Netgate Discussion Forum
    How to Prevent user from copying certificate from one openvpn to another

    Scheduled Pinned Locked Moved OpenVPN
    12 Posts 7 Posters 4.3k Views
    secad000

      Is there any configuration that will allowed only one openvpn user per certificate in pfsense server?

    doktornotor Banned

        Yeah, there's this fine checkbox in the GUI. "Strict User/CN Matching"

    secad000

    I tried to install the OpenVPN client from the pfSense package on one PC (pc1); likewise I installed the OpenVPN client on another PC (pc2), but this time using the installer downloaded from the OpenVPN site. The problem is that when I copy the certificate from pc1 and paste it to pc2, it connects to my pfSense server. pc2 acts like pc1 because they have the same certificate. My question is, how do I prevent it? I already tried the suggestion above but it doesn't work.

    doktornotor Banned

    Prevent what? A legit user with a legit cert and legit password from connecting? Disable the server or revoke the certificate. Otherwise, kindly clarify what your "problem" is.

    johnpoz LAYER 8 Global Moderator

    Create different certs for all your users and have them use the correct cert. Not sure what your issue is exactly? Agree with dok: if a user has a valid cert, valid username and password, why would they not connect if those creds and certs are used on any computer, etc.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

    2chemlud Banned

                In principle this self-signed cert nonsense is a hack of the intended security system of certs. I would like to use my qualified certificate and a safe card-reader to establish openVPN connection, but I didn't go for that yet.

                Is there some kind of tutorial?

    Does the openVPN client accept Windows middleware to access certificates?

    doktornotor Banned

                  @2chemlud:

                  In principle this self-signed cert nonsense is a hack of the intended security system of certs. I would like to use my qualified certificate

                  Uh.. So that anyone who gets a certificate issued by a CA that issues millions of certificates and who gets hold of someone's credentials could connect? That's a huge security improvement indeed. Not sure what to say…

                  The rest has nothing to do with pfSense.

    2chemlud Banned

                    Yeah! By far more secure to have the cert created (!) and stored in my obscure router box… Not sure how anyone should get the PIN for my qual. cert out of my head, but... maybe you are right, as usual!

                    How to use a qual. certificate in pfSense has nothing to do with pfSense? As so often a very interesting perspective on the issue. But I should get used to that after so much time on this "forum"...

    doktornotor Banned

                      Way to miss the point. To quote the fine OpenVPN docs:

                      Important Note on the use of commercial certificate authorities (CAs) with OpenVPN
    It should be noted that OpenVPN's security model in SSL/TLS mode is oriented toward users who will generate their own root certificate, and hence be their own CA. In SSL/TLS mode, OpenVPN authenticates its peer by checking that the peer-supplied certificate was signed by the CA certificate specified in the --ca option. Like the SSL-based secure web, the security of OpenVPN's SSL/TLS mode rests on the infeasibility of forging a root certificate signature.

    This authentication procedure works perfectly well if you have generated your own root certificate, but presents a problem if you wish to use the root certificate of a commercial CA such as Thawte. If, for example, you specified Thawte's root certificate in the --ca option, any certificate signed by Thawte would now be able to authenticate with your OpenVPN peer -- certainly not what you would want.

    You should have a damn good clue of what you are doing when using third-party CAs! However, apparently the OP has not even thought about checking the username against the certificate's CN. Ugh. Free-for-all VPN, anyone? ::)

    jimp Rebel Alliance Developer Netgate

    Use your own CA, check Strict User/CN, don't allow duplicate connections, and be sure to set up a CRL and revoke any certificate that gets compromised.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

    SisterOfMercy

                          I had the same problem, users copying the client certificate to each other.

                          I have it set up in a different way. I use one OpenVPN client cert, which is valid for a very long time. If you want to connect it asks for your username and password, which is their default AD user/password combination. With those smartphone and tablet clients you can select to keep the password. So everyone can still share the same cert, but it uses their own account info. So when somebody is messing things up I can just set a new password on their AD account. Of course that user needs a couple of volts across the temples, but I can sort that out later.

                          Hi, I'm Lance Boyle, and people often wonder if I'm real.

    Darkk

    Not really sure what the issue is with certificates in OpenVPN. The main purpose is to validate the connection between the user and the server. If you set it up to require the user to put in their current password, to be checked against a RADIUS server, I don't see what the issue is.

    I've set up the commercial OpenVPN AS server that way. As long as the user has a valid and active account in Active Directory it doesn't matter. It's really the administrator's responsibility to make sure the AD accounts of any employees who are terminated are disabled.

    In this case with pfSense it's the same thing. You still have to make sure the accounts in pfSense are disabled.

                            Restricting the users to one connection is one way to make sure nobody is sharing the same certificate and user account password.

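A constructed model of how the server-side settings jimp lists (own CA with a CRL, Strict User/CN Matching, no duplicate connections) and the one-connection-per-user point in Darkk's post change what a copied certificate can do; this is added illustration, not pfSense or OpenVPN code, and the usernames and serials are made up:

```python
from dataclasses import dataclass, field


@dataclass
class Attempt:
    username: str      # name typed at login
    cert_cn: str       # Common Name of the presented client certificate
    cert_serial: str   # serial of that certificate (constructed values)


@dataclass
class ServerPolicy:
    """Models the three server-side knobs discussed in the thread (not the real implementation)."""
    strict_user_cn: bool = True        # pfSense "Strict User/CN Matching"
    allow_duplicate_cn: bool = False   # pfSense "Duplicate Connections" (OpenVPN duplicate-cn)
    revoked_serials: set = field(default_factory=set)  # serials listed on the CRL
    active_cns: set = field(default_factory=set)       # CNs that currently hold a session
    dropped: list = field(default_factory=list)        # sessions displaced by a same-CN login

    def check(self, a: Attempt) -> tuple[bool, str]:
        if a.cert_serial in self.revoked_serials:
            return False, "certificate revoked (CRL)"
        if self.strict_user_cn and a.username != a.cert_cn:
            return False, f"username {a.username!r} does not match cert CN {a.cert_cn!r}"
        if a.cert_cn in self.active_cns and not self.allow_duplicate_cn:
            # OpenVPN without duplicate-cn drops the *existing* session rather than
            # refusing the new one, so the legitimate owner being kicked off is the
            # visible symptom of a shared certificate.
            self.dropped.append(a.cert_cn)
        self.active_cns.add(a.cert_cn)
        return True, "accepted"


def copied_cert_scenario(strict: bool, allow_dup: bool) -> list[str]:
    """pc1 owns alice's cert; pc2 has a copy of it (the situation from the first post)."""
    srv = ServerPolicy(strict_user_cn=strict, allow_duplicate_cn=allow_dup)
    pc1 = Attempt("alice", "alice", "1001")
    pc2_alice_creds = Attempt("alice", "alice", "1001")   # copied cert plus alice's password
    pc2_bob_creds = Attempt("bob", "alice", "1001")       # copied cert plus bob's own password
    results = [srv.check(x)[1] for x in (pc1, pc2_alice_creds, pc2_bob_creds)]
    results.append(f"dropped sessions: {srv.dropped}")
    srv.revoked_serials.add("1001")                      # admin revokes the shared cert
    results.append(srv.check(pc1)[1])
    return results
```

With the lax policy (strict off, duplicates allowed) every attempt is accepted, which is exactly what the first post observed; with jimp's settings the shared cert can only ever serve one session under its own username, and revocation ends even that.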
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.