nanog mailing list archives
Re: SSL VPN
From: Stephen Cotton <stephen@cotton.email>
Date: Fri, 14 Jun 2019 14:18:47 -0600
If you are authenticating off radius, the profile then only contains the ta.key preauth key, as well as the server certs and settings. So multiple people (or/and office) can use a single profile with their unique credentials. I believe this may be susceptible to having the password cached in memory though, as it will auto reconnect on failure.

The default on the server setups also only allows a single active connection per user. There is a checkbox (in the pfsense server config page) to override this. It's important to be cognizant of because there's nothing stopping someone from using the same profile and radius creds on two devices (say a phone and computer), and the behavior they will see is just constant disconnects and reconnects.

On Fri, Jun 14, 2019 at 11:55 AM Jasper Backer <jasper () jbacker nl> wrote:
> Just wondering, is the client export actually tied to the logged in user, or can every user download all other VPN profiles (which hopefully are of little use as credentials are likely unknown)? It used to be that way, would be nice if it is tied to just the logged in user.
>
> Cheers,
> Jasper
>
> On 13-06-19 20:06, Matt Harris wrote:
>> On Thu, Jun 13, 2019 at 12:59 PM Mark Tinka <mark.tinka () seacom mu> wrote:
>>> OpenVPN in pfSense? We run tons of these around the world.
>>>
>>> Mark.
>>
>> With the client config generator package, "openvpn-client-export", installed, this is imho the best option for an end-user VPN. pfSense has a much nicer UI than OpenVPN AS, and that UI also supports other things you might need (like routing protocols via bird or quagga, managing the firewall, etc) as well. I can't see any reason to pay money for OpenVPN AS when you compare it to what you get for free with pfSense. The NetGate pfSense appliances are quite nicely spec'd, too, if you just have cash burning a hole in your pocket. It also easily ties in OpenVPN authentication to RADIUS or LDAP, and getting it working with Active Directory on the backend is trivially simple.