Netgate Discussion Forum

    Migrating from Shared Key to SSL/TLS

    OpenVPN
      Aseknet
      last edited by Aseknet

      Hi All,

      Have an OpenVPN Remote Client Access setup using "Shared Key" that stopped working in the 2.7.0 update.
      Any good guides on how to convert this old setup out there?

      Thanks,
      Ase

        johnpoz LAYER 8 Global Moderator @Aseknet
        last edited by

        @Aseknet switch it to tls mode, and issue new ovpn files - it really should be that simple..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Aseknet @johnpoz
          last edited by Aseknet

          @johnpoz , Changing the Server Mode from "Remote Access ( SSL +TLS ) + (User Auth)" to "Remote Access ( SSL +TLS )" made the tunnel start working, progress!
          But I still would like the user to authenticate using user name and password (Also using FreeRADIUS server with "Google Authenticator" for this).
          Any ideas?

            johnpoz LAYER 8 Global Moderator @Aseknet
            last edited by

            @Aseknet were they doing that in shared key mode? ;)

            You can for sure use + user auth if you so desire.

            So we are on the same page.. You want a user to actually use this, so they auth with cert supplied to them by you. And then they also need a username and password, and you also want them to do google auth token number like .. 103405 that changes every 30 seconds?

            Or is your goal to make it such a PITA to vpn in, that nobody does? ;)

              Aseknet @johnpoz
              last edited by Aseknet

              @johnpoz, Thanks for your fast replies!
              Yes that is correct, I had it working like this before. "OTP PIN + Google Authenticator Code".
              This is for pure "Admin Access" so it has to be secure and it is OK to be this hard.

                Aseknet @Aseknet
                last edited by

                Also tried to sync the "Google Authenticator" App again to see if that was out of sync, but not the case :(

                  johnpoz LAYER 8 Global Moderator @Aseknet
                  last edited by johnpoz

                  @Aseknet said in Migrating from Shared Key to SSL/TLS:

                  This is for pure "Admin Access"

                  How do you think all of that makes it more secure? Do you think someone is going to get access to the cert?

                  All google auth code does is make it harder when the password could be compromised or guessed.. If only your "admin(s)" have a cert? How would it be compromised?

                  Use of cert to auth + username password = something they HAVE, and something they know.. So even if they stole your admins laptop and had the cert.. They still wouldn't be able to get in because they do not have the username and password.. You could also put a password on the cert they have..

                  If I want to get to something, someone might guess say my username (email address, not a very secret thing) and guess my password. The google auth or OTP is something I have - say my phone..

                  When you use cert to auth, and also username and password.. The username password is something someone could guess and the laptop with the cert on it is something they have..

                    Aseknet @johnpoz
                    last edited by Aseknet

                    @johnpoz , Cert leak could happen as I see it, but you are right that the username and password should be enough. Still the extra layer of "OTP PIN" and "Google Authenticator Code" seems reasonable and the 30 second window I think is good. The discussion regarding this is healthy/good and very valid!
                    I have not been struggling myself with this type of sign-in because this is not a daily thing.

                    I think I narrowed down the issue to be the OTP, everything works fine with a static password.
                    Trying to set up the OTP again, but still failing.

                      Aseknet
                      last edited by

                      Anyone else struggling with OTP after 2.7.0 update?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.