
OpenVPN - auth settings clarification

Discussion in 'Asuswrt-Merlin' started by martinr, Jun 5, 2015.

  1. martinr

    martinr Part of the Furniture

    In the OpenVPN server settings (Advanced), there are 2 authentication settings. I'd like to clarify I understand them.

    This is how I interpret it:

    A username-password (U/P) pair can be used as a second factor, as well as certificates, to authenticate server to client and vice versa (U/P Auth ON; U/P Auth Only OFF). (I'm not sure if vice versa is true - auth of client to server - but that's a distraction.)

    On the other hand, if U/P Auth Only is set to ON, no certificates are used, only the Username-password pair in what would then be single factor Auth. And if Username-password authentication is NOT selected, then ONLY certificates will be used, on their own, in single-factor authentication.

    So the strongest authentication would be U/P Auth ON with U/P Auth Only OFF, that way certificates AND usernames-password pairs are needed.

    Is my understanding correct?
     
    Last edited: Jun 5, 2015
  2. RMerlin

    RMerlin Super Moderator

    That looks correct to me, though I'm not 100% familiar with the username/pass support, as that was added by Asus on top of my code.
     
    martinr likes this.
  3. cosmoxl

    cosmoxl Senior Member

    This is interesting. I've never used the server but as a client VPN providers today typically use all 4 certs/keys and no user/pass. That may be so that somebody could share ovpn configs with friends/family but still not have to give away their password.
     
  4. RMerlin

    RMerlin Super Moderator

    Purely key/certs based authentication is the "cleanest" implementation, each client having his own keypair.

    Sent from my Nexus 9 using Tapatalk
     
    martinr likes this.
  5. martinr

    martinr Part of the Furniture

    Many thanks, Merlin. After posting, I realised I could have delved deeper, so I generated 3 .ovpn config files to cover all username-password authentication (UPA) possibilities:

    1. UPA only (UPA on; UPA Only on) i.e. no key pairs.

    2. UPA together with key pairs (UPA on; UPA Only off).

    3. No UPA, "just" key pairs (UPA off).

    The config files confirm:

    when authentication is only by username and password, only the Certificate Authority certificate (to verify the server to the client) is included.

    In the other 2 cases, where key pairs are needed (no UPA, and UPA as well as key pairs), not only is the CA cert present in the config file, but also included are the client's certificate and the client's private key.

    Whilst trying to make sense of this side of the crypto, I came across

    http://security.stackexchange.com/q...n-require-securely-sharing-certs-with-clients

    which was somewhat helpful:

    CA cert: "Publicly disposable, this is the certificate for your VPN's certificate authority. It can be shared with anybody and allows the client to verify the VPN server."

    Client cert: "This is a certificate identifying the client. It was signed by the client's private key and then that was signed by the CA's key."

    Client private key: ".... it was generated on the server for convenience so that the client certificate could be signed by the key there and then signed by the CA key. The private key could be generated and kept on the client without the server ever seeing it, but that would make the process a lot more complex. "

    [If anyone can recommend a good source on such crypto that assumes minimal prior knowledge - and with plenty of illustrative diagrams (a picture's worth a thousand words) - I'd be grateful to know of it.]
     
    Last edited: Jun 7, 2015
  6. User774

    User774 New Around Here

    Hello martinr,

    It depends on what exactly you want/need.
    For general crypto purposes, I recommend some topics:

    If you use OpenVPN's user-pass auth, be sure to include the CA's cert in the client configuration! Without the CA's cert you will be vulnerable to a man-in-the-middle attack, because the client will not be able to confirm the server's cert.

    Based on OpenVPN's site (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage), the user-pass auth uses a script to check the user/pass. I don't know if there is brute-force protection (what will happen if someone tries to authenticate using a brute-force attack or dictionary attack?).

    I recommend (if security is important to you):
    1- Use the key pair to authenticate the client.
    2- Protect the client's private key with a password (when the private key is protected/encrypted, the OpenVPN client GUI will request the password).

    So the client will need to have the key/cert AND a password to open the client's private key.
     
    Last edited: Jun 7, 2015
    martinr likes this.
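To make martinr's three exported-profile cases and User774's CA-cert warning concrete, here is an added example (not from the thread, nor from Asuswrt-Merlin) that classifies a client .ovpn profile by authentication mode and flags the weaknesses discussed: a missing CA cert and an unencrypted embedded private key. The profiles and PEM bodies are constructed placeholders, and `remote-cert-tls server` is a standard OpenVPN client directive assumed present in a well-formed profile.

```python
import re

# Constructed, minimal client profiles for the three modes described in the
# thread (made up for this example; not files exported by any router).
HEAD = "client\ndev tun\nremote vpn.example.invalid 1194\nremote-cert-tls server\n"
CA = "<ca>\n-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n</ca>\n"
CERT = "<cert>\n-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n</cert>\n"
KEY = "<key>\n-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n</key>\n"
ENC_KEY = ("<key>\n-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...constructed...\n"
           "-----END ENCRYPTED PRIVATE KEY-----\n</key>\n")
UPA_ONLY = HEAD + "auth-user-pass\n" + CA                    # case 1: UPA on, UPA Only on
UPA_PLUS_KEYS = HEAD + "auth-user-pass\n" + CA + CERT + KEY  # case 2: UPA on, UPA Only off
KEYS_ONLY = HEAD + CA + CERT + ENC_KEY                       # case 3: UPA off, key password-protected
UPA_NO_CA = "client\nremote vpn.example.invalid 1194\nauth-user-pass\n"  # the misconfig User774 warns about

def parse_ovpn(text):
    """Split a profile into bare directives (first word of each line) and inline <tag> blocks."""
    blocks = {m.group(1): m.group(2)
              for m in re.finditer(r"<(\w[\w-]*)>\n(.*?)\n</\1>", text, re.S)}
    rest = re.sub(r"<(\w[\w-]*)>.*?</\1>", "", text, flags=re.S)
    directives = {ln.split()[0] for ln in rest.splitlines()
                  if ln.strip() and not ln.lstrip().startswith(("#", ";"))}
    return directives, blocks

def classify(text):
    """Return (auth mode, list of warnings) for a client .ovpn profile."""
    d, b = parse_ovpn(text)
    present = lambda name: name in d or name in b  # either a file reference or an inline block
    has_upa = "auth-user-pass" in d
    has_keypair = present("cert") and present("key")
    if has_upa and has_keypair:
        mode = "UPA + key pair"
    elif has_upa:
        mode = "UPA only"
    elif has_keypair:
        mode = "key pair only"
    else:
        mode = "no client credentials"
    warnings = []
    if not present("ca"):
        warnings.append("no CA cert: client cannot verify the server (MITM risk)")
    if "remote-cert-tls" not in d:
        warnings.append("no 'remote-cert-tls server': server certificate type is not checked")
    if "key" in b and "ENCRYPTED" not in b["key"]:
        warnings.append("client private key is embedded unencrypted")
    return mode, warnings
```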