netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

VPN before Windows logon #2809

Open LokoOn opened 5 days ago

LokoOn commented 5 days ago

Is your feature request related to a problem? Please describe.

It's not uncommon for a Windows domain-joined device to be located outside of its home network.

Often, such a device will have an internet connection before a user logs in. If a VPN connection could be established prior to user login, settings, updates, and other configurations from the domain controller could be synchronized directly from the LAN, even without an active user session on the Windows device.

Additionally, with an established VPN connection, login credentials could be verified directly against the central directory. This would also enable users to log in to a Windows client for the first time, even if they had never previously logged in on that particular device.

The pre-login VPN connection should ask for a NetBird user authentication. This ensures that only an authorized user can create a VPN connection. Using a setup key is not a viable solution, as it authenticates the machine rather than the user, allowing any user on the device to establish a NetBird connection. This could pose a security risk in the case of device loss.

Describe the solution you'd like

A pre-login VPN connection at the user logon screen with the option to fill in NetBird SSO credentials, such as the one OpenVPN has implemented: https://support.openvpn.com/hc/en-us/articles/25415580917019-Access-Server-Configure-Start-Before-Logon-SBL-Pre-Logon-Access-Provider-PLAP-using-OpenVPN-GUI

Lamera commented 4 days ago

@LokoOn Is this not actually the case when you deploy netbird with a setup key?

LokoOn commented 4 days ago

@Lamera you are totally right. When using a setup key, the VPN is established automatically on system start. That's handy for container and server workloads. I need to add something to the feature request.

There should be an option to establish a NetBird connection before the Windows login using user authentication. This ensures that only an authorized user can create a VPN connection. Using a setup key is not a viable solution, as it authenticates the machine rather than the user, allowing any user on the device to establish a NetBird connection. This could pose a security risk in the case of device loss.

snailzrus commented 2 days ago

100% agree, this would be a really great addition for using NetBird for corporate devices so that they can auth the Windows login against an Active Directory server elsewhere on Earth.