Netgate Discussion Forum
    Certificates and Openvpn

    General pfSense Questions
    peterzy @johnpoz

      @johnpoz I have tried two things

      1. User/pass + certificate

      Changing password does not help - as long as certificate is supplied user can login. Common name comes correctly from the certificate.

      2. User/Pass only - then common name comes as

      UNDEF username, e.g. "UNDEF test"

      That with Mikrotik.
      With normal VPN client (e.g. OpenVPN under Windows) common name comes correctly as username, e.g. "test"

      Any ideas?

    johnpoz (LAYER 8 Global Moderator) @peterzy

        @peterzy said in Certificates and Openvpn:

        as long as certificate is supplied user can login. Common name comes correctly from the certificate.

        Not sure what you're doing there - but that makes no sense, and would mean the whole point of the setting is pointless. If that is not working should prob put in a redmine, since clearly if the username/password is not known or password was changed they shouldn't be able to log in, even if the cert is valid.

        https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-server-mode.html#mode-configuration

        [attachment: auth.jpg]

        Not saying to use this for your routers that need to connect, just create multiple instances of openvpn server on pfsense. One used for your users, other used for these routers that do not support the mode, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    peterzy @johnpoz

          @johnpoz

          Yes, it seems kind of a bug.

          My setup:

          1. VPN Server1 - certificate only
          2. VPN Server2 - certificate(same certificate as with server1) + user
            [attachment: 10eee150-2abe-4286-b368-a1d9ded266db-image.png]
          3. VPN Server3 - user

          Servers are on different ports. I have three servers just for the sake of test purposes.

          Client: RouterOS 6

          Server1 - works like charm
          Server2 - connects even with wrong password. I even put username "any" and was still accepted. However client overrides do not kick in.
          Server3 - wrong common name if client is Mikrotik.

          So definitely some bugs somewhere :-)

          Peter
          P.S. TLS verify is not an option as it is not supported by MTK

    johnpoz (LAYER 8 Global Moderator) @peterzy

            @peterzy yeah that is too bad about the TLS key.. stupid they do not support that.. Found a thread from 2015 asking for ;) and still not available.

            But reading this

            https://help.mikrotik.com/docs/display/ROS/OpenVPN

            limitations:
            authentication without username/password

            The way I read that you have to use a username/password even if you're using a cert..

            If I get a chance later today I will try and duplicate what you're saying, that wrong username/password when using tls + user auth is not working, and look in redmine if already known, etc.

    peterzy @johnpoz

              @johnpoz Thank you :)
              For without user/pass: You just put any username in the field username, e.g. the word "any", and it works like charm with certificate only if pfSense is in certificate only mode. However when pfSense is in certificate + user mode it still works, but then client specific override does not work, so I guess common name is changed or something.
              My exact versions are: RouterOS 6.49.7 (stable), pfSense is 2.6.0

    stephenw10 (Netgate Administrator)

                If you have a CSO for every user you could have invalid settings in the main config so anyone connecting would be unable to actually access anything. They would still be connected though.

    peterzy @stephenw10

                  @stephenw10 yep, this is what I was thinking also. However I am not sure how secure it is if I put dummy local and remote networks by default.

    stephenw10 (Netgate Administrator)

                    Not very. A connected client can always add their own routes to access remote resources. They can't have a subnet behind them. But if you add fixed IPs for each client and block everything else then they would not be able to connect. The client can't specify the IP address they use in an SSL/TLS tunnel. Or shouldn't be able to at least. Still nowhere near as good as revoking the cert.

    jimp (Rebel Alliance Developer, Netgate)

                      If you really don't want to rely on user auth + strict user+CN matching, then you could make a CSO for the special DEFAULT user with the Connection Blocking option checked, then define a CSO for each other valid certificate CN.

                      Don't rely on IP address assignment/routing/firewall rules alone because if they can still connect, the client can influence some traffic on their own, so it's not as secure. Even if the server pushes some invalid settings the client can be set to ignore those.

                      All that said, if you really don't trust the old admin, changing out the whole CA structure after they leave would be warranted.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

    peterzy @jimp
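The DEFAULT-blocks-everyone pattern jimp describes (and the fixed-address idea stephenw10 mentions) maps onto OpenVPN's client-config-dir, where pfSense writes each CSO as a file named after the certificate CN and the Connection Blocking option becomes the `disable` directive (that mapping is an assumption about the underlying mechanism). The following is an added illustration, not pfSense or OpenVPN code: it writes such a directory for a constructed allow-list and mimics OpenVPN's lookup order (CN file first, then DEFAULT) to show which CNs are refused, including a CN that does not map cleanly onto a file name.

```python
import os
import re
import tempfile

# Constructed allow-list: certificate CN -> fixed tunnel address to push (assumed values).
ALLOWED_CLIENTS = {
    "router-branch1": "10.8.0.10 255.255.255.0",
    "router-branch2": "10.8.0.11 255.255.255.0",
}
# Only look up CNs made of characters that map cleanly onto a file name
# (an approximation of OpenVPN's own CN sanitising); anything else is refused.
SAFE_CN = re.compile(r"[A-Za-z0-9_.@-]+")

def write_ccd(ccd_dir, allowed):
    """Write a client-config-dir: DEFAULT carries 'disable', so any CN without
    its own entry is refused; listed CNs get a fixed tunnel address instead."""
    os.makedirs(ccd_dir, exist_ok=True)
    with open(os.path.join(ccd_dir, "DEFAULT"), "w") as f:
        f.write("disable\n")
    for cn, addr in allowed.items():
        with open(os.path.join(ccd_dir, cn), "w") as f:
            f.write(f"ifconfig-push {addr}\n")

def resolve(ccd_dir, cn):
    """Mimic OpenVPN's lookup order: the file named after the CN, else DEFAULT.
    Returns (entry name or None, list of option tokens in that entry)."""
    if not SAFE_CN.fullmatch(cn):
        return None, []
    for name in (cn, "DEFAULT"):
        path = os.path.join(ccd_dir, name)
        if os.path.isfile(path):
            with open(path) as f:
                return name, f.read().split()
    return None, []

def is_allowed(ccd_dir, cn):
    """False when the CN was refused outright or its entry contains 'disable'."""
    if not SAFE_CN.fullmatch(cn):
        return False
    return "disable" not in resolve(ccd_dir, cn)[1]

def demo(cns=("router-branch1", "old-admin-laptop", "../DEFAULT")):
    """Build the ccd in a scratch directory and report each CN's decision."""
    ccd = tempfile.mkdtemp(prefix="ccd-")
    write_ccd(ccd, ALLOWED_CLIENTS)
    return {cn: (resolve(ccd, cn)[0], is_allowed(ccd, cn)) for cn in cns}

if __name__ == "__main__":
    for cn, (entry, ok) in demo().items():
        print(f"{cn:20} entry={entry!s:16} allowed={ok}")
```

As jimp notes, this only decides whether a session is established; a CN that is still allowed can ignore pushed routes, so revoking the certificate (or replacing the CA) remains the real fix.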

                        @jimp Thanks :-) Ideas look great :) BTW I do want to use user + certificate, but in that case when I changed password I was still able to login with just certificate (case 2 above).

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.