Netgate Discussion Forum

Secure protocol for distributing OpenVPN login credentials and .ovpn config with

  • P
    pixelrebel
    last edited by May 10, 2017, 5:45 PM

    With enterprise firewalls, there is usually an option to prompt the VPN user to change his/her password upon first login. With OpenVPN on pfSense, there isn't an interface for that. So how should I distribute the username/password and PKI keys/certs to a remote user? GPG would be great, but most users don't have the technical capacity for that. Email a password-encrypted ZIP file? Then call the person with the password? I'm not too fond of using a less secure method (password-based encryption) to transport strong credentials. Is there a protocol for this sort of thing?

    • I
      isolatedvirus
      last edited by May 10, 2017, 6:50 PM

      If you don't want to email the credentials, you can set up a password-only VPN profile. You can change the password as often as you like, or disable the profile when it isn't needed.

      Then users can VPN in to download the credentials and import them.

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by May 10, 2017, 7:32 PM

        For an enterprise setup, why would you not tie the VPN to your RADIUS/LDAP auth? So why would the username/password be different than their normal info?

        Also in an enterprise would they not already have secure access to corp email?  Via their corp laptop or https interface?  Wouldn't most users get the vpn setup on their laptops while at the office?

        You might have a few remote work-from-home types? How are they accessing the corp network now? I am a bit confused at the scenario where you would have to distribute anything over public internet email or such, except for, say, the smallest of SMB startups..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • I
          isolatedvirus
          last edited by May 10, 2017, 8:17 PM May 10, 2017, 8:12 PM

          @johnpoz:

          …why would you not tie the vpn to your radius/ldap auth?...

          this.

          You can deploy a RADIUS / LDAP / Active Directory server in minutes, and auth against it.

          This is just my case, but I figure I'd throw out how I do it, just to give another example:
          I don't distribute user certs because I don't need to verify the user. I DO distribute the ovpn and server certs, but through a Google Drive shared folder.
          The reason I don't need to auth the users is because of OTP usage. My auth looks like:

          VPN User -> PFSense -> LinOTP <-> Active directory.

          My users have to enter their username, their static 'pin' and then their passcode that changes every 30 seconds (using Google Authenticator; personally I use Authy.)

          Edit:
          Corrected a wording mistake.

          Edit 2:
          Here is the popup they see…
          https://snag.gy/Bqcawp.jpg

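The authenticator-app half of the flow isolatedvirus describes (VPN User -> pfSense -> LinOTP <-> Active Directory, with a static PIN followed by a 30-second passcode) is standard RFC 4226 HOTP / RFC 6238 TOTP. The following is an added example, not LinOTP, pfSense or any poster's code: a stand-alone re-implementation of HOTP and TOTP (SHA-1, 30 s step, 6 digits, which is what Google Authenticator and Authy generate) plus a verifier for a "PIN + code" login. The PIN-prefix convention, the base32-encoded seed and the +/-1 step drift window are assumptions about how such a server would be configured; the seed is the RFC 6238 test-vector secret `12345678901234567890`, not a real credential.

```python
"""Verify 'static PIN + 6-digit TOTP' logins (added example, not LinOTP/pfSense code).

Implements RFC 4226 (HOTP) and RFC 6238 (TOTP, SHA-1, 30 s step) from the standard
library only, then checks a submitted string of the form <pin><code>.  The PIN-prefix
layout and the +/-1 step window are assumptions about the server configuration.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # Google Authenticator / Authy default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def decode_base32_seed(seed: str) -> bytes:
    """Authenticator apps show seeds as base32 (often unpadded); restore padding and decode."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def verify_pin_otp(submitted: str, pin: str, secret: bytes, at=None, window: int = 1) -> bool:
    """Check a '<static pin><6-digit passcode>' login against the user's seed.

    Uses constant-time comparison for the PIN and for every candidate code within
    +/-window steps (tolerates clock drift between the phone and the server), and does
    not return early so timing does not reveal which step matched.  Returns True on success.
    """
    at = int(time.time()) if at is None else at
    if len(submitted) != len(pin) + DIGITS:
        return False
    pin_ok = hmac.compare_digest(submitted[:len(pin)].encode(), pin.encode())
    code = submitted[len(pin):].encode()
    counter = at // STEP_SECONDS
    code_ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(code, hotp(secret, counter + delta).encode()):
            code_ok = True
    return pin_ok and code_ok


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_PIN = "1234"     # constructed static PIN

if __name__ == "__main__":
    secret = decode_base32_seed(SAMPLE_SEED)
    now = int(time.time())
    code = totp(secret, now)
    print("current passcode:", code)
    print("login accepted:", verify_pin_otp(SAMPLE_PIN + code, SAMPLE_PIN, secret, at=now))
    print("wrong PIN rejected:", not verify_pin_otp("0000" + code, SAMPLE_PIN, secret, at=now))
```

The RFC 6238 test vectors (time 59 gives `287082`, time 1111111109 gives `081804`, and so on) check the HOTP/TOTP part; the verifier then shows why a leaked .ovpn and server certificate alone are not enough to log in, which is the point johnpoz makes next: the second factor lives on the phone, not in the distributed files.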
          • J
            johnpoz LAYER 8 Global Moderator
            last edited by May 10, 2017, 8:18 PM

            ^ good example, if you're not using user certs to validate the user as 2FA then there is really nothing that cannot be publicly published.

            And you don't have to worry about the certs because you're using a different OTP as your 2FA..

