VPN before Windows logon

[LokoOn]

Is your feature request related to a problem? Please describe.
It's not uncommon for a Windows domain-joined device to be located outside of its home network.

Often, such a device will have an internet connection before a user logs in. If a VPN connection could be established prior to user login, settings, updates, and other configurations from the domain controller could be synchronized directly from the LAN, even without an active user session on the Windows device.

Additionally, with an established VPN connection, login credentials could be verified directly against the central directory. This would also enable users to log in to a Windows client for the first time, even if they had never previously logged in on that particular device.

The pre-login VPN connection should ask for a NetBird user authentication. This ensures that only an authorized user can create a VPN connection.
Using a setup key is not a viable solution, as it authenticates the machine rather than the user, allowing any user on the device to establish a NetBird connection. This could pose a security risk in the case of device loss

Describe the solution you'd like
A pre-login VPN connection at the User logon screen with the option to fill in Netbird SSO credentials.
Such as OpenVPN has implemented: https://support.openvpn.com/hc/en-us/articles/25415580917019-Access-Server-Configure-Start-Before-Logon-SBL-Pre-Logon-Access-Provider-PLAP-using-OpenVPN-GUI

[Lamera]

@LokoOn Is this not actually the case when you deploy netbird with a setup key?

[LokoOn]

@Lamera you are totally right. When using a setup key, than the VPN is established automatically on system start.
That's handy for container, server workloads.
I need to add some to the feature request.

There should be an option to establish a NetBird connection before the Windows login using user authentication. This ensures that only an authorized user can create a VPN connection. Using a setup key is not a viable solution, as it authenticates the machine rather than the user, allowing any user on the device to establish a NetBird connection. This could pose a security risk in the case of device loss

[snailzrus]

100% agree, this would be a really great addition for using Netbird for corporate devices so that they can auth the windows login against an Active Directory server elsewhere on Earth

[mlsmaycon]

Is this a limited connection mode where netbird would connect and give access to the AD for authentication only? What would be the security risk of that?

[snailzrus]

So Windows makes it possible to establish a VPN connection before Windows login has been completed. It presents authentication to the user, so there shouldn't be any additional risk. I think the biggest problem I can think of is how Windows allows that auth, which is that Windows likely won't allow a browser SSO auth before the user has logged in.

Here is the doc that Palo Alto has for this feature, though it's not using SSO auth:
https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-user-guide/globalprotect-app-for-windows/use-connect-before-logon-followed-by-the-authentication-method

[Gauss23]

I think using a setup key in combination with Bitlocker and a pre-boot password would be also an option. In case of device loss the the new owner is not able to do very much.