Possible? OpenVPN server requiring both certificate- AND password-based login (via Tomato router firmware)
Solution 1:
The OpenVPN feature you're looking for, which will allow the server to authenticate clients based on both their certificate and a credential, is auth-user-pass-verify
. This feature allows the server to pass the username/password provided by the remote user to a script that performs the authentication. At that point you can validate the credentials against anything you want-- PAM, RADIUS, LDAP, smoke signals, etc.
I know nothing about the "Tomato" firmwares so I'm not even going to attempt to give you a step-by-step here. I did some quick searching and I suspect you could use the OpenVPN "Custom Configuration" option to include a auth-user-pass-verify
reference. You'll need a script to perform the authentication.
Do some searching and I suspect you'll find "Tomato"-specific references.
Solution 2:
auth-user-pass-verify is the right thing todo. In addition you can force auth-user username has to be the certified CN you can also force openvpn to make only one connection each cert at a time.
That way an "mimic" has to have the right user compared to the certc CN and the right pass and he has to logon at a time the real owner doenst
In addition you may think about an IDS, depending which one you choose you can even narrow it down there like allowed external ip ranges, logon times and so on.
Any exposed cert should be revoked immediately. The signing server should be off net - transfer key by usb - then you have a real tight secure access.
and no you should not password a cert.
- Easy to bruteforce.
- You cannot lock an user (cert pass is offline only).
- People loose their passwords all the time forcing you to revoke and recreate a cert everytime - big risk of having a lot of certs out there where you maybe sometimes forget the revoke.
But if you really want you can use auth-user and cert password same time there will be no fallback or something.
First openvpn will use the cert password to decrypt the private key to establish a connection - then auth-user kicks in serversidly - if credentials are wrong you're out.
However if an attacker get the regular credentials you're already in trouble and chances are high he got the cert password too.
So I don't see real benefit here just a lot of downsides and a wrong feeling of more security.