Rod - KC7AAD
That out of the way...
Cort, I agree that by DMR ID would be the better way. It's easy enough to blacklist (or remove from whitelist) if a user shares his ID with others.
I do agree that administratively the user issue is tough to control. We have a few folks in our group that seem to flaunt that they push the line. Even after outright banning a user, they still continue to try and push. This is no different.
We will change the passwords at intervals, and that takes care of them for a while, until someone leaks it out.
We have around 70 users connecting to 8 servers up here in the PNW. 1 of which we allow "public" access and do share those credentials. The others have specific talkgroups allowed through them.
The VPN solution might work, though to make it seamless, it would require some work on the pi-star device and / or the openspot device. Neither of those options is easy to implement, if even possible.
I have thought about standing up instances for each user, then they could 'auth' to their own. We are using Docker to run multiple instances on one VM, varying them by UDP ports and passwords. The problem becomes how much administration would there be of this, and could the user dynamically change his own TG group? Or do we just give him one set? I'd be interested to see how Brandmeister does their setup for each hotspot being able to set up its own TG deck lineup, and having hundreds (thousands?) of users!
Regardless, Cort, thanks for your work. I think that making a black / white list approach makes sense, barring any better way to do this without changes here as well as to the hotspots, too. That coordinated effort might not be easy.
Rod / KC7AAD