OpenVPN - Roadwarrior Restricted / Unrestricted



  • Hi guys

    I have to start my sentence with - I am very very new to setting up a secure VPN. But i really hope somebody can assist.
    Running pfsense 2.1.3-RELEASE (amd64).

    My goal is to setup OpenVPN connections where some users is allowed full access to the internal LAN, and some users partial access(eg some servers blocked). Using a few guides around, i ended up with the following configuration :

    • Two CA's with signed server certificates(lets call them Restricted CA and unrestricted CA

    • User certificates created, signed by either the restricted CA or unrestricted CA

    • Installed the OpenVPN client export utility

    • Created two OpenVPN servers using the wizard( using separate ports and CA certificates)

    • Each server gives a separate tunnel network/ subnet, as this allows me to create firewall rules blocking access from restricted network to the LAN

    • Using the client export wizard, i exported installation files for each user ( Restricted and Unrestricted)

    • So far so good. Installing the clients , and testing, gives me the results i was looking for

    But then the problem occurred. Since i was testing with both client installations on one pc, both sets of certificates was loaded, which showed me a possible loop hole.

    User2 ( Restricted), is able to use the OpenVPN configuration installed for User1, and login using User2's login details…... ouch

    Thus if User2(restricted) is able to obtain the installation files intended for a Restricted user ( or for that matter copy the OpenVPN config folder from an unrestricted pc, he will be able to log in onto the VPN without any restrictions.

    I know security is only as good as the access provided to the pc in question, but i was wondering if there was a way via configurations to make sure this doesn't happen? eg a local user should only be allowed to authenticate using his/her own certificate?

    If any details is needed specific to the configuration please let me know

    Thx guys!!

    Neo_X



  • I have to start my sentence with - I am very very new to setting up a secure VPN. But i really hope somebody can assist.

    You have a profound knowledge of OpenVPN as you are a Newbie. Congratulation!  :)

    User2 ( Restricted), is able to use the OpenVPN configuration installed for User1, and login using User2's login details…... ouch

    Thus if User2(restricted) is able to obtain the installation files intended for a Restricted user ( or for that matter copy the OpenVPN config folder from an unrestricted pc, he will be able to log in onto the VPN without any restrictions.

    Off course, if you only use certificate based authentication the user who have the proper certificate for a OpenVPN server is able to connect. So take care of your certificate and private key.

    However, you can use combined SSL + User auth and assign a password to each user. So users need a the password in addition to the certificate. The password is not be stored in several OpenVPN clients.



  • @viragomann:

    I have to start my sentence with - I am very very new to setting up a secure VPN. But i really hope somebody can assist.

    You have a profound knowledge of OpenVPN as you are a Newbie. Congratulation!  :)

    User2 ( Restricted), is able to use the OpenVPN configuration installed for User1, and login using User2's login details…... ouch

    Thus if User2(restricted) is able to obtain the installation files intended for a Restricted user ( or for that matter copy the OpenVPN config folder from an unrestricted pc, he will be able to log in onto the VPN without any restrictions.

    Off course, if you only use certificate based authentication the user who have the proper certificate for a OpenVPN server is able to connect. So take care of your certificate and private key.

    However, you can use combined SSL + User auth and assign a password to each user. So users need a the password in addition to the certificate. The password is not be stored in several OpenVPN clients.

    thx for the compliments - still a learning stage though

    I am assuming you are talking about the server mode under openvpn?

    Mine is currently set to SSL/TLS + User Auth, with Backend as Local database.

    Users has been added under System(Didnt add them to a group or give effective priveleges though), but each has different  passwords.

    Only issue is that i am allowed to connect to the OpenVPN using User1's certificates and User2's login details. Yes user2 is not supposed to ever obtain user1's certificate.

    other option, although a slep, is to password protect the pkcs12 file when doing the client export. This gives an additional password prompt once the VPN connection is initiated, which is guess is a better protection for the certificates as well should the laptop be compromised.

    Just thought that there will be tighter relation between the certificate used, and the user authentication provided.

    any other ideas why this could be happening?

    thx



  • Only issue is that i am allowed to connect to the OpenVPN using User1's certificates and User2's login details. Yes user2 is not supposed to ever obtain user1's certificate.

    That's right. Unfortunately.
    I have never checked this out before.

    I think, the only workaround will be, to force a client to a specific tunnel network by setting up a "Client Specific Override" rule for each user.
    So the client will be able to connect anyway, but will get the tunnel IP intended to have the correct privileges.


  • LAYER 8 Netgate

    Is this on?

    Strict CN/User matching: When authenticating users, enforce a match between the common name of the client certificate and the username given at login.

    It's in the OpenVPN server settings.



  • @Derelict:

    Strict CN/User matching

    Yeah! I don't know, why I haven't set this option before. I think I did not want to care that the CN in cert equals the username.
    Thanks.



  • @Derelict:

    Is this on?

    Strict CN/User matching: When authenticating users, enforce a match between the common name of the client certificate and the username given at login.

    It's in the OpenVPN server settings.

    EUREKA!!!

    Yes thank you -just tested, and is working as described.

    In other news, i need to go and have my eyes tested - cant believe that i missed the setting  :o

    Thx Derelict / Guys :)


Log in to reply