An Introduction to OpenVPN Part 2

Dan Parker

Authentication Mechanisms

OpenVPN is normally run in one of the two modes below:

  • Peer to Peer (point-to-point) connects two sites: one end is configured as the server and the other as the client. This is the usual choice for a site-to-site link, for example connecting a remote office to a central location over the VPN.
  • Remote Access is used by desktop clients to connect to a central VPN server, with one server serving many clients.

Whichever mode we choose, OpenVPN offers the following authentication options:

  • User Auth: to log in with a username and password, the client specifies the auth-user-pass directive, which makes OpenVPN prompt for the credentials when connecting and send them to the server inside the TLS channel. On the server the credentials are checked by a script or plugin (auth-user-pass-verify, or an authentication plugin such as the PAM one). This runs on top of TLS: the server still presents a certificate that the client must verify, and whether client certificates are also required is a server-side setting.
  • Shared Key: instead of username/password pairs or certificates, both ends hold the same static key file, given with the secret directive, and use it to protect the tunnel. This only works for a point-to-point link between two peers, the key has to be distributed out of band, and because the same key protects every session there is no forward secrecy: whoever obtains the key can decrypt recorded traffic. Current OpenVPN releases (2.5 and later) mark this mode as deprecated.
  • SSL/TLS: each side holds its own certificate and private key (the ca, cert and key directives), issued by a common CA, and a TLS handshake authenticates both peers and negotiates fresh session keys for every connection. This is the most secure of the three options and the one the rest of this article assumes; username/password authentication can be layered on top of it.

Prevent Man in the Middle (MITM) Attacks

We should pay special attention to MITM attacks when connecting to the VPN server. The client checks that the server's certificate was signed by the trusted CA (the ca directive), but in a typical deployment every client certificate is signed by that same CA. Unless the client also checks what kind of certificate it was handed, anyone holding a valid client certificate, for example the owner of a stolen laptop or a malicious user, can present it and pose as the server.

This would let the attacker sit between the OpenVPN client and the real server and read all the traffic that was supposed to be protected. It is possible because we never verified the identity of the VPN server, only that its certificate came from our CA, so any holder of a CA-issued certificate can pretend to be our VPN server.

To prevent a MITM attack, we tell the client to check that the certificate it receives really belongs to the VPN server. We can do that with one of the following options; all of them assume ca is already set, since they narrow down which CA-issued certificate is acceptable rather than replacing chain validation:


ns-cert-type server: checks that the server certificate's nsCertType field is set to 'server', so a certificate issued for a client is refused. The Netscape extension it relies on is obsolete and the option has been deprecated since OpenVPN 2.4; use remote-cert-tls server instead, which checks the standard X.509 key usage and extended key usage (TLS Web Server Authentication) fields and gives the same guarantee with certificates produced by current easy-rsa.

tls-remote name: accepts connections only from a host whose certificate carries the X.509 subject name (or common name) name. It was deprecated in OpenVPN 2.3 and removed in 2.4; its replacement is verify-x509-name name type (for example verify-x509-name vpn.example.invalid name), which also lets you choose between an exact match on the full subject, the common name, or a name prefix.

tls-verify cmd: runs the command cmd for each certificate in the peer's chain, passing it the depth and the subject, and rejects the connection when cmd exits non-zero. This allows arbitrary custom checks, but it is the easiest of the three to get wrong, so it should supplement remote-cert-tls server rather than replace it.

Using a Certificate Revocation List

A CRL is useful when we have a CA certificate, the server certificate and a set of trusted client certificates, all issued by that CA.

If one of the client certificates can no longer be trusted, for example because the laptop holding it was stolen, we need to withdraw that certificate's access before it expires on its own.

Remember that we don't want to throw away the whole PKI (a new CA means reissuing every certificate), but rather invalidate just that one certificate. To do that, the CA adds the compromised certificate to its certificate revocation list (CRL), a CA-signed list of revoked serial numbers; with easy-rsa that is easyrsa revoke followed by easyrsa gen-crl, which writes pki/crl.pem. Once the server checks that list, the revoked certificate can no longer connect, because it is not trusted anymore.

To use the list with OpenVPN, add the crl-verify option to the server configuration and pass it the CRL file in PEM format. That file contains all revoked certificates that are no longer valid, and OpenVPN picks up a changed file without a restart. One caveat: a CRL carries a next-update date (easy-rsa's default is 180 days), and once that date has passed OpenVPN treats the whole list as expired and rejects every client, revoked or not, so regenerate the CRL on a schedule well before it expires.
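As an added example (not code from the original article, nor from the OpenVPN project, which performs these checks through its TLS library), the Go program below uses only the standard library to build a throwaway PKI and then reproduces the two checks described in the MITM section and in this one: the remote-cert-tls server test, showing that a client certificate issued by the same CA chains to the CA but is rejected once the serverAuth extended key usage is demanded, and the crl-verify test, including the case where the CRL itself has passed its next-update date and therefore rejects even an unrevoked certificate. The CA name, the host name vpn.example.invalid, the client name laptop-alice and the 24-hour lifetimes are constructed for the example and are not defaults of OpenVPN or easy-rsa.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a cert signed by parent (self-signed when parent is nil) with the given EKUs, as easy-rsa's build-*-full would.
func issue(cn string, serial int64, eku []x509.ExtKeyUsage, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           eku,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA { // the CA must be allowed to sign certificates and CRLs
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// buildPKI: throwaway CA, server and client certs (constructed example data, not from any real deployment).
func buildPKI() (ca, server, client *x509.Certificate, caKey *ecdsa.PrivateKey) {
	ca, caKey = issue("Example-CA", 1, nil, true, nil, nil)
	server, _ = issue("vpn.example.invalid", 2, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false, ca, caKey)
	client, _ = issue("laptop-alice", 3, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, false, ca, caKey)
	return
}

// verifyPeer is the client-side check: chain peer to ca ("ca ca.crt") and, with remoteCertTLS, demand the serverAuth EKU.
func verifyPeer(ca, peer *x509.Certificate, remoteCertTLS bool) error {
	eku := x509.ExtKeyUsageAny // "ca" alone: anything the CA ever signed chains fine
	if remoteCertTLS {
		eku = x509.ExtKeyUsageServerAuth // "remote-cert-tls server": a client cert from the same CA fails here
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// makeCRL plays "easyrsa revoke" + "easyrsa gen-crl": a CA-signed list of revoked serials, valid until nextUpdate.
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, validFor time.Duration, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(validFor)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	check(err)
	crl, err := x509.ParseRevocationList(der)
	check(err)
	return crl
}

// crlVerify models the server's "crl-verify crl.pem": CRL signed by our CA, still current (a stale CRL rejects every peer), and the peer's serial not listed.
func crlVerify(ca, peer *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by our CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL has expired (nextUpdate %s): regenerate it", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("certificate %q (serial %s) is revoked", peer.Subject.CommonName, peer.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca, _, client, caKey := buildPKI()
	fmt.Println("client cert posing as server, with remote-cert-tls server:", verifyPeer(ca, client, true))
	fmt.Println("stolen laptop after revocation:", crlVerify(ca, client, makeCRL(ca, caKey, 24*time.Hour, client), time.Now()))
}
```

Run it with go run; the first line prints an incompatible-key-usage error, the second a revoked-certificate error. Note what verifyPeer(ca, client, false) would return: nil, which is exactly the gap remote-cert-tls server closes. The revocation logic is a model of what the server does, written here for illustration; in a real deployment the check is made by OpenVPN itself once crl-verify points at the file that easyrsa gen-crl produced.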

Dan Parker

Dan is a technology reporter from San Jose, California, currently living right in the heart of Silicon Valley. Raised around tech, he's found interests in various gadgets and the companies that make them for years. When not blogging about tech, he can be found hunting for music, shredding the slopes in South Lake, or whipping up a dish for friends in the kitchen.

© 2023 Copyright VPN Creative