Identity management for WireGuard

Posted Oct 19, 2022 11:47 UTC (Wed) by donald.buczek (subscriber, #112892)
In reply to: Identity management for WireGuard by bof
Parent article: Identity management for WireGuard

Yes, but the users get the config from the other organization.

I should also mention that the (client) systems I am talking about are multi-user systems. The users do not have root, nor do you want to tunnel the traffic of all users over the VPN that one user activated with his credentials. That is another reason the OpenVPN client has to run in a network/user namespace.



Identity management for WireGuard

Posted Oct 19, 2022 13:22 UTC (Wed) by mbunkus (subscriber, #87248)

Yeah, so? If they care about these things they can easily edit the config after receiving it, removing "pull", adding the "route"s they actually do need, and be done with it.

And if they don't have root, as you said, it should be easy enough for your admins to prevent them from importing arbitrary OpenVPN configs. That way they have to go through your admins, and they can vet & modify the OpenVPN config.

I don't see what you're arguing for, exactly.

Identity management for WireGuard

Posted Oct 20, 2022 5:55 UTC (Thu) by donald.buczek (subscriber, #112892)

> I don't see what you're arguing for, exactly.

So please let me try again: The solution you proposed (manually modifying the client config) is valid in view of what has been said before. However, it wouldn't fit our environment, because we have an additional constraint, which I didn't mention before: The VPN client machines are multi-user machines, and it is, of course, not wanted that the traffic of one user goes over the VPN connection of another user.

This is why your suggestion wouldn't work for us and why we need to run the specific applications of the specific user which require the VPN connection in their own network namespace anyway. The security considerations are resolved along the way.
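The approach the comment above describes (a per-user network namespace holding the OpenVPN tunnel, so that only that user's applications use it and the host's routing table is never touched) can be put together from OpenVPN's `--ifconfig-noexec`/`--route-noexec` options and an up/down hook that moves the tun device into the namespace. The script below is an added example written for this page; it is not code from the thread's participants or from the OpenVPN project. The namespace prefix, the list of vetted directives, the `vpn`/`start`/`run` subcommand layout and the use of `sudo -u` to drop to the target user are assumptions for illustration; the `script_type`, `dev`, `tun_mtu`, `ifconfig_*` and `route_vpn_gateway` variables are the ones OpenVPN exports to its hook scripts. It also vets the foreign config for directives that would execute commands or load plugins, since a config received from another organization must not be allowed to run code on the client host.

```shell
#!/bin/sh
# Added example (not from the LWN thread or from OpenVPN): confine one user's
# OpenVPN tunnel to the network namespace "vpn-<user>" on a multi-user host.
# Must run as root; the same file serves as OpenVPN's up/route-up/down hook.
set -u

NS_PREFIX="vpn"   # assumption: namespaces are named vpn-<user>

# OpenVPN directives that execute commands or load plugins from the config.
# A config supplied by a foreign organisation must not carry any of these
# (assumed vetting list; extend as needed).
SCRIPT_DIRECTIVES='up|down|route-up|route-pre-down|ipchange|tls-verify|auth-user-pass-verify|client-connect|client-disconnect|learn-address|script-security|plugin'

# vet_config FILE -> 0 if no script-executing directive is present,
# 1 (with the offending lines on stderr) otherwise.
vet_config() {
    cfg=$1
    bad=$(grep -En "^[[:space:]]*(${SCRIPT_DIRECTIVES})([[:space:]]|$)" "$cfg" || true)
    if [ -n "$bad" ]; then
        printf 'refusing %s: script-executing directives found:\n%s\n' "$cfg" "$bad" >&2
        return 1
    fi
    return 0
}

# start_vpn USER CONFIG: create the namespace and launch the client.
# --ifconfig-noexec/--route-noexec keep OpenVPN from configuring the host;
# the hook below does that inside the namespace instead.
start_vpn() {
    user=$1; cfg=$2
    vet_config "$cfg" || return 1
    ns="${NS_PREFIX}-${user}"
    ip netns add "$ns"
    ip netns exec "$ns" ip link set lo up
    exec openvpn --config "$cfg" \
        --ifconfig-noexec --route-noexec \
        --script-security 2 \
        --setenv NS "$ns" \
        --up "$0" --route-up "$0" --down "$0"
}

# Hook invoked by OpenVPN; NS comes from --setenv, the rest from OpenVPN.
# Address and default route are installed only in the namespace.
netns_hook() {
    case "${script_type:-}" in
    up)
        ip link set dev "$dev" netns "$NS"
        ip netns exec "$NS" ip link set dev "$dev" up mtu "$tun_mtu"
        ip netns exec "$NS" ip addr add dev "$dev" "${ifconfig_local}/${ifconfig_netmask:-30}"
        ;;
    route-up)
        ip netns exec "$NS" ip route add default via "$route_vpn_gateway"
        ;;
    down)
        ip netns delete "$NS"
        ;;
    esac
}

# run_in_vpn USER CMD...: run one application of USER inside USER's
# namespace; other users' processes stay in the host namespace.
run_in_vpn() {
    user=$1; shift
    exec ip netns exec "${NS_PREFIX}-${user}" sudo -u "$user" -- "$@"
}

# Dispatch: OpenVPN hook call first, otherwise the admin subcommands.
case "${script_type:-}" in
up|route-up|down) netns_hook ;;
*)
    case "${1:-}" in
    vet)   vet_config "$2" ;;
    start) shift; start_vpn "$@" ;;
    run)   shift; run_in_vpn "$@" ;;
    esac
    ;;
esac
```

Usage (as root): `./vpnns.sh start alice /etc/openvpn/foreign/alice.ovpn` in one shell, then `./vpnns.sh run alice firefox` for each application that should use the tunnel. Name resolution inside the namespace comes from `/etc/netns/vpn-alice/resolv.conf`, which `ip netns exec` bind-mounts over `/etc/resolv.conf`; pushed DNS options never reach the host.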


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds