OpenVPN - auth settings clarification

martinr

In the OpenVPN server settings (Advanced), there are 2 authentication settings. I'd like to clarify I understand them.

This is how I interpret it:

A username-password (U/P) pair can be used as a second factor, as well as certificates, to authenticate server to client and vice versa (U/P Auth ON; U/P Auth Only OFF). (I'm not sure if vice versa is true - auth of client to server - but that's a distraction.)

On the other hand, if U/P Auth Only is set to ON, no certificates are used, only the Username-password pair in what would then be single factor Auth. And if Username-password authentication is NOT selected, then ONLY certificates will be used, on their own, in single-factor authentication.

So the strongest authentication would be U/P Auth ON with U/P Auth Only OFF, that way certificates AND usernames-password pairs are needed.

Is my understanding correct?
That looks correct to me, though I'm not 100% familiar with the username/pass support, as that was added by Asus on top of my code.
 
This is interesting. I've never used the server but as a client VPN providers today typically use all 4 certs/keys and no user/pass. That may be so that somebody could share ovpn configs with friends/family but still not have to give away their password.
 
Purely key/certs based authentication is the "cleanest" implementation, each client having his own keypair.

 
That looks correct to me, though I'm not 100% familiar with the username/pass support, as that was added by Asus on top of my code.

Many thanks, Merlin. After posting, I realised I could have delved deeper, so I generated 3 .ovpn config files to cover all username-password authentication (UPA) possibilities:

1. UPA only (UPA on; UPA Only on) i.e. no key pairs.

2. UPA together with key pairs (UPA on; UPA Only off).

3. No UPA, "just" key pairs (UPA off).

The config files confirm:

When authentication is only by username and password, only the Certificate Authority certificate (to verify the server to the client) is included.

In the other 2 cases, where key pairs are needed (no UPA, and UPA as well as key pairs), not only is the CA cert present in the config file, but also included are the client's certificate and the client's private key.

Whilst trying to make sense of this side of the crypto, I came across

http://security.stackexchange.com/q...n-require-securely-sharing-certs-with-clients

which was somewhat helpful:

CA cert: "Publicly disposable, this is the certificate for your VPN's certificate authority. It can be shared with anybody and allows the client to verify the VPN server."

Client cert: "This is a certificate identifying the client. It was signed by the client's private key and then that was signed by the CA's key."

Client private key: ".... it was generated on the server for convenience so that the client certificate could be signed by the key there and then signed by the CA key. The private key could be generated and kept on the client without the server ever seeing it, but that would make the process a lot more complex. "

[If anyone can recommend a good source on such crypto that assumes minimal prior knowledge - and with plenty of illustrative diagrams (a picture's worth a thousand words) - I'd be grateful to know of it.]
 
Hello martinr,

If anyone can recommend a good source on such crypto that assumes minimal prior knowledge - and with plenty of illustrative diagrams (a picture's worth a thousand words) - I'd be grateful to know of it.

It depends on what exactly you want/need.
For general crypto purposes, I recommend some topics:

If you use OpenVPN's user-pass auth, be sure to include the CA's cert in the client configuration! Without the CA's cert you will be vulnerable to a man-in-the-middle attack, because the client will not be able to confirm the server's cert.

Based on the OpenVPN site (https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage), the user-pass auth uses a script to check the user/pass. I don't know if there is brute-force protection (what happens if someone tries to authenticate using a brute-force attack or dictionary attack?).

If security is important to you, I recommend that you:
1- Use the key pair to authenticate the client.
2- Protect the client's private key with a password (when the private key is protected/encrypted, the OpenVPN client GUI will request the password).

So the client will need to have the key/cert AND a password to open the client's private key.
 
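The thread's two practical points, the three profile shapes martinr observed in the generated .ovpn files (CA only; CA plus client cert and key; and the same with or without auth-user-pass) and the warning above that a profile with no CA cert cannot verify the server, can be checked mechanically. The script below is an added example written for this thread; it is not Asus or OpenVPN code. It scans a client profile for the inline <ca>/<cert>/<key> blocks and the auth-user-pass directive, reports which of the three modes the profile represents, and flags two things a defender would want to know: a missing CA certificate, and a client private key that is not password-protected (the second recommendation above). The sample profiles and PEM bodies are constructed placeholders, and the hostname vpn.example.invalid is assumed.

```python
"""Classify the authentication mode of an OpenVPN client profile (.ovpn).

Added example for this thread; not code from the router firmware or from
OpenVPN. Sample profiles below are constructed, with placeholder PEM bodies.
"""
import re

# Matches an inline PEM block such as <ca>...</ca>; re.S lets "." span newlines.
INLINE_BLOCK = re.compile(r"<(ca|cert|key)>(.*?)</\1>", re.S)


def parse_profile(text):
    """Return (blocks, directives) for an OpenVPN client profile.

    blocks maps each inline block name to its PEM body; directives is the set
    of leading keywords on the remaining non-comment lines. A 'ca', 'cert' or
    'key' directive that points at a file is recorded as a block with an empty
    body, so file-based and inline profiles classify the same way.
    """
    blocks = {name: body for name, body in INLINE_BLOCK.findall(text)}
    directives = set()
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        directives.add(line.split()[0])
    for name in ("ca", "cert", "key"):
        if name in directives:
            blocks.setdefault(name, "")
    return blocks, directives


def classify(text):
    """Map a profile to one of the three cases discussed in the thread."""
    blocks, directives = parse_profile(text)
    has_userpass = "auth-user-pass" in directives
    has_keypair = "cert" in blocks and "key" in blocks
    if has_userpass and has_keypair:
        return "username/password plus client key pair"
    if has_userpass:
        return "username/password only"
    if has_keypair:
        return "client key pair only"
    return "no client authentication material"


def key_is_encrypted(pem):
    # Both traditional ("Proc-Type: 4,ENCRYPTED") and PKCS#8
    # ("BEGIN ENCRYPTED PRIVATE KEY") password-protected keys carry this marker.
    return "ENCRYPTED" in pem


def findings(text):
    """Return stable warning codes for the risks raised in the thread."""
    blocks, _ = parse_profile(text)
    warnings = []
    if "ca" not in blocks:
        # Without the CA cert the client cannot verify the server: MITM exposure.
        warnings.append("missing-ca")
    if blocks.get("key") and not key_is_encrypted(blocks["key"]):
        warnings.append("unencrypted-key")
    return warnings


# Constructed sample profiles. PEM bodies are placeholders, not real material.
CA_BLOCK = "<ca>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n</ca>\n"
CERT_BLOCK = "<cert>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT\n-----END CERTIFICATE-----\n</cert>\n"
PLAIN_KEY_BLOCK = "<key>\n-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----\n</key>\n"
ENC_KEY_BLOCK = "<key>\n-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END ENCRYPTED PRIVATE KEY-----\n</key>\n"
HEADER = "client\ndev tun\nremote vpn.example.invalid 1194\n"

PROFILE_UP_ONLY = HEADER + "auth-user-pass\n" + CA_BLOCK
PROFILE_TWO_FACTOR = HEADER + "auth-user-pass\n" + CA_BLOCK + CERT_BLOCK + ENC_KEY_BLOCK
PROFILE_KEYS_ONLY = HEADER + CA_BLOCK + CERT_BLOCK + PLAIN_KEY_BLOCK
PROFILE_NO_CA = HEADER + "auth-user-pass\n"  # the MITM-prone case from the thread


def report(name, text):
    return f"{name}: {classify(text)}; warnings: {findings(text) or 'none'}"


if __name__ == "__main__":
    for name, text in (("up-only", PROFILE_UP_ONLY), ("two-factor", PROFILE_TWO_FACTOR),
                       ("keys-only", PROFILE_KEYS_ONLY), ("no-ca", PROFILE_NO_CA)):
        print(report(name, text))
```

Run it against a real exported profile by reading the file into `classify` and `findings`; a profile that reports "missing-ca" should not be distributed to clients, whatever its mode.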