Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VPN pre-login possible? #195

Open
Lukas-UAUX opened this issue Jun 9, 2022 · 7 comments
Open

VPN pre-login possible? #195

Lukas-UAUX opened this issue Jun 9, 2022 · 7 comments
Assignees
@rozmansi
Labels
enhancement

Comments

@Lukas-UAUX
Copy link

Lukas-UAUX commented Jun 9, 2022
edited
Loading

Would it be possible to get eduVPN to connect pre login (Windows)?

Maybe similar to the way that Cisco AnyConnect (SBL) provides? If this module is installed, you get an additional icon next to the regular network-icon at the login screen. If you click on it the vpn app shows up, and you can connect to your network.

This would be a really nice feature, for example to have an active connection to the ActiveDirectory at login, for example for a new user or if the mobile account expired - and GPO of course...
@rozmansi rozmansi self-assigned this Jun 9, 2022
@rozmansi
Copy link
Member

rozmansi commented Jun 9, 2022

I'm afraid this is not possible with the classic Windows VPN clients. However, your feature suggestion makes sense and I will investigate possibilities. See if there is a chance to implement it.

@Lukas-UAUX
Copy link
Author

I have a very, very faint memory, that Cisco AnyConnect does it via a "login provider" (or is it credential provider?) Maybe that would be the trick

@efef
Copy link

efef commented Jun 14, 2022
edited
Loading

We are actually working on pre-provisioning. The work done so far is documented here: https://github.com/FlorisHendriks98/eduVPN-provisioning
In this page we describe how to leverage MS AD (and PKI) to do pre-provisioning. However at the moment we are working on another path:
use MS intune in combination with an new eduVPN server API call to pre-provisioning Windows and macOS devices.

If you like to be involved @Lukas-UAUX please email us: [email protected]

@Lukas-UAUX
Copy link
Author

Lukas-UAUX commented Jun 14, 2022
edited
Loading

That sadly doesn't look like it would fit our use case or environment. For one thing the user must be able to control the vpn and we have multiple networks/profiles that can not be tied to a machine identity but user only. Additionally eduroam which is considerably important at a university is a user-config network that starts after login - which would result in a lot of errors

@ghost
Copy link

ghost commented Jun 14, 2022

Just to clarify, are you talking about "managed devices", or "bring your own" devices? We only consider "managed devices" as it seems (too) invasive to require users to subject their personal devices to this kind of control by their organization.

For one thing the user must be able to control the vpn and we have multiple networks/profiles that can not be tied to a machine identity but user only.

The way we saw this working is to take a "layered" approach. For example, the "system VPN" can only reach the AD server(s). A "user VPN", i.e. the eduVPN client. can later be used to choose a specific profile for a user and have additional MFA if so desired.

Additionally eduroam which is considerably important at a university is a user-config network that starts after login - which would result in a lot of errors

But how can you reach your AD server when there is no network connectivity at all? Having a VPN client available before login can't do anything if there's no network?

@Lukas-UAUX
Copy link
Author

Of course managed devices, students and private devices of staff would have no use for pre-login.

The way we saw this working is to take a "layered" approach. For example, the "system VPN" can only reach the AD server(s). A "user VPN", i.e. the eduVPN client. can later be used to choose a specific profile for a user and have additional MFA if so desired.

Ouch that would kill VPN for any connection below 16 Mbits, to accommodate that much headers either fragmentation would kill it (TCP only, UDP would just stop working) or the MSS/MTU would be to low for any reasonable performance.

But how can you reach your AD server when there is no network connectivity at all?

They don't - the devices use a wired connection most of the time. A connection is only necessary when we change GPOs that require to be pulled on login or a new user logs in.

The pre-login is intended for HomeOffice or "emergency" scenarios, where the user has no possibility to use a wired connection at least sometimes.

@ghost
Copy link

ghost commented Jun 15, 2022

Ouch that would kill VPN for any connection below 16 Mbits, to accommodate that much headers either fragmentation would kill it (TCP only, UDP would just stop working) or the MSS/MTU would be to low for any reasonable performance.

Do you mean this occurs when you run one VPN over another VPN? That was not exactly what I meant. With the "system VPN" you only send traffic to the AD over the VPN, with the "user VPN" you can send additional traffic over the VPN, or all traffic if so desired.

By the way, this is one possible approach, but perhaps @rozmansi has ideas on how to make it work more like what you describe.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rozmansi rozmansi

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@efef @rozmansi @Lukas-UAUX