I started doing basic sysadmin/devops for a small company and they want company laptops (ARM Macbooks) to have a VPN to access certain resources, but they want the employee accounts to not have admin privileges and not have read access to the VPN credentials file. Is there an existing VPN client that would support this? It seems like to be able to turn on and off the VPN from the guest account, you would need read access to the file, but I’m no Mac expert.
It’s been a while, but I think strongSwan allowed this on Linux, so I looked up Mac support and it seems to be the case for that too. Doesn’t look like there’s ARM support though. IPsec IKEv2 is the best sort of VPN in my opinion, as it’s secure and fast and all major OSs have built-in clients (Android needs an app, but it’s well-integrated). The only downside is that it’s not easy to set up.
Have you looked at ZeroTier? You should be able to do it with that. That is super-simple to set up too. Tailscale is similar, but I haven’t tried it and ZeroTier works on Layer 2 rather than 3, so…
One solution could be to have MDM-managed devices and require SAML authentication from an MDM-compliant device. The user knows the credentials, but as the device is required to be compliant (managed), they cannot use a BYOD device.
Hey u/OP, one solution for your requirement would be to have MDM-managed devices.
With an MDM solution, you can:
=> Push VPN configurations to devices remotely without needing users to have admin privileges or direct access to the VPN credentials file.
=> Ensure that employees have the necessary permissions to use the VPN without being able to read or modify the VPN credentials.
=> Control and manage device settings, applications, and security policies from a centralized console.
There are several affordable MDM solutions available, including ManageEngine Mobile Device Manager Plus (the product I work for).
If you’re interested, ManageEngine offers a fully-functional 30-day free trial so you can see how it works for your organization.
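As an added example (not from any poster in this thread, and not tied to any particular MDM product), this is the kind of device-scoped macOS configuration profile an MDM would push: an IKEv2 payload for the built-in client. Server name, payload identifiers/UUIDs, and the device credential are placeholders. Because it is installed at system scope, the profile and its secret sit outside the standard user's reach, while the user can still connect and disconnect the VPN from Network settings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <!-- System scope: the MDM installs this at device level, so a standard
       user can toggle the VPN but cannot read or edit the profile. -->
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.vpn.corp</string>                  <!-- placeholder -->
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>  <!-- placeholder -->
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.vpn.corp.ikev2</string>        <!-- placeholder -->
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000002</string> <!-- placeholder -->
      <key>UserDefinedName</key>
      <string>Corp VPN</string>
      <key>VPNType</key>
      <string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key>
        <string>vpn.example.com</string>                 <!-- placeholder -->
        <key>RemoteIdentifier</key>
        <string>vpn.example.com</string>                 <!-- placeholder -->
        <!-- EAP (extended auth) with a per-device account: the secret goes
             into the system keychain at install time, not a user-readable file. -->
        <key>AuthenticationMethod</key>
        <string>None</string>
        <key>ExtendedAuthEnabled</key>
        <integer>1</integer>
        <key>AuthName</key>
        <string>laptop-001</string>                      <!-- placeholder -->
        <key>AuthPassword</key>
        <string>REPLACE-WITH-DEVICE-SECRET</string>      <!-- placeholder -->
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Use one account per device so a compromised or departing laptop can be revoked on the server without affecting the others.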
For those interested, I just set up my own VPN server with strongSwan and then set the VPN client up with an admin user on the company MacBook, which can be used but not changed/accessed by the standard user profile.
Thanks for the info. ZeroTier sounds very interesting, but I can’t tell if this peer-to-peer thing all over their website is marketing-speak or a security concern. Going to do more investigation.