OpenVPN per-user authentication method ?

thewild · Sep 12, 2011, 8:33 AM

Hi all
I have set-up OpenVPN with "SSL/TLS + user auth" authentication mode.
I have a client that needs to connect automatically. Is it possible to have a specific configuration for this client to only use "SSL/TLS" without the user/login authentication ?
Or will I have to setup another instance on OpenVPN on my pfSense installation ?
Thanks a lot !

jimp · Sep 12, 2011, 3:37 PM

There is a way (though you'll have to look it up separately, since it's a security risk) to have the client save the username/password in a file, to be read at login.

Failing that, you'd need to setup a separate OpenVPN instance for the automated login client. Be sure to use a separate CA and TLS key so that clients from the restricted setup can't connect to the one that does not require user auth.

thewild · Sep 16, 2011, 9:15 AM

@jimp:

There is a way (though you'll have to look it up separately, since it's a security risk) to have the client save the username/password in a file, to be read at login.

Failing that, you'd need to setup a separate OpenVPN instance for the automated login client. Be sure to use a separate CA and TLS key so that clients from the restricted setup can't connect to the one that does not require user auth.

Thanks a lot for your help, and sorry for not acknowledging but I did not get a notification.

I think I'll give the userpass file a go.
In what way is it more risky to store this file on the client than to store the key files ?

jimp · Sep 16, 2011, 12:44 PM

If you store the password, then every piece of information needed to access the VPN is stored on the system and anyone could use it without any verification of who is actually logging in.

With the password (assuming it's a secure password of course) you at least have an extra layer preventing someone from getting on even if they get ahold of the key files. AKA two factor authentication, something you have (certificate) + something you know (password).

thewild · Sep 19, 2011, 6:41 AM

@jimp:

If you store the password, then every piece of information needed to access the VPN is stored on the system and anyone could use it without any verification of who is actually logging in.

With the password (assuming it's a secure password of course) you at least have an extra layer preventing someone from getting on even if they get ahold of the key files. AKA two factor authentication, something you have (certificate) + something you know (password).

OK I get that, I was just thinking about "key files only" vs "key files + password stored in file".
I wanted to be sure I was not misunderstanding something about key files (i.e. having them is enough to connect we don't use two factor authentication).
So in any case, if I want an automatic setup, nothing is really safe.

jimp · Sep 19, 2011, 11:48 AM

Yep, the classic Security vs. Convenience trade off.

thewild · Sep 19, 2011, 1:26 PM

@jimp:

Yep, the classic Security vs. Convenience trade off.

Indeed. In my case I need some convenience, so I'll try to give the "stored credentials" a try.

Thanks a lot for you help !