OpenVPN road warrior



  • Hi,

    I have implemented a road warrior config against my pfSense installation successfully. I am not a security expert, but if someone is able to copy the config folder of my OpenVPN client, this person will be able to have access to my LAN. Am I wrong, or is there some way to avoid it?

    Regards,



  • Didn't you have a password set up with the certificate?



  • There are three possibilities for an OpenVPN client to connect to your OpenVPN server:

    • Just a username and password combination (User Auth)

    • Just an OpenVPN client certificate

    • A combination of client certificate and username/password

    So if you just have a client certificate and someone else gets this certificate, he is able to connect to your VPN. If you know that someone lost his certificate or someone has stolen a certificate, you can put this certificate on a so-called "Certificate Revocation List", which means that connections with this cert will be blocked.

    So best thing would be that you think about a username/password and certificate combination.

    A more secure possibility would be a certificate + username and one-time-password combination. This can be done in fewer steps with the freeradius2 package in combination with your OpenVPN server.
    http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Enable_Mobile-One-Time-Password_.28OTP.29_support
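
An added example, not part of the original posts and not pfSense's own code: a small audit that reads an OpenVPN server config, reports which of the three authentication modes listed above is in effect, and flags a missing `crl-verify`. The sample configs are constructed, `check_user.sh` is a hypothetical script path, and treating any `plugin` line as a username/password check is an assumption.

```python
# Added example: which of the three client-auth modes does a server config use?
BASE = """\
# constructed sample server config
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0
"""
# check_user.sh is a hypothetical script path
CERT_ONLY = BASE
USER_ONLY = BASE + "verify-client-cert none\nauth-user-pass-verify check_user.sh via-env\n"
COMBINED = BASE + "crl-verify crl.pem\nauth-user-pass-verify check_user.sh via-env\n"


def parse_directives(text):
    """Map each directive name to the list of its argument lists."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        name, *args = line.split()
        found.setdefault(name.lstrip("-"), []).append(args)
    return found


def audit(text):
    d = parse_directives(text)
    # Assumption: any of these directives means username/password is checked.
    user_auth = any(k in d for k in ("auth-user-pass-verify", "plugin", "management-client-auth"))
    relaxed = any(a and a[0] in ("none", "optional") for a in d.get("verify-client-cert", []))
    cert_required = not relaxed and "client-cert-not-required" not in d
    mode = {(True, True): "certificate + username/password",
            (True, False): "certificate only",
            (False, True): "username/password only",
            (False, False): "no client authentication"}[(cert_required, user_auth)]
    findings = []
    if mode == "certificate only":
        findings.append("a copied client config folder is enough to connect")
    if cert_required and "crl-verify" not in d:
        findings.append("no crl-verify: a lost or stolen certificate cannot be blocked")
    return {"mode": mode, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("cert only", CERT_ONLY), ("user only", USER_ONLY), ("combined", COMBINED)):
        print(label, audit(cfg))
```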

