VPN to server from public computer with cert in USB drive?
I just got an OpenVPN server set up on my PfSense box at home and clients set up on my laptop and phone. This is really cool.
Now, let's say that I don't want to take my laptop to school one day, and use one of the public Windows 7 computers. I am not willing to switch the server to password-only. Is there any way I can put my certificate into a USB drive and be able to plug into the public computer to get access to my server?
…Or is the only solution to log in with a username and password from a public computer?
Giving any public computer access to your credentials - either by typing them or by letting it have access to the private key file(s) or both is a dicey proposition no matter how you do it. Multiple factors can help mitigate the risk, but who wants their password and private key out there?
The safest option - if you absolutely must - is probably rebooting into a live CD with multi-factor enabled on the OpenVPN server. Or using your smart phone (another trusted device).
I don't know if the (presumably windows) OpenVPN client has a thumb-drive mode. Sort of doubt it.
That's what I was thinking. But I am wondering how military people are able to use their smart cards (which have certificates loaded on) to access certain websites on any computer? I'd like to see if there is a way to do something like that.
…Or I can just take my laptop with me... :P
A "smart card" never lets the private key out. It performs the crypto operations onboard. The host has no access to the key.
With your typical OpenVPN installation, your private key is just a file. Perhaps password protected, but in-the-clear for the host to snag when connecting.
The problem with the tokens/smart cards is operating system support. You can get it working but it usually requires drivers, client support, etc. It's really a downer the industry couldn't cooperate and come up with something universal and open.