Using Internal CA / Self-Signed Certificate for OpenVPN client

  • Hi, I have (hopefully) a basic/nagging question I can't seem to answer. Hoping y'all might be able to help. I'll try and put it as simply as I can.

    In this YouTube video the uploader is setting up an OpenVPN client to connect pfSense to a VPN provider (PIA). What is confusing to me is that in setting up the client, they created an internal CA (and then a self-signed certificate), which they then used for the "Client Certificate" option. Seen here.

    This is the only guide for setting up a PIA OpenVPN client (that I've seen) that uses an internal CA (self-signed certificate) and the "TLS Authentication" option. I'm not sure what this is doing/providing... It can't change how pfSense itself authenticates to PIA servers (still unencrypted, username/pass), right? Just because you generate a self-signed certificate and then turn on TLS authentication, it doesn't change anything on PIA's side... Like you haven't shared your public key with them... So where is the TLS authentication being used?

    Alright, I'm going to quit speculating now. Any light shed would be greatly appreciated! Thank you!

    Edit: for clarity

  • Rebel Alliance Developer Netgate

    You're confusing site-to-site/remote access VPNs on pfSense (servers) with VPN service clients.

    A VPN server on pfSense would use a server certificate from a self-signed internal CA as its server certificate.

    A VPN client on pfSense would use a certificate provided by the server. If that's a VPN provider, the VPN provider would give you a certificate. (If it's something like PIA, that's up to them. If you are connecting to another pfSense, it would be a user certificate made on that remote pfSense server).

  • Thanks jimp, and yes that makes sense, not sure why the creators of this video created an internal CA then... Yes it's a YouTube guide/guy, but one of the smarter ones (in my experience). Anyway, thought I might be missing something here and wanted to check. Thank you @jimp.

  • Update:

    Found this YouTube comment addressing this same question.

    "served no purpose. The VPN provider won't trust your client cert. It even says that in the drop-down, that you don't need a client cert if using username and password. The whole idea of the client cert is to authenticate the user. The user would have a cert from your CA that they have the private key to. What they did is meaningless and I'd bet if you look at the logs it is ignored." - Mark Lewis
