ipsec and ldap - good idea or bad idea


Xaero

So I'm going to be revisiting my home network soon as my needs, and the needs of users outside of my home network have shifted substantially since the dawn of me having my own network. Currently I'm between settled situations, and will be upgrading and/or replacing the majority of my network by the end of it. Currently users that have SSH access and I have granted the "tunnel" group to are able to open tunnels to ports I specify. This is great for certain things, but for a lot of stuff it's cumbersome, or it just doesn't work - namely hostname resolution doesn't work ever, and neither does SMB or NFS without some substantial doing.

For one, I don't like the idea of having tunnel-only SSH users just to open certain applications (though it is quite secure: without their key and their password and all of the correct information, the service is just "unavailable"). Nor do I feel like it's very end-user friendly.

Moving forward, I'd like to have ipsec running on opnsense and have remote users just tossed into their own vlan. This saves a ton of headache manually sorting stuff out. The problem is ipsec doesn't do user management - and that's not its job. Instead I need some sort of authentication service that sits outside of ipsec. I don't want to set up a full blown active directory rollout on Windows Server and arm myself to the teeth just to get some user account management.

Ideally, I'd like to use plex-ldap in conjunction with ipsec to enable remote access for users I deem at will. To do this, obviously - I'd need to add an additional ou(s?) to those users (since all users by default exist in ou=users,o=plex.tv)

But once this is done, the authentication will be handled by Plex.tv (or Google/Facebook, if they use that for their plex account) and I can establish their identity readily based on that information.

On to the questions:
1.) Is this feasible?
2.) Is this secure?
3.) Is there a better, or easier way?

 

To exit - let me state that I don't know a lot about LDAP, IPSEC or VPN access outright. I use these technologies to access various systems for work - but I'm not a cybersecurity engineer, and I don't do user management on corporate networks. I just want to make it simpler to enable users access to systems I don't want open to the internet. IPSEC seems like the most widely supported VPN option, currently.

8 hours ago, Xaero said:

IPSEC seems like the most widely supported VPN option, currently.

While it can be true, IPsec comes with some downsides IMHO - the first thing is you need to open specific ports (1701, 500, 4500) to get it to work, and these ports may be blocked on the client side. I have IPsec configured in my house, and while I can access it from one office, I can't from another.

I have had some success with OpenVPN on top of pfsense - it works just fine on UDP port 443, so there will be no problems on the client side to connect. And I can issue a specific configuration for every user with their own certificates. And I'm using 2FA authentication with a Radius server inside pfsense too - users have to use Google Authenticator, for example, to log in.

3 minutes ago, uldise said:

While it can be true, IPsec comes with some downsides IMHO - the first thing is you need to open specific ports (1701, 500, 4500) to get it to work, and these ports may be blocked on the client side. I have IPsec configured in my house, and while I can access it from one office, I can't from another.

I have had some success with OpenVPN on top of pfsense - it works just fine on UDP port 443, so there will be no problems on the client side to connect. And I can issue a specific configuration for every user with their own certificates. And I'm using 2FA authentication with a Radius server inside pfsense too - users have to use Google Authenticator, for example, to log in.

My problem with OpenVPN is that there is no layer 2 functionality. At least not without limiting the client options substantially.

For example, in TUN mode no broadcast packets are forwarded, so hostname resolution and ARP-dependent services immediately fail. In TAP mode you gain back the above, but lose your iOS and (non-paid) Android support. And on ALL clients you must install a 3rd party VPN app to connect, rather than having native OS support.

 

I did not however consider the port limitations. I am currently shoving SSH and SSL through 443 using the SSLH docker from dockerhub to circumvent a restrictive firewall. Perhaps ipsec isn't the end all answer for this...

The other questions still stand. I'd ideally like to keep from having to set up a unique user database specifically for this application and my own authentication services. For one that means keeping user credentials on my box, and it also comes with all the headaches of password and user management. Authenticating with an external service and then correlating that authentication token somehow to a user on my box seems like the dream. Let another massive industry player handle the accounts and that headache, let me designate users and their permissions based on that validated identity.
