Hi,
I'd just like to document how we did it:
- Sophos UTM SG 230 running latest firmware:
- SSL VPN configured, multiple connections allowed, compression disabled
- Each device got a new local user account on the UTM with their machine name, e.g. "COMPUTER$"
- Each device got a password, uniquely per machine.
- Then, we manually export the certificates required to connect to our file server.
- File Server:
- The file server limits access: One SMB shared sub-folder per machine with ACL set to "COMPUTER$:readOnly" and all other ACL revoked. That ensures Windows domain machines can only read their own certificates and not other ones.
- Client machine:
- OpenVPN (with Service option) installed by MSI+MST (transform), version 2.5.3-I601.
- A batch script running under LocalSystem on boot uses the machine's (domain) account "COMPUTER$" to retrieve the certificate when the client is on-site and connected to the corporate network via cable.
- The retrieved machine cert is combined like this to a new OpenVPN profile, comprised of:
- OpenVPN profile
- CA cert (the same for all machines)
- Machine cert (different for each machine)
We use a full tunnel and also tunnel DNS fully to the corporate's DNS servers on the internal network.
This is the profile that allows for full Software/GPO deployment pre-logon on Windows 10.
C:\Program Files\OpenVPN\config-auto\COMPUTER.ovpn
clientdev tunproto udpremote vpn.company.com 443verify-x509-name "C=XXX, L=XXX, O=XXX, CN=vpn.company.com, emailAddress=XXX@company.com"route remote_host 255.255.255.255 net_gatewayresolv-retry infinitenobindpersist-keyauth SHA1comp-lzo noroute-delay 4verb 3reneg-sec 0data-ciphers AES-128-CBCpull-filter ignore "ping-restart "ping-restart 25pull-filter ignore "route "pull-filter ignore "redirect-gateway "redirect-gateway def1pull-filter ignore "dhcp-option DNS"dhcp-option DNS [TOFILL_CORPORATE_DNS_SERVER_1]dhcp-option DNS [TOFILL_CORPORATE_DNS_SERVER_2]register-dnsblock-outside-dnspull-filter ignore "dhcp-option DOMAIN"dhcp-option DOMAIN [TOFILL_CORPORATE_DOMAIN_TLD]auth-nocacheauth-user-pass [TOFILL_COMPUTERNAME].conf<ca>...[TOFILL_CA_CERT]...</ca><cert>...[TOFILL_MACHINE_CERT]...</cert><key>...[TOFILL_MACHINE_CERT_PRIVATE_KEY]...</key>
