Tie VPN user to a specific hardware
Posted: Thu Dec 13, 2018 6:51 am
Hi all
I'm using a SoftEther VPN Server to create "Always On" VPN connections for Windows Notebooks using certificate authentication on the virtual hub in combination with the "startup connection" feature. We set up a VPN user per Notebook (rather than per user who may work with the notebook) to be able to revoke the certificate, e.g. if a Notebook gets stolen. The users on the notebook have normal user rights (no administrative rights) and are therefore not able to (easily) extract the configuration/certificate on the notebook to use it on another (e.g. home) machine, which has to be prevented of course. But our security officer came up with the requirement to tie the VPN user to the machine, e.g. using the UUID of the machine or, even better, storing the certificates for the VPN user in the TPM module of the Notebook, to make it impossible to use the configuration/certificate on another machine. As I have not found any hint in the documentation for this requirement, nor a proper forum post with an explanation of how to set this up, I'd like to ask if there is a feature I'm missing or a different approach to meet this requirement?
Any hint will be very much appreciated.
Thanks in advance!
Regards, Marco
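Added example (not part of the post above, and not a SoftEther feature): the property the security officer is asking for, "the private key cannot leave this notebook", is something you can verify on Windows independently of the VPN product. A certificate whose private key was generated through the Microsoft Platform Crypto Provider (the TPM key storage provider) with export disabled cannot be copied to a home machine even by an administrator. The script below walks the machine certificate store and reports, per certificate, which key storage provider holds the key and whether it is exportable. Assumptions: the VPN client certificate is in `Cert:\LocalMachine\My` (the store path and the subject filter are placeholders), and the key is RSA or ECDSA. Whether the SoftEther client can consume a Windows-store/TPM-resident key rather than its own embedded certificate file is not established by this thread; the check only tells you whether a given certificate would satisfy the requirement.

```powershell
# Added example (not from the forum post): report whether machine certificates'
# private keys are held by the TPM key storage provider and are non-exportable.
# Assumption: the VPN certificate lives in LocalMachine\My. Run elevated so the
# private-key metadata of LocalMachine certificates is readable.

function Get-TpmKeyBindingReport {
    param(
        [string]$StorePath     = 'Cert:\LocalMachine\My',
        [string]$SubjectFilter = '*'   # placeholder, e.g. '*CN=notebook-0042*'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like $SubjectFilter } |
        ForEach-Object {
            $cert         = $_
            $provider     = $null
            $exportPolicy = $null
            try {
                # CNG keys (RSACng / ECDsaCng) expose the key storage provider that
                # holds them. Legacy CAPI keys come back as a CSP object and are
                # never TPM-resident via the Platform KSP.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                if ($key -is [System.Security.Cryptography.RSACng] -or
                    $key -is [System.Security.Cryptography.ECDsaCng]) {
                    $provider     = $key.Key.Provider.Provider
                    $exportPolicy = $key.Key.ExportPolicy
                } else {
                    $provider = 'legacy CSP (not CNG)'
                }
            } catch {
                $provider = "error: $($_.Exception.Message)"
            }

            $tpmBacked = ($provider -eq 'Microsoft Platform Crypto Provider')
            # Non-exportable means none of the CngExportPolicies flags
            # (AllowExport, AllowPlaintextExport, AllowArchiving, ...) are set.
            $nonExportable = ($null -ne $exportPolicy) -and ([int]$exportPolicy -eq 0)

            [pscustomobject]@{
                Subject          = $cert.Subject
                Thumbprint       = $cert.Thumbprint
                NotAfter         = $cert.NotAfter
                Provider         = $provider
                ExportPolicy     = $exportPolicy
                TpmBacked        = $tpmBacked
                NonExportable    = $nonExportable
                # Only a TPM-resident AND non-exportable key actually ties the
                # VPN identity to this hardware; anything else can be copied.
                MeetsRequirement = ($tpmBacked -and $nonExportable)
            }
        }
}

# Example usage: one row per machine certificate that has a private key.
Get-TpmKeyBindingReport |
    Format-Table Subject, Provider, TpmBacked, NonExportable, MeetsRequirement -AutoSize
```

A key that satisfies the check is normally created at enrolment time rather than converted afterwards: a `certreq` request file with `ProviderName = "Microsoft Platform Crypto Provider"` and `Exportable = FALSE` in its `[NewRequest]` section generates the key pair inside the TPM, and an existing PFX-imported key can never become TPM-bound. If the report shows `Microsoft Software Key Storage Provider` or `legacy CSP`, the certificate file is still copyable, which is exactly the exposure described in the post.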