Authentication Mechanisms
OpenVPN is usually run in one of the two modes presented below:
- Peer to Peer is used to connect two sites, where one site acts as the server and the other as the client. This is typically done when we have a central location and want to connect a remote location to it over the VPN.
- Remote Access is used by desktop clients to connect to the VPN.
Whichever server mode we choose, there are several authentication modes available, presented below:
- User Auth: when we want to connect to the OpenVPN server directly with a username and password, we have to specify the auth-user-pass directive, which instructs OpenVPN to prompt us for the username/password when connecting to the VPN server and then send them over the secure TLS channel.
- Shared Key: instead of a username/password pair, we use a shared key to establish the connection with the VPN server.
- SSL/TLS: only public/private key pairs can be used to connect to the VPN server. This is the most secure of the presented options.
Prevent Man in the Middle (MITM) Attacks
We should pay special attention to MITM attacks when connecting to the VPN server. We can usually connect to the OpenVPN server without verifying that the server's certificate was signed by our CA certificate, but doing so would allow an attacker to perform a MITM (Man-In-The-Middle) attack.
That would let the attacker sniff all traffic between the OpenVPN client and the server, traffic that is supposed to be protected. This is possible because we are not verifying the identity of the VPN server, so anyone can pretend to be it.
To make a MITM attack impossible, we need to tell the client to check that it is connecting to the right VPN server. We can do that with one of the following options:
- ns-cert-type server: checks that the server certificate's nsCertType field is set to 'server', which ensures that the client is actually connecting to the right VPN server.
- tls-remote name: accepts connections only from a host whose X.509 name is name.
- tls-verify cmd: executes the command cmd to verify the authenticity of the server.
Using a Certificate Revocation List
A CRL is useful when we have a CA certificate, the server certificate and a number of trusted client certificates.
If one of the client certificates is no longer trusted, for example because the laptop holding it was stolen, we need to revoke that certificate's access.
Remember that we don't want to disable the whole PKI, just that one certificate. To do that, we add the compromised certificate to the certificate revocation list (CRL). Once that happens, the certificate can no longer be used to connect to the VPN server, because it is no longer trusted.
To use this with OpenVPN, we specify the crl-verify option and pass it the CRL file in PEM format. That file lists all revoked certificates, which are no longer valid.
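As an added example (not from the original article and not OpenVPN's own code), the following Python helper audits a constructed OpenVPN client or server config for the two points above: whether a client pins the server's identity with one of the directives listed, and whether a server applies a CRL via crl-verify. It also accepts remote-cert-tls and verify-x509-name, which replaced ns-cert-type and tls-remote in OpenVPN 2.4 and later; the parser and the sample configs are assumptions of this example.

```python
import re

# Client-side directives that bind the connection to the right server. The first
# three are the ones named above; remote-cert-tls and verify-x509-name are the
# OpenVPN 2.4+ replacements for ns-cert-type and tls-remote.
SERVER_IDENTITY_CHECKS = {"ns-cert-type", "tls-remote", "tls-verify",
                          "remote-cert-tls", "verify-x509-name"}

def parse_directives(text):
    """Map directive -> args for an OpenVPN config. Inline <ca>..</ca> style
    blocks are recorded under their tag name; comments (# or ;) are skipped."""
    seen, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                      # inside <tag> ... </tag>: skip the PEM body
            block = None if line == f"</{block}>" else block
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            seen[block] = ["<inline>"]
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        seen[name.lstrip("-")] = args  # a later occurrence overrides an earlier one
    return seen

def audit(text):
    """Return findings for the MITM and CRL points above; an empty list means OK."""
    seen, findings = parse_directives(text), []
    if "client" in seen or "tls-client" in seen:
        if "ca" not in seen:
            findings.append("no ca: server certificate is not chained to a trusted CA")
        if not (SERVER_IDENTITY_CHECKS & set(seen)):
            findings.append("no server identity check: MITM possible, add remote-cert-tls server")
        for d in ("ns-cert-type", "remote-cert-tls"):
            if d in seen and seen[d] != ["server"]:
                findings.append(f"{d} must be 'server', found {' '.join(seen[d])!r}")
    if "server" in seen or "tls-server" in seen:
        if "crl-verify" not in seen:
            findings.append("no crl-verify: revoked client certificates are still accepted")
    return findings

# Constructed sample configs (hypothetical hostnames and a placeholder inline CA).
WEAK_CLIENT = "client\ndev tun\nremote vpn.example.com 1194\n<ca>\n-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n</ca>\ncert client.crt\nkey client.key\n"
HARDENED_CLIENT = WEAK_CLIENT + "remote-cert-tls server\nverify-x509-name vpn.example.com name\n"
SERVER_NO_CRL = "server 10.8.0.0 255.255.255.0\nca ca.crt\ncert server.crt\nkey server.key\ndh dh.pem\n"
SERVER_WITH_CRL = SERVER_NO_CRL + "crl-verify crl.pem\n"
```

Running audit() on WEAK_CLIENT reports the missing server identity check, while HARDENED_CLIENT and SERVER_WITH_CRL produce no findings.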