Possible? OpenVPN server requiring both certificate- AND password-based login (via Tomato router firmware)

Solution 1:

The OpenVPN feature you're looking for, which will allow the server to authenticate clients based on both their certificate and a credential, is auth-user-pass-verify. This feature allows the server to pass the username/password provided by the remote user to a script that performs the authentication. At that point you can validate the credentials against anything you want-- PAM, RADIUS, LDAP, smoke signals, etc.

I know nothing about the "Tomato" firmwares, so I'm not even going to attempt to give you a step-by-step here. I did some quick searching and I suspect you could use the OpenVPN "Custom Configuration" option to include an auth-user-pass-verify reference. You'll need a script to perform the authentication.

Do some searching and I suspect you'll find "Tomato"-specific references.

Solution 2:

auth-user-pass-verify is the right thing to do. In addition, you can force the auth-user username to be the certificate's CN, and you can also force OpenVPN to allow only one connection per cert at a time.

That way a "mimic" has to have the right username matching the cert's CN and the right password, and he has to log on at a time the real owner doesn't.

In addition, you may think about an IDS; depending on which one you choose, you can even narrow it down there, like allowed external IP ranges, logon times and so on.

Any exposed cert should be revoked immediately. The signing server should be off-net (transfer keys by USB); then you have really tight, secure access.

And no, you should not password-protect a cert.

  1. Easy to brute-force.
  2. You cannot lock out a user (the cert password is offline only).
  3. People lose their passwords all the time, forcing you to revoke and recreate a cert every time; big risk of having a lot of certs out there where you maybe sometimes forget to revoke.

But if you really want, you can use auth-user and a cert password at the same time; there will be no fallback or anything.

First OpenVPN will use the cert password to decrypt the private key to establish a connection, then auth-user kicks in server-side; if the credentials are wrong, you're out.

However, if an attacker gets the regular credentials you're already in trouble, and chances are high he got the cert password too.

So I don't see a real benefit here, just a lot of downsides and a false feeling of more security.
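As an added example (not from either answer above, and not Tomato-specific), this is the kind of auth-user-pass-verify script Solution 1 describes, with the username-must-equal-certificate-CN check Solution 2 recommends. It assumes OpenVPN's standard via-file calling convention and `common_name` environment variable; the user database, salts and passwords are constructed sample data.

```shell
#!/bin/sh
# Example auth-user-pass-verify script (via-file mode). OpenVPN calls it as
#   auth.sh <tmpfile>   with the temp file holding the username on line 1 and
# the password on line 2, and exports the client certificate's CN as $common_name.
# Server config lines that hook it in (constructed example path):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/auth.sh via-file
# Leaving out "duplicate-cn" keeps the default of one live session per certificate.

# Hash "salt:password" with SHA-256; hex digest on stdout.
hash_pw() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Constructed user database (username:salt:sha256hex); a real deployment would
# hand this lookup to PAM, RADIUS or LDAP instead of a file.
USER_DB="alice:9f3a:$(hash_pw 9f3a 'correct horse')
bob:17c2:$(hash_pw 17c2 'battery staple')"

# verify_user <credential-file> <certificate-CN>; returns 0 to accept, 1 to reject.
verify_user() {
    { IFS= read -r user; IFS= read -r pass; } < "$1" || return 1
    cn=$2
    # Accept only a conservative username charset before using it anywhere.
    case $user in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Bind the login to the certificate: the username must equal the cert CN,
    # so a stolen password is useless without the matching client certificate.
    [ "$user" = "$cn" ] || return 1
    while IFS=: read -r u salt stored; do
        [ "$u" = "$user" ] || continue
        [ "$(hash_pw "$salt" "$pass")" = "$stored" ] && return 0
        return 1   # known user, wrong password
    done <<EOF
$USER_DB
EOF
    return 1   # unknown user
}

# When invoked by OpenVPN, run the check and use the exit code as the verdict.
if [ -n "${1:-}" ] && [ -n "${common_name:-}" ]; then
    verify_user "$1" "$common_name"
    exit $?
fi
```

Any non-zero exit rejects the client, so a username that does not match the certificate CN is refused even with a correct password.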