The OpenVPN forum suggested I post this question to the listserv. Is it possible to use the server-generated user .conf files without having the server automatically distribute them to users upon successful login verification?
Our objective is to make sure that a user can only log in from a single designated machine. The general workflow we're aiming for is:

1. We generate a profile for the user on the server and generate a DMG installer for that user.
2. The DMG installer is installed on a user's designated machine and the included profile is 'trusted'.
3. The user is able to log in from that computer but can't copy the conf file to a different machine and thus log in from anywhere.

We've been able to do all three of the above, and it appears that once installed a user conf file is kept quite secure within OS X (it seems to be placed in a folder under /Library/Application Support/OpenVPN that's well locked down and only readable by root; even an admin needs to sudo su to get into that directory). Our users in this use case are not admins and are all on Macs.

The issue is that if a user simply logs in from another computer, the Access Server is being too helpful and just sends out the locally stored profile. How can we stop that (or, alternatively, pre-configure .conf files with all the necessary keys without having the server automatically send them to the authenticated user)?

Thanks in advance for comments and feedback! I appreciate any thoughts and advice people could provide on this topic.

P.S. I realize that the above could also be accomplished using a fully separate External PKI setup with client keys installed into the OS X keychain, but A) we've had some difficulties getting that to work with OpenVPN (topic for another thread) and B) simply letting the server generate the fully self-contained .conf files is quite nice... we just want it to stop sending them down to any random client machine on a successful login.

Thanks,
— Nick
Openvpn-users mailing list: Openvpn-users@lists.sourceforge.net, https://lists.sourceforge.net/lists/listinfo/openvpn-users