OpenVPN - Radius Question



  • Hello,
    I am setting up an OpenVPN server and I'm going to use RADIUS.

    I am following this guide: https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

    In the attached screenshot is a section of the above guide.
    My question is about those methods of authentication, "MSCHAP-V2, MSCHAP". Haven't these protocols already been broken and hacked?

    So I am setting up a secure OpenVPN server, but when the client sends the creds through the tunnel, it will be using the above protocols to authenticate?
    Do I not need to worry about this since the OpenVPN tunnel is using an AES-256 encryption algorithm?

    Or do I have the wrong thinking?
    Thank You
    ![pfsense Picture.jpg](/public/imported_attachments/1/pfsense Picture.jpg)



  • Hate to do it.

    Bump…


  • Rebel Alliance Developer Netgate

    In this case your worry is not with OpenVPN itself, that would still encrypt the authentication, but with the traffic between pfSense and the RADIUS server since RADIUS is sent in the clear. If that leg is secure you shouldn't have much to worry about.

    The way MSCHAPv2 is used by PPTP and WPA2-Enterprise makes it easy to compromise those protocols, but OpenVPN is a much different animal.
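
What "RADIUS is sent in the clear" means for the pfSense-to-RADIUS leg, as an added example that is not part of the thread: it builds a constructed Access-Request carrying MS-CHAPv2 attributes (layout per RFC 2865 and RFC 2548) and lists what anyone on that network segment can read without knowing the shared secret. The user name, NAS address and challenge/response bytes are made-up sample values, and the function names are hypothetical.

```python
import struct

MS_VENDOR_ID = 311  # Microsoft vendor ID used by the RFC 2548 attributes
VSA_NAMES = {11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def ms_vsa(vendor_type, data):
    """Wrap data in a Vendor-Specific (type 26) attribute for Microsoft."""
    return attr(26, struct.pack("!IBB", MS_VENDOR_ID, vendor_type, len(data) + 2) + data)

def build_sample_request():
    """Constructed Access-Request (code 1); every value here is sample data."""
    attrs = (attr(1, b"alice")                      # User-Name
             + attr(4, bytes([192, 0, 2, 1]))       # NAS-IP-Address
             + ms_vsa(11, bytes(range(16)))         # 16-byte challenge
             + ms_vsa(25, bytes([1, 0]) + b"\xaa" * 16 + bytes(8) + b"\xbb" * 24))
    header = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16)
    return header + attrs

def visible_fields(packet):
    """Return the fields a passive observer reads with no shared secret."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    out, pos = {"code": code}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        if atype == 1:
            out["User-Name"] = value.decode("utf-8", "replace")
        elif atype == 26 and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == MS_VENDOR_ID and vtype in VSA_NAMES:
                out[VSA_NAMES[vtype]] = value[6:4 + vlen].hex()
        pos += alen
    return out

if __name__ == "__main__":
    for name, val in visible_fields(build_sample_request()).items():
        print(f"{name}: {val}")
```

Everything the parser returns is readable on the wire, which is why that leg needs to sit on a trusted segment or inside its own encrypted transport.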