[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] re: windows-client auth-user-pass from file

  • Subject: Re: [Openvpn-users] re: windows-client auth-user-pass from file
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Mon, 14 Mar 2005 12:02:19 +0100 (CET)

Please don't top-post.

On Mon, 14 Mar 2005, Benjamin Adler wrote:

On Sun, 13 Mar 2005 22:37:05 +0100, Benjamin Adler wrote:

But my vpn clients don't really need to be that secure, and since the
client is started as a windows-service, I need the credentials-from-file

If your clients don't need to be that secure, why are you requiring a separate username and password to be entered and not sticking to certificate-only authentication?

There are two reasons:

- If there was only one cert, it could be freely copied and I would not know
which user was the leak.

- With only one cert, I cannot use client-specific configurations stored in
the ccd. Thus, I couldn't assign fixed ip addresses.

The reasons you give is for why you shouldn't use ony ONE certificate for all users. I'm pretty sure Charles didn't mean that. He ment that you should use a certificate to authenticate the un-attended machine instead of username/password.

Unfortunally OpenVPN can't accept EITHER a certificate or username/password, so what I would do I were you is that I'd run two instances of OpenVPN on the server.

One that accepts un-attendend machines using certificates only, where you don't encrypt the private key so the client machine does not have to provide any passphrase. In this case you could even import the cert/key to the MS CryptoStore, which makes it harder for an intruder to just copy a file containing the secrets needed to establish the OpenVPN tunnel.

and a second instance accepting users authenticating with username/password.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://openvpn.se/               / \   NO Word docs in e-mail

Openvpn-users mailing list