Feature Request: dynamically add/remove connections via ovpn files on USB stick

Suggestions/comments/criticisms are welcome here

devZer0

Posts: 2
Joined: Fri Mar 06, 2020 10:02 am

Post by devZer0 » Fri Mar 06, 2020 10:14 am
hello,

we plan using a concept in our fablab to provide openvpn configuration+certificate to each member on USB stick, so everybody can use any public pc in an isolated "guest" network for getting access to protected fablab resources via VPN.

this concept works to some degree with the openvpn gui client, i.e. that one can dynamically load (and run connection) from configurable additional path.

we would find it a quite useful feature, if viscosity would scan external drive/usb stick for existence of .ovpn file and dynamically add it to the connection menu, so the user simply plugs in his personal usb stick with his config/certificate, viscosity just finds .ovpn and adds that to the menu - then the user can connect with his personal password - and when he is done, he simply disconnects and unplugs his usb stick and keeps his certificate file safe/private....

we would like to support mac clients with this concept, so at least having such feature in osx would be very useful - anyhow i think it could be useful on windows client, too (as the original windows openvpn client does not handle this in a 100% perfect way, too)

think this feature alone would make viscosity valuable buying candidate for the fablab PCs

what do you think?

regards
roland
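
A profile read from a removable drive is untrusted input to the PC, and the scheme above depends on the key on the stick staying private. The following is an added example, not part of the thread and not code from Viscosity or OpenVPN GUI: a pre-import check that finds `.ovpn` files on a mounted volume, flags OpenVPN directives that run external programs, and reports an inline private key stored without a passphrase. The function names, the sample profile and the host `vpn.example.org` are constructed for illustration.

```python
import re
from pathlib import Path

# OpenVPN directives that run an external program or load a plugin.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "tls-verify", "auth-user-pass-verify", "plugin", "script-security",
}
INLINE_KEY = re.compile(r"<key>(.*?)</key>", re.S)

# Constructed sample profile (placeholder key material, not a real key).
SAMPLE = """\
client
remote vpn.example.org 1194
script-security 2
up /Volumes/STICK/connect.sh
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
</key>
"""


def audit_profile(text):
    """Return a list of findings for the text of one .ovpn profile."""
    findings, in_block = [], False
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("<"):           # <key>, </key>, <ca>, ...
            in_block = not line.startswith("</")
            continue
        if in_block or not line or line[0] in "#;":
            continue                        # PEM body, blank line or comment
        directive = line.split()[0].lstrip("-").lower()
        if directive in EXEC_DIRECTIVES:
            findings.append(f"line {number}: '{directive}' can execute code")
    key = INLINE_KEY.search(text)
    # Encrypted PEM keys carry "ENCRYPTED" in the label or Proc-Type header.
    if key and "ENCRYPTED" not in key.group(1):
        findings.append("inline private key is not passphrase-protected")
    return findings


def scan_volume(mount_point):
    """Map every .ovpn file under mount_point to its findings."""
    return {str(p): audit_profile(p.read_text(errors="replace"))
            for p in sorted(Path(mount_point).rglob("*.ovpn"))}
```

Only keys embedded inline in the profile are inspected; a `key` directive pointing at a separate file on the stick would need the same check applied to that file.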

Eric

Posts: 964
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Fri Mar 06, 2020 11:21 am
Hi Roland,

Thanks for the feature suggestion. We will add this to our feedback list as with all the feedback we receive, however this is quite a specific feature request that I doubt will be bumped up the list very quickly. Instead, may I offer an alternative solution you may wish to consider; this is a system used by many of our enterprise users already with hotdesk computers.

Our recommendation would be to instead store connections on each PC which uses a CA only, so no client certificates, and provide Two Factor Authentication for each user via a Yubikey. The user would then connect using a profile already on the system, enter their username and password, and then plug in their Yubikey, either using OTP or U2F as their second factor. We have example server configuration guides below if you'd like to take a look.

https://sparklabs.com/support/kb/articl ... viscosity/
https://sparklabs.com/support/kb/articl ... viscosity/

If you don't wish to provide your users with a Yubikey or other hardware token, there are other alternatives like Google Authentication or Duo Security which are apps that would install on the user's phone and generate rolling 2FA codes as well.

Alternatively, if you'd like to stick with users having a certificate and key, you may wish to consider PKCS#11 hardware tokens which Viscosity also has full support for, again, the profiles would be stored on the PC but no identifying credentials would be.

https://sparklabs.com/support/kb/articl ... s-pkcs-11/

I hope this helps in some way.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

devZer0

Posts: 2
Joined: Fri Mar 06, 2020 10:02 am

Post by devZer0 » Fri Mar 06, 2020 9:23 pm
we will have a look, thank you.

anyway - storing personal key on usb stick would be much simpler and cheaper approach, as it also does not add another layer of complexity - and it should be easy to implement.