SSL/TLS + user auth / Openvpn two-factor authentication question

nikkopegmail.com · Nov 29, 2018, 7:35 PM

Hi. Is there a way to create openvpn server configuration with two factor authentication, SSL/TLS (cert) + username/password and export just one profile that could be used for all the users.
In other words, do I have to export an openvpn profile for each user separately, or could this be handled so that one profile suits for all the users (that have the proper cert in their profile)
Thanks in advance.

br, pete

Rico · Nov 29, 2018, 7:50 PM

You should create a separate User cert and Password for each of your user for best Security, not share anything.
If you give all Users the same certs and credentials...how would you handle the mess if some device gets compromised?

-Rico

jimp · Nov 29, 2018, 7:54 PM

Why bother to setup multiple factors of authentication only to nullify them?

If you want one installer for everyone, do not use per-user certificates. You can use authentication only, plus the default random TLS key, and that is OK. It's best to have per-user certificates, however.

There is always going to be a security vs convenience trade-off. If you want the best possible security, it takes the extra work to make it that way.

nikkopegmail.com · Feb 15, 2019, 10:42 AM

@jimp

Ok, Thanks Rico and Jimp !

/ br, pete