information from the local client to the server with the push-peer-info function?
Thanks

comment:9 Changed 7 months ago by DFu

Or is it possible to use the computername / username / domainname from the local computer env and push them with push-peer-info?
