Jigsaw-Code / outline-server

Outline Server, developed by Jigsaw. The Outline Server is a proxy server that runs a Shadowsocks instance and provides a REST API for access key management.
https://getoutline.org/
Apache License 2.0

Access key per device or one session per access key #546

Open baseloo opened 4 years ago

baseloo commented 4 years ago

Hello All,

Is there any way, even a third-party solution, to restrict an access key per device or to have one session per access key?

swimmer2910 commented 4 years ago

This is the most common feature. I'm waiting too.

fortuna commented 3 years ago

We are working on it. I'm hoping to release a version of this in January.

parsalotfy commented 3 years ago

Can't wait for it :heart_eyes: I hope this is released this month

ercxar commented 3 years ago

I know this feature request is complex, but I have a suggestion. @fortuna Is it possible to instead add a feature so that, when a new access key is created, we could give it a limited availability, like only valid for 30 mins? After that, the device that connected to the server during that 30-minute window will be authorized to use that access key, but any new devices during or after that time frame get automatically rejected.

rsun-jhg commented 3 years ago

2 years passed, any progress on it?

Mandofskii commented 3 years ago

Is it completed?

hosseinnoob commented 3 years ago

What's going on? I'm waiting for this feature too, but nothing happens. And I know someone made a limit on IP connections, but I don't know how.

parsalotfy commented 3 years ago

We need this feature sooner than the government finds a way to block it :|

kakajan373 commented 3 years ago

Hello, I would like to know when you will add this feature, we have been waiting for years. Thank you.

Mandofskii commented 3 years ago

@hosseinnoob I know how to limit 1 IP per access key, but I want to limit 1 connection per access key.

Mandofskii commented 3 years ago

@fortuna You are a big liar ((((:

parsalotfy commented 2 years ago

What is happening with this feature??☹️

mcharyyev commented 2 years ago

please add this feature

krakazyabra commented 2 years ago

The easiest way to restrict multiple use: collect the MAC of the device and put it into the key model. The client can send this info on first connection.

alexlii1971 commented 2 years ago

Any way to limit bandwidth per key?

bemasc commented 2 years ago

@alexlii1971 Yes (see here). This feature request is instead about restricting each key to a single device, not necessarily limiting the amount of data used by each key.

torabkheslat commented 1 year ago

any news guys?

fortuna commented 1 year ago

The main development here is the introduction of Dynamic Keys/Online Config: https://www.reddit.com/r/outlinevpn/wiki/index/dynamic_access_keys/

That can enable providers to provide a different key in every session. This way sharing a key will effectively break it.

sobhan-m94 commented 1 year ago

Is there any release date for this feature?

daniellacosse commented 1 year ago

It's out!

hamidmayeli commented 1 year ago

> It's out!

Hi @daniellacosse, Where? which version number? I cannot see it!

daniellacosse commented 1 year ago

Check out the wiki: https://www.reddit.com/r/outlinevpn/wiki/index/dynamic_access_keys/

sobhan-m94 commented 1 year ago

@daniellacosse @fortuna Using the dynamic access key isn't a good idea to prevent sharing access keys or restrict keys per device, since a user can open dynamic URLs as http(s) URLs and generate a static access key based on the JSON output.

sobhan-m94 commented 1 year ago

any news ?

Beniamiiin commented 1 year ago

Hey, guys. Could someone tell me how I can restrict an access key per device via dynamic keys? I've implemented the dynamic keys feature for my clients but I don't understand how to restrict an access key to one connection.

daniellacosse commented 1 year ago

Hey @Beniamiiin - you'd effectively have to write a service that calls our Management API to generate a static key and returns it for each user that connects to your dynamic key service. In that service you'd need to store a mapping of IPs/User Agents to keys generated somewhere to avoid regenerating keys for the same client.

I know that's a lot of work, but the end result is you now have one key that you can give everyone.

Beniamiiin commented 1 year ago

@daniellacosse thanks for the response. But how does this help me solve the issue of people buying one key and then using it on multiple devices? I thought dynamic keys can help with it.

Also, I tried to get user ip and user agent from the request and I got the same result despite the fact that requests for connections to vpn were made from different devices (iPhone).

daniellacosse commented 1 year ago

@Beniamiiin do you mind sending the request headers you're getting from the different devices?

Beniamiiin commented 1 year ago

@daniellacosse I made a mistake when I told you that I got the same information from both connections. I tried one more time and got the expected result. But this information unfortunately doesn't help me restrict sharing of one key, or I don't understand something.

daniellacosse commented 1 year ago

@Beniamiiin so upon further reflection I suppose it doesn't restrict access in the hard sense - however the idea is that you can use the management API to generate keys at connection time and associate them with a client fingerprint in your dynamic key service. The underlying static key information is not exposed to the user graphically so it's difficult for them to share it, but you could also regularly rotate the static key associated with each client should you want to discourage sharing further.

The server doesn't support verifying that a key belongs to a given client, and implementing such a feature could prove difficult as it might result in traffic that would make the VPN detectable by network analysis or probing, since it would either need to communicate somehow with the dynamic key service to get the latest information on which key belongs to whom, or have a service talk to it to update some local data store. Further deliberation would be needed for this specific functionality.

fortuna commented 1 year ago

@sobhan-m94 , if you implement a web server that creates a new static access key and revokes the previous one every time the dynamic key is requested, then you end up with a session key. Starting a new session cancels the previous one, so sharing would make the key mostly unusable, since you won't be able to have two sessions simultaneously.
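
The session-key rotation described in the comment above, as an added example (not code from the thread or the Outline project): each request to a hypothetical dynamic-key endpoint creates a fresh static key and revokes that user's previous one. `FakeManagementApi`, `SessionKeyService`, the address and the response field names are assumptions; a real service would issue the create and delete calls against the server's Management API.

```python
import itertools
import secrets


class FakeManagementApi:
    """In-memory stand-in (constructed) for the server's Management API.
    A real service would send the create/delete requests over HTTPS."""

    def __init__(self, host="203.0.113.10", port=8388):  # constructed values
        self.host, self.port = host, port
        self.keys = {}  # key id -> password of every live static key
        self._ids = itertools.count(1)

    def create_key(self):
        key_id = str(next(self._ids))
        self.keys[key_id] = secrets.token_urlsafe(16)
        return key_id

    def delete_key(self, key_id):
        self.keys.pop(key_id, None)

    def accepts(self, password):
        # Models the proxy: only live keys authenticate.
        return password in self.keys.values()


class SessionKeyService:
    """Hypothetical dynamic-key endpoint: one live static key per user."""

    def __init__(self, api):
        self.api = api
        self.current = {}  # user id -> key id of that user's live session

    def handle_dynamic_key_request(self, user_id):
        # Create first, revoke second: if creation fails the old session survives.
        new_id = self.api.create_key()
        old_id = self.current.get(user_id)
        self.current[user_id] = new_id
        if old_id is not None:
            self.api.delete_key(old_id)  # the previous session stops working
        # Field names assumed to follow the Shadowsocks JSON config layout.
        return {
            "server": self.api.host,
            "server_port": self.api.port,
            "password": self.api.keys[new_id],
            "method": "chacha20-ietf-poly1305",
        }
```

A key copied out of the JSON response stops authenticating as soon as the same user's endpoint is requested again, so a shared key keeps knocking the other holder offline.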

Beniamiiin commented 1 year ago

Guys thanks for your response.

@daniellacosse yeah, you are right that the user cannot share the static key but can share the dynamic key. Everybody who has a link to a dynamic key can get a static key. In my case the request for a dynamic key is made with userId.

@fortuna's idea seems good, but I don't understand one thing.

Let's agree that my service support only 2 connections per key.

Making vpn connection from Phone 1. Check the user's list of created static keys. Create a key and put it on the list. The list count is 1. Return the key to the user. Connection successfully.

Making VPN connection from Phone 2. Check the user's list of created static keys. Create a key and put it on the list. The list count is 2. Return the key to the user. Connection successfully.

Disconnect on Phone 2. Making a new VPN connection from Phone 2. Check the user's list of created static keys. Create a key and put it on the list. The list count is 3. Remove the first key from the list and remove it (deactivate) from the outline manager. Return the key to the user. Connection successfully.

In this case, connection on Phone 1 will be broken.

Do you have any idea how I can figure it out?

daniellacosse commented 1 year ago

@Beniamiiin So your service has different endpoints for different dynamic keys, right? Is it at all possible to build an allowlist specifically for each endpoint in the first 48-ish hours after the dynamic key is created? So, the idea is:

Dynamic key is accessed for the first time from client #1. The client fingerprint is added to the endpoint and the "lockdown timer" is started.

12 hours later, dynamic key is accessed from client #2, which is added to the endpoint.

48 hours later, "lockdown timer" is over and an allowlist for all the clients that accessed the key in the first 48 hours (#1 and #2) goes into effect. The dynamic key is no longer usable on other clients.

davidss0n commented 1 year ago

> @sobhan-m94 , if you implement a web server that creates a new static access key and revokes the previous one every time the dynamic key is requested, then you end up with a session key. Starting a new session cancels the previous one, so sharing would make the key mostly unusable, since you won't be able to have two sessions simultaneously.

Hi, could you, please, explain more in detail how this option can be implemented, especially how to track that the dynamic key was requested?

Thanks a lot in advance!

Panuchi commented 1 year ago

any news?

khamsolt commented 11 months ago

Any news?

SonicNorg commented 10 months ago

> Hey @Beniamiiin - you'd effectively have to write a service that calls our Management API to generate a static key and returns it for each user that connects to your dynamic key service. In that service you'd need to store a mapping of IPs/User Agents to keys generated somewhere to avoid regenerating keys for the same client.
>
> I know that's a lot of work, but the end result is you now have one key that you can give everyone.

Could you please point me to the documentation or manual which helps to do this? Thank you very much.

khamsolt commented 9 months ago

> > Hey @Beniamiiin - you'd effectively have to write a service that calls our Management API to generate a static key and returns it for each user that connects to your dynamic key service. In that service you'd need to store a mapping of IPs/User Agents to keys generated somewhere to avoid regenerating keys for the same client. I know that's a lot of work, but the end result is you now have one key that you can give everyone.
>
> Could you please point me to the documentation or manual which helps to do this? Thank you very much.

I think that's the link you need

khamsolt commented 9 months ago

> Dynamic key is accessed for the first time from client #1. The client fingerprint is added to the endpoint and the "lockdown timer" is started.

@daniellacosse

Hi!

Please tell me what to use as a user or device fingerprint. I just still haven't looked at what parameters different devices (ios/android/desktop) send when getting a key via dynamic link. Thanks!

daniellacosse commented 9 months ago

> > Dynamic key is accessed for the first time from client #1. The client fingerprint is added to the endpoint and the "lockdown timer" is started.
>
> @daniellacosse
>
> Hi!
>
> Please tell me what to use as a user or device fingerprint. I just still haven't looked at what parameters different devices (ios/android/desktop) send when getting a key via dynamic link. Thanks!

You can start with the IP address and the User-Agent header!

khamsolt commented 9 months ago

@daniellacosse But there is a problem: IP-address can be different owner for the same device, and User-Agent can be the same owner for the same device. It would be great if the client application had its own unique key, like a UUID or ULID, which, for example, would be passed in the X-DEVICE-KEY header. Don't you think so?

daniellacosse commented 9 months ago

> @daniellacosse But there is a problem IP-address can be different owner for the same device, and User-Agent can be the same owner for the same device - it would be great if client application has its own unique key, like UUID or ULID. Which, for example, would be passed in the X-DEVICE-KEY header. Don't you think so?

Yep! We've talked about this internally as well. Feel free to make a PR!
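
The "lockdown timer" allowlist and the fingerprint discussion above, combined into one added example (not code from the thread or the Outline project). It goes slightly beyond the thread by adding an optional `max_clients` cap; `LockdownEndpoint`, `fingerprint` and the `device_key` parameter are assumptions, the `X-DEVICE-KEY` header is only the proposal made in the thread, and the addresses and User-Agent strings used with it are constructed.

```python
import hashlib

LOCKDOWN_SECONDS = 48 * 3600  # the "48-ish hours" window from the thread


def fingerprint(ip, user_agent, device_key=None):
    """Hash the client identity seen by the dynamic-key endpoint.

    Prefers a per-install device key when one is supplied (hypothetical
    X-DEVICE-KEY header); otherwise falls back to IP + User-Agent, which
    changes whenever the same device moves to another network.
    """
    if device_key:
        material = f"device:{device_key}"
    else:
        material = f"net:{ip}|{user_agent}"
    return hashlib.sha256(material.encode()).hexdigest()


class LockdownEndpoint:
    """State for one dynamic-key URL (hypothetical service-side model)."""

    def __init__(self, max_clients=None):
        self.first_seen = None      # when the lockdown timer started
        self.allowlist = set()      # fingerprints enrolled so far
        self.max_clients = max_clients

    def authorize(self, fp, now):
        """Return True if this client may fetch a key at time `now` (seconds)."""
        if self.first_seen is None:
            self.first_seen = now   # first access starts the timer
        if fp in self.allowlist:
            return True             # known client: reconnects cost no new slot
        locked = now - self.first_seen >= LOCKDOWN_SECONDS
        full = (self.max_clients is not None
                and len(self.allowlist) >= self.max_clients)
        if locked or full:
            return False            # enrolment closed for new clients
        self.allowlist.add(fp)
        return True
```

Because enrolment is keyed on the fingerprint, a second phone that reconnects reuses its slot instead of evicting the first one, while a device that only has an IP + User-Agent fingerprint is treated as a new client after it changes networks.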

topisun commented 5 months ago

So, till now, no option to set 1 key for 1 client only?

Kostya415 commented 1 month ago

> Hey, guys. Could someone tell me how can restrict access key per device via dynamic keys? I've implemented dynamic keys feature for my clients but I don't understand how to restrict access key per one connection.

Hi! Did you solve the problem?

Kostya415 commented 1 month ago

> @sobhan-m94 , if you implement a web server that creates a new static access key and revokes the previous one every time the dynamic key is requested, then you end up with a session key. Starting a new session cancels the previous one, so sharing would make the key mostly unusable, since you won't be able to have two sessions simultaneously.

@fortuna do you have some news about this?

dante-zhan commented 4 weeks ago

Been waiting for good news.

Artem-Mit commented 6 days ago

Hey, guys. Any news about this?

fortuna commented 6 days ago

Currently, our focus is on adding WebSocket support, so we are unable to prioritize this request at the moment. Additionally, this functionality can be built on top of Outline without requiring any changes to the core product. It’s something a third party could develop and provide to the community.

Our team is concentrating on features that require direct implementation, leaving room for extensions like this to be developed externally.