
Identity management for WireGuard

Identity management for WireGuard

Posted Oct 18, 2022 19:52 UTC (Tue) by intelfx (subscriber, #130118)
In reply to: Identity management for WireGuard by Cyberax
Parent article: Identity management for WireGuard

What reasons, besides performance?


Identity management for WireGuard

Posted Oct 18, 2022 19:58 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (11 responses)

OpenVPN support for IPv6 is kinda buggy from my experience. But the main problem is the TCP mode of OpenVPN, it suffers from all the usual head-of-the-line blocking issues.

For the UDP mode, you have to be careful of MTU issues.

Then there's the usual configuration hell with OpenVPN.

Identity management for WireGuard

Posted Oct 18, 2022 20:04 UTC (Tue) by dskoll (subscriber, #1630) [Link] (10 responses)

Yes, you definitely should avoid TCP mode for OpenVPN. But I'm curious about your "Then there's the usual configuration hell with OpenVPN." sentence. I find OpenVPN pretty easy to configure. I generate certificates for each client and drop their respective configs in the ccd/ directory and that's it. Very easy.

Identity management for WireGuard

Posted Oct 18, 2022 20:38 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (9 responses)

You have to run your own CA to work with OpenVPN, which is quite a bit of work. Especially if you want proper CRLs and everything. There's also no way to NOT use certs, if you want to set it up on a mobile device.

Identity management for WireGuard

Posted Oct 18, 2022 20:43 UTC (Tue) by dskoll (subscriber, #1630) [Link] (1 responses)

In principle, you could use LetsEncrypt certs, but that would require a lot of work and resolvable hostnames for all the clients, so yes... in practice you need to run your own CA. It took me a few hours to set up the scripts, and now I have a script that just spits out keys and certificates as I require them.

I also use certs on my mobile devices. It's not hard to import a cert into the Android OpenVPN client. (In fact, my script puts it inline in the .ovpn config file.)

Identity management for WireGuard

Posted Oct 18, 2022 20:44 UTC (Tue) by dskoll (subscriber, #1630) [Link]

Also, you can effectively revoke a client certificate by deleting it from the ccd directory. Just don't reuse that CN (call the new client vpn-2.client.example.com or something instead.)

Identity management for WireGuard

Posted Oct 18, 2022 22:12 UTC (Tue) by dankamongmen (subscriber, #35141) [Link] (1 responses)

? untrue, there's a simple PSK mode using "static keys"

Identity management for WireGuard

Posted Oct 18, 2022 22:14 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

The last time I checked it, it worked with exactly one key. No per-client keys or anything.

Identity management for WireGuard

Posted Oct 19, 2022 12:48 UTC (Wed) by GhePeU (subscriber, #56133) [Link] (2 responses)

There are ways to avoid certificates even on mobile clients.

If you're already using an LDAP server (AD included) you can configure the LDAP plugin that's available on most if not all distros, or you can use the "auth-user-pass-verify" option to execute an external program, passing to it the username and password via environment variables or a temporary file and having it return 0 if the user is authorized and 1 if he's not.

In both cases you still need to distribute the CA certificate, but that can be done easily enough by including it in an .ovpn profile (inside a <ca> tag) that you would use anyway to tell the mobile client to authenticate with username and password ("auth-user-pass" option) and not to require a client certificate ("client-cert-not-required" option).
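The "auth-user-pass-verify" interface described above, as an added example that is not part of the thread and not GhePeU's code: a server-side verifier in "via-file" mode (assumed server line: `auth-user-pass-verify /etc/openvpn/verify.py via-file`), with a constructed credential store and a hypothetical username character set.

```python
"""Added example: an OpenVPN ``auth-user-pass-verify`` helper in ``via-file`` mode.

OpenVPN runs the script with one argument, the path of a temporary file whose
first line is the username and second line the password.  Exit status 0
authorizes the client, any other status rejects it.
"""
import hashlib
import hmac
import re
import sys
from typing import Optional, Tuple

ITERATIONS = 200_000
# Assumption: usernames are restricted to this set before any further use.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; store only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store: username -> (salt, derived key).
# A real deployment would load this from a root-only file.
CREDENTIALS = {
    "alice": (b"constructed-salt-1", derive("correct horse battery", b"constructed-salt-1")),
}


def parse_via_file(text: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from the via-file contents, or None if malformed."""
    lines = text.split("\n")
    if len(lines) < 2:
        return None
    return lines[0], lines[1]


def authorize(username: str, password: str) -> bool:
    """Constant-time check; an unknown user still costs one PBKDF2 run."""
    if not USERNAME_RE.match(username):
        return False
    salt, expected = CREDENTIALS.get(username, (b"dummy-salt", b"\x00" * 32))
    return hmac.compare_digest(derive(password, salt), expected)


def main(argv) -> int:
    if len(argv) != 2:
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        creds = parse_via_file(fh.read())
    return 0 if creds is not None and authorize(*creds) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```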

Identity management for WireGuard

Posted Oct 19, 2022 19:35 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

> If you're already using an LDAP server (AD included)

On a mobile device?

Identity management for WireGuard

Posted Oct 20, 2022 9:39 UTC (Thu) by GhePeU (subscriber, #56133) [Link]

I don't follow, did you mean you want to set up an OpenVPN *server* on a mobile device?

I thought you meant you wanted username/password authentication on the mobile *clients*, if that's the case both the Android and the iOS clients support it, you only need to include the options I mentioned in the .ovpn profile.

Identity management for WireGuard

Posted Oct 20, 2022 14:22 UTC (Thu) by auxsvr (guest, #120007) [Link] (1 responses)

> You have to run your own CA to work with OpenVPN, which is quite a bit of work.

easyrsa makes this easy.

Identity management for WireGuard

Posted Oct 20, 2022 15:36 UTC (Thu) by jhoblitt (subscriber, #77733) [Link]

FreeIPA has a built in CA.

Identity management for WireGuard

Posted Oct 18, 2022 20:54 UTC (Tue) by brunowolff (guest, #71160) [Link] (14 responses)

I looked at it a while back and it seems to not be OK in the default setup if the server and the client are not in the same trust domain. Some scripts generated by the server are used to control routing on the client. That in itself is problematic. I remember looking at how it worked and it looked like the server could run arbitrary commands as root. I might have missed something there.
It is possible to ignore commands from the server and manually set up the routing needed to make things work.

Identity management for WireGuard

Posted Oct 18, 2022 21:04 UTC (Tue) by dskoll (subscriber, #1630) [Link] (13 responses)

I think earlier versions of OpenVPN may have executed shell commands to set up routing, but I'm pretty sure current releases update the routing table directly via netlink.

Identity management for WireGuard

Posted Oct 19, 2022 1:16 UTC (Wed) by riking (subscriber, #95706) [Link] (2 responses)

This implies that servers can still do that by simply pretending to be an older version :(

Identity management for WireGuard

Posted Oct 19, 2022 1:35 UTC (Wed) by intelfx (subscriber, #130118) [Link]

> This implies that servers can still do that by simply pretending to be an older version :(

Why? The protocol didn't change, the client implementation did.

The ability to execute arbitrary programs is a completely separate concept, (1) which is disabled by default and (2) servers are disallowed from pushing any options that control execution of external programs anyway.

Identity management for WireGuard

Posted Oct 19, 2022 12:59 UTC (Wed) by dskoll (subscriber, #1630) [Link]

No; this is controlled by the client, not the server.

Identity management for WireGuard

Posted Oct 19, 2022 4:09 UTC (Wed) by donald.buczek (subscriber, #112892) [Link] (9 responses)

This is exactly why I rejected OpenVPN when I looked at it (long ago) and get angry when our users want to install OpenVPN just to access some intranet site of another organization. I don't want third party servers to configure the network of our clients. There is a reason we have a firewall router.

We have that scenario often because of a cooperation. For Linux, luckily, we've created a wrapper which runs a Firefox browser in its own network namespace, so the remote OpenVPN server can configure that namespace however it likes. It doesn't have access to our protected networks.

https://github.molgen.mpg.de/mariux64/mxtools/tree/master...

Identity management for WireGuard

Posted Oct 19, 2022 4:22 UTC (Wed) by donald.buczek (subscriber, #112892) [Link] (3 responses)

Oh, and for our own "Access internal site" or more often "Access IP-Address protected subscribed online journals", we do have VPN (SoftEtherVPN) which works with the native clients on all operating systems. So we don't ask users to trust and install any software, just configure their native clients.

But we very much prefer to teach people to use ssh with a SOCKS tunnel and configure their browsers to use it instead. People just keep asking for VPN because they think they need it and we talk them into ssh.

And *if* they configure VPN, they may be disappointed to learn that the client terminates in a guest network with very little more access rights than any other system from the big bad Internet. Of course, no access to network shares.

Identity management for WireGuard

Posted Oct 19, 2022 4:55 UTC (Wed) by intelfx (subscriber, #130118) [Link] (2 responses)

> But we very much prefer to teach people to use ssh with a SOCKS tunnel and configure their browsers to use it instead. People just keep asking for VPN because they think they need it and we talk them into ssh.

Well, I would very much prefer *not* to use ssh -D, exactly for the reasons discussed above which are inherent to any TCP-over-TCP tunneling solution.

It does work okay-ish for one-off management & rescue tasks, but for anything remotely serious? I'd like my OpenVPN, complete with all the routing automation and split DNS forwarding, thank you very much, and please leave the security theater at the door.

Identity management for WireGuard

Posted Oct 19, 2022 14:30 UTC (Wed) by patrakov (subscriber, #97174) [Link]

SSH SOCKS tunneling is not a TCP-over-TCP tunneling solution. It works on byte streams, not TCP packets. TCP connections are terminated by the SSH server.

Identity management for WireGuard

Posted Oct 20, 2022 5:34 UTC (Thu) by donald.buczek (subscriber, #112892) [Link]

> Well, I would very much prefer *not* to use ssh -D, exactly for the reasons discussed above which are inherent to any TCP-over-TCP tunneling solution.

I can just say that I work like that all day (even with an additional ProxyJump) when in home office, and I don't notice any difference in my browser when I go to public sites whether the SOCKS proxy is on or not.

Identity management for WireGuard

Posted Oct 19, 2022 4:52 UTC (Wed) by intelfx (subscriber, #130118) [Link]

I'm sorry for your users... this just reeks of security theater.

Identity management for WireGuard

Posted Oct 19, 2022 10:13 UTC (Wed) by bof (subscriber, #110741) [Link] (3 responses)

If you are concerned about that, just don't put the statements into the OpenVPN client config that permit the remote server config info to be acted upon (--pull). It is not on by default. There is also --pull-filter, giving you flexible control to express what server pushed info to accept, or not.

I run a few of my clients exactly that way, instead of believing the server, running a local "up" script to configure stuff my way.
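A client profile using the --pull-filter approach bof describes, added here as an example and not taken from bof's own configs; the remote host, file names and the 10.8.0.0/16 range are placeholders.

```conf
# Added example (not from the thread): a client profile that keeps "pull" but
# decides which pushed options the server may apply. Placeholders throughout.
# Note: the "client" directive is shorthand for "tls-client" plus "pull", so a
# profile that starts with "client" does act on pushed options unless filtered.
client
dev tun
remote vpn.example.org 1194 udp
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server

# Filters are matched against the start of each pushed option, in order; the
# first match decides and options matching no filter are accepted.
# Accept the tunnel addresses, the route gateway and only routes into the
# VPN's own (placeholder) range ...
pull-filter accept "ifconfig"
pull-filter accept "route-gateway"
pull-filter accept "route 10.8."
# ... drop every other route, including any attempt to become the default gateway ...
pull-filter ignore "route"
pull-filter ignore "redirect-gateway"
# ... and keep the server away from the local DNS configuration.
pull-filter ignore "dhcp-option"
pull-filter ignore "block-outside-dns"
```

Use `pull-filter reject` instead of `ignore` where a pushed option should abort the connection rather than be silently dropped.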

Identity management for WireGuard

Posted Oct 19, 2022 11:47 UTC (Wed) by donald.buczek (subscriber, #112892) [Link] (2 responses)

Yes, but the users get the config from the other organization.

I also should mention that the (client) systems I am talking about are multi-user systems. The users don't have root, nor do you want to tunnel the traffic of all users over the VPN that one user activated with his credentials. That is another reason the OpenVPN client has to run in a network/user namespace.

Identity management for WireGuard

Posted Oct 19, 2022 13:22 UTC (Wed) by mbunkus (subscriber, #87248) [Link] (1 responses)

Yeah, so? If they care about these things they can easily edit the config after receiving it, removing "pull", adding the "route"s they actually do need and be done with it.

And if they don't have root, as you said, it should be easy enough for your admins to prevent them from importing arbitrary OpenVPN configs. That way they have to go through your admins, and they can vet & modify the OpenVPN config.

I don't see what you're arguing for, exactly.

Identity management for WireGuard

Posted Oct 20, 2022 5:55 UTC (Thu) by donald.buczek (subscriber, #112892) [Link]

> I don't see what you're arguing for, exactly.

So please let me try again: the solution you proposed (manually modifying the client config) is valid in view of what has been said before. However, it wouldn't fit our environment, because we have an additional constraint which I didn't mention before: the VPN client machines are multi-user machines and it is, of course, not wanted that the traffic of one user goes over the VPN connection of another user.

This is why your suggestion wouldn't work for us and why we need to run the specific applications of the specific user which require the VPN connection in their own network namespace anyway. The security considerations are resolved along the way.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds