Opened 4 years ago
Closed 3 years ago
#1317 closed Feature Wish (notabug)
openVPN push-peer-info
| Reported by: | DFu | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Generic / unclassified | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: | dfu@…, tct |
Description
at the moment some information are pushed over push-peer-info to VPN-Server. For example, MAC / GUI-Version and so on. But no secure computerinformation is pushed at the moment. For examle serial number / ActiveDirectory? SID and so on. We want to add an connect script on server that only allows connections from "internal" AD connected computers. So we need some secure Information from Client computer to identify. MAC or some env which i can set in client configuration is not secure enough, because each user can edit this file / information. I think it will be very easy to add some more "static" and secure information with push-peer-info command.
Change History (11)
comment:1 Changed 4 years ago by
| Cc: | tct added |
|---|
comment:2 Changed 4 years ago by
comment:3 Changed 4 years ago by
This is only a suggestion: TLS Crypt V2 looks like it fulfils most of the requirements here.
See:
comment:4 follow-up: 5 Changed 4 years ago by
okay, but how should this prevent if user copy client configuration and client certs / keys to an other machine?
Only MAC from connected device is sent to openVPN Server, not all local MACs... thats a problem
comment:8 Changed 4 years ago by
Hi, i think you have created some scripts about this topic.... is there something finished? Or is it now possible to send more information from local client to server with push-peer-info function?
Thanks
comment:9 Changed 4 years ago by
or is it possible to use computername / username / domainname from local computer env and push with push-peer-info?
comment:10 Changed 3 years ago by
@DFu https://github.com/TinCanTech/easy-tls is now at v2.2 and it does what you wanted and also detects when a user mixes TLS keys with incorrect X509 certificates. I would like to see it getting used and have some feedback of it's performance in a real world environment.
comment:11 Changed 3 years ago by
| Resolution: | → notabug |
|---|---|
| Status: | new → closed |
This is somewhat non-trivial, because OpenVPN is open source, so sophisticated users could just compile their own binary to transmit whatever they want...
I'd just go with MAC address. Already built-in functionality (just enable --push-peer-info on the client) and not easy to modify.