VPN technology

An Introduction to OpenVPN Part 2

By Dan Parker, October 11, 2019 (updated October 21, 2022)

Authentication Mechanisms

OpenVPN is usually used in one of the two modes presented below:

  • Peer to Peer connects two sites, with one site acting as the server and the other as the client. This is the usual choice when we have a central location and want to connect a remote location to it over the VPN.
  • Remote Access is used by desktop clients to connect to the VPN.

Whichever server mode we choose, there are different authentication modes we can use, presented below:

  • User Auth: when we want to connect to the OpenVPN server with a username and password directly, we specify the auth-user-pass directive, which instructs OpenVPN to prompt for the username/password when connecting to the VPN server and then send them over the secure TLS channel.
  • Shared Key: instead of a username/password pair, we use a shared key to establish the connection with the VPN server.
  • SSL/TLS: only public/private key pairs can be used to connect to the VPN server. This option is the most secure of the three.

Prevent Man in the Middle (MITM) Attacks

We should pay special attention to MITM attacks when connecting to the VPN server. Usually we can connect to the OpenVPN server without verifying whether the server’s certificate was signed by a CA certificate, but that would allow an attacker to perform a MITM (Man-In-The-Middle) attack.

This would consequently allow the attacker to sniff all traffic between the OpenVPN client and server, traffic which should be secure. It is possible because we are not verifying the identity of the VPN server, so anyone can pretend to be our VPN server.

In order to prevent a MITM attack from being possible, we need to tell the client to check whether it’s connecting to the right VPN server. We can do that by one of the following options:

  • ns-cert-type server: checks that the server certificate's nsCertType field is set to 'server', which ensures that the client is actually connecting to the right VPN server.
  • tls-remote name: accepts connections only from a host whose X.509 subject name matches name.
  • tls-verify cmd: executes the cmd command to verify the authenticity of the server.
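As an added example (not code from the article), here is a hypothetical tls-verify hook implementing the third option: OpenVPN calls it once per certificate in the server's chain with the chain depth and the subject string, and a non-zero exit aborts the handshake. It assumes the default subject format "C=US, O=Example, CN=vpn.example.com" and a placeholder expected CN.

```shell
#!/bin/sh
# Hypothetical tls-verify hook for an OpenVPN client (added example, not from
# the article). OpenVPN runs it once per certificate in the server's chain as:
#   script <depth> <subject>
# depth 0 is the server (leaf) certificate, depth 1+ the issuing CAs.
# Exit status 0 accepts the certificate, anything else aborts the handshake.
# Assumed subject format: "C=US, O=Example, CN=vpn.example.com"

EXPECTED_CN="vpn.example.com"   # placeholder: the CN of our real VPN server

# Print the CN attribute of a subject string, or nothing if it has none.
# RDNs are split on ',' so a CN that itself contains a comma is not supported.
extract_cn() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Return 0 (accept) or 1 (reject) for one certificate in the chain.
verify_peer() {
  depth="$1"
  subject="$2"

  # Chain validity (signature, expiry) is checked by OpenVPN against --ca;
  # this hook only pins the leaf's name, so CA certificates pass through.
  if [ "$depth" -ne 0 ]; then
    return 0
  fi

  cn="$(extract_cn "$subject")"
  # Exact comparison: a substring match would accept "vpn.example.com.evil".
  if [ "$cn" = "$EXPECTED_CN" ]; then
    return 0
  fi
  echo "tls-verify: rejecting server cert with subject '$subject'" >&2
  return 1
}

# When invoked by OpenVPN (two arguments), verify and exit with the result.
if [ "$#" -eq 2 ]; then
  verify_peer "$1" "$2"
  exit $?
fi
```

The hook is enabled in the client config with tls-verify /path/to/script alongside the ca directive; note that tls-remote and ns-cert-type have since been removed from current OpenVPN releases in favour of verify-x509-name and remote-cert-tls server, while tls-verify remains supported.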

Using a Certificate Revocation List

A CRL is useful when we have a CA certificate, a server certificate and a number of trusted client certificates.

If one of the client certificates is no longer trusted, for example because the laptop holding it was stolen, we need to revoke access for that certificate.

Remember that we do not want to disable the whole PKI, only that one certificate. To do that, we add the compromised certificate to the certificate revocation list (CRL). From then on, a client presenting that certificate can no longer connect to the VPN server, because it is no longer trusted.

To use this with OpenVPN, we specify the crl-verify option and pass it the CRL file in PEM format. That file lists all revoked certificates that are no longer valid.

Dan Parker

Dan is a technology reporter from San Jose, California, currently living right in the heart of Silicon Valley. Raised around tech, he's found interests in various gadgets and the companies that make them for years. When not blogging about tech, he can be found hunting for music, shredding the slopes in South Lake, or whipping up a dish for friends in the kitchen.

© 2023 Copyright VPN Creative