[eduVPN-deploy] Fixed IP - ccd

Frank Weis Frank.Weis at cgie.lu
Tue Jul 26 15:00:27 CEST 2022


Hi François,

yes, I think we really want very fine grained control of what users can access.

So what you propose there would probably be perfect for our purpose. We do have this kind of service in place, which would have to be modified for this but that is no big issue. The firewall that does the actual filtering is based on PF, the rules can be static but use tables that are filled and emptied when users connect and disconnect.

I'm not sure about all the implications of using wireguard only (apart from superior bandwidth and better scalability :-) ). It seems to work out of the box on Android, Linux and Windows 10, I guess it will be the same for Apple operating systems.

Is ToDo#82 something to hold one's breath for, or is it further away still?

Thanks and have a nice day,

Frank


On 26.07.22 11:56, François Kooman wrote:


On 25.07.22 15:40, Frank Weis wrote:
Hi François,

Hi Frank!

Reading your explanations, I think fixed IPs is probably not the best
idea, so we are back in a scenario where something needs to happen when
the tuple (username, clientIP) is known. Either automatically (the nasty
way) by having eduVPN call a custom connect/disconnect script, or, by
having trigger something like we do with 'our own' users. We would very
much prefer to avoid the latter, as forcing the user to perform two
different steps is a lot harder to communicate and support.

So, it seems you are set on modifying firewall rules *per user*, i.e.
have dynamic firewall changes on user connect / disconnect. I still
don't think this is a good idea, and having broader user groups with the
same access would be much better, simpler and more reliable. But yeah,
sometimes you want what you want ;-)

We do have something in the works that could be repurposed for your
case. This assumes that you already have a service, e.g. an HTTP service
that can be called (asynchronously) with User ID and VPN IPs to trigger
firewall changes.

https://todo.sr.ht/~eduvpn/server/82

So as soon as a VPN client calls the API on "/connect" (and WireGuard is
used) a callback could be triggered and call your HTTP service that then
in turn modifies the firewall. On the "/disconnect" API call, those
rules would be undone.

Do you have such a service? I guess you do for the "our own" users
scenario. This could potentially be used.

I'd like to avoid making our VPN service also a firewall management
system (as we prefer to service bulk usage scenarios). We *could* do
something like this, but that would be a separate project that is for
example based on firewalld and called through dbus or something.

What are your thoughts on this?

Regards,
François
--

Frank Weis
Conseiller informaticien

LE GOUVERNEMENT DU GRAND-DUCHÉ DE LUXEMBOURG
Ministère de l’Éducation nationale, de l’Enfance et de la Jeunesse
Centre de gestion informatique de l’éducation

eduPôle - Walferdange
Route de Diekirch, L-7220 Walferdange
Adresse postale : B.P. 98, L-7201 Bereldange

Tél. Helpdesk: (+352) 247-85999 . Tél. Secrétariat: (+352) 247-85970 . Fax : (+352) 247-85174
E-mail : Frank.Weis at cgie.lu
www.cgie.lu
www.men.lu
www.gouvernement.lu
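The connect/disconnect callback discussed in the thread, as an added example that is not part of the list post or of eduVPN itself: a small HTTP service that receives a user ID and VPN IPs on "/connect" and "/disconnect" and adds or removes those addresses from a per-group PF table with pfctl, the "tables filled and emptied when users connect and disconnect" approach Frank describes. The request format (form fields user_id and vpn_ip), the user-to-table mapping and the listen address are assumptions; the real callback format of ToDo#82 is not specified in the thread.

```python
import ipaddress
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed mapping (assumption): which PF table each user's VPN address
# belongs in. A real service would derive this from group membership, so
# the PF ruleset itself stays static and only table contents change.
USER_TABLE = {"frank": "vpn_admins", "alice": "vpn_staff"}


def pfctl_commands(action, user_id, vpn_ips, user_table=USER_TABLE):
    """Return the pfctl invocations that add (connect) or delete (disconnect)
    the user's VPN addresses in the PF table assigned to that user.

    Raises ValueError on an unknown action, an unknown user or a malformed
    address, so a bad or unexpected callback never reaches pfctl.
    """
    if action not in ("connect", "disconnect"):
        raise ValueError(f"unknown action {action!r}")
    table = user_table.get(user_id)
    if table is None:
        raise ValueError(f"no PF table configured for user {user_id!r}")
    op = "add" if action == "connect" else "delete"
    cmds = []
    for raw in vpn_ips:
        # ip_address() rejects anything that is not a single IPv4/IPv6 address
        ip = ipaddress.ip_address(raw.strip())
        cmds.append(["pfctl", "-t", table, "-T", op, str(ip)])
    return cmds


class CallbackHandler(BaseHTTPRequestHandler):
    """POST /connect or /disconnect with form fields user_id and vpn_ip (repeatable)."""

    def do_POST(self):
        action = self.path.strip("/")
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        try:
            cmds = pfctl_commands(action, form.get("user_id", [""])[0], form.get("vpn_ip", []))
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        for cmd in cmds:
            subprocess.run(cmd, check=True)  # assumes rights to run pfctl on the firewall host
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Assumption: only the VPN server can reach this port (loopback or a
    # dedicated management network); the handler itself does no authentication.
    HTTPServer(("127.0.0.1", 8080), CallbackHandler).serve_forever()
```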
