How to prevent a user from copying a certificate from one OpenVPN client to another

  • Is there any configuration that will allow only one OpenVPN user per certificate on a pfSense server?

  • Banned

    Yeah, there's this fine checkbox in the GUI. "Strict User/CN Matching"

  • I tried to install the OpenVPN client from the pfSense package on one PC (pc1); likewise I installed the OpenVPN client on another PC (pc2), but this time using the installer downloaded from the OpenVPN site. The problem is that when I copy the certificate from pc1 and paste it onto pc2, it connects to my pfSense server. pc2 acts like pc1 because they have the same certificate. My question is, how do I prevent it? I already tried the suggestion above but it doesn't work.

  • Banned

    Prevent what? Legit user with legit cert and legit password from connecting? Disable the server or revoke the certificate. Otherwise, kindly clarify what's your "problem".

  • LAYER 8 Global Moderator

    Create different certs for all your users and have them use the correct cert. Not sure what your issue is exactly? Agree with dok - if a user has a valid cert, valid username and password, why would they not connect if I use those creds and certs on any computer, etc.

  • Banned

    In principle this self-signed cert nonsense is a hack of the intended security system of certs. I would like to use my qualified certificate and a safe card reader to establish an OpenVPN connection, but I didn't go for that yet.

    Is there some kind of tutorial?

    Does the OpenVPN client accept Windows middleware to access certificates?

  • Banned

    "In principle this self-signed cert nonsense is a hack of the intended security system of certs. I would like to use my qualified certificate"

    Uh.. So that anyone who gets a certificate issued by a CA that issues millions of certificates and who gets hold of someone's credentials could connect? That's a huge security improvement indeed. Not sure what to say…

    The rest has nothing to do with pfSense.

  • Banned

    Yeah! By far more secure to have the cert created (!) and stored in my obscure router box… Not sure how anyone should get the PIN for my qual. cert out of my head, but... maybe you are right, as usual!

    How to use a qual. certificate in pfSense has nothing to do with pfSense? As so often a very interesting perspective on the issue. But I should get used to that after so much time on this "forum"...

  • Banned

    Way to miss the point. To quote the fine OpenVPN docs:

    Important Note on the use of commercial certificate authorities (CAs) with OpenVPN

    It should be noted that OpenVPN's security model in SSL/TLS mode is oriented toward users who will generate their own root certificate, and hence be their own CA. In SSL/TLS mode, OpenVPN authenticates its peer by checking that the peer-supplied certificate was signed by the CA certificate specified in the --ca option. Like the SSL-based secure web, the security of OpenVPN's SSL/TLS mode rests on the infeasibility of forging a root certificate signature.

    This authentication procedure works perfectly well if you have generated your own root certificate, but presents a problem if you wish to use the root certificate of a commercial CA such as Thawte. If, for example, you specified Thawte's root certificate in the --ca option, any certificate signed by Thawte would now be able to authenticate with your OpenVPN peer -- certainly not what you would want.

    You should have a damn good clue of what you are doing when using third-party CAs! However, apparently the OP has not even thought about checking the username against the certificate's CN. Ugh. Free-for-all VPN, anyone?  ::)

  • Rebel Alliance Developer Netgate

    Use your own CA, check Strict User/CN, don't allow duplicate connections, and be sure to set up a CRL and revoke any certificate that gets compromised.
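    Taken together, the controls in this reply (own CA, strict user/CN matching, no duplicate connections, a CRL) and the copied-certificate scenario the OP describes above amount to one admission check on the server side. The block below is an added illustration written for this thread, not pfSense's auth script or OpenVPN code; the client names, certificate serials and session table are constructed sample data.

```python
# Added illustration of the server-side admission policy: NOT pfSense's
# auth script or OpenVPN code. Names, serials and sessions are constructed.
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    common_name: str   # CN of the client certificate
    serial: str        # certificate serial, as listed in the CRL


@dataclass
class ServerPolicy:
    strict_user_cn: bool = True        # pfSense "Strict User/CN Matching"
    allow_duplicate_cn: bool = False   # OpenVPN 'duplicate-cn' left off
    revoked_serials: set = field(default_factory=set)  # serials in the CRL
    active_cns: set = field(default_factory=set)       # CNs connected now

    def admit(self, username: str, password_ok: bool, cert: ClientCert):
        """Decide one connection attempt; returns (accepted, reason)."""
        if cert.serial in self.revoked_serials:
            return False, "certificate revoked"
        if not password_ok:
            return False, "bad username/password"
        if self.strict_user_cn and username != cert.common_name:
            return False, "username does not match certificate CN"
        if not self.allow_duplicate_cn and cert.common_name in self.active_cns:
            return False, "certificate already has an active session"
        self.active_cns.add(cert.common_name)
        return True, "accepted"

    def disconnect(self, cert: ClientCert) -> None:
        self.active_cns.discard(cert.common_name)


def demo() -> list:
    """Replay the thread's scenario: pc2 reuses a cert copied from pc1."""
    policy = ServerPolicy()
    pc1_cert = ClientCert("pc1", "1A")          # constructed sample cert
    results = []
    # pc1's owner connects normally.
    results.append(policy.admit("pc1", True, pc1_cert)[0])
    # pc2 presents the copied cert with its own account: CN mismatch.
    results.append(policy.admit("pc2", True, pc1_cert)[0])
    # pc2 also knows pc1's password: blocked only as a duplicate session.
    results.append(policy.admit("pc1", True, pc1_cert)[0])
    # Once the cert is revoked via the CRL, even its owner is refused.
    policy.disconnect(pc1_cert)
    policy.revoked_serials.add("1A")
    results.append(policy.admit("pc1", True, pc1_cert)[0])
    return results   # [True, False, False, False]
```

    Note that the third attempt is refused only while pc1's own session is up; once pc1 disconnects, the copied cert plus pc1's password would be accepted, which is why revocation is the only durable fix.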

  • I had the same problem, users copying the client certificate to each other.

    I have it set up in a different way. I use one OpenVPN client cert, which is valid for a very long time. If you want to connect it asks for your username and password, which is their default AD user/password combination. With those smartphone and tablet clients you can select to keep the password. So everyone can still share the same cert, but it uses their own account info. So when somebody is messing things up I can just set a new password on their AD account. Of course that user needs a couple of volts across the temples, but I can sort that out later.

  • Not really sure what the issue is with certificates with OpenVPN. The main purpose is to validate the connection between the user and server. If you set it up to require the user to put in the current password to be checked against a RADIUS server, I don't see what the issue is.

    I've set up the commercial OpenVPN AS server that way. As long as the user has a valid and active account in Active Directory it doesn't matter. It's really the administrator's responsibility to make sure any employee who is termed has their accounts in AD disabled.

    In this case with pfSense it's the same thing. You still have to make sure the accounts in pfSense are disabled.

    Restricting the users to one connection is one way to make sure nobody is sharing the same certificate and user account password.
