VPN Security Questions/Help

GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

VPN Security Questions/Help

Postby GStress » Sun Nov 08, 2009 11:19 pm

Hello, new to the forums here. After searching for some info on OpenVPN-ALS it led me here, and I'm glad there's lots of useful and interesting information here.

I'm having a bit of an issue though. Adito is one of the greatest things I've used lately. I use it and have about 40+ users who also use it. Problem is I don't want them accessing Adito outside of their home or giving out their account info. What I would like to do is set up an access list via IP address, but I'm not sure exactly how to.

I'm also running Apache, but it seems that, Adito being its own service, any security settings in Apache won't affect Adito. If anyone has any alternative methods or advice to offer it'd be greatly appreciated.

cpg
Administrator
Posts: 2605
Joined: Wed Dec 03, 2008 7:40 am

Re: Adito Security Help

Postby cpg » Tue Nov 10, 2009 5:06 am

not clear what you are asking.

in amahi we use it with apache proxying, in case that helps.
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

bigfoot65
Project Manager
Posts: 11465
Joined: Mon May 25, 2009 4:31 pm

Re: Adito Security Help

Postby bigfoot65 » Tue Nov 10, 2009 7:41 am

Hello,

I believe you can modify the settings to restrict what IP addresses it can be accessed from. It's a little outdated, but you could look in the administrator guide for answers. Keep in mind this guide is for SSL-Explorer, of which Adito is a fork.

You can find a link in the Amahi wiki http://wiki.amahi.org/index.php/Adito. Hope this helps.
ßîgƒσστ65
Applications Manager

lou1z
Posts: 206
Joined: Fri Jul 17, 2009 1:58 am

Re: Adito Security Help

Postby lou1z » Wed Nov 11, 2009 12:26 am

Yes, that can be done; however, your users will need to have static IPs at their homes.
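As an added example (not from this thread, and not Amahi's or Adito's own configuration), here is how the Apache-proxying setup cpg mentions can carry the IP allow list itself, so that a request from an unknown address is refused before it ever reaches Adito. Assumptions: the public name vpn.example.com, Adito moved to listen on 127.0.0.1:8443 so Apache can own port 443, and the home addresses are made-up documentation ranges. The syntax is Apache 2.4; on Apache 2.2 the body of the `<Location>` would instead read `Order deny,allow`, `Deny from all`, `Allow from 203.0.113.10`.

```apache
# Added example: Apache 2.4 reverse proxy in front of Adito with an IP allow list.
# Assumed: hostname vpn.example.com, Adito on 127.0.0.1:8443, made-up home addresses.
<VirtualHost *:443>
    ServerName vpn.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/vpn.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/vpn.example.com.key

    # Adito presents its own self-signed certificate on the loopback listener,
    # so the proxy side of the TLS connection is not verified against a CA.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off

    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass        / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/

    # The allow list: one entry per user's home connection. Anything else is
    # answered with 403 by Apache and never forwarded to Adito.
    <Location />
        Require ip 203.0.113.10
        Require ip 198.51.100.0/28
    </Location>
</VirtualHost>
```

The check that matters with this layout: Adito's own listener has to be bound to loopback (or firewalled off), otherwise anyone can skip the proxy and its allow list by connecting to Adito's port directly. And, as lou1z says, each home address has to be static; when a dynamic address changes, the user is locked out and the old address may now belong to a stranger.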

GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

Re: Adito Security Help

Postby GStress » Thu Nov 12, 2009 5:12 pm

Thanks guys, I didn't think I was going to get any replies honestly. Adito is a bit different from SSL-Explorer: the attributes config is separate from the user's config. But how in the world I overlooked numerous times that there is a built-in IP Restrictions config I don't know. After looking at the Administrator's guide to SSL-Explorer I then noticed it when logging in.

It works great, thanks a lot for the replies and advice.

GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

Re: Adito Security Help

Postby GStress » Sun Nov 15, 2009 12:29 am

One other question. I have my IP address access list set up and working great. Just wondering what I could do to set up some type of device access list. For example, Bob goes home to log on and he has 5 PCs at home, but I want to allow access to only 1 specific PC. I'm thinking possibly some sort of certificate, but that of course could always be exported and copied.

lou1z
Posts: 206
Joined: Fri Jul 17, 2009 1:58 am

Re: Adito Security Help

Postby lou1z » Mon Nov 16, 2009 1:37 am

Never gone to that level and not sure if it can be done. The furthest I ever got with it was using RSA key tokens on a USB stick.

The only way I can think of to do that is multiple public IPs on the home router, with the desired PC bound to one of those IPs and the above restriction placed upon it.

There may be another way, but I'm not sure.

PS: you could always edit their hosts files so they never reach your network!!!
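One way to tie access to a specific machine rather than to a whole home connection, as an added example that is not part of the original thread or of Adito: have the Apache proxy in front of Adito require a client certificate issued by a private CA you run, and pair each user's home address with the one device certificate installed on the approved PC. The hostname, the CA file, the certificate CNs and the addresses are all assumptions. The caveat GStress raises stands: a certificate whose private key is exportable can be copied to another machine; issuing the key into a non-exportable store (a smartcard or USB token of the kind lou1z mentions, or a TPM) is what actually stops that.

```apache
# Added example: Apache 2.4 reverse proxy in front of Adito that admits a request
# only when it comes from the user's registered home address AND the browser
# presents a device certificate, signed by our private CA, whose CN is the one
# approved PC for that user. Assumed: vpn.example.com, device-ca.crt, the CNs,
# the addresses, and Adito listening on 127.0.0.1:8443.
<VirtualHost *:443>
    ServerName vpn.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/vpn.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/vpn.example.com.key

    # Mutual TLS: the client must present a certificate chaining to this CA.
    # Only the private CA is trusted, so public-CA certificates are refused.
    SSLCACertificateFile /etc/ssl/certs/device-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass        / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/

    <Location />
        <RequireAny>
            # Bob: only from his home address and only from his desktop.
            <RequireAll>
                Require ip 203.0.113.10
                Require expr "%{SSL_CLIENT_S_DN_CN} == 'bob-home-pc'"
            </RequireAll>
            # Alice: same rule with her own address and device certificate.
            <RequireAll>
                Require ip 198.51.100.20
                Require expr "%{SSL_CLIENT_S_DN_CN} == 'alice-home-pc'"
            </RequireAll>
        </RequireAny>
    </Location>
</VirtualHost>
```

The device certificates can be issued with openssl from a CA you keep offline, or, once the Windows domain GStress is building exists, from Windows certificate services as machine certificates. Either way the CN is what this configuration keys on, so use a naming scheme that identifies the PC, not the person, and revoke by simply removing the CN from the list. As with the plain IP allow list, Adito's own port must not be reachable except through the proxy.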

GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

Re: Adito Security Help

Postby GStress » Mon Nov 16, 2009 11:46 am

Hmmm... that's a good idea to edit their hosts file. Problem is I don't have physical access to their PCs. Also multiple public IPs wouldn't be too cost-friendly in my situation. However, I have a PowerEdge 2500 that I'm running 2k3 on and am going to be setting up a domain-based environment. Now I know there has to be a way to do this with group policy?

I'm running dcpromo hopefully tonight, and then I'm sure I can somehow set it so that they have to VPN in before accessing the server, and somehow set a rule or some sort of fingerprint for 1 specific PC in their network. I thought the IP authentication was going to be enough, but then I got people telling me their IP changed when really they're giving me a friend's IP, or they're at a friend's house so they can use it.

I want to restrict access to each client's home network only. You've given me some good ideas, but hopefully there is a good way to do this with AD.

lou1z
Posts: 206
Joined: Fri Jul 17, 2009 1:58 am

Re: Adito Security Help

Postby lou1z » Mon Nov 16, 2009 1:40 pm

I'm running dcpromo hopefully tonight and then I'm sure I can someohow set it so that they have to VPN in before accessing the server and somehow set a rule or some sort of fingerprint for 1 specific pc in their network.
??? The whole idea of Adito is a clientless VPN which can basically be used from wherever. Your scenario sounds like you require an IPsec or OpenVPN setup via the remote router, where you can restrict what traffic enters the tunnel. Your friends would certainly not be able to take that around to their friend's house without knowing the keys.
Yes, M$ IPsec or ISA can restrict access via VPN also, but that isn't Adito.

I'm sure SSL-Explorer had a network extension (nEXT or something) that was installed on a client and gave transparent access, much like OpenVPN. It was installed via the portal. Not sure if the portal could be locked off after that and just the nEXT access granted, which would restrict it to just the client it was installed on.

GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

Re: Adito Security Help

Postby GStress » Mon Nov 16, 2009 3:46 pm

Yeah, I'm definitely setting up L2TP/IPsec VPN connections, and I know it's going to be a bit of configuration to get this set up the way I'm wanting, being that Adito runs as its own service, but someway somehow I'll figure this out... hopefully.

Hmmm... wondering. I know there is the option to add "computers" via AD in 2k3, but what if I could add routers based off MAC address, and somehow I could set an access list so that only the DC has access to Adito via IP, and then the clients VPN in to the server and they're assigned an allowed private IP range... hmmm.
