Automating OpenVPN with Vault

Eric

Nov 19, 2017, 6:19:02 PM
to Vault
Does anyone have experience or recommendations for using Vault with OpenVPN (the PKI backend seems like a potential candidate)? I'm hoping to automate VPN access using Vault's auth system - e.g. members of a GitHub org's team (GitHub auth backend) are able to connect to a server - and when they are removed from the org and/or team they will automatically lose access (doesn't have to be immediate). I _have_ found [an example](https://github.com/Luzifer/vault-openvpn) of doing something along those lines, but that's about it.

I was hoping to hear more first-hand experiences to help me judge whether trying to implement something like this would be worth the time and effort.

Brian Lalor

Nov 20, 2017, 6:06:57 AM
to vault...@googlegroups.com
I did something like this with Strongswan.  Strongswan was configured to do authentication via client certificates, which is pretty straightforward.  If the connecting client has a valid certificate signed by a known authority (Vault) with an email address matching a particular pattern, access is granted.  No knowledge of users was needed ahead of time.  On the client side, a user would authenticate to Vault, retrieve a short-duration (24 hours) certificate, and that was pretty much it.  I had chosen Strongswan because macOS, iOS, and several other platforms are supported without third-party clients.  Configuring the VPN endpoints on the clients was pretty tedious, but I was able to wrap it up with a shell script that generated configuration profiles.  For a user, the flow was just authenticating to Vault and then running the script that would install the profile, which prompted for a password.  It was a fair bit of research and discovery up front (Strongswan’s docs aren’t great, docs on macOS profiles aren’t great) but the end result worked very well.


— 
Brian Lalor
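A server-side check along the lines Brian describes (chain validated against the Vault CA, then an email-address pattern decides access), written for OpenVPN as Eric asked about rather than for Strongswan; this is an added example, not code from either post. It assumes OpenVPN's `tls-verify` convention of passing the certificate depth and X.509 subject as two arguments, the `emailAddress=` subject attribute format of OpenVPN 2.3 and later, and a placeholder allowed domain:

```shell
#!/bin/sh
# Added example, not code from the thread: an OpenVPN "tls-verify" hook that
# implements the check Brian describes (valid cert from the Vault CA plus an
# email address matching a pattern), so no user list is needed server-side.
# OpenVPN has already validated the chain against --ca before calling this
# hook; it runs the script as: <script> <depth> <x509-subject> and rejects
# the client on a non-zero exit. Assumed subject format is OpenVPN 2.3+
# style, e.g. "C=US, O=Example, CN=alice, emailAddress=alice@example.com".
# The allowed domain below is a placeholder for the example.

ALLOWED_DOMAIN="${VPN_ALLOWED_DOMAIN:-example.com}"

# Print the emailAddress attribute of an OpenVPN-style subject (empty if absent).
subject_email() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*emailAddress=//p' | head -n 1
}

# Accept (return 0) only a depth-0 leaf cert whose email is in ALLOWED_DOMAIN.
# Intermediate/CA certs (depth > 0) pass through: the chain was already
# verified by OpenVPN, and their subjects carry no user email.
verify_subject() {
    depth="$1"
    subject="$2"
    [ "$depth" -gt 0 ] && return 0
    email=$(subject_email "$subject")
    [ -n "$email" ] || return 1
    case "$email" in
        *@*@*) return 1 ;;                 # malformed: more than one '@'
        *@"$ALLOWED_DOMAIN") return 0 ;;   # exact domain suffix match
        *) return 1 ;;
    esac
}

# Entry point when OpenVPN runs the hook with (depth, subject).
if [ "$#" -eq 2 ]; then
    verify_subject "$1" "$2"
    exit $?
fi
```

The server config enables it with `tls-verify /path/to/this-script` (which requires `script-security 2`); combined with a Vault PKI role that issues short-lived certificates such as Brian's 24-hour ones, a user removed from the GitHub team stops being able to obtain a new certificate and loses access once the current one expires.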
