Author Topic: Single Client Package, Multiple Users  (Read 1153 times)

Offline ieatfish

Single Client Package, Multiple Users
« on: September 13, 2011, 12:55:10 pm »
We have almost 100 clients who need to connect at one point or another (and at least 10 simultaneously) through our VPN. Currently we use an IPCop firewall with roadwarrior connections. We have a separate client package for each computer. It seems that to use a similar setup in pfSense, we will need to create Users for every single one of them and then re-export the client package.

In order to simplify this in the future, what settings do we need to have a single certificate that can be put on multiple clients? Rather than have a single package for every client, could we have one for each type of client (i.e. employees need complete VPN access, customers only need limited access, etc.)?

I'm not quite sure of the best way to go about this, so some help would be great. In the end we'll want our web server accessible by the VPN network and our local network but not allow access to the local network by the VPN network.

Offline ieatfish

Re: Single Client Package, Multiple Users
« Reply #1 on: September 14, 2011, 01:43:37 pm »
For what we are wanting, I followed these instructions and it worked great: http://forum.pfsense.org/index.php/topic,38692.msg200040.html#msg200040

Don't forget to allow multiple connections from the same certificate in the Server settings.
« Last Edit: September 16, 2011, 01:07:55 pm by ieatfish »

Offline ieatfish

Re: Single Client Package, Multiple Users
« Reply #2 on: September 19, 2011, 02:31:04 pm »
When I do it this way, are individual IPs given to each client even though they are using the same certificate? Or are they all getting one internal IP (192.168.3.6 for example) and having to share it?

Offline Cry Havok

Re: Single Client Package, Multiple Users
« Reply #3 on: September 19, 2011, 03:41:32 pm »
Of course, now if one person loses their laptop or any certificate is otherwise lost, you have to replace every single client... Probably not ideal ;)

However, each client will get a different IP.

Offline limecat

Re: Single Client Package, Multiple Users
« Reply #4 on: September 22, 2011, 06:37:26 pm »
Why not simply set up OpenVPN in "user auth" mode with a static key? Isn't that what you're basically doing anyways?

When I do that, I get a single export installer that works for multiple users.

Offline ieatfish

Re: Single Client Package, Multiple Users
« Reply #5 on: September 22, 2011, 06:49:04 pm »
> Why not simply set up OpenVPN in "user auth" mode with a static key? Isn't that what you're basically doing anyways?
>
> When I do that, I get a single export installer that works for multiple users.

Hmm, that might be a better way to do it. What advantages/disadvantages are there between the two methods? These are remote systems with no active user so we can't type in a password each reboot.

Offline jimp

Re: Single Client Package, Multiple Users
« Reply #6 on: September 26, 2011, 11:44:24 am »
SSL/TLS with no auth is best for that kind of setup. That way you can still revoke the certificate if something gets compromised.

You should still have one certificate per user/site.

Offline ieatfish

Re: Single Client Package, Multiple Users
« Reply #7 on: September 26, 2011, 01:35:59 pm »
Currently we have a bunch of 'satellite' systems that all serve the same purpose and don't have active users. It was looking to be a bit tedious (as we are constantly sending out new systems and such) to have to create a separate user in pfSense for our fluid usage of the network. However, as you have mentioned, if the certificate is compromised then anyone could have access to the network (which only allows access to one IP but that is beside the point) and we'd have to replace the certificate on all the systems.

Is there an easier way to create a user/certificate combination without having to go through so many steps every time? On IPCop, for example, you type in the hostname and one or two other things and it created the user and certificate and everything.
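
The trade-off raised in replies #3 and #6 (a shared certificate can only be replaced everywhere, while a per-site certificate can be revoked on its own), shown with plain OpenSSL as an added example. It is not part of any post and not pfSense's own tooling; the CA name `lab-ca` and the sites `site-01` to `site-03` are constructed.

```shell
# Added example: throwaway lab CA in a temp dir. All names are constructed.
pki_demo() {
  d=$(mktemp -d) || return 1
  (
    set -e; cd "$d"
    mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = lab
[ lab ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
    # Self-signed CA, then one key and certificate per site (never a shared one).
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=lab-ca" -keyout ca.key -out ca.crt 2>/dev/null
    for s in site-01 site-02 site-03; do
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$s" -keyout "$s.key" -out "$s.csr" 2>/dev/null
      openssl ca -batch -config ca.cnf -notext -in "$s.csr" -out "$s.crt" 2>/dev/null
    done
    # site-02 is lost or compromised: revoke only that certificate, publish a CRL.
    openssl ca -config ca.cnf -revoke site-02.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    # What a server that checks the CRL decides for each client certificate.
    for s in site-01 site-02 site-03; do
      if openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$s.crt" \
          >/dev/null 2>&1; then echo "$s accepted"; else echo "$s rejected"; fi
    done
  )
  rc=$?; rm -rf "$d"; return $rc
}
pki_demo
```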