How to ensure clients are using different profiles?
Hi.
I've recently set up a Streisand server for use within a group of friends.
Am I right in that: a) Two clients can't use a single connection profile, and b) There is no way to ensure that different people using the server would use different profiles?
I think there's already been a couple minor accidents with people being kicked out of VPN sessions because of this, and I'm thinking about how to deal with this issue effectively.
Looking for ideas!
Note that some uses of Streisand do not want to have user identity information, so we shouldn't force it on all installs.
If you can live without enforcement: all users need to visit the gateway home page. We can put directions there.
- Log into the streisand server, and `cd /var/www/streisand`.
- Edit `index.html`; insert this before `<h2>Connection Instructions</h2>`:
<p>When configuring, make sure you use your own profile name:</p>
<ul>
<li>Chris: poem-walk</li>
<li>Terry: custom-heart</li>
<li>Pat: door-coil</li>
<li>[email protected]: debris-vendor</li>
</ul>
It might be a nice option to allow installers to set their own "banner" information at install-time. That would let them write Markdown instructions instead.
Does that make sense?
Sorry guys, but why is it limited to 20 clients? I don't get it, sorry...
Is there a way to generate more clients?
Let's say I have 3 devices that have to connect simultaneously. I need a .conf for every device. Am I right?
I wrote up the reasons for the 20-client limit in https://github.com/StreisandEffect/streisand/pull/1404 .
@aeroweb340: Yeah, I believe that's the case for each protocol we support now, and unavoidable for WireGuard.
How can I generate more clients? The server is already installed with the max allowed (20)... Is there a script I can run?
There isn't a good way, aside from running Streisand from scratch. :-(
What this is telling me is that Streisand has a significant documentation issue--it should make clear up front what you'd need the profiles for, to avoid people getting stuck in this situation.
One exception that might help is that the limit is on concurrent logins with the same profile and the same protocol. You can use a poem-walk OpenConnect profile at the same time as the poem-walk WireGuard profile. (Some of the protocols don't need profiles, but you already knew that.)
If you want to make WireGuard profiles, and don't need them to show up in the online documentation, they're not that hard to generate, although it does involve some manual work. Are you using WG?
This reminds me: one thing we've talked about before is having some method for feedback on what protocols people are using and on what scale. Obviously, not everyone is in a position to comment, but something like a poll could help the community figure out what kinds of use to focus on.
To be clear: you can edit the limit in `playbooks/roles/validation/tasks/main.yml` if you do re-run.
OK, thanks for your reply. I'm using both OpenVPN and WireGuard. Is there a way to, let's say, accept concurrent logins with the same OpenVPN profile and limit the number to 5? Do I have to edit the server.conf and add `duplicate-cn`?
Yeah, adding `duplicate-cn` is exactly it. I'm not sure how to set a limit then, but try it out and let us know if it's working for you.
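One way to watch for shared profiles once `duplicate-cn` is on, as an added example that is not part of the original thread or Streisand's own code: count live sessions per profile in an OpenVPN status file and report any profile above a chosen limit. It assumes the server writes a status file in the status-version 1 layout; the sample data and function names are constructed for illustration.

```python
import csv
from collections import defaultdict

# Constructed sample of an OpenVPN status file (status-version 1 layout).
# Profile names reuse the thread's examples; addresses are documentation ranges.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jan  3 10:15:02 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
poem-walk,198.51.100.7:51820,10240,20480,Thu Jan  3 09:00:11 2019
poem-walk,203.0.113.9:40112,512,1024,Thu Jan  3 10:01:45 2019
custom-heart,198.51.100.23:33211,4096,8192,Thu Jan  3 09:30:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,poem-walk,198.51.100.7:51820,Thu Jan  3 10:14:59 2019
10.8.0.3,poem-walk,203.0.113.9:40112,Thu Jan  3 10:14:50 2019
10.8.0.4,custom-heart,198.51.100.23:33211,Thu Jan  3 10:14:58 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def sessions_by_profile(status_text):
    """Map each common name (profile) to the source hosts of its live sessions."""
    sessions = defaultdict(list)
    in_clients = False
    for row in csv.reader(status_text.splitlines()):
        if not row:
            continue
        if row[0] == "Common Name":      # header row of the client list
            in_clients = True
            continue
        if row[0] == "ROUTING TABLE":    # client list ends here
            break
        if in_clients and len(row) >= 2:
            # Real Address is host:port; keep only the host part.
            sessions[row[0]].append(row[1].rsplit(":", 1)[0])
    return dict(sessions)


def over_limit(status_text, limit=1):
    """Return the profiles that have more than `limit` concurrent sessions."""
    found = sessions_by_profile(status_text)
    return {cn: hosts for cn, hosts in found.items() if len(hosts) > limit}


if __name__ == "__main__":
    for cn, hosts in over_limit(SAMPLE_STATUS).items():
        print(f"{cn}: {len(hosts)} sessions from {', '.join(hosts)}")
```

This only reports sharing; it does not disconnect anyone or enforce the limit.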
It works, but to be honest it would be great if I could generate extra clients on the HTML page; we need that option... also to monitor who is online and also be able to revoke certificates... I hope you will integrate these basic options in the next updates :)
You want to use StreisandEffect to build a VPN company? :question: