Secure protocol for distributing OpenVPN login credentials and .ovpn config with
With enterprise firewalls, there is usually an option to prompt the VPN user to change his/her password upon first login. With OpenVPN on pfsense, there isn't an interface for that. So how should I distribute the username/password and PKI keys/certs to a remote user? GPG would be great, but most users don't have the technical capacity for that. Email a password encrypted ZIP file? Then call the person with the password? I'm not too fond of using a less secure method (password-based encryption) to transport strong credentials. Is there a protocol for this sort of thing?
If you don't want to email the credentials, you can set up a password-only VPN profile. You can change the password as often as you like, or disable the profile when it isn't needed.
Then users can VPN in to download the credentials and import them.
For an enterprise setup, why would you not tie the VPN to your RADIUS/LDAP auth? Why would the username/password be different than their normal info?
Also, in an enterprise, would they not already have secure access to corp email? Via their corp laptop or HTTPS interface? Wouldn't most users get the VPN set up on their laptops while at the office?
You might have a few remote work-from-home types? How are they accessing the corp network now? I am a bit confused by the scenario where you would have to distribute anything over public internet email or the like, except for, say, the smallest of SMB startups.
…why would you not tie the vpn to your radius/ldap auth?...
You can deploy a RADIUS / LDAP / Active Directory server in minutes and auth against it.
This is just my case, but I figure I'd throw out how I do it, just to give another example:
I don't distribute user certs because I don't need to verify the user. I DO distribute the ovpn and server certs, but through a Google Drive shared folder.
The reason I don't need to auth the users is because of OTP usage. My auth looks like:
VPN User -> pfSense -> LinOTP <-> Active Directory.
My users have to enter their username, their static 'PIN' and then their passcode that changes every 30 seconds (using Google Authenticator; personally I use Authy).
Here is the popup they see…
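The answer above describes the check that LinOTP performs behind pfSense: the user types a static PIN followed by a code that changes every 30 seconds, and the server compares it against the same TOTP secret the phone app holds. The block below is an added example written for this page, not code from the answerer, LinOTP, pfSense or OpenVPN. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and verifies a combined "PIN + OTP" field the way the answer describes it. The "PIN is the prefix, the last six characters are the code" layout and the one-step clock-drift window are assumptions chosen for the example; the secret is the 20-byte RFC 6238 test key, used here purely as constructed sample input.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step).
    With step=30 this is the '30-second code' Google Authenticator/Authy show."""
    return hotp(secret, unix_time // step, digits)


def verify_pin_otp(submitted: str, pin: str, secret: bytes, unix_time: int,
                   step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Verify a single 'PIN followed by OTP' field (layout assumed for this example).

    - The static PIN is the prefix, the trailing `digits` characters are the TOTP.
    - +/- `window` time steps are accepted to tolerate phone/server clock drift.
    - hmac.compare_digest is used for both parts so the check is constant-time,
      and the loop does not break early so timing does not reveal which step hit.
    """
    if len(submitted) != len(pin) + digits:
        return False
    pin_part, otp_part = submitted[:len(pin)], submitted[len(pin):]
    pin_ok = hmac.compare_digest(pin_part.encode(), pin.encode())

    counter = unix_time // step
    otp_ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(expected, otp_part):
            otp_ok = True
    return pin_ok and otp_ok


if __name__ == "__main__":
    # Constructed sample input: RFC 6238 SHA-1 test key and a fixed timestamp.
    SECRET = b"12345678901234567890"
    T = 59                      # RFC 6238 vector: TOTP at t=59 is 287082
    code = totp(SECRET, T)
    print("current code:", code)
    print("PIN+OTP accepted:", verify_pin_otp("1234" + code, "1234", SECRET, T))
    print("wrong PIN rejected:", not verify_pin_otp("9999" + code, "1234", SECRET, T))
```

Note what this does and does not buy you in the scenario of the question: because the server holds the secret and the phone holds the same secret, the only thing that ever needs to reach the user out of band is the enrolment secret (usually as a QR code) and the PIN. The .ovpn and server CA certificate can then be published openly, as the answer says, since possessing them gives an attacker nothing without a valid PIN and a current code.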
^ Good example. If you're not using user certs to validate the user as 2FA, then there is really nothing that cannot be publicly published.
And you don't have to worry about the certs because you're using a different OTP as your 2FA.