SSL/TLS + user auth / OpenVPN two-factor authentication question



  • Hi. Is there a way to create an OpenVPN server configuration with two-factor authentication, SSL/TLS (cert) + username/password, and export just one profile that could be used for all the users?
    In other words, do I have to export an OpenVPN profile for each user separately, or could this be handled so that one profile suits all the users (that have the proper cert in their profile)?
    Thanks in advance.

    br, pete


  • Rebel Alliance

    You should create a separate user cert and password for each of your users for best security, not share anything.
    If you give all users the same certs and credentials... how would you handle the mess if some device gets compromised?

    -Rico


  • Rebel Alliance Developer Netgate

    Why bother to set up multiple factors of authentication only to nullify them?

    If you want one installer for everyone, do not use per-user certificates. You can use authentication only, plus the default random TLS key, and that is OK. It's best to have per-user certificates, however.

    There is always going to be a security vs convenience trade-off. If you want the best possible security, it takes the extra work to make it that way.
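
An added example, not part of the thread and not code from any poster or project: the kind of check a server can make only when certificates are per-user, written as the logic of an OpenVPN `auth-user-pass-verify <script> via-env` hook (which needs `script-security 3`). The function name, verdict strings and sample attempts are hypothetical and constructed for illustration; the password check itself is assumed to run in a separate backend afterwards.

```shell
#!/bin/sh
# Added example: binding the two factors together.
# With `via-env`, OpenVPN exports `username` (typed by the user) and
# `common_name` (CN of the client certificate that passed TLS verification).

# Hypothetical helper: print the verdict for one login attempt.
# $1 = certificate CN, $2 = typed username
cn_binding_verdict() {
    cn=$1
    user=$2
    if [ -z "$user" ]; then
        echo "deny:no-username"
    elif [ -z "$cn" ]; then
        # No certificate CN was supplied to the hook.
        echo "deny:no-client-cert"
    elif [ "$cn" != "$user" ]; then
        # Valid certificate, but issued to a different user than the one logging in.
        echo "deny:cn-mismatch"
    else
        # Both factors name the same user; the password still has to be verified.
        echo "continue:check-password"
    fi
}

# Constructed sample attempts: "<certificate CN>|<typed username>".
# The last one models a single certificate shared by every profile.
for attempt in "alice|alice" "alice|bob" "|bob" "vpn-shared|alice"; do
    a_cn=${attempt%%|*}
    a_user=${attempt#*|}
    printf '%-14s %-11s %s\n' "cn=$a_cn" "user=$a_user" \
        "$(cn_binding_verdict "$a_cn" "$a_user")"
done
```

With one shared certificate the CN never identifies a user, so this binding cannot be enforced and the certificate stops acting as a per-user factor.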