Opened 2 years ago

Closed 11 months ago

#1317 closed Feature Wish (notabug)

openVPN push-peer-info

Reported by: DFu Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: dfu@…, tct

Description

at the moment some information are pushed over push-peer-info to VPN-Server. For example, MAC / GUI-Version and so on. But no secure computerinformation is pushed at the moment. For examle serial number / ActiveDirectory? SID and so on. We want to add an connect script on server that only allows connections from "internal" AD connected computers. So we need some secure Information from Client computer to identify. MAC or some env which i can set in client configuration is not secure enough, because each user can edit this file / information. I think it will be very easy to add some more "static" and secure information with push-peer-info command.

Change History (11)

comment:1 Changed 2 years ago by tct

Cc: tct added

comment:2 Changed 2 years ago by Gert Döring

This is somewhat non-trivial, because OpenVPN is open source, so sophisticated users could just compile their own binary to transmit whatever they want...

I'd just go with MAC address. Already built-in functionality (just enable --push-peer-info on the client) and not easy to modify.

comment:3 Changed 2 years ago by tct

This is only a suggestion: TLS Crypt V2 looks like it fulfils most of the requirements here.

See:

comment:4 Changed 2 years ago by DFu

okay, but how should this prevent if user copy client configuration and client certs / keys to an other machine?

Only MAC from connected device is sent to openVPN Server, not all local MACs... thats a problem

comment:5 in reply to:  4 Changed 2 years ago by tct

Write a script to verify that the client MAC is correct.

comment:6 Changed 2 years ago by DFu

do you mean a client script or a server script?

comment:8 Changed 2 years ago by DFu

Hi, i think you have created some scripts about this topic.... is there something finished? Or is it now possible to send more information from local client to server with push-peer-info function?
Thanks

comment:9 Changed 2 years ago by DFu

or is it possible to use computername / username / domainname from local computer env and push with push-peer-info?

comment:10 Changed 16 months ago by tct

@DFu https://github.com/TinCanTech/easy-tls is now at v2.2 and it does what you wanted and also detects when a user mixes TLS keys with incorrect X509 certificates. I would like to see it getting used and have some feedback of it's performance in a real world environment.

comment:11 Changed 11 months ago by tct

Resolution: notabug
Status: newclosed
Note: See TracTickets for help on using tickets.