Tie VPN user to a specific hardware

mzi
Posts: 10
Joined: Thu Dec 13, 2018 6:25 am

Tie VPN user to a specific hardware

Post by mzi » Thu Dec 13, 2018 6:51 am

Hi all

I'm using a SoftEther VPN Server to create "Always On" VPN connections for Windows notebooks, using certificate authentication on the virtual hub in combination with the "startup connection" feature. We set up a VPN user per notebook (rather than per user who may work with the notebook) to be able to revoke the certificate, e.g. if a notebook gets stolen. The users on the notebook have normal user rights (no administrative rights) and are therefore not able to (easily) extract the configuration/certificate on the notebook to use it on another (e.g. home) machine, which has to be prevented of course. But our security officer came up with the requirement to tie the VPN user to the machine, e.g. using the UUID of the machine or, even better, storing the certificates for the VPN user in the TPM module of the notebook, to make it impossible to use the configuration/certificate on another machine. As I have neither found any hint in the documentation for this requirement nor found a proper forum post explaining how to set this up, I'd like to ask if there is a feature I'm missing or a different approach to meet this requirement?

Any hint will be very appreciated.

Thanks in advance!

Regards, Marco

mzi
Posts: 10
Joined: Thu Dec 13, 2018 6:25 am

Re: Tie VPN user to a specific hardware

Post by mzi » Mon Dec 17, 2018 11:24 am

Hi all

Just wanted to ask again if somebody had the same requirement and was able to find a solution to implement it with SoftEther? Maybe a virtual smart card or something like this?

Any feedback would be highly appreciated.

Thanks in advance.

Regards, Marco

mzi
Posts: 10
Joined: Thu Dec 13, 2018 6:25 am

Re: Tie VPN user to a specific hardware

Post by mzi » Mon Dec 24, 2018 6:48 am

Hi all

In the meantime, I read in the documentation that a virtual smart card is not an option, as a connection which uses a smart card cannot be set to reconnect automatically because of the PIN required to access the smart card (I was hoping that one could set up a virtual smart card with third-party software without the need to enter a PIN to access the certificate).

Any other ideas? If not, I guess I have to enter a feature request…

Thanks in advance.

Regards, Marco

davidebeatrici
Posts: 33
Joined: Tue Aug 28, 2018 6:44 am

Re: Tie VPN user to a specific hardware

Post by davidebeatrici » Mon Dec 24, 2018 7:48 pm

Hi,

Please enter a feature request; I believe that it could be useful for many enterprise environments.

Best regards,
Davide
