Hi Nick,

Your setup is somewhat strange. In order to answer your question I also have some questions:

(1) Are you using the community version of OpenVPN? If not, maybe you want to consult the vendor's professional support.
(2) How are you generating the configs and DMG files? What is the name of the tool/script, or is it written by you?
(3) Why does the user have access to the DMG, but is not supposed to run/install it somewhere else?

The service that sends .conf files does not sound like the community version.

From a high-level view it sounds like you want to secure a computer pool, or the like, where users don't have admin privileges. Why not install a central VPN gateway for that network?

P.S. With the community edition one would just provide a generic client conf/ovpn file, and the user authentication relies on X.509 certificates. Just those would need to be deployed over a secure channel (offline, PGP, etc.).

Just my 2 cents,
Mathias.

On 10/24/2014 06:10 PM, Nicholas Hartman wrote:
> The OpenVPN forum suggested I post this question to the listserve....
>
> Is it possible to use the server-generated user .conf files without
> having the server automatically distribute them to
> users upon successful login verification?
>
> Our objective is to make sure that a user can only log in from a single
> designated machine. The general workflow we're aiming for is:
>
> 1. We generate a profile for the user on the server and generate a DMG
>    installer for that user
> 2. The DMG installer is installed on a user's designated machine and the
>    included profile is 'trusted'
> 3. User is able to log in from that computer but can't copy the conf file
>    to a different machine and thus log in from anywhere
>
> We've been able to do all three of the above, and it appears that once
> installed a user conf file is kept quite secure within OS X (it seems to
> be placed in a folder under /Library/Application Support/OpenVPN that's
> well locked down and only readable by root... even an admin needs to sudo
> su to get into that directory). Our users in this use case are not
> admins and are all on Macs.
>
> The issue is that if a user simply logs in from another computer the
> access server is being too helpful and just sending out the locally
> stored profile. How can we stop that (or alternatively pre-configure
> .conf files with all the necessary keys without having the server
> automatically send them to the authenticated user)?
>
> Thanks in advance for comments and feedback!
>
> I appreciate any thoughts and advice people could provide on this topic.
>
> P.S. I realize that the above could also be accomplished using a fully
> separate External PKI setup with client keys installed into the OS X
> keychain, but A) we've had some difficulties getting that to work with
> OpenVPN (topic for another thread) and B) simply letting the server
> generate the fully self-contained .conf files is quite nice... we just
> want it to stop simply sending it down to any random client machine on a
> successful login.
>
> Thanks,
>
> — Nick

Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
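Mathias's P.S. describes the community-edition pattern: one generic client profile for everyone, and a per-user X.509 certificate for authentication. The script below is an added example, not code from this thread or from the OpenVPN project, that packages such a profile with the user's certificate and key inline, and refuses to package a certificate that does not chain to the CA or whose private key does not match it. It assumes `openssl` on the PATH, a throwaway CA created by the script itself in place of easy-rsa, and hypothetical names (the server `vpn.example.invalid`, the user `nick`, the CA `example-ca`) that do not come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build a per-user inline .ovpn from a
# generic client template plus that user's X.509 certificate and key.
# Assumptions: openssl on PATH; a throwaway CA made here stands in for easy-rsa;
# the server name, user name and CA name are hypothetical.
set -eu

WORK="$(mktemp -d)"

# Generic client profile, identical for every user (constructed sample).
make_template() {
  cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
EOF
}

# Create the CA and issue one client certificate for user $1.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=example-ca" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# Refuse certificates that do not chain to our CA or whose key does not match.
check_identity() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  cert_pub="$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout)"
  key_pub="$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)"
  [ "$cert_pub" = "$key_pub" ]
}

# Write the inline profile (template + <ca>/<cert>/<key> blocks) and print its path.
build_profile() {
  check_identity "$1" || { echo "refusing to package $1: cert/key check failed" >&2; return 1; }
  {
    make_template
    printf '<ca>\n';   cat "$WORK/ca.crt";                          printf '</ca>\n'
    printf '<cert>\n'; openssl x509 -in "$WORK/$1.crt" 2>/dev/null; printf '</cert>\n'
    printf '<key>\n';  cat "$WORK/$1.key";                          printf '</key>\n'
  } > "$WORK/$1.ovpn"
  echo "$WORK/$1.ovpn"
}

# Inspection helpers: number of inline block tags, and the CN of the embedded client cert.
profile_block_tags() {
  grep -c -E '^</?(ca|cert|key)>$' "$1"
}
profile_cn() {
  sed -n '/^<cert>$/,/^<\/cert>$/p' "$1" | sed '1d;$d' \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}
```

Run `setup_pki nick` and then `build_profile nick`; the printed path is the inline `.ovpn` that, as Mathias notes, still has to reach the user over a secure channel. A profile built this way ties the login to whoever holds the certificate and key, not to a particular machine; binding it to one machine is what the keychain-based external PKI approach in Nick's P.S. is for.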