
Identity management for WireGuard

Posted Oct 19, 2022 13:22 UTC (Wed) by mbunkus (subscriber, #87248)
In reply to: Identity management for WireGuard by donald.buczek
Parent article: Identity management for WireGuard

Yeah, so? If they care about these things they can easily edit the config after receiving it, removing "pull", adding the "route"s they actually do need and be done with it.

And if they don't have root, as you said, it should be easy enough for your admins to prevent them from importing arbitrary OpenVPN configs. That way they have to go through your admins, and they can vet & modify the OpenVPN config.

I don't see what you're arguing for, exactly.


Identity management for WireGuard

Posted Oct 20, 2022 5:55 UTC (Thu) by donald.buczek (subscriber, #112892)

> I don't see what you're arguing for, exactly.

So please let me try again: The solution you proposed (manually modify client config) is valid in view of what has been said before. However, it wouldn't fit our environment, because we have an additional constraint, which I didn't mention before: The VPN client machines are multiuser machines and it is, of course, not wanted that the traffic of one user goes over the VPN connection of another user.

This is why your suggestion wouldn't work for us and why we need to run the specific applications of the specific user, which requires the VPN connection, in its own network namespace anyway. The security considerations are resolved along that way.
