Cert. management and authentication questions (Stunnel/OpenVPN noob)

  • I need to get to grips with OpenVPN and Stunnel (for remote access and web server SSL-ing). I understand most of the setup but a couple of basic areas still confuse me. I want to understand the practical implications of their certificate management and server-client authentication a bit better.

    My system:
    Simple pfSense router ( with a few Windows 8.1 LAN clients on an unmanaged switch, and a public static /28 subnet.  Currently using IPv4 only.  There are no domains, no VLANs, and no WINS or DNS services, the only network services are pfSense's DHCP server, Windows file/printer sharing, and a lightweight HTTP based web server on one machine.  Neither the public nor private IPs use DNS registration or dynamic DNS, I'm comfortable just using pure DHCP and IPs, apart from client host names for LAN file sharing. These are the areas I would like to ask for help understanding - sorry if it's a muddle!

    • What exact certificates, keys, and CAs do I need to set up, where do I store each, and what vulnerabilities are exposed by these different types of certificate or key, if improperly obtained.

    • I've come across a "signing key", I think, but where does that fit in?

    • What are the appropriate "good practices and precautions" for managing these certificates and CAs.  Meaning, which ones are stored "plain" on a public facing server or my laptop, which are stored "plain" using standard FreeBSD/pfSense security (if they are obtained it means router security was already compromised), and which ones do I store offline on a USB stick or dedicated non-networked laptop.

    • Should any be encrypted as well as in a secure location?  Would I have to enter the decryption passphrase every session, every boot, or only rarely?  (I'm partly thinking of practicality + convenience, as I move between networks or close the laptop for 30 mins and then resume; do I need to reauthenticate or re-enter the password each time?)

    • Do I have to specify exact IP address(es) on any certificates? I don't need end-points checked against a "valid" list, since I will already know what IP I entered, provided that the traffic between end-points is reasonably secure against sniffing/logging/MITM, and the matching certs confirm I'm actually connected to the endpoint intended and not some fake Wifi spoofing its IP :)

    • I'm pretty hazy on how the end-points actually validate the (self-signed) cert chain generally.  I'm also hazy about how the self-created CA is used and how it fits into this.  I'm connecting directly to an endpoint IP in this case rather than a domain.  Wouldn't mere possession of the two matching certificates (by the router/client) combined with a connection passphrase, be sufficient for 2 factor validation? What does the self-created CA add to it?  Do I need to install any self-created root authority on the client laptop, for the certificates I'm creating, so the laptop can directly authenticate the cert used to sign incoming traffic?

    Thank you, the help and time is very appreciated!  I need to get VPN and Stunnel working before going away for Christmas, and after much Googling, this what's left :)

Log in to reply