Open VPN in Asus RT-AC1900P

dieter

Hello,

The advanced settings for Open VPN have an option which says:

Username / Password Auth. Only: YES or NO

What authentication exists if one selects NO for this option?

Thanks,
Dieter
 
SSL client certificates + username and password - both will be required.

 
This is more secure, right?

Yes, as brute forcing would require them to brute force an SSL certificate on top of a username and a password - technically virtually impossible to do. It however requires you to manually generate a certificate to use for your clients, so it's more complex to use.
 
When exporting "client.ovpn" from my router's VPN server and then installing that file into the client, does that not contain the certificate needed by the client? Anyway, that is what I did and it seems to work.
 
RMerlin, is DD-WRT the same as the Asus Merlin firmware?

No. Asus RMerlin firmware is (closely) based on Asus' releases.

DD-WRT's most notable difference is that it uses third party wireless drivers that may be substantially less performant than stock (or RMerlin's firmware), which uses the official Broadcom (closed source) drivers.
 
When exporting "client.ovpn" from my router's VPN server and then installing that file into the client, does that not contain the certificate needed by the client? Anyway, that is what I did and it seems to work.

If you set it to username/password only, then your config file will only contain a public CA, which will validate your server - it won't authenticate your clients. That CA is actually a public certificate, not a private one.

If you disable "username/password only", then the router will generate a single client certificate that will be reused by all your clients. That means that if a user must have his access removed (or if someone else gets a copy of that certificate), you will have to generate a new client certificate and provide it to every user. You could just rely on the username/password to prevent a stolen certificate from being used, but that's compromising a large portion of the security measures you have in place then, and making your security just as bad as if you were relying on username and password only.

In summary, you have the following options:

1. User/pass = no: each client will require a separate client certificate
2. User/pass = yes, user/pass ONLY = yes: Only the username/pass is used to authenticate
3. User/pass = yes, user/pass ONLY = no: each client will require a username/password AND a certificate

Best security is option 3, provided you generate different certificates for each client.
 
Thanks RMerlin.
The only question which was not answered is:
Does exporting the client.ovpn file from the Asus VPN server and installing it in the client, also include the certificate?
 

If you use the built-in one generated by the router, yes.

If you don't use username/password authentication, then you might need to create these yourself, and paste them in the specific fields in the ovpn file.

So, it depends on your configuration.
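
One way to check what an exported client.ovpn actually carries, as an added example that is not part of the original thread or the firmware's own code: it classifies a profile into the authentication modes discussed above and flags whether the file embeds a private key. It assumes the standard OpenVPN inline `<ca>`/`<cert>`/`<key>` blocks and the `auth-user-pass` directive; the sample profiles, hostname and PEM contents are constructed placeholders.

```python
import re

INLINE = re.compile(r"<(ca|cert|key)>(.*?)</\1>", re.S)

def classify_ovpn(text):
    """Report which client authentication material an .ovpn profile carries."""
    # An inline block counts only if it holds PEM data, not an empty field.
    inline = {m.group(1) for m in INLINE.finditer(text)
              if "-----BEGIN" in m.group(2)}
    # Directives outside the inline blocks, e.g. "cert client.crt".
    directives = set()
    for line in INLINE.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            directives.add(line.split()[0])
    present = inline | directives
    has_cert = {"cert", "key"} <= present
    has_userpass = "auth-user-pass" in directives
    if has_cert and has_userpass:
        mode = "certificate + username/password"
    elif has_cert:
        mode = "certificate only"
    elif has_userpass:
        mode = "username/password only"
    else:
        mode = "no client credentials"
    return {"mode": mode,
            "server_ca": "ca" in present,            # validates the server only
            "embeds_private_key": "key" in inline}   # file itself is a credential

def pem(label):
    # Constructed placeholder, not real key material.
    return f"-----BEGIN {label}-----\nCONSTRUCTED\n-----END {label}-----\n"

# Constructed sample profiles (hostname is a placeholder).
USERPASS_ONLY = ("client\ndev tun\nremote vpn.example.net 1194\n"
                 "auth-user-pass\n<ca>\n" + pem("CERTIFICATE") + "</ca>\n")
CERT_AND_USERPASS = (USERPASS_ONLY
                     + "<cert>\n" + pem("CERTIFICATE") + "</cert>\n"
                     + "<key>\n" + pem("PRIVATE KEY") + "</key>\n")
EMPTY_FIELDS = USERPASS_ONLY + "<cert>\n</cert>\n<key>\n</key>\n"

if __name__ == "__main__":
    for name in ("USERPASS_ONLY", "CERT_AND_USERPASS", "EMPTY_FIELDS"):
        print(name, classify_ovpn(globals()[name]))
```

A profile reported with `embeds_private_key` set should be stored and distributed like a password, since anyone holding a copy has the client certificate.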
 
