Netgate Discussion Forum
OpenVPN proposal

ivica.glavocic:

Using VPN access without 2FA is insecure; most users keep their username and password saved on their computers, and if that leaks (everything is in one place, including the client certificate), we have a scenario for disaster.

2FA is obligatory by law in the EU (GDPR, NIS2).

From what I can see, OpenVPN with proper 2FA does not work in a user-friendly way using the official documentation https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa

The user can't authenticate from OpenVPN Connect when using a saved user/pass (PIN) plus an OTP prompt (static-challenge "Enter OTP" 1), because the client sends PIN + OTP and the freeradius server expects OTP + PIN.

In my opinion, those problems should be fixed because:

• A PIN (4-8 numbers) instead of a password is not secure enough.
• The Radius server expects OTP + PIN, clients send PIN + OTP, so the connection cannot be made.
• The only way to connect is without static-challenge, when the user enters PIN + OTP; not user friendly.

The other product (we won't say which one) has a good solution that works: native Google TOTP in the access server and the OTP seed in User Manager. That's practically the only thing I have seen that is better. But the OpenVPN implementation on pfSense could be a deal breaker and lead people to choose that other product.
viragomann @ivica.glavocic:

@ivica.glavocic said in OpenVPN proposal:

    The user can't authenticate from OpenVPN Connect when using a saved user/pass (PIN) plus an OTP prompt (static-challenge "Enter OTP" 1), because the client sends PIN + OTP and the freeradius server expects OTP + PIN.

I use OpenVPN GUI on Windows. It sends OTP + PW to the server in this order.
The password can be saved, so you only have to enter the OTP.

If you use the Network Manager on Linux, which has no OTP option, you have to enter the OTP + password in the PW field.
ivica.glavocic:

The FreeRADIUS server is installed and configured on the pfSense firewall according to the official documentation https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa
Here is a description of the problem without my conclusions.

When I authenticate on pfSense from the OpenVPN Connect client:

• On pfSense Diagnostics - Authentication, when I enter my username and PIN + OTP in the password field, I am authenticated.
• In the OpenVPN Connect client, if I authenticate only with the password (static-challenge "Enter OTP" 1 NOT PUSHED to the client) and enter PIN + OTP in the password field, the connection is made.
• In the OpenVPN Connect client, if I authenticate with static-challenge PUSHED to the client, the PIN as the password and the OTP entered in an additional window, the connection is rejected (authentication failed).
ivica.glavocic:

I got help from Netgate support regarding this issue; as a result, a new feature request has been opened: https://redmine.pfsense.org/issues/16558
Thanks to everyone in Netgate support, especially Mr. Lev Prokofev; their response, explanation and help were excellent.
The issue with the PIN and security still remains; I hope the rest will be resolved soon.
viragomann @ivica.glavocic:

@ivica.glavocic said in OpenVPN proposal:

    When I authenticate on pfSense from the OpenVPN Connect client:

    On pfSense Diagnostics - Authentication, when I enter my username and PIN + OTP in the password field, I am authenticated.

So Freeradius expects PIN + OTP.

In the initial post you wrote it the other way round, so I was confused:

@ivica.glavocic said in OpenVPN proposal:

    and the freeradius server expects OTP + PIN.

This is the order in which OpenVPN Connect sends it.

But this is nothing that can be changed in the OpenVPN server; at best it can be changed in the client.
The client sends a hash of both to the server and OpenVPN forwards it to Freeradius for verification. OpenVPN itself doesn't see the PIN and OTP.

Hence there should be an option either in Freeradius or in the VPN client software to change the order.
ivica.glavocic:

Actually my conclusion was wrong (I thought the order was wrong); this is the explanation from Netgate support:

    When you have a static-challenge option, it means that the user sends a password => PIN only, and a response => OTP only.
    With the basic config from our guide, the Radius expects to see just the password, so PIN+OTP in one response.
    With FreeRADIUS on pfSense, static-challenge from OpenVPN Connect will FAIL by default, because FreeRADIUS never combines the static-challenge OTP with the password automatically.
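To make the two credential shapes discussed in this thread concrete, here is an added Python example; it is not code from this page, from pfSense or from FreeRADIUS. It assumes OpenVPN's documented SCRV1 encoding for static-challenge responses (not named in the thread), models the FreeRADIUS check from the guide as a comparison against PIN followed by OTP, and the combine_for_radius function is hypothetical glue showing what the feature request asks for.

```python
import base64
import hmac

SCRV1_PREFIX = "SCRV1:"


def encode_static_challenge(pin: str, otp: str) -> str:
    """What a client sends when static-challenge is enabled: the password
    (here the PIN) and the challenge response (the OTP) travel separately,
    each base64-encoded, in OpenVPN's SCRV1 form (assumed, per OpenVPN docs)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"{SCRV1_PREFIX}{b64(pin)}:{b64(otp)}"


def combine_for_radius(raw_password: str) -> str:
    """Return the single PIN+OTP string FreeRADIUS expects.

    Concatenated input (no static-challenge) passes through unchanged; an
    SCRV1 credential is split, decoded and re-joined as PIN followed by OTP.
    Hypothetical glue: nothing on pfSense does this today (see the thread)."""
    if not raw_password.startswith(SCRV1_PREFIX):
        return raw_password
    fields = raw_password[len(SCRV1_PREFIX):].split(":")
    if len(fields) != 2:
        raise ValueError("malformed SCRV1 credential")
    try:
        pin, otp = (base64.b64decode(f, validate=True).decode() for f in fields)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 credential") from exc
    return pin + otp


def radius_accepts(password: str, expected_pin: str, expected_otp: str) -> bool:
    """Stand-in for the FreeRADIUS check from the guide: the password
    attribute must equal PIN+OTP. Constant-time compare to avoid timing leaks."""
    expected = (expected_pin + expected_otp).encode()
    return hmac.compare_digest(password.encode(), expected)


def thread_scenarios() -> dict:
    """Replay the three cases reported in the thread with constructed sample
    credentials; only the raw static-challenge credential fails."""
    pin, otp = "1234", "567890"  # constructed sample PIN and OTP
    concatenated = pin + otp     # Diagnostics > Authentication, or no static-challenge
    static = encode_static_challenge(pin, otp)  # static-challenge pushed to client
    return {
        "concatenated": radius_accepts(concatenated, pin, otp),
        "static_challenge_raw": radius_accepts(static, pin, otp),
        "static_challenge_combined": radius_accepts(combine_for_radius(static), pin, otp),
    }
```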
ivica.glavocic:

This is bad. I just connected to OpenVPN with freeRADIUS 2FA using only PIN + OTP, without a user certificate.
viragomann @ivica.glavocic:

@ivica.glavocic
If "strict cn-matching" is checked in the server settings, the server should reject this connection attempt.
ivica.glavocic:

Strict User-CN Matching is checked (Enforce match).
Client Certificate Key Usage Validation is checked (Enforce key usage).
The OpenVPN service has been restarted.

The client certificate has been deleted from pfSense; I can still connect with PIN + OTP.
viragomann @ivica.glavocic:

@ivica.glavocic
Deleting the client certificate from pfSense does nothing at all if the client is still sending the cert to the server. The OpenVPN server just verifies that the client cert is signed by the assigned CA.

If you want to disable a client certificate you have to revoke it and assign the CRL to the server.
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.