VPN Server - OpenVPN multiple users/profiles
Just installed Firewalla Gold Plus and so far Firewalla is working well with great features but hard to believe it lacks a key feature that could be a potential security issue.
There is no option or ability to create user based VPN profile & custom passwords - allowing individual user credentials in the VPN servers... This was a shock coming from another "Free" firewall device that had the facility to create individual OpenVPN users/profiles.
Currently you can only have one profile with a default/standard password....wow
I would really hope this can be looked into and the ability to create named/multiple/user-based VPN profiles added. It is easy to do on CentOS/Linux with OpenVPN, but obviously this needs to be tied in with the app.
With this, there should be an option to enable/disable the VPN user individually rather than deleting the profile or turning off the entire VPN server (again I am coming from a firewall that had this OpenVPN feature implemented).
-
Can you use WireGuard instead? There are some difficulties working with OpenVPN to make it per user. WireGuard should work nicely with 'users'. see https://help.firewalla.com/hc/en-us/articles/1500004087521-WireGuard-VPN-Server-
-
I did set up WireGuard, but the WireGuard VPN client app lacks basic features/options that the OpenVPN client app provides.
When running WireGuard, the app does not notify if the VPN has been established or not; you can't determine if the VPN is working or disconnected unless you do "other" tests. No battery saver option, app auto-minimise, DNS fallback, connection timeout, auto-reconnect, etc. etc.
The WireGuard app lacks these features.
-
Unfortunately, WireGuard also is not FIPS 140-2 compliant. As such, any work done for the US government is precluded from using it. However, US government compliance also requires individual accountability, such as separate access information for information system users, including VPN access. If there were a way to set up a RADIUS server or Active Directory username/password, that would solve all of my issues with the OpenVPN usage. As is, I'm going to have to manually make changes to the configuration in SSH if I wish to be FIPS compliant, and I would really rather not do that. Multiple passwords and/or certificates would also solve the issue. Any chance that can be added?
-
I hope we aren't using Firewalla as the primary security for official work. For a home office and telework that extra layer is great, but official work should be done on a government provided machine with in-built security solutions.
But to the main point, my old Asus had the ability for individual users/passwords and vote for a similar capability. In fact, I'm surprised that the default password seems to be so insecure, at least make it complex.
But for my purposes, I do use WireGuard, which works fine and tends to be more lightweight and efficient on system and network resources.
-
As a former Untangle/NG Firewall user that recently converted over to Firewalla (they recently made their own product cost prohibitive, even for long-time users), I am a bit disappointed in the OpenVPN implementation in Firewalla. Having the ability to create multiple accounts is a pretty basic feature. Please add this.
Other than that, Firewalla has been amazing and I really don't miss Untangle all that much!
-
Joe, I ended up setting up the OpenVPN server through the interface and then connected through SSH to use the easyRSA tools to set up the OpenVPN server the old way. It's all in there, to the extent that I was even able to write an even easier, single-run script to add new users (with appropriately expiring certificates, of course). Internally the Firewalla is just another Linux server. So long as you have enough space left and are comfortable with the Linux terminal, you can probably get anything running on it. Note that Firewalla likely only supports the app functionality for warranty service and support, though.
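The post above describes adding per-user OpenVPN identities with easyRSA over SSH; as an added example that is not part of this thread and not Firewalla's or the poster's script, here is the same flow with plain openssl: one certificate per user with its own expiry, a self-contained .ovpn per user, and a CRL so a single user can be disabled without touching anyone else's access (the enable/disable per user asked for earlier in the thread). It assumes openssl is on PATH; the PKI directory, the CA name and vpn.example.invalid are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Firewalla's or the poster's script): per-user OpenVPN client
# certificates with plain openssl, mirroring the easy-rsa steps the post describes
# (client cert with an expiry; revoke + gen-crl to disable one user). Assumes openssl
# on PATH; $PKI and vpn.example.invalid are hypothetical placeholders.
set -eu
PKI="${PKI:-./pki-demo}"
init_ca() {   # one-time: CA key/cert plus the database files `openssl ca` needs
  mkdir -p "$PKI"
  ( cd "$PKI"
    cat > ca.cnf <<'EOF'
[ca]
default_ca = demo_ca
[demo_ca]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
policy = demo_policy
[demo_policy]
commonName = supplied
EOF
    touch index.txt; echo 01 > serial; echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-vpn-ca" \
      -keyout ca.key -out ca.crt 2>/dev/null )
}
add_user() {   # $1 = username, $2 = validity in days (default 90); writes $1.ovpn
  local user="$1" days="${2:-90}"
  ( cd "$PKI"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" -keyout "$user.key" -out "$user.csr" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -days "$days" -in "$user.csr" -out "$user.crt" >/dev/null 2>&1
    # one self-contained profile per person, so no credential is shared between users
    { printf 'client\ndev tun\nremote vpn.example.invalid 1194 udp\n'
      printf '<ca>\n'; cat ca.crt; printf '</ca>\n<cert>\n'; cat "$user.crt"
      printf '</cert>\n<key>\n'; cat "$user.key"; printf '</key>\n'; } > "$user.ovpn" )
}
disable_user() {   # revoke one user and republish the CRL (server side: crl-verify crl.pem)
  ( cd "$PKI"; openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 )
}
check_user() {   # returns 0 only if $1's certificate chains to the CA and is not revoked
  ( cd "$PKI"; [ -f crl.pem ] || openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem "$1.crt" >/dev/null 2>&1 )
}
```

Source the file and call `init_ca` once, then `add_user alice 90` per person and `disable_user alice` to cut one user off; the server needs `crl-verify` pointing at the regenerated crl.pem for the revocation to take effect.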