I'm curious what is Your opinion on OpenVPN client crt/key security.

In most cases (tutorials), the client's key/crt are generated on the same OpenVPN server, and no one cares about the future. This is secure, as long as someone gets into the server :)

There are many scenarios in which this can be a threat. I'd like to prevent 'client spoofing', where a privileged person/admin (inside attack) steals user credentials (key/crt) directly from the server and uses them to connect as someone else.

I guess the only way to prevent this is:

  1. Generate key/crt on the server
  2. Deliver them to client
  3. Remove the key from the server (keep the crt so You can revoke it)

Drawback: if a user asks for the key again: sorry, You don't have it, You need to generate a new key/crt pair (and revoke the old one!)

What would You think about that?

Some topic: https://security.stackexchange.com/questions/66948/openvpn-storage-location-and-creation-of-keys-certificates

sirkubax
  • This is one reason why multi-factor authentication is a thing. Cert+user/pass or cert+user/pass+TOTP. – EEAA May 12 '16 at 00:22
  • Sure, I'm using: https://github.com/evgeny-gridasov/openvpn-otp But still, if You break into the server, You can get the 'OTP base key' :/ – sirkubax May 12 '16 at 07:35
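The three steps from the question carried through with plain openssl, as an added example that is not part of the original post or its comments; the scratch directory layout, the CN values and the "outbox" directory that stands in for delivering the bundle to the user are assumptions. It also shows why keeping only the .crt is enough for revocation: the CRL is signed with the CA key, and the client's private key plays no part.

```shell
#!/bin/sh
# Added example, not from the original post: generate on the server, deliver,
# then remove the private key while keeping the .crt for revocation.
# Paths, CN values and the outbox that stands in for delivery are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"; CA="$WORK/ca"; OUTBOX="$WORK/outbox"
mkdir -p "$CA" "$OUTBOX"

setup_ca() {   # one-time: the CA key stays on the server, it is what revocation needs
  touch "$CA/index.txt"; echo 01 > "$CA/crlnumber"
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n[ ca ]\ndefault_ca = vpn_ca\n[ vpn_ca ]\ndatabase = %s/index.txt\ncrlnumber = %s/crlnumber\ndefault_md = sha256\n' "$CA" "$CA" > "$CA/min.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$CA/min.cnf" -subj "/CN=example-vpn-ca" \
    -days 3650 -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
}

issue_client() {   # step 1: the client's key and crt are generated on the server
  openssl req -new -newkey rsa:2048 -nodes -config "$CA/min.cnf" -subj "/CN=$1" \
    -keyout "$CA/$1.key" -out "$CA/$1.csr" 2>/dev/null
  openssl x509 -req -in "$CA/$1.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 365 -out "$CA/$1.crt" 2>/dev/null
}

deliver_and_wipe() {   # steps 2 and 3: hand the bundle over, then drop the server copy
  cp "$CA/$1.key" "$CA/$1.crt" "$CA/ca.crt" "$OUTBOX/"   # stands in for the real delivery channel
  rm -f "$CA/$1.key" "$CA/$1.csr"   # on a real disk prefer shred -u; backups and snapshots also keep copies
}

revoke_client() {   # the kept .crt is all the CA needs; no client key is involved
  openssl ca -config "$CA/min.cnf" -keyfile "$CA/ca.key" -cert "$CA/ca.crt" \
    -revoke "$CA/$1.crt" >/dev/null 2>&1
  openssl ca -config "$CA/min.cnf" -keyfile "$CA/ca.key" -cert "$CA/ca.crt" \
    -gencrl -crldays 30 -out "$CA/crl.pem" >/dev/null 2>&1   # feed crl.pem to openvpn's crl-verify
}

is_revoked() {   # true if the client's serial is listed in the generated CRL
  _s=$(openssl x509 -in "$CA/$1.crt" -noout -serial | cut -d= -f2)
  openssl crl -in "$CA/crl.pem" -noout -text | grep -q "Serial Number: $_s"
}

key_on_server() { [ -f "$CA/$1.key" ]; }   # what an insider could still steal
```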
