Migrating from Shared Key to SSL/TLS
-
Hi All,
Have a OpenVPN Remote Client Access setup using "Shared Key" that stopped working in the 2.7.0 update.
Any good guides how to convert this old setup out there?
Thanks,
Ase
-
@Aseknet switch it to tls mode, and issue new opvn files - it really should be that simple..
-
@johnpoz, Changing the Server Mode from "Remote Access ( SSL +TLS ) + (User Auth)" to "Remote Access ( SSL +TLS )" made the tunnel start working, progress!
But I still would like the user to authenticate using user name and password (Also using FreeRADIUS server with "Google Authenticator" for this).
Any ideas?
-
@Aseknet were they doing that in shared key mode? ;)
You can for sure use + user auth if you so desire.
So we are on the same page.. You want a user to actually use this, so they auth with cert supplied to them by you. And then they also need a username and password, and you also want them to do google auth token number like .. 103405 that changes every 30 seconds?
Or is your goal to make it such a PITA to vpn in, that nobody does? ;)
-
@johnpoz, Thanks for your fast replies!
Yes that is correct, I had it working like this before. "OTP PIN + Google Authenticator Code".
This is for pure "Admin Access" so it has to be secure and it is OK to be this hard.
-
Also tried to sync the "Google Authenticator" App again to see if that was off sync, but not the case :(
-
@Aseknet said in Migrating from Shared Key to SSL/TLS:
This is for pure "Admin Access"
How do you think all of that makes it more secure? Do you think someone is going to get access to the cert?
All google auth code does is make it harder when the password could be compromised or guessed.. If only your "admin(s)" have a cert? How would it be compromised?
Use of cert to auth + username password = something they HAVE, and something they know.. So even if they stole your admins laptop and had the cert.. They still wouldn't be able to get in because they do not have the username and password.. You could also put a password on the cert they have..
If I want to get to something, someone might guess say my username (email address, not a very secret thing) and guess my password. The google auth or OTP is something I have - say my phone..
When you use cert to auth, and also username and password.. The username password is something someone could guess and the laptop with the cert on it is something they have..
-
@johnpoz, Cert leak could happen as I see it, but you are right with the username and password should be enough. Still the extra layer of "OTP PIN" and "Google Authenticator Code" seems reasonable and the 30 second window I think is good. The discussion regarding this is healthy/good and very valid!
I have not been struggling myself with this type of sign-in because this is not a daily thing. I think I narrowed down the issue to be the OTP, everything works fine with a static password.
Trying to set up the OTP again, but still failing.
-
Anyone else struggling with OTP after 2.7.0 update?
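The "OTP PIN + Google Authenticator Code" login being troubleshot above is a TOTP check (RFC 6238, 30-second steps, six digits). As an added illustration, not code from this thread, pfSense or FreeRADIUS, here is a small Python validator that takes a submitted password of the form static PIN followed by the six-digit code (an assumed format), and tolerates one 30-second step of clock skew on either side, since a phone and server whose clocks have drifted apart is the usual reason a code that "looks right" is rejected. The secret is the RFC 6238 test-vector key and the PIN is a constructed value.

```python
import hmac
import hashlib
import struct
import time

STEP = 30     # Google Authenticator uses 30-second time steps
DIGITS = 6    # and six-digit codes


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_pin_otp(submitted: str, pin: str, secret: bytes,
                   unix_time: int, window: int = 1) -> bool:
    """Check 'PIN + six-digit code' (assumed format).

    Accepts the code for the current step and for +/- `window`
    neighbouring steps, so a small clock difference between the
    authenticator app and the server does not reject a valid code.
    Comparisons are constant-time to avoid leaking the PIN or code."""
    if len(submitted) <= DIGITS:
        return False
    pin_part, code_part = submitted[:-DIGITS], submitted[-DIGITS:]
    if not hmac.compare_digest(pin_part.encode(), pin.encode()):
        return False
    if not code_part.isdigit():
        return False
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * STEP)
        if hmac.compare_digest(code_part, expected):
            return True
    return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # RFC 6238 test key (constructed, not a real secret)
    PIN = "2468"                       # constructed test PIN
    now = int(time.time())
    print("current code:", totp(SECRET, now))
    print("accepted:", verify_pin_otp(PIN + totp(SECRET, now), PIN, SECRET, now))
```

Widening `window` beyond 1 masks clock problems rather than fixing them; keeping both ends NTP-synced is the real remedy.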