Opened 12 months ago

Last modified 7 weeks ago

#1317 new Feature Wish

openVPN push-peer-info

Reported by: DFu
Owned by:
Priority: major
Milestone:
Component: Generic / unclassified
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc: dfu@…, tct


At the moment some information is pushed over push-peer-info to the VPN server, for example MAC / GUI version and so on. But no secure computer information is pushed at the moment, for example serial number / ActiveDirectory SID and so on. We want to add a connect script on the server that only allows connections from "internal" AD-connected computers. So we need some secure information from the client computer to identify it. A MAC or some env variable which I can set in the client configuration is not secure enough, because each user can edit this file / information. I think it will be very easy to add some more "static" and secure information with the push-peer-info command.

Change History (10)

comment:1 Changed 12 months ago by tct

Cc: tct added

comment:2 Changed 11 months ago by Gert Döring

This is somewhat non-trivial, because OpenVPN is open source, so sophisticated users could just compile their own binary to transmit whatever they want...

I'd just go with MAC address. Already built-in functionality (just enable --push-peer-info on the client) and not easy to modify.

comment:3 Changed 11 months ago by tct

This is only a suggestion: TLS Crypt V2 looks like it fulfils most of the requirements here.


comment:4 Changed 11 months ago by DFu

Okay, but how should this prevent it if a user copies the client configuration and client certs / keys to another machine?

Only the MAC from the connected device is sent to the openVPN server, not all local MACs... that's a problem.

comment:5 in reply to: 4 Changed 11 months ago by tct

Write a script to verify that the client MAC is correct.

comment:6 Changed 11 months ago by DFu

Do you mean a client script or a server script?

comment:8 Changed 9 months ago by DFu

Hi, I think you have created some scripts about this topic.... Is there something finished? Or is it now possible to send more information from the local client to the server with the push-peer-info function?

comment:9 Changed 9 months ago by DFu

Or is it possible to use computername / username / domainname from the local computer env and push them with push-peer-info?

comment:10 Changed 7 weeks ago by tct

@DFu is now at v2.2 and it does what you wanted and also detects when a user mixes TLS keys with incorrect X509 certificates. I would like to see it getting used and have some feedback on its performance in a real world environment.
