4

Im curious about how secure a OpenVPN setup that uses a single cert/key to authenticate against the server, compared to a OpenVPN setup that uses a separate cert/key combination for each OpenVPN client.

The OpenVPN server configuration has a section that says I shouldn't be doing this, but is OpenVPN warning about potential security issues, or is the warning something OpenVPN specific?

The setup currently uses a client/server key setup along with ta.key.

TearsOnTheMoon
  • 58
  • 4

2 Answers2

1

There is no way of knowing who is connecting to your server. There's no attribution associated. If someone logs in and does something bad you'll have no way of knowing who it was, or narrow down where the security breach started.

Worse, you won't know if someone else steals the certificate, and accesses your server without your knowledge. With attribution you can at least notice, "Well user2 rarely logs in at 0200". Then you can follow up with the user, and narrow down the breach.

I guess the bottom line is: if you only have one client authentication certificate why have one at all?

RoraΖ
  • 12,457
  • 4
  • 52
  • 84
  • 1
    Additionally, after user X loses their certificate and key and you have to regenerate, now EVERY user has to install new certs and keys. If every user has their own, only the one user's cert gets put on the Certificate Revocation List, and only that one user gets a new key (or just doesn't get access again, depending). – Anti-weakpasswords Jan 16 '15 at 07:29
0

You are basically narrowing your security to the username and password because your cert is single point of failure (if obtained it can be provided with any authorized credentials). Other thing you should take in consideration is impact of certificate revocation on your organization. Let's say you've found out that somebody is causing harm to your organization throughout VPN so you've decided to directly revoke the cert to stop them. The problem is that now nobody will be able to use the VPN before you put up new cert and redistribute it. Even worse you don't know the point where your certificate has leaked because it is not bound to a specific user so even if u put up a new cert it may be directly obtained the way old one was obtained and you have no way to close the gap. I think that the best solution is to use user specific certificates and enforce cert user/username binding with minimum concurrent connection number needed to operate. The warning in OpenVPN is purely due to security reasons, otherwise you wouldn't be provided this option (nobody gives "break it" button for their users). Single cert solution may have some use cases where you want users to be less secure but more private by providing anonymity. Other use case is when you have bot-net and you want zombies to connect through VPN you can then use it without credentials with cert only.

nethero
  • 500
  • 2
  • 6