A few questions about restricting access to OpenVPN server
Hello,
I have some questions about the OpenVPN server:
1- How do I know how many people are connected to the OpenVPN server?
2- You give OpenVPN server keys to someone and he/she may share the keys with others. To avoid this problem, is it possible to restrict connection to the OpenVPN server based on the MAC address?
Thank you.
Answers to your questions are as follows:
1. Check the logs. There is one at /etc/openvpn/openvpn-status.log which shows a current client list.
2. You can't physically stop people from giving away keys &/or passwords, but you can make the keys useless to thieves by encrypting them. MAC filters are pretty weak, since MAC addresses are quite easy to spoof. OpenVPN will allow you to filter by MAC address. It is easier to do with the paid-for version, and it is also possible with the Community Edition, but you'll have to write your own scripts to do it.
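To turn the status file mentioned in the answer above into an actual head count, here is an added example (not code from the thread) that parses the default version-1 layout of openvpn-status.log, counts the connected clients, and reports any certificate common name that currently has more than one session. The sample status text embedded below is constructed for illustration; the path is the one the answer cites.

```python
"""Parse an OpenVPN status file (version 1 layout, the default for
/etc/openvpn/openvpn-status.log) and report who is connected."""
from collections import defaultdict

# Constructed sample in the version 1 format OpenVPN writes when the
# server config has `status /etc/openvpn/openvpn-status.log` and no
# `status-version` directive.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jan 11 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51234,12345,67890,Thu Jan 11 09:00:00 2024
bob,198.51.100.7:40001,2222,3333,Thu Jan 11 09:30:00 2024
alice,192.0.2.9:61000,100,200,Thu Jan 11 09:45:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:51234,Thu Jan 11 10:00:00 2024
10.8.0.10,bob,198.51.100.7:40001,Thu Jan 11 10:00:00 2024
10.8.0.14,alice,192.0.2.9:61000,Thu Jan 11 10:00:00 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(text):
    """Return one dict per row of the CLIENT LIST section, keyed by the
    column names from the section's header line."""
    clients = []
    in_clients = False
    header = None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            in_clients = True
            continue
        if line == "ROUTING TABLE":
            break  # the client list ends where the routing table starts
        if not in_clients or line.startswith("Updated,"):
            continue
        fields = line.split(",")
        if fields[0] == "Common Name":
            header = fields
            continue
        if header and len(fields) == len(header):
            clients.append(dict(zip(header, fields)))
    return clients


def connected_count(text):
    """Number of clients currently connected (question 1 in the thread)."""
    return len(parse_client_list(text))


def shared_certificates(text):
    """Map common name -> sorted real addresses for names with more than
    one concurrent session. With the default server settings (no
    `duplicate-cn`) this is empty, because the server drops the existing
    session when the same certificate connects again; a non-empty result
    means `duplicate-cn` is on and one key is in use from several places."""
    by_cn = defaultdict(list)
    for client in parse_client_list(text):
        by_cn[client["Common Name"]].append(client["Real Address"])
    return {cn: sorted(addrs) for cn, addrs in by_cn.items() if len(addrs) > 1}


def load_status(path="/etc/openvpn/openvpn-status.log"):
    """Read the live status file from a server (path from the answer above)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    text = SAMPLE_STATUS  # replace with load_status() on a real server
    print(f"{connected_count(text)} client(s) connected")
    for cn, addrs in shared_certificates(text).items():
        print(f"WARNING: certificate '{cn}' has sessions from {', '.join(addrs)}")
```

The status file is rewritten by the server on an interval, so a cron job running this script is the simplest way to watch for a common name appearing from two addresses at once.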
Hello,
Thank you so much for your reply.
1- My question is how can you find out if someone has shared the key with others?
2- I know filtering by MAC address is somewhat useless, because as you said others can spoof the MAC address. I think it is somewhat helpful, because maybe not everyone can do it. Regarding the script you mentioned, can you guide me?
Quote:
Originally Posted by Jason.nix
1- My question is how can you find out if someone has shared the key with others?
There is no way. Probably you can restrict the number of hosts by keys, but you will never know if a new device belongs to the same user (the old one is replaced) or it is another user. Or if the same user wants to use the VPN from more than one host.
Quote:
Originally Posted by Jason.nix
2- I know filtering by MAC address is somewhat useless, because as you said others can spoof the MAC address. I think it is somewhat helpful, because maybe not everyone can do it. Regarding the script you mentioned, can you guide me?
Now I can change the MAC address on my phone with a single click. Probably not everyone can do that, but it is already documented on the net.
Hello,
Thank you so much for your reply.
Is it possible to generate a key so that only 10 people can connect to the server through it?
About filtering by MAC address I found this article, but I have to test it.
Unless you change the default settings, the server will reject multiple concurrent connections with the same certificate.
You can also limit the number of concurrent connections to the server.
Hello,
Thanks again.
How? Can I use the LDAP mechanism (openvpn-auth-ldap) instead of MAC address filtering? If someone shares his/her username and password with others, then two people cannot connect to the server at the same time. Is this true?
You cannot prevent the misappropriation of keys, but you can selectively revoke any key that has been misused … and refer the employee to HR for violating company security policy. A revoked key is instantly useless.
You can prevent a given key from being used to initiate more than one session simultaneously.
You can password-protect (encrypt) a key to prevent unauthorized use.
Many commonly-used GUI clients can restrict management of the keys to “system administrators,” and will not disclose the key materials in any case. (Of course(!) the “traveling salesman” does not have “administrative access” to his computer …)
You should always(!) issue keys only to “uniquely identifiable individuals or computers.” (As the case may be.) Never “share them.” After all, the electronic badges that employees use to get past the front door are also never “shared.”
LDAP (“Microsoft OpenDirectory”) is commonly used for centralized key management, and it works very well.
Last edited by sundialsvcs; 01-12-2024 at 01:27 PM.
Quote:
Originally Posted by Jason.nix
Can I use LDAP mechanism (openvpn-auth-ldap) instead of MAC address filtering? If someone shares his/her username and password with others, then two people cannot connect to the server at the same time. Is this true?
Possibly, but the same is true of certificates. The server will reject attempts by a second user to use the same keys as someone else.
What is your concern here? What problem are you trying to solve?
Hello,
Thank you so much for your reply.
Quote:
You can prevent a given key from being used to initiate more than one session simultaneously.
Hello,
Thank you so much for your reply.
You give the OpenVPN keys to someone so he/she can connect to your server, and he/she shares the key with others. Now you have to look for a solution to detect and prevent this.
OpenVPN provides a server setting which prevents more than one simultaneous session from using the same credentials. (Everything in OpenVPN boils down to "the user's key." It knows nothing of system usernames, much less passwords.) The keys contain within their encrypted content a unique serial number, and the same number cannot be used twice at the same time.
Of course it goes without saying that you should never use PSKs ("simple passwords"). Every user or computer should be issued its own unique key, which you can if necessary selectively revoke.
Anyone who shares VPN key information should be subject to immediate employment termination. And they should be sternly warned of this on day one.
Also note that most software does not enable a "non-administrator user" to access the key information anyway: they are entitled to use the key, but they have no reason to know it. (Any more than they "need to know" what is actually encoded on the unique badge they use to get beyond the lobby of the building.)
If you further "password-protect" a key, you are actually encrypting it. So it must be successfully decrypted before it can then be used. But the security of the key rests only with "itself," encrypted or not. (And with the fact that it has not yet been revoked.) The key is "one of a kind," and the user cannot manufacture one for himself.
Give each user a unique key and a copy of the tls-auth certificate (which is common). The latter enables you to even try(!) to connect – completely shutting-down "unauthorized access attempts."
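As an added example (not from the thread, and not taken from OpenVPN's own documentation), here is a server.conf fragment that pulls together the server-side settings discussed across the thread: the status file from the first answer, the rejection of a second session on the same certificate and the cap on concurrent connections from the earlier "10 people" exchange, and the revocation and tls-auth points from this post. All file paths are assumptions, and the comments about easy-rsa assume that tool is used to manage the CA.

```conf
# Write the current client list here (parsed by status-file tools; this is
# the file the first answer in the thread points at).
status /etc/openvpn/openvpn-status.log

# Leave `duplicate-cn` OUT of the config (it is off by default). Without it,
# when a second client connects with a certificate that is already in use,
# the existing session with that common name is disconnected, so one shared
# key cannot be used from two places at the same time.
# duplicate-cn   <- deliberately not enabled

# Hard cap on concurrent clients, which is the closest thing to "only 10
# people can connect": extra clients are refused once the limit is reached.
max-clients 10

# Check every client certificate against the CA's revocation list. After
# `easyrsa revoke <name>` followed by `easyrsa gen-crl`, copy the new CRL to
# this path (assumed) and the revoked key stops working immediately.
crl-verify /etc/openvpn/crl.pem

# Shared tls-auth key, the same file on every client (key direction 0 on the
# server, 1 on the client). Packets without a valid HMAC are dropped before
# the TLS handshake, so unauthorized connection attempts never reach
# certificate processing.
tls-auth /etc/openvpn/ta.key 0
```

Pair this with client keys that are generated per person and, as the post says, password-protected on the client side; the server fragment above only enforces what the server can see (one session per certificate, a revoked certificate, and an invalid tls-auth HMAC).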
Last edited by sundialsvcs; 01-15-2024 at 08:52 AM.