Netgate Discussion Forum

OpenVPN per-user authentication method?

    thewild
    last edited by Sep 12, 2011, 8:33 AM

    Hi all
    I have set up OpenVPN with "SSL/TLS + user auth" authentication mode.
    I have a client that needs to connect automatically. Is it possible to have a specific configuration for this client to only use "SSL/TLS" without the user/login authentication?
    Or will I have to set up another instance of OpenVPN on my pfSense installation?
    Thanks a lot!

      jimp Rebel Alliance Developer Netgate
      last edited by Sep 12, 2011, 3:37 PM

      There is a way (though you'll have to look it up separately, since it's a security risk) to have the client save the username/password in a file, to be read at login.

      Failing that, you'd need to set up a separate OpenVPN instance for the automated login client. Be sure to use a separate CA and TLS key so that clients from the restricted setup can't connect to the one that does not require user auth.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!
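      An added example, not code from the thread or from pfSense: a small Python audit over constructed OpenVPN client profiles that flags the stored-credential form jimp describes (`auth-user-pass` with a file argument), checks that such a credentials file is not readable by other users, and confirms that two profiles do not share a CA or TLS key, which is the separation he recommends when running a dedicated instance without user auth. Host names, file names and the placeholder credential are constructed.

```python
import os
import tempfile

# Constructed sample (not from the thread): profile for the automated host. The file
# argument to auth-user-pass makes OpenVPN read username/password from creds.txt.
AUTOMATED_CLIENT = """\
client
remote vpn.example.test 1194
ca ca-automated.crt
cert host.crt
key host.key
tls-auth ta-automated.key 1
auth-user-pass creds.txt
"""
# Interactive profile for the separate user-auth instance: bare auth-user-pass prompts
# at connect time, and the instance has its own CA and TLS key (constructed names).
INTERACTIVE_CLIENT = AUTOMATED_CLIENT.replace("auth-user-pass creds.txt", "auth-user-pass").replace("-automated.", "-users.")

def parse_directives(config_text):
    """Map each directive to its arguments (first occurrence wins), skipping comment lines."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, args)
    return directives

def stores_credentials(config_text):
    """True when auth-user-pass names a file: the password is on disk next to the keys."""
    return bool(parse_directives(config_text).get("auth-user-pass"))

def shares_trust_anchor(config_a, config_b):
    """True when two profiles name the same CA or TLS key file, so a client issued for one instance could present its certificate to the other."""
    a, b = parse_directives(config_a), parse_directives(config_b)
    return any(a[d][:1] == b[d][:1] for d in ("ca", "tls-auth", "tls-crypt") if d in a and d in b)

def credential_file_exposed(path):
    """True when a stored-credential file is readable or writable by group or others."""
    return bool(os.stat(path).st_mode & 0o077)

def check_constructed_credfile(mode):
    """Write a throwaway credentials file with the given mode and report whether it is exposed."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"vpn-user\nplaceholder-password\n")  # constructed, not a real credential
        os.close(fd)
        os.chmod(path, mode)
        return credential_file_exposed(path)
    finally:
        os.unlink(path)
```

The same functions can be pointed at real `.ovpn` files to confirm that only the intended automated host carries a credentials file and that it is mode 0600.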

        thewild
        last edited by Sep 16, 2011, 9:15 AM

        @jimp:

        There is a way (though you'll have to look it up separately, since it's a security risk) to have the client save the username/password in a file, to be read at login.

        Failing that, you'd need to set up a separate OpenVPN instance for the automated login client. Be sure to use a separate CA and TLS key so that clients from the restricted setup can't connect to the one that does not require user auth.

        Thanks a lot for your help, and sorry for not acknowledging, but I did not get a notification.

        I think I'll give the userpass file a go.
        In what way is it more risky to store this file on the client than to store the key files?

          jimp Rebel Alliance Developer Netgate
          last edited by Sep 16, 2011, 12:44 PM

          If you store the password, then every piece of information needed to access the VPN is stored on the system and anyone could use it without any verification of who is actually logging in.

          With the password (assuming it's a secure password of course) you at least have an extra layer preventing someone from getting on even if they get ahold of the key files. AKA two-factor authentication, something you have (certificate) + something you know (password).

            thewild
            last edited by Sep 19, 2011, 6:41 AM

            @jimp:

            If you store the password, then every piece of information needed to access the VPN is stored on the system and anyone could use it without any verification of who is actually logging in.

            With the password (assuming it's a secure password of course) you at least have an extra layer preventing someone from getting on even if they get ahold of the key files. AKA two-factor authentication, something you have (certificate) + something you know (password).

            OK, I get that; I was just thinking about "key files only" vs "key files + password stored in file".
            I wanted to be sure I was not misunderstanding something about key files (i.e. having them is enough to connect; we don't use two-factor authentication).
            So in any case, if I want an automatic setup, nothing is really safe.

              jimp Rebel Alliance Developer Netgate
              last edited by Sep 19, 2011, 11:48 AM

              Yep, the classic Security vs. Convenience trade-off.

                thewild
                last edited by Sep 19, 2011, 1:26 PM

                @jimp:

                Yep, the classic Security vs. Convenience trade-off.

                Indeed. In my case I need some convenience, so I'll give the "stored credentials" a try.

                Thanks a lot for your help!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.