Device Security & other questions on Openvpn

Corona has affected everyone including my company.

Management of our company wants to use company laptops in a work-from-home arrangement [ with hardened OS + custom security patches ] only while connecting to the company network over VPN.

My questions:

  1. Is it possible to allow only registered devices to log in with OpenVPN? [ Through MAC-ID identification. ]
  2. Is it possible to bind a specific IP when you connect with OpenVPN?
  3. Is it possible to create a post-VPN-connect script to inspect the connecting device for viruses/malware [ Windows-only devices ] on the pfSense side?
  4. Single sign-on [ MS AD ] with OpenVPN: is it possible?
  5. What could be the potential hardware sizing for about 500 VPN connections [ WAN: 1 Gbps port ] for OpenVPN?

Looking for some help.

Regards.

  1. There is nothing really stopping someone with OpenVPN installed from cloning it to another computer
  2. Yes, with a Radius server https://youtu.be/jEK-O3U3gdg
  3. That is not really a VPN function
  4. It can be done
  5. Depends on bandwidth needs, they can all connect, but how fast does it need to be?

Thank you so much for a very relevant reply…

Regards,

Here is my take on said issue:

  1. Yes, you can do this multiple ways, including GPOs. This is also what certificates are for.
  2. Yes, as Tom has pointed out, a RADIUS server.
  3. Why would you need to do that if an active anti-virus is running all the time already?
  4. You can have OpenVPN use the Windows certificate store for its key to connect (which resolves question 1 too).
  5. I have not seen OpenVPN do 1 gigabit on a single session and am not aware if it can spread the load of connections across multiple cores. Some testing can be done to find out.

At your company's size, you would want to explore other options such as Fortinet products (the most cost-effective solutions compared to something like Cisco). My previous job included managing deployments and it's been doing everything you want it to do. Take a look at the FortiGate 60F or the FortiGate 100F (pick your poison). I know it is not an open-source solution and that it costs money, but it may be the appropriate solution for the size of your organization. Fortinet had some security issues in the past, but if you look beyond that, it's actually a solid product. You can push out the VPN client via a GPO and the profile configuration as well. Plus you can dial in from the lock screen, which is a must if you are working remotely, otherwise you may have users running into the "domain not found" issue.
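Both replies above lean on the same idea for questions 1 and 2: one client certificate per registered laptop (so the certificate's Common Name identifies the device) and a fixed tunnel address per device handed out by RADIUS. The script below is an added example for this thread, not code from pfSense, OpenVPN or any poster; it reads the status file that OpenVPN's `status` directive writes (status-version 1 layout) and reports sessions whose Common Name is not on a device allow-list, or whose tunnel address differs from the one registered for that device. The allow-list and the status text are constructed sample data, and the per-device addresses are an assumption about how the RADIUS replies would be configured.

```python
"""Audit an OpenVPN status file (status-version 1) against a device allow-list.

Added illustration for this thread; not pfSense or OpenVPN code. Assumes one
client certificate per registered laptop and a fixed tunnel address per device
(e.g. assigned via RADIUS Framed-IP-Address). Sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed allow-list: certificate Common Name -> expected tunnel address.
REGISTERED_DEVICES: Dict[str, str] = {
    "laptop-001": "10.8.0.10",
    "laptop-002": "10.8.0.11",
}

# Constructed status output in OpenVPN's status-version 1 layout.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop-001,203.0.113.5:51234,12345,23456,Thu Jun 18 08:00:00 2020
laptop-002,198.51.100.7:40001,999,1200,Thu Jun 18 08:05:00 2020
contractor-x,192.0.2.9:55555,10,20,Thu Jun 18 08:10:00 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.10,laptop-001,203.0.113.5:51234,Thu Jun 18 08:12:10 2020
10.8.0.50,laptop-002,198.51.100.7:40001,Thu Jun 18 08:12:11 2020
10.8.0.99,contractor-x,192.0.2.9:55555,Thu Jun 18 08:12:12 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


@dataclass
class Session:
    common_name: str
    real_address: str
    # A client can own several routing-table rows (e.g. iroute), so keep all.
    virtual_addresses: List[str] = field(default_factory=list)


def parse_status(text: str) -> List[Session]:
    """Return one Session per (Common Name, Real Address) pair in the status text."""
    sessions: Dict[Tuple[str, str], Session] = {}
    section = None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        fields = line.split(",")
        if section == "clients" and len(fields) == 5 and fields[0] != "Common Name":
            cn, real = fields[0], fields[1]
            sessions[(cn, real)] = Session(cn, real)
        elif section == "routes" and len(fields) == 4 and fields[0] != "Virtual Address":
            vaddr, cn, real = fields[0], fields[1], fields[2]
            if (cn, real) in sessions:
                sessions[(cn, real)].virtual_addresses.append(vaddr)
    return list(sessions.values())


def audit(sessions: List[Session], registered: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Flag sessions that are unregistered or hold an address other than the registered one."""
    findings = []
    for s in sessions:
        expected = registered.get(s.common_name)
        if expected is None:
            findings.append(("unregistered", s.common_name, s.virtual_addresses))
        elif not s.virtual_addresses or any(a != expected for a in s.virtual_addresses):
            findings.append(("address-mismatch", s.common_name, s.virtual_addresses))
    return findings


if __name__ == "__main__":
    for kind, cn, addrs in audit(parse_status(SAMPLE_STATUS), REGISTERED_DEVICES):
        print(f"{kind}: {cn} {addrs}")
```

On a pfSense box the status file path comes from the OpenVPN server's `status` directive; point `parse_status` at that file instead of `SAMPLE_STATUS`. The check only observes what the server already admitted, so it complements rather than replaces the certificate and RADIUS controls the replies describe: a device whose certificate was cloned to another machine (the caveat in reply 1) will still show up as a valid Common Name, which is why the real-address column is kept alongside it.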

I have about 800 Mbit/s from a VPN client to a PIA VPN server in my country. CPU utilization is now around 3-4%, so I suspect a lot of reserve capacity, only restricted by the gigabit Ethernet ports.