    OpenVPN - Roadwarrior Restricted / Unrestricted

erwintwr wrote:

      Hi guys

I have to start my sentence with - I am very, very new to setting up a secure VPN. But I really hope somebody can assist.
Running pfSense 2.1.3-RELEASE (amd64).

My goal is to set up OpenVPN connections where some users are allowed full access to the internal LAN, and some users partial access (e.g. some servers blocked). Using a few guides around, I ended up with the following configuration:

• Two CAs with signed server certificates (let's call them Restricted CA and Unrestricted CA)

      • User certificates created, signed by either the restricted CA or unrestricted CA

      • Installed the OpenVPN client export utility

• Created two OpenVPN servers using the wizard (using separate ports and CA certificates)

• Each server gives a separate tunnel network/subnet, as this allows me to create firewall rules blocking access from the restricted network to the LAN

• Using the client export wizard, I exported installation files for each user (Restricted and Unrestricted)

• So far so good. Installing the clients, and testing, gives me the results I was looking for

But then the problem occurred. Since I was testing with both client installations on one PC, both sets of certificates were loaded, which showed me a possible loophole.

User2 (Restricted) is able to use the OpenVPN configuration installed for User1, and log in using User2's login details... ouch

Thus if User2 (restricted) is able to obtain the installation files intended for a Restricted user (or for that matter copy the OpenVPN config folder from an unrestricted PC), he will be able to log in to the VPN without any restrictions.

I know security is only as good as the access provided to the PC in question, but I was wondering if there was a way via configuration to make sure this doesn't happen? E.g. a local user should only be allowed to authenticate using his/her own certificate?

If any details are needed specific to the configuration, please let me know.

      Thx guys!!

      Neo_X

viragomann wrote:

I have to start my sentence with - I am very, very new to setting up a secure VPN. But I really hope somebody can assist.

        You have a profound knowledge of OpenVPN as you are a Newbie. Congratulation!  :)

User2 (Restricted) is able to use the OpenVPN configuration installed for User1, and log in using User2's login details... ouch

Thus if User2 (restricted) is able to obtain the installation files intended for a Restricted user (or for that matter copy the OpenVPN config folder from an unrestricted PC), he will be able to log in to the VPN without any restrictions.

Of course, if you only use certificate-based authentication, the user who has the proper certificate for an OpenVPN server is able to connect. So take care of your certificate and private key.

However, you can use combined SSL + User auth and assign a password to each user. So users need the password in addition to the certificate. The password is not stored in several OpenVPN clients.

erwintwr wrote:

          @viragomann:


Thx for the compliments - still at a learning stage though.

          I am assuming you are talking about the server mode under openvpn?

          Mine is currently set to SSL/TLS + User Auth, with Backend as Local database.

Users have been added under System (didn't add them to a group or give effective privileges though), but each has a different password.

Only issue is that I am allowed to connect to the OpenVPN using User1's certificates and User2's login details. Yes, User2 is not supposed to ever obtain User1's certificate.

Other option, although a step, is to password-protect the PKCS#12 file when doing the client export. This gives an additional password prompt once the VPN connection is initiated, which I guess is better protection for the certificates as well, should the laptop be compromised.

Just thought that there would be a tighter relation between the certificate used and the user authentication provided.

Any other ideas why this could be happening?

          thx

viragomann wrote:

Only issue is that I am allowed to connect to the OpenVPN using User1's certificates and User2's login details. Yes, User2 is not supposed to ever obtain User1's certificate.

            That's right. Unfortunately.
            I have never checked this out before.

I think the only workaround will be to force a client to a specific tunnel network by setting up a "Client Specific Override" rule for each user.
            So the client will be able to connect anyway, but will get the tunnel IP intended to have the correct privileges.

Derelict (Netgate) wrote:

              Is this on?

              Strict CN/User matching: When authenticating users, enforce a match between the common name of the client certificate and the username given at login.

              It's in the OpenVPN server settings.

viragomann wrote:
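To make the effect of that setting concrete, here is an added example (not pfSense's or OpenVPN's own code) of what the check amounts to: a stand-alone OpenVPN `auth-user-pass-verify` hook, in via-env mode, that accepts a login only when the password is valid and the username equals the Common Name of the client certificate. The user database, salts and passwords below are constructed for the demonstration; on pfSense the equivalent check is enabled by the "Strict User/CN Matching" checkbox and backed by the configured authentication server, not by a script like this.

```python
#!/usr/bin/env python3
"""Added example: an auth-user-pass-verify hook (via-env mode) that enforces
the same rule as pfSense's "Strict User/CN Matching" option: the login
username must equal the Common Name of the client certificate.
Illustrative code, not pfSense's or OpenVPN's own implementation."""
import hashlib
import hmac
import os
import sys


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-SHA256 hash of the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database: username -> (salt, password hash).
# A real backend would be pfSense's local database, RADIUS or LDAP.
_SALTS = {"user1": b"constructed-salt-1", "user2": b"constructed-salt-2"}
USERS = {
    "user1": (_SALTS["user1"], _pbkdf2("user1-secret", _SALTS["user1"])),
    "user2": (_SALTS["user2"], _pbkdf2("user2-secret", _SALTS["user2"])),
}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison of the supplied password against the stored hash."""
    entry = USERS.get(username)
    if entry is None:
        # Hash anyway so an unknown username costs the same time as a known one.
        _pbkdf2(password, b"constructed-dummy-salt")
        return False
    salt, stored = entry
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


def verify_login(username: str, password: str, common_name: str,
                 strict_cn: bool = True) -> bool:
    """Return True only if the password is valid and, when strict_cn is set,
    the certificate CN matches the username.  With strict_cn=False this
    reproduces the loophole from the thread: user2's password is accepted
    over user1's certificate."""
    if not check_password(username, password):
        return False
    if strict_cn and not hmac.compare_digest(username.encode(), common_name.encode()):
        # Record the mismatch so an attempt to reuse another user's
        # certificate is visible to whoever reads the server log.
        print(f"CN/user mismatch: cert CN={common_name!r} user={username!r}",
              file=sys.stderr)
        return False
    return True


def main() -> int:
    # In via-env mode OpenVPN passes these environment variables to the hook;
    # exposing the password this way requires 'script-security 3' on the server.
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    common_name = os.environ.get("common_name", "")
    return 0 if verify_login(username, password, common_name) else 1


if __name__ == "__main__":
    sys.exit(main())
```

A plain OpenVPN server would wire this in with `auth-user-pass-verify /path/to/verify.py via-env` plus `script-security 3` (the hypothetical path is assumed); a non-zero exit status rejects the connection. The point of the example is the second `if`: without it, the server has already accepted a certificate from the unrestricted CA and a valid password from a restricted user, and nothing ties the two together.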

                @Derelict:

                Strict CN/User matching

Yeah! I don't know why I haven't set this option before. I think I did not want to care that the CN in the cert equals the username.
                Thanks.

erwintwr wrote:

                  @Derelict:


                  EUREKA!!!

Yes, thank you - just tested, and it is working as described.

                  …

In other news, I need to go and have my eyes tested - can't believe that I missed the setting :o

                  Thx Derelict / Guys :)
