OpenVPN road warrior
-
Hi,
I have implemented a road warrior config against my pfSense installation successfully. I am not a security expert, but if someone is able to copy the config folder of my OpenVPN client, this person will be able to have access to my LAN. Am I wrong, or is there some way to avoid it?
Regards,
-
Didn't you have a password set up with the certificate?
-
There are three possibilities for an OpenVPN client to connect to your OpenVPN server:
- Just a username and password combination (User Auth)
- Just an OpenVPN client certificate
- A combination of client certificate and username/password
So if you just have a client certificate and someone else gets this certificate, he is able to connect to your VPN. If you know that someone lost his certificate or someone has stolen a certificate, you can put this certificate on a so-called "Certificate Revocation List", which means that connections with this cert will be blocked.
So the best thing would be to think about a username/password and certificate combination.
A more secure possibility would be a certificate + username and one-time-password combination. This can be done in fewer steps with the freeradius2 package in combination with your OpenVPN Server.
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Enable_Mobile-One-Time-Password_.28OTP.29_support
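As an added example (not part of the original thread), the check below reads an OpenVPN client config and lists the reasons a copied config folder would be enough to connect on its own. The function name `audit_client_config` and both sample configs are constructed for illustration.

```python
import re

# Constructed sample client configs (placeholders, not real key material).
CERT_ONLY = """client
remote vpn.example.net 1194
ca ca.crt
cert client.crt
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
</key>
"""
CERT_PLUS_USER = """client
remote vpn.example.net 1194
ca ca.crt
cert client.crt
auth-user-pass
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed placeholder)
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

def audit_client_config(text, key_files=None):
    """Return reasons why the config folder alone is sufficient to log in."""
    key_files = key_files or {}          # hypothetical map: file name -> PEM text
    findings, directives = [], {}
    # Drop inline <tag>...</tag> blocks before reading the directives.
    body = re.sub(r"<(\w[\w-]*)>.*?</\1>", "", text, flags=re.S)
    for line in body.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#;":
            directives[parts[0]] = parts[1:]
    inline = re.search(r"<key>(.*?)</key>", text, flags=re.S)
    key_name = (directives.get("key") or [""])[0]
    key_pem = inline.group(1) if inline else key_files.get(key_name, "")
    # Passphrase-protected PEM keys carry "ENCRYPTED" in the header lines.
    if key_pem and "ENCRYPTED" not in key_pem:
        findings.append("private key is stored without a passphrase")
    if "auth-user-pass" not in directives:
        findings.append("no username/password prompt (certificate-only login)")
    elif directives["auth-user-pass"]:
        # auth-user-pass with a file argument reads saved credentials from disk.
        findings.append("credentials are saved in file " + directives["auth-user-pass"][0])
    return findings
```

An empty result means the folder still needs something the user knows, but a stolen certificate should be placed on the Certificate Revocation List regardless.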