Active Directory Security ?
G-Stress (member, 247 posts, joined Feb 2008), 17-Nov-2009, 11:50 PM, #1
Active Directory Security ?
I'm running a 2k3 Domain Controller specifically for a few services to hopefully securely configure them. My setup is as follows:

Modem

Linksys RVS4000 VPN GB Router (Providing DHCP) 10.10.0.x/24

Media Server hosting Adito (OpenVPN-als) SSL VPN and other media services.

Domain Controller

The SSL VPN is what I'm most concerned about. Adito runs as its own service, and what I'm wanting to do is restrict access to each client's home LAN. I don't want them accessing the VPN outside of their LAN. Now Adito does provide IP restrictions which work wonderfully, but my clients are all using dynamic IPs and are not going to switch to static.

What I'm wondering is, once I join the media server to the domain, what would be the best method to restrict access? For now, to access Adito they just point their web browser at my IP, but I'm going to set it up so they have to VPN into the domain first. Even then, they can access it from other locations or give out account info to friends.

What I'm thinking is, is there a way to add a restriction based on the MAC address of their routers, or some other form of restriction?
Septerra (member, 99 posts, joined Feb 2005), 23-Nov-2009, 11:13 PM, #2
Why not just restrict them at the VPN level if you are forcing them to VPN into the domain first? There, you can restrict access either at the user level, at the VPN group level, or, if your VPN software is linked to your AD, based on AD groups.

Not sure if that gives you another solution.
G-Stress (member, 247 posts, joined Feb 2008), 23-Nov-2009, 11:20 PM, #3
I've thought about all those possibilities. The problem is they can always set a VPN connection up at a "friend's" house, give their friends their account info and tell me their IP has changed. Now I know I could always research and find out if their IP really changed, but I'm looking for, in a sense, an administration-less solution.

It seems pretty much impossible, but the different methods and steps I've used trying to implement it have been fun.
Septerra (member, 99 posts, joined Feb 2005), 24-Nov-2009, 08:31 PM, #4
You're getting into a scenario where you want it to be from the client's system, but yet know it's actually them on their system, rather than at a friend's place.

The problem with that is, there are appliances by the major vendors that could possibly do that (Juniper, Cisco, SonicWall), but if you are going to be using an open source product then the only way to restrict their access would be, as you said... MAC address.

That's not to say that the Ethernet adapter won't fry, and then you would need to know that information and reconfigure your SSL VPN to allow the new MAC address... if you know what I mean.
G-Stress (member, 247 posts, joined Feb 2008), 25-Nov-2009, 12:23 AM, #5
True, and even then MAC addresses can always be cloned, but I couldn't think of a better way. I do however plan on getting some sort of Cisco device that will have most of the options I need in the near future.
avisitor (senior member, 1,712 posts, joined Jul 2008, Chicago, IL, experience: advanced), 25-Nov-2009, 09:20 PM, #6
See, the problem is that MAC addresses are at the Ethernet level; they don't traverse the internet at all.

The only option that I can think of would be to write client software that will send a unique identifier, such as the serial number of the computer's HD or some other unique identifier when establishing the connection.
Austin

Please refresh, I edit my posts often.
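The check avisitor describes above, as an added example that is not code from the thread, from Adito/OpenVPN-ALS or from any poster: a client identifier such as a disk serial is only a label the client sends, so a friend who has been given the username, password and that serial can send the same string. The version below assumes a hypothetical one-time enrollment step in which the administrator installs a random per-device secret on each client's own machine; the server then issues a fresh nonce at login and the client answers with an HMAC over nonce and device identifier. Copying the identifier without the enrolled secret fails, and a captured response cannot be replayed. The username, device serial and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time


class DeviceGate:
    """Server side of a device-bound login gate: one secret per enrolled
    (user, device) pair, and single-use, time-limited challenges."""

    def __init__(self, nonce_ttl=60):
        self._enrolled = {}   # (user, device_id) -> 32-byte secret
        self._nonces = {}     # nonce -> (user, issued_at)
        self.nonce_ttl = nonce_ttl

    def enroll(self, user, device_id):
        """Hypothetical admin step, run once on the client's own machine.
        The secret is stored there and never sent over the wire again."""
        secret = secrets.token_bytes(32)
        self._enrolled[(user, device_id)] = secret
        return secret

    def challenge(self, user, now=None):
        """Issue a fresh random nonce for this login attempt."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = (user, time.time() if now is None else now)
        return nonce

    @staticmethod
    def respond(secret, nonce, device_id):
        """Client side: prove possession of the enrolled secret without sending it."""
        msg = nonce.encode() + b"|" + device_id.encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def verify(self, user, device_id, nonce, response, now=None):
        entry = self._nonces.pop(nonce, None)          # consume the nonce: replays fail
        if entry is None:
            return False
        nonce_user, issued = entry
        now = time.time() if now is None else now
        if nonce_user != user or now - issued > self.nonce_ttl:
            return False                                # wrong user or stale challenge
        secret = self._enrolled.get((user, device_id))
        if secret is None:
            return False                                # device never enrolled for this user
        expected = self.respond(secret, nonce, device_id)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo():
    """Constructed scenario from the thread: the user's own PC versus a friend's
    PC that has been given the account details and a copied disk serial."""
    gate = DeviceGate(nonce_ttl=60)
    alice_device = "DISK-SN-WCAV12345678"               # constructed serial, not a real drive
    alice_secret = gate.enroll("alice", alice_device)

    # 1. Alice logs in from her enrolled machine.
    n = gate.challenge("alice", now=1000.0)
    ok_home = gate.verify("alice", alice_device, n,
                          DeviceGate.respond(alice_secret, n, alice_device), now=1010.0)

    # 2. The same nonce/response pair is sent again (replay).
    ok_replay = gate.verify("alice", alice_device, n,
                            DeviceGate.respond(alice_secret, n, alice_device), now=1011.0)

    # 3. A friend has Alice's username, password and cloned serial, but not the secret.
    n = gate.challenge("alice", now=2000.0)
    ok_friend = gate.verify("alice", alice_device, n,
                            DeviceGate.respond(b"not-the-enrolled-secret", n, alice_device),
                            now=2001.0)

    # 4. Correct secret, but the challenge is answered after the 60 s window.
    n = gate.challenge("alice", now=3000.0)
    ok_stale = gate.verify("alice", alice_device, n,
                           DeviceGate.respond(alice_secret, n, alice_device), now=3100.0)

    return {"home_pc": ok_home, "replay": ok_replay,
            "friend_pc": ok_friend, "stale": ok_stale}


if __name__ == "__main__":
    print(demo())
```

The enrolled secret is what actually ties the login to a machine; the serial only selects which secret to check. Anyone who can copy the secret file from the enrolled PC can still log in elsewhere, so the secret needs the same file protection as any other credential, and a new enrollment is required when the machine is rebuilt.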
G-Stress (member, 247 posts, joined Feb 2008), 27-Nov-2009, 12:48 AM, #7
Yes that sounds like a good idea. I just wish I was a programmer. Hmmm... I'm sure I'll come up with something. If I do I will definitely post exactly what I did.