Just wondering. In the process of setting up a test Ubuntu OpenVPN infra on my VM for my other VM to connect to and test different configs, directives, etc.
Normally you are to create a different cert for every VPN user with a different common name like client 1, client 2, client 3, etc.
So my question is: In a business environment, how do you automate this process? No one’s going to bother manually pushing out hundreds of certs for all the VPN users. How do you do this via code so that hundreds of certs with different CNs will be pushed out to all the right clients at the same time?
Once you reach a certain scale, it’s almost always worth it to the business to cut support hours by using a purchasable product, especially if it ties into other utilized services and/or infrastructure.
Couple hundred users and tech time is going to cost a lot more than the per-user cost of something like AnyConnect, whatever the fuck Fortinet calls their VPN product, Zscaler, GlobalProtect, or any number of other (often do-a-bunch-of-different-things-too) products run by providers an enterprise is already likely to use, like their networking brand of choice.
Usually better user experience as well. No scheduling time with a tech to get an update, or it just not working one day because you didn’t connect for a week so the automated push didn’t go through before your cert expired. Just punch in your SSO cred and it “just works”.
(Most of those “proprietary” products actually run on open/standard protocols, they just put their own special sauce into managing it)
You usually have a config management system like Ansible, Puppet, Chef, or you use GPOs in an AD to push scripts that execute the registration at the issuing CA and configure the host. Or you use MECM/SCCM as an alternative on Windows.
And I bet I missed a dozen other tools for professional use that will cost a lot of money, which corporations gladly pay to save on the backend with automation.
Most of the time you also just don’t use open source but use some commercial product like GlobalProtect or Ivanti VPN. Even though you pay for them, in the long run it may save a buck or two when your admins can call support and don’t need days to figure out an issue.
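As an added example (not code from any commenter or from the OpenVPN project), this is roughly what the registration script that Ansible, Puppet or a GPO would push might look like, driven straight from openssl: a throwaway demo CA, a roster of common names, one key and CSR per client, a clientAuth-only extension, and an issuance log so a cert can be found and revoked later. The directory layout, roster format and demo CA are assumptions for the example; in a real rollout the key is generated on the client and only the CSR travels to the issuing CA.

```shell
#!/usr/bin/env bash
# Added example: batch-issue per-user OpenVPN client certificates from a roster.
# A throwaway CA is created for the demo; in a real rollout the CA key stays on
# the issuing CA host and only the CSR travels from the client to the CA.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory (assumed for the demo)
CA_DAYS=3650
CLIENT_DAYS=365

# Create the demo CA (constructed here; reuse your existing issuing CA instead).
make_ca() {
  mkdir -p "$WORKDIR/ca"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$CA_DAYS" \
    -subj "/CN=Example-VPN-CA" \
    -keyout "$WORKDIR/ca/ca.key" -out "$WORKDIR/ca/ca.crt" 2>/dev/null
}
# Issue one client certificate for a given common name. The private key never
# has to leave the client: only the CSR is signed, and the CA pins a
# clientAuth-only EKU so a leaked user cert cannot pose as the VPN server.
issue_client() {
  cn="$1"; dir="$WORKDIR/clients/$cn"
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/client.csr" -CA "$WORKDIR/ca/ca.crt" \
    -CAkey "$WORKDIR/ca/ca.key" -CAcreateserial -days "$CLIENT_DAYS" \
    -extfile "$dir/ext.cnf" -out "$dir/client.crt" 2>/dev/null
  # Log CN and serial so the cert can be located and revoked (CRL) later.
  printf '%s\t%s\n' "$cn" "$(openssl x509 -in "$dir/client.crt" -noout -serial)" \
    >> "$WORKDIR/ca/issued.tsv"
}
# Issue a certificate for every common name in a roster file (one CN per line).
issue_roster() {
  while IFS= read -r cn || [ -n "$cn" ]; do
    if [ -n "$cn" ]; then issue_client "$cn"; fi
  done < "$1"
}
# Check that a client cert chains to the CA and carries the expected CN.
verify_client() {
  crt="$WORKDIR/clients/$1/client.crt"
  openssl verify -CAfile "$WORKDIR/ca/ca.crt" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$1\$"
}
# Demo run with a constructed roster of two users.
printf 'client1\nclient2\n' > "$WORKDIR/roster.txt"
make_ca && issue_roster "$WORKDIR/roster.txt" && verify_client client1
```

Each client directory ends up with its key, CSR and signed cert; the config management layer then only has to template the .ovpn around them and ship the CA-side issued.tsv to whoever maintains the CRL.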
OpenVPN has professional tools for that, look up OpenVPN Access Server / CloudConnexa. The server can authenticate users against LDAP and issue certificates automatically.
Anyway, you should consider WireGuard as it makes things way easier for everyone. Deployment in both cases can be automated via things like scripts pushed via group policies and whatnot.
If you want something ready to go, then maybe Tailscale is better for you. It uses WireGuard as the VPN protocol but integrates well with existing stuff.
Most enterprise computers need certificates for authentication; in some cases there are both computer certificates and user certificates. They are installed when the computer image is deployed, or afterwards by a central service. For Windows we use AD tools and for Linux we use Puppet and some other special tools, but your laptop, if it's Ubuntu or Windows, will already have certs.
Not really, it was a nice addition but not my reason.
In a WireGuard mesh, you either have to effectively maintain an IP list or code some collision algorithm. Initially I wrote it to just re-assign the IPs when the playbook ran, which was ok at first. It’s less of an issue if all nodes are always reachable, but I was needing to update nodes/configs while up to half my nodes were unreachable. Now I have to elect a node’s config as the master and mark IPs as taken so new nodes don’t stomp on old. Etc. Have to manually expire out addresses if I’m running low on space.
Then add wanting complex mini-mesh coordinations for specific purposes.
Now with Tailscale or NetBird, each node has an agent that maintains its respective relationship state at any point in time, and effectively a DHCP server. I just install a node, add the agent, add the necessary tags, and the paths form automatically and accurately.