LinuxQuestions.org


Jason.nix 01-05-2024 04:41 AM

A few questions about restricting access to OpenVPN server
 
Hello,
I have some questions about the OpenVPN server:
1- How do I know how many people are connected to the OpenVPN server?

2- You give OpenVPN server keys to someone and he/she may share the keys with others. To avoid this problem, is it possible to restrict connection to the OpenVPN server based on the MAC address?

Thank you.

___ 01-05-2024 10:22 PM

vpn is a good, diverse learning project
 
IDK vpn, but I say this to be globally helpful (not scolding):
Might you prefer the instant results from web-searching?

For these 2 questions, answers look plentiful.
(In other instances, less-definitive search results may help clarify keywords & info needed.)

And I don't mean to derail those who enjoy answering. Best wishes.


Edit, added after #3-on +1: I was wrong, sorry:
just-google probably wouldn't have found
the discussion of security issues.

rkelsen 01-05-2024 10:46 PM

Quote:

Originally Posted by Jason.nix (Post 6474752)
Hello,
I have some questions about the OpenVPN server:
1- How do I know how many people are connected to the OpenVPN server?

2- You give OpenVPN server keys to someone and he/she may share the keys with others. To avoid this problem, is it possible to restrict connection to the OpenVPN server based on the MAC address?

Thank you.

Answers to your questions are as follows:

1. Check the logs. There is one at /etc/openvpn/openvpn-status.log which shows a current client list.

2. You can't physically stop people from giving away keys and/or passwords, but you can make the keys useless to thieves by encrypting them. MAC filters are pretty weak, since MAC addresses are quite easy to spoof. OpenVPN will allow you to filter by MAC address. It is easier to do with the paid-for version, and it is also possible with the Community Edition, but you'll have to write your own scripts to do it.
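As an added example, not code from the thread: a small Python parser for the default (version 1) layout of the status file rkelsen mentions. It returns the number of connected clients and flags any common name with more than one concurrent session, which is what a shared certificate looks like on a server where duplicate-cn is enabled. The status text below is constructed.

```python
from collections import defaultdict

# Constructed sample of an OpenVPN status file (version 1 layout). "carol"
# holds two sessions from different source addresses, something the server
# only permits when duplicate-cn is set in server.conf.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Jan  8 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,12345,67890,Mon Jan  8 09:50:00 2024
bob,198.51.100.7:40001,222,333,Mon Jan  8 09:55:00 2024
carol,192.0.2.5:50000,10,20,Mon Jan  8 09:58:00 2024
carol,203.0.113.99:50001,30,40,Mon Jan  8 09:59:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.10:51234,Mon Jan  8 09:59:00 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(status_text):
    """Return [(common_name, real_address), ...] from the CLIENT LIST section."""
    clients = []
    in_clients = False
    for line in status_text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            in_clients = True
            continue
        if line.startswith("ROUTING TABLE"):
            break  # client entries end here
        if not in_clients or line.startswith(("Updated,", "Common Name,")):
            continue
        fields = line.split(",")
        if len(fields) >= 5:
            clients.append((fields[0], fields[1]))
    return clients


def connected_count(status_text):
    """Number of clients currently connected (question 1 of the thread)."""
    return len(parse_client_list(status_text))


def shared_certificates(status_text):
    """Common names with more than one live session, mapped to their sorted
    source addresses; a concrete hint that the key behind that CN is shared."""
    seen = defaultdict(set)
    for cn, addr in parse_client_list(status_text):
        seen[cn].add(addr)
    return {cn: sorted(addrs) for cn, addrs in seen.items() if len(addrs) > 1}
```

Point it at the real file by reading it into `status_text`; with the thread's path that is `open("/etc/openvpn/openvpn-status.log").read()`.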

Jason.nix 01-06-2024 03:53 AM

Quote:

Originally Posted by rkelsen (Post 6474897)
Answers to your questions are as follows:

1. Check the logs. There is one at /etc/openvpn/openvpn-status.log which shows a current client list.

2. You can't physically stop people from giving away keys and/or passwords, but you can make the keys useless to thieves by encrypting them. MAC filters are pretty weak, since MAC addresses are quite easy to spoof. OpenVPN will allow you to filter by MAC address. It is easier to do with the paid-for version, and it is also possible with the Community Edition, but you'll have to write your own scripts to do it.

Hello,
Thank you so much for your reply.
1- My question is how can you find out if someone has shared the key with others?

2- I know filtering by MAC address is somewhat useless, because as you said others can spoof the MAC address. I think it is somewhat helpful, because maybe not everyone can do it. Regarding the script you mentioned, can you guide me?

pan64 01-06-2024 04:07 AM

Quote:

Originally Posted by Jason.nix (Post 6474920)
1- My question is how can you find out if someone has shared the key with others?

There is no way. Probably you can restrict the number of hosts by keys, but you will never know if a new device belongs to the same user (the old one is replaced) or it is another user. Or if the same user wants to use the VPN from more than one host.
Quote:

Originally Posted by Jason.nix (Post 6474920)
2- I know filtering by MAC address is somewhat useless, because as you said others can spoof the MAC address. I think it is somewhat helpful, because maybe not everyone can do it. Regarding the script you mentioned, can you guide me?

Now I can change the MAC address on my phone with a single click. Probably not everyone can do that, but it is already documented on the net.

Jason.nix 01-06-2024 05:30 AM

Quote:

Originally Posted by pan64 (Post 6474923)
There is no way. Probably you can restrict the number of hosts by keys, but you will never know if a new device belongs to the same user (the old one is replaced) or it is another user. Or if the same user wants to use the VPN from more than one host.

Now I can change the MAC address on my phone with a single click. Probably not everyone can do that, but it is already documented on the net.

Hello,
Thank you so much for your reply.
Is it possible to generate a key so that only 10 people can connect to the server through it?
About filtering by MAC address I found this article, but I have to test it.

rkelsen 01-06-2024 05:51 AM

Unless you change the default settings, the server will reject multiple concurrent connections with the same certificate.

You can also limit the number of concurrent connections to the server.
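An added example, not from the thread: a Python audit of the two server.conf directives behind rkelsen's answer, duplicate-cn (absent by default, so one certificate gets at most one concurrent session) and max-clients (a server-wide cap, not a per-key one). Both config fragments are constructed; the status path is the one rkelsen quoted.

```python
# Constructed server.conf fragments. WEAK_CONF enables duplicate-cn, so one
# certificate may open any number of sessions at once and key sharing is
# invisible; HARDENED_CONF keeps the default and caps the whole server at 10.
WEAK_CONF = """\
port 1194
proto udp
dev tun
duplicate-cn
"""

HARDENED_CONF = """\
port 1194
proto udp
dev tun
; duplicate-cn is deliberately left unset: one session per common name
max-clients 10
status /etc/openvpn/openvpn-status.log
"""


def audit_server_conf(conf_text):
    """Extract the directives that decide whether a shared key goes unnoticed.
    OpenVPN treats lines beginning with '#' or ';' as comments."""
    settings = {"duplicate_cn": False, "max_clients": None, "status_file": None}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        directive, *args = line.split()
        if directive == "duplicate-cn":
            settings["duplicate_cn"] = True
        elif directive == "max-clients" and args:
            settings["max_clients"] = int(args[0])  # server-wide, not per key
        elif directive == "status" and args:
            settings["status_file"] = args[0]  # optional 2nd arg is the interval
    return settings


def findings(conf_text):
    """Plain-language notes on what the configuration allows."""
    s = audit_server_conf(conf_text)
    notes = []
    if s["duplicate_cn"]:
        notes.append("duplicate-cn set: one certificate may hold many sessions at once")
    if s["max_clients"] is None:
        notes.append("max-clients unset: no cap on concurrent sessions")
    if s["status_file"] is None:
        notes.append("status unset: no current client list is written")
    return notes
```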

Jason.nix 01-06-2024 05:54 AM

Quote:

Originally Posted by rkelsen (Post 6474940)
Unless you change the default settings, the server will reject multiple concurrent connections with the same certificate.

You can also limit the number of concurrent connections to the server.

Hello,
Thanks again.
How? Can I use the LDAP mechanism (openvpn-auth-ldap) instead of MAC address filtering? If someone shares his/her username and password with others, then two people cannot connect to the server at the same time. Is this true?

sundialsvcs 01-12-2024 01:17 PM

You cannot prevent the misappropriation of keys, but you can selectively revoke any key that has been misused … and refer the employee to HR for violating company security policy. A revoked key is instantly useless.

You can prevent a given key from being used to initiate more than one session simultaneously.

You can password-protect (encrypt) a key to prevent unauthorized use.

Many commonly-used GUI clients can restrict management of the keys to “system administrators,” and will not disclose the key materials in any case. (Of course(!) the “traveling salesman” does not have “administrative access” to his computer …)

You should always(!) issue keys only to “uniquely identifiable individuals or computers.” (As the case may be.) Never “share them.” After all, the electronic badges that employees use to get past the front door are also never “shared.”

LDAP (“Microsoft OpenDirectory”) is commonly used for centralized key management, and it works very well.

rkelsen 01-12-2024 02:46 PM

Quote:

Originally Posted by Jason.nix (Post 6474941)
Can I use the LDAP mechanism (openvpn-auth-ldap) instead of MAC address filtering? If someone shares his/her username and password with others, then two people cannot connect to the server at the same time. Is this true?

Possibly, but the same is true of certificates. The server will reject attempts by a second user to use the same keys as someone else.

What is your concern here? What problem are you trying to solve?

Jason.nix 01-15-2024 02:29 AM

Quote:

Originally Posted by sundialsvcs (Post 6476271)
You cannot prevent the misappropriation of keys, but you can selectively revoke any key that has been misused … and refer the employee to HR for violating company security policy. A revoked key is instantly useless.

You can prevent a given key from being used to initiate more than one session simultaneously.

You can password-protect (encrypt) a key to prevent unauthorized use.

Many commonly-used GUI clients can restrict management of the keys to “system administrators,” and will not disclose the key materials in any case. (Of course(!) the “traveling salesman” does not have “administrative access” to his computer …)

You should always(!) issue keys only to “uniquely identifiable individuals or computers.” (As the case may be.) Never “share them.” After all, the electronic badges that employees use to get past the front door are also never “shared.”

LDAP (“Microsoft OpenDirectory”) is commonly used for centralized key management, and it works very well.

Hello,
Thank you so much for your reply.
Quote:

You can prevent a given key from being used to initiate more than one session simultaneously.
How? By setting username and password?

Jason.nix 01-15-2024 02:31 AM

Quote:

Originally Posted by rkelsen (Post 6476284)
Possibly, but the same is true of certificates. The server will reject attempts by a second user to use the same keys as someone else.

What is your concern here? What problem are you trying to solve?

Hello,
Thank you so much for your reply.
You give the OpenVPN keys to someone so he/she can connect to your server, and he/she shares the key with others. Now you have to look for a solution to detect and prevent this.

pan64 01-15-2024 03:09 AM

what about looking for an answer yourself, like this: https://serverfault.com/questions/22...taneous-access

sundialsvcs 01-15-2024 08:46 AM

OpenVPN provides a server setting which prevents more than one simultaneous session from using the same credentials. (Everything in OpenVPN boils down to "the user's key." It knows nothing of system usernames, much less passwords.) The keys contain within their encrypted content a unique serial number, and the same number cannot be used twice at the same time.

Of course it goes without saying that you should never use PSKs (= simple passwords). Every user or computer should be issued its own unique key, which you can if necessary selectively revoke.

Anyone who shares VPN key information should be subject to immediate employment termination. And they should be sternly warned of this on day one.

Also note that most software does not enable a "non-administrator user" to access the key information anyway: they are entitled to use the key, but they have no reason to know it. (Any more than they "need to know" what is actually encoded on the unique badge they use to get beyond the lobby of the building.)

If you further "password-protect" a key, you are actually encrypting it. So it must be successfully decrypted before it can then be used. But the security of the key rests only with "itself," encrypted or not. (And with the fact that it has not yet been revoked.) The key is "one of a kind," and the user cannot manufacture one for himself.

Give each user a unique key and a copy of the tls-auth certificate (which is common). The latter enables you to even try(!) to connect – completely shutting-down "unauthorized access attempts."

Jason.nix 01-16-2024 12:39 AM

Quote:

Originally Posted by pan64 (Post 6476843)
what about looking for an answer yourself, like this: https://serverfault.com/questions/22...taneous-access

Hello,
Thank you so much for your reply.
Are you saying that by default two people cannot use the same key at the same time?
