OpenVPN client side security

For those deploying OVPN at businesses using pfSense, what are you using to ensure that only allowed assets pass the security check, so that only employees can remote in?
In other vendors this is carried out using HIP checks, but OpenVPN doesn’t seem to offer that, so I’m curious how to prevent a user from taking the ovpn.conf file, loading it up on another workstation and remoting in that way.

Boil it down: Restrict OVPN client to only specific devices

This is the realm of PKI (public key infrastructure): using certificates to secure hardware and hardware to secure certificates, i.e. hardware security modules!

It’s what stops you from just walking up to an ethernet port and plugging into the network.

Worked for a bank on a programme doing exactly this.

How does using certs prevent someone/anyone from loading an OVPN profile and logging in remotely?

Because if they don’t have the accompanying certificates with the ovpn file then they cannot authenticate.

So help me understand…
In the pfSense OpenVPN export there is an option to export the ovpn with the client certificate. Actually, I think the user certificate is part of the ovpn file. What’s to stop anyone else from copying the ovpn file over to another machine, or that same user copying it to their personal laptop and remoting in?

You wouldn’t download the “all-in-one” file from pfsense. You would download the bundle with the certificates.
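The difference between the “all-in-one” export and a profile whose key never leaves the device can be checked mechanically. The script below is an added example, not from any poster in this thread or from pfSense: it classifies exported `.ovpn` files by how they carry the private key. An inline `<key>` block makes the profile fully portable, whereas `pkcs11-id` (a PKCS#11 token) or `management-external-key` (an external key store) leaves the key on the hardware. The sample profiles it writes are constructed placeholders, and the provider library path is only an example.

```shell
#!/bin/sh
# Added example (not from the thread): audit exported OpenVPN client profiles
# for how each one carries its private key.  "inline-key" and "file-key"
# profiles are portable; "hardware-token" and "external-key" profiles depend on
# key material that stays on the device.

# classify_profile FILE
#   prints: inline-key | hardware-token | external-key | file-key | no-key
classify_profile() {
    f="$1"
    if grep -q '^[[:space:]]*<key>' "$f"; then
        echo inline-key                 # private key embedded in the profile
    elif grep -Eq '^[[:space:]]*pkcs11-id([[:space:]]|$)' "$f"; then
        echo hardware-token             # key lives on a PKCS#11 token
    elif grep -Eq '^[[:space:]]*management-external-key([[:space:]]|$)' "$f"; then
        echo external-key               # key served by an external key store
    elif grep -Eq '^[[:space:]]*key[[:space:]]+' "$f"; then
        echo file-key                   # key in a separate, copyable file
    else
        echo no-key
    fi
}

# audit_profiles DIR
#   prints "<class> <file>" for every .ovpn in DIR; returns 1 if any profile
#   is portable (inline-key or file-key), 0 otherwise.
audit_profiles() {
    dir="$1"; rc=0
    for p in "$dir"/*.ovpn; do
        [ -e "$p" ] || continue
        c=$(classify_profile "$p")
        printf '%s %s\n' "$c" "$p"
        case "$c" in inline-key|file-key) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample profiles (placeholder certificate/key bodies) written to
# a temporary directory; prints the directory path.
make_sample_profiles() {
    d=$(mktemp -d)
    cat > "$d/allinone.ovpn" <<'EOF'
client
remote vpn.example.test 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
</key>
EOF
    cat > "$d/token.ovpn" <<'EOF'
client
remote vpn.example.test 1194 udp
ca ca.crt
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-id '(constructed placeholder; real value comes from openvpn --show-pkcs11-ids)'
EOF
    printf '%s\n' "$d"
}
```

Run `audit_profiles /path/to/exports` against a directory of exported profiles; a non-zero exit means at least one profile can be copied to another machine together with its key.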

Look at number 8 in this article. The rest of the article is a good read too. It talks about using security devices for private keys.

You would authenticate the device too, that’s part of the PKI.
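One concrete way to authenticate the device on the OpenVPN server side, as an added example that is not from any poster in this thread: a `tls-verify` hook that accepts only client certificates whose CN is on a per-device allowlist, so a profile carrying a valid certificate from the same CA is still rejected when it is presented from an unlisted device. OpenVPN calls the hook with two arguments, the chain depth and the certificate subject, and requires `script-security 2` in the server config. The allowlist path and the naming scheme (one CN per managed device) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN server-side "tls-verify" hook.
# Server config (assumed):
#   script-security 2
#   tls-verify /etc/openvpn/verify-device.sh
# OpenVPN invokes:  verify-device.sh <depth> <subject>
# Exit 0 lets the handshake continue, non-zero aborts it.
ALLOWLIST="${OVPN_DEVICE_ALLOWLIST:-/etc/openvpn/allowed-devices.txt}"   # assumed path

# Pull the CN out of a subject string.  Handles the comma-separated form
# ("CN=laptop-0042, O=Example Corp") and the older slash-separated form
# ("/C=US/O=Example Corp/CN=laptop-0042").
cn_from_subject() {
    printf '%s\n' "$1" \
        | tr ',/' '\n\n' \
        | sed -n 's/^[[:space:]]*CN=//p' \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# verify_client DEPTH SUBJECT ALLOWLIST_FILE
verify_client() {
    depth="$1"; subject="$2"; allow="$3"
    # Only the leaf certificate (depth 0) names the device; CA certificates
    # higher up the chain are left to OpenVPN's normal chain validation.
    case "$depth" in
        0) ;;
        *) return 0 ;;
    esac
    cn=$(cn_from_subject "$subject")
    [ -n "$cn" ] || return 1          # no CN at all: reject
    [ -r "$allow" ] || return 1       # missing allowlist fails closed
    # Exact, whole-line, literal match: "laptop-0042" must not match "laptop-00421".
    grep -Fxq -- "$cn" "$allow"
}

# Constructed sample allowlist for demonstration: one device CN per line.
make_sample_allowlist() {
    f=$(mktemp)
    printf '%s\n' laptop-0042 laptop-0043 > "$f"
    printf '%s\n' "$f"
}

# OpenVPN passes exactly two arguments when it calls this script.
if [ "$#" -eq 2 ]; then
    verify_client "$1" "$2" "$ALLOWLIST"
    exit $?
fi
```

The allowlist only helps if each device holds its own certificate and the private key cannot be exported from that device (for example, generated on a hardware token); with a shared or copyable key the CN check alone does not bind the profile to the hardware.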

If someone can plug their laptop into your network and connect in the office, then if you can transpose all the OpenVPN files over to another laptop, they should be able to connect as well.

Can’t do it if you have set up PKI.

There is nothing stopping someone from doing that with OpenVPN.