So my Windows work PC is connected to the company’s AD. The VPN connection is done with L2TP with PAP and a Yubikey.
I’d like to work from within a Linux environment if possible but need access to the files on the network drive and connect to a terminal server via VPN and RDP.

Is there a way to set this up? My first idea was, maybe a Linux VM could be configured to share the host PC’s external network adapter so from the outside it looks like the Windows machine is connected?
If there’s no other way, maybe WSL can be set up with a full-screen X server running on Windows (or is running Wayland in WSL somehow possible?).

I’m fishing for ideas here, and really just need some fitting terms to google, any help is appreciated.

Questions about violating company policy can be disregarded at the moment. If there is a way to set it up, I’ll ask my boss before implementing it, but it’s a small shop so the need hasn’t arisen for anyone else yet. To be clear, this is not about circumventing restrictions on computer use, just about working in an environment I’m more productive in.

  • Skull giver@popplesburger.hilciferous.nl
    10 months ago

    Windows 11 has GUI-capable WSL, that would be your easiest option. Alternatively, I’ve run an X11 server on Windows 10 and that works as well, though it lacks hardware acceleration. This will probably be the easiest solution.

    A fully native AD connection should be possible (especially if it’s locally hosted rather than part of some cloud solution). L2TP and PAP work on Linux for sure (Strongswan does this, I think). VPN and RDP too (Remmina). Yubikey support for the VPN should work through PKCS11, but you may need to activate the VPN from the command line. Samba can connect to many Windows shares, but if your network is set up securely (i.e. no old NTLM shit, no SMBv1, possibly no SMBv2) that may require a bit of tweaking to get right.

    Getting any kind of integrated package out of this will be a challenge. I’m sure a bunch of scripting and maybe a few hooks here and there should be able to make things work relatively painlessly, but it’ll require some work.

    It’s possible, though not strictly required, to join the domain from Linux, but I’m not sure what limitations there are on that.

    Make sure to also read up on disk encryption possibilities (your company may want to make sure the drive is safe) and maybe consider using the TPM or even the Yubikey to enhance the disk protection to more than just your password. Of course you also need to store a backup key on some secure location. If they’re hesitant and you can answer their questions, knowing what is and isn’t possible helps.

    If you’re using a modern laptop, don’t rely on the fingerprint reader, especially in Linux. Fingerprint readers as a whole are full of design flaws, but none that I know of use any kind of secure protocol with Linux.

    Also consider antivirus. Yes, I know many Linux people believe they’re too smart for antivirus and that the execute bit makes Linux the only virus-resistant operating system in the universe, but Linux machines do get infected, Linux viruses do exist, and companies do care about those. If your company is using an enterprise virus system (one that collects and monitors threats across the network) you may be restricted by the lack of Linux support. There are a bunch of enterprise virus scanners that’ll run fine on Linux, though.

    If you hook up a Linux machine to a company network, you’ll want to have at least ClamAV running in the background, but that’s not the best AV out there. Check if the AV your company uses has a Linux equivalent; it may restrict distro choice.

    Firewalls aren’t that difficult (though you need to watch out with Docker and other tools that add extra chains to nftables). There are plenty of open source firewalls and all of them are fine. I think UFW will suffice, but firewalld may be required for some more complex firewall management. Both have GUIs for you to use, of course.
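The "tweaking" for a hardened Windows share mentioned in the reply above mostly comes down to the mount options. The following is an added example (not from anyone in this thread): a small POSIX sh helper that builds mount.cifs options for a Kerberos-only, SMB3-encrypted mount and a checker that flags SMB1/SMB2 or NTLM settings in an existing options string. The realm, domain and share names are placeholders; it assumes cifs-utils is installed and that you already hold a ticket from `kinit user@EXAMPLE.COM`.

```shell
#!/bin/sh
# Added example, not from the thread. Builds hardened mount.cifs options for an
# AD file share and checks an options string for weak settings.
# Assumptions: cifs-utils is installed, the server allows SMB 3.x with Kerberos
# (no NTLM, no SMB1), and a Kerberos ticket exists for the calling user.

# Print mount.cifs options for a Kerberos-authenticated, encrypted SMB3 mount.
# $1 = UID that owns the Kerberos credential cache, $2 = AD domain (placeholder).
smb_mount_opts() {
    uid="$1"; domain="$2"
    # vers=3.1.1 : refuse SMB1/SMB2 negotiation
    # sec=krb5   : Kerberos only, so no NTLM hashes cross the wire
    # seal       : SMB3 session encryption, useful even over the VPN
    # cruid      : which user's ticket cache the kernel consults
    printf 'vers=3.1.1,sec=krb5,seal,cruid=%s,domain=%s,uid=%s,file_mode=0600,dir_mode=0700' \
        "$uid" "$domain" "$uid"
}

# Return 0 if an options string has no weak settings, 1 otherwise.
# Weak: vers=1.0/2.0/2.1, any sec=ntlm* variant, sec=none, or no sec= at all
# (mount.cifs then falls back to whatever the server negotiates).
smb_opts_secure() {
    opts=",$1,"
    case "$opts" in
        *,vers=1.0,*|*,vers=2.0,*|*,vers=2.1,*) return 1 ;;
    esac
    case "$opts" in
        *,sec=ntlm*|*,sec=none,*) return 1 ;;
    esac
    case "$opts" in
        *,sec=*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Assemble the full mount command without running it (mounting needs root and the VPN up).
# $1 = //server/share (placeholder), $2 = mount point, $3 = UID, $4 = AD domain.
smb_mount_cmd() {
    share="$1"; mountpoint="$2"; uid="$3"; domain="$4"
    printf 'mount -t cifs %s %s -o %s' "$share" "$mountpoint" "$(smb_mount_opts "$uid" "$domain")"
}
```

Run `smb_mount_cmd //fileserver.example.com/share /mnt/work 1000 EXAMPLE` to see the command, and feed the options column of an existing /etc/fstab line to `smb_opts_secure` to audit it.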