openvpn-client-export -> Sent to email
-
Hello everyone. openvpn-client-export is a great plugin, but could it have a feature for sending the certificate/config via email directly from pfSense? Just a window for some text, a subject, and the certificate as an attachment. It could use some SMTP settings, etc.
Best regards,
-
@yyovchev
That's what most people wind up doing, I guess.
It's also the most don't-do-that if security counts.
I would NEVER send a client-export file "unprotected" by e-mail.
I usually ZIP-encrypt it with an ugly passwd, e-mail it, and send the pass via SMS or Teams or whatever OTHER transport method.
But YMMV ...
/Bingo
-
Hello all. Thanks for your replies.
My VPN server uses username/password authentication (connected to an external authentication system via RADIUS) + certificates. So it's not a problem if somebody receives an email with the VPN config (including certs), because he doesn't know the username and password for the authentication system and can't connect to the VPN server. In this case, the config files are useless and it's not a security issue.
Best regards,
-
@yyovchev
If that's the way you look at your certificates, then I suppose you can just e-mail.
I would personally be more worried about an exposed cert than a password.
And any exposed cert of mine would end up on the CRL immediately.
But having read that a large CRL will not make pfSense GUI cert performance "happy", I would like to keep the CRL short.
But again, YMMV.
-
The security issues here would be somewhat less of a problem if OpenVPN didn't store the client certificate's private key in plain text in the config file.
A possible modification to the OP's suggestion based on some responses here: an option to email the client config file as an encrypted, passworded zip file. After that it is on the VPN admin to ensure that the encrypted zip file's password is communicated by an alternative communications method.
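
Added example, not part of the thread and not code from pfSense or the openvpn-client-export package: a pre-send check that reads an exported `.ovpn` file and reports whether its inline `<key>` block is an unencrypted PEM private key, which is the condition the last post describes. The function names, the `needs_wrapping` field and the sample config are constructed for illustration.

```python
import re

# Inline blocks in an OpenVPN config have the form <tag> ... </tag>.
INLINE_BLOCK = re.compile(r"^<(?P<tag>[\w-]+)>\s*\n(?P<body>.*?)\n</(?P=tag)>\s*$", re.S | re.M)
PEM_BEGIN = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----")

def classify_key(body):
    """Return 'encrypted', 'plaintext' or 'unknown' for the body of a <key> block."""
    m = PEM_BEGIN.search(body)
    if not m:
        return "unknown"
    label = m.group("label")
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 with a passphrase
        return "encrypted"
    if label.endswith("PRIVATE KEY"):
        # Traditional PEM signals encryption in a header line, not in the label.
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "plaintext"
    return "unknown"

def audit_ovpn(text):
    """Report key material embedded in a client config before it is sent anywhere."""
    findings = {"private_key": "absent", "static_key_inline": False}
    for m in INLINE_BLOCK.finditer(text):
        tag, body = m.group("tag"), m.group("body")
        if tag == "key":
            findings["private_key"] = classify_key(body)
        elif tag in ("tls-auth", "tls-crypt"):
            # OpenVPN static keys have no passphrase-protected form.
            findings["static_key_inline"] = True
    # Fail closed: an unrecognised key format is treated like a plaintext one.
    findings["needs_wrapping"] = (
        findings["private_key"] in ("plaintext", "unknown") or findings["static_key_inline"]
    )
    return findings

# Constructed sample config; the key body is filler, not real key material.
SAMPLE = """client
dev tun
remote vpn.example.com 1194 udp
auth-user-pass
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtTk9ULUEtS0VZ
-----END PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    print(audit_ovpn(SAMPLE))
```

A result with `needs_wrapping` set means the file carries key material readable by anyone who obtains the message, so it belongs in an encrypted container with the password sent over a separate channel, as suggested above.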