
I would like to set up a VPN server for our users that allows them to authenticate with every key in ~/.ssh/authorized_keys.

  • I know that WireGuard uses SSH keys as well, but how can I tell it to accept the user's authorized_keys? Querying all possible public keys each time a user changes his authorized_keys is not an option.
  • OpenVPN has auth-user-pass, but that's uncomfortable.
  • Also, OpenVPN's certs are basically the same as SSH keys, but they need to be signed by OpenVPN's CA.
    Can I somehow tell OpenVPN to accept unsigned certificates if they reside in some database?

Do you have any idea how to solve this properly?

  • You seem to have a few misconceptions - OpenVPN certs are different to SSH public keys. Also, have you looked at shuttle? (It may be what you want if you can live with the OS restrictions. I've never used it) – davidgo Dec 25 '19 at 17:39
  • OpenVPN certs are similar to signed SSH key pairs as far as I know. What is shuttle? Do you mean https://sshuttle.readthedocs.io/en/stable/manpage.html ? – Hoeze Dec 25 '19 at 17:55
  • Sorry, yes, sshuttle (cellphone autocorrect...). OpenVPN uses X509 keys, but SSH (out of the box) uses an entirely different format - and I don't believe you can convert between the two. Relevantly, out of the box, SSH does not use a CA system. – davidgo Dec 25 '19 at 19:28
  • OpenVPN certs are similar to browser certs. SSH keys are not signed. That is why you are asked to accept the fingerprint when connecting the first time. There is no signing authority - each server has a set of keys (as well as each client), so it's mutual authentication. – davidgo Dec 25 '19 at 19:31
  • OK, I see. In other words, OpenVPN is out of scope. Thanks for the explanation. I know sshuttle, but I'm not that comfortable with it - I had quite some usability problems with it in the past. Also, I cannot control it as an administrator. => The best option would be WireGuard with running a lookup script whenever a client tries to connect... – Hoeze Dec 26 '19 at 00:44
  • Instead of using OpenVPN and trying to use the public SSH key to get access to it, have you thought of using the SSH command to open a SOCKS5 proxy to it? `ssh -D 8888 -q -C -N user@server` then you can set `localhost:8888` as a SOCKS server to the web browser or any application that supports it – Emad Elsaid Oct 02 '20 at 23:32
  • Yes, the issue with this is that SSH tunnels only TCP traffic. This way, you end up in the TCP-over-TCP trap and UDP traffic can only be transferred using tricks like netcat. – Hoeze Oct 22 '20 at 15:55
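The "lookup script" idea from the comments above, as an added example that is not part of the question or the thread: a Python parser for the authorized_keys format (leading options field included, so `from="a,b",no-pty` does not break the key field) and a membership check for a presented public key. Function names and the sample file are assumptions; the key material is constructed base64, not real keys, and wiring the result into a VPN daemon is out of scope here.

```python
import base64
from collections import namedtuple

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line not starting with these has a leading options field
AuthorizedKey = namedtuple("AuthorizedKey", "key_type key_b64 comment options")

def _split_options(line):
    """Split a leading options field off; commas and spaces inside quotes belong to it."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""

def parse_authorized_keys(text):
    """Parse authorized_keys text; blanks, comments and undecodable key fields are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, line = ("", line) if line.startswith(KEY_PREFIXES) else _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        try:
            base64.b64decode(parts[1], validate=True)  # reject corrupt key material early
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        entries.append(AuthorizedKey(parts[0], parts[1], parts[2] if len(parts) == 3 else "", options))
    return entries

def is_authorized(presented_key, entries):
    """True when a presented 'type base64 [comment]' line matches an entry's type and key bytes."""
    parts = presented_key.split()
    return len(parts) >= 2 and any(e.key_type == parts[0] and e.key_b64 == parts[1] for e in entries)

def _fake(name):  # constructed base64 stand-in for real key material, not a real key
    return base64.b64encode(name.encode()).decode()

# Constructed sample file: a plain key, a key with options, a comment line and a corrupt line
SAMPLE_AUTHORIZED_KEYS = f"""# keys for alice
ssh-ed25519 {_fake('alice-key-1')} alice@laptop
from="10.0.0.0/8,192.168.1.1",no-pty ssh-rsa {_fake('alice-key-2')} alice@desktop
ssh-ed25519 not*valid*base64 broken
"""
```

Matching on key type plus the base64 blob (never on the comment) is what makes the check meaningful; the options field is kept so a caller can still honour restrictions such as `from=`.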

0 Answers