Netgate Discussion Forum
    OpenVPN - Roadwarrior Restricted / Unrestricted

    7 Posts 3 Posters 1.8k Views

    erwintwr

      Hi guys

      I have to start my sentence with - I am very, very new to setting up a secure VPN. But I really hope somebody can assist.
      Running pfSense 2.1.3-RELEASE (amd64).

      My goal is to set up OpenVPN connections where some users are allowed full access to the internal LAN, and some users partial access (e.g. some servers blocked). Using a few guides around, I ended up with the following configuration:

      • Two CAs with signed server certificates (let's call them Restricted CA and Unrestricted CA)

      • User certificates created, signed by either the Restricted CA or the Unrestricted CA

      • Installed the OpenVPN client export utility

      • Created two OpenVPN servers using the wizard (using separate ports and CA certificates)

      • Each server gives a separate tunnel network/subnet, as this allows me to create firewall rules blocking access from the restricted network to the LAN

      • Using the client export wizard, I exported installation files for each user (Restricted and Unrestricted)

      • So far so good. Installing the clients and testing gives me the results I was looking for

      But then the problem occurred. Since I was testing with both client installations on one PC, both sets of certificates were loaded, which showed me a possible loophole.

      User2 (Restricted) is able to use the OpenVPN configuration installed for User1 and log in using User2's login details... ouch

      Thus if User2 (Restricted) is able to obtain the installation files intended for a Restricted user (or for that matter copy the OpenVPN config folder from an unrestricted PC), he will be able to log in to the VPN without any restrictions.

      I know security is only as good as the access provided to the PC in question, but I was wondering if there was a way via configuration to make sure this doesn't happen? E.g. a local user should only be allowed to authenticate using his/her own certificate?

      If any details specific to the configuration are needed, please let me know.

      Thx guys!!

      Neo_X


      viragomann

        > I have to start my sentence with - I am very, very new to setting up a secure VPN. But I really hope somebody can assist.

        You have a profound knowledge of OpenVPN for a newbie. Congratulations! :)

        > User2 (Restricted) is able to use the OpenVPN configuration installed for User1 and log in using User2's login details... ouch

        > Thus if User2 (Restricted) is able to obtain the installation files intended for a Restricted user (or for that matter copy the OpenVPN config folder from an unrestricted PC), he will be able to log in to the VPN without any restrictions.

        Of course, if you only use certificate-based authentication, the user who has the proper certificate for an OpenVPN server is able to connect. So take care of your certificate and private key.

        However, you can use combined SSL + User Auth and assign a password to each user. So users need the password in addition to the certificate. The password is not stored in the various OpenVPN clients.


        erwintwr

          @viragomann:

          > > I have to start my sentence with - I am very, very new to setting up a secure VPN. But I really hope somebody can assist.
          >
          > You have a profound knowledge of OpenVPN for a newbie. Congratulations! :)
          >
          > > User2 (Restricted) is able to use the OpenVPN configuration installed for User1 and log in using User2's login details... ouch
          >
          > > Thus if User2 (Restricted) is able to obtain the installation files intended for a Restricted user (or for that matter copy the OpenVPN config folder from an unrestricted PC), he will be able to log in to the VPN without any restrictions.
          >
          > Of course, if you only use certificate-based authentication, the user who has the proper certificate for an OpenVPN server is able to connect. So take care of your certificate and private key.
          >
          > However, you can use combined SSL + User Auth and assign a password to each user. So users need the password in addition to the certificate. The password is not stored in the various OpenVPN clients.

          Thanks for the compliments - still at a learning stage though.

          I am assuming you are talking about the server mode under OpenVPN?

          Mine is currently set to SSL/TLS + User Auth, with the backend as Local Database.

          Users have been added under System (didn't add them to a group or give effective privileges though), but each has a different password.

          The only issue is that I am allowed to connect to the OpenVPN using User1's certificates and User2's login details. Yes, User2 is not supposed to ever obtain User1's certificate.

          The other option, although a schlep, is to password-protect the PKCS#12 file when doing the client export. This gives an additional password prompt once the VPN connection is initiated, which I guess is better protection for the certificates as well, should the laptop be compromised.

          I just thought that there would be a tighter relation between the certificate used and the user authentication provided.

          Any other ideas why this could be happening?

          Thanks


          viragomann

            > The only issue is that I am allowed to connect to the OpenVPN using User1's certificates and User2's login details. Yes, User2 is not supposed to ever obtain User1's certificate.

            That's right. Unfortunately.
            I have never checked this out before.

            I think the only workaround will be to force a client onto a specific tunnel network by setting up a "Client Specific Override" rule for each user.
            So the client will be able to connect anyway, but will get the tunnel IP intended to have the correct privileges.


            Derelict (LAYER 8, Netgate)

              Is this on?

              Strict CN/User matching: When authenticating users, enforce a match between the common name of the client certificate and the username given at login.

              It's in the OpenVPN server settings.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)
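The setting Derelict points at closes exactly the gap erwintwr found: with SSL/TLS + User Auth, the certificate check and the password check are independent, so any valid certificate plus any valid username/password pair is accepted unless the server also requires the certificate's common name to equal the username. pfSense enforces this inside its own auth script; the script below is an added illustration of the same check for a stock OpenVPN server, not pfSense's code. It assumes the server is configured with `auth-user-pass-verify /etc/openvpn/auth-cn-match.sh via-env` and `script-security 3`, so that OpenVPN hands the script the `username`, `password` and client-certificate `common_name` in its environment; the credential list is a constructed stand-in for a real backend.

```shell
#!/bin/sh
# auth-cn-match.sh: OpenVPN auth-user-pass-verify script (via-env) that
# implements "strict CN/user matching": the X.509 common name of the client
# certificate must equal the username entered at login, so User1's
# certificate cannot be paired with User2's password.
# Added example, not pfSense's own auth script. Assumed server.conf lines:
#   auth-user-pass-verify /etc/openvpn/auth-cn-match.sh via-env
#   script-security 3

# Constructed demo credential store, one "user:password" per line.
# A real deployment would query its backend (local DB, LDAP, RADIUS) instead.
DEMO_USERS="user1:secret1
user2:secret2"

# check_password USER PASS -> 0 if the pair exists in DEMO_USERS, 1 otherwise.
check_password() {
    printf '%s\n' "$DEMO_USERS" | grep -qxF "$1:$2"
}

# check_cn_match USER CN -> 0 only if both are non-empty and identical.
# This is the check that separates "any valid cert + any valid password"
# from "this user's cert + this user's password".
check_cn_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# authorize USER PASS CN -> 0 to accept the login, 1 to reject it.
authorize() {
    check_password "$1" "$2" || return 1
    check_cn_match "$1" "$3" || return 1
    return 0
}

# When OpenVPN invokes the script, the values arrive in the environment.
# Exit status 0 accepts the client; anything else rejects it and is logged.
if [ -n "${username:-}" ]; then
    if authorize "$username" "${password:-}" "${common_name:-}"; then
        exit 0
    fi
    echo "auth-cn-match: rejected user '$username' with certificate CN '${common_name:-}'" >&2
    exit 1
fi
```

With this in place the scenario from the first post fails closed: `common_name=user1` together with `username=user2` is rejected even though User2's password is correct, and the rejection line in the OpenVPN log is the signal a defender would watch for when exported client bundles are suspected of having been shared.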


              viragomann

                @Derelict:

                > Strict CN/User matching

                Yeah! I don't know why I haven't set this option before. I think I did not want to have to ensure that the CN in the cert equals the username.
                Thanks.


                erwintwr

                  @Derelict:

                  > Is this on?
                  >
                  > Strict CN/User matching: When authenticating users, enforce a match between the common name of the client certificate and the username given at login.
                  >
                  > It's in the OpenVPN server settings.

                  EUREKA!!!

                  Yes, thank you - just tested, and it is working as described.

                  …

                  In other news, I need to go and have my eyes tested - can't believe that I missed the setting :o

                  Thanks Derelict / guys :)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.