  #1  Master Untangler (joined Jan 2009, 119 posts)

    Creating a Username/Password for the OpenVPN Client

    We are using the OpenVPN module on Untangle and it works fine. However, when we send the client to a user and it is installed, all they have to do is right-click the client and they can connect to our OpenVPN server.

    While it does appear that the user can right-click and configure the option to add their own username/password, is there a way to do this ahead of time, before sending them a client? We are coming from a Cisco VPN background where we could do this, and it added an extra layer of security for us in case the client system was ever compromised.

    Thanks!

  #2  Master Untangler (joined Jan 2011, 785 posts)

    When you set a password, it actually encrypts the host's SSL key file with that password. So it's not just a matter of changing an option in the .ovpn config file that gets sent out with the client (for which I presume there is a template somewhere on the server that could be modified). To implement a password prior to sending out the client would require a change to Untangle's code so that it provides the password to openssl when generating the client key, and you'd also need UI changes to provide a means to enter the password.

    In other words, no.

    Untangle guys would have to comment on whether that's an enhancement that might be added in the future. As Untangle seems to adhere to the KISS model, I suspect they've already considered and rejected the idea.

    (Oh, and by the way, I just discovered that if you set a password on a key file using OpenVPN GUI, you can't unset it... you can change it, but you can't go back to having no password. I'm sure there's an openssl command to decrypt a key file, but I don't play with openssl often enough to recall how to do it. Easier just to re-download the client config from my box.)
    Last edited by johnsonx42; 03-01-2012 at 08:27 PM.

  #3  WebFooL, Untangle Ninja (joined Jan 2009, Sweden (Eskilstuna), 4,466 posts)

    Here is an old thread that I have.
    http://forums.untangle.com/hacks/160...ct-client.html

    You need to upload the NSIS Dialogs module and then add a Section to the openvpn-gui.nsi file.

    ; Added to the OpenVPN GUI installer script (openvpn-gui.nsi). Needs the NSIS Dialogs
    ; plug-in for Dialogs::InputBox. ${SITE_NAME} and ${COMMON_NAME} are the defines the
    ; client build already uses to name the key file.
    Section "Password Protect .key file (Recommended)" SecPwd
    Looppwd:
    ; Ask for a passphrase; an empty answer (or "Skip") leaves the key unprotected.
    Dialogs::InputBox "Password Protect .Key File" "Please enter a password for your .key file.$\r$\nThis password will be used every time you start$\r$\nthe VPN tunnel!" "OK" "Skip" "0" ${VAR_R2}
    StrCmp $R2 "" Skip Ok

    Skip:
    DetailPrint "No password will be set for ${SITE_NAME}-${COMMON_NAME}.key."
    goto Exitpwd

    Ok:
    ; Let the user confirm the passphrase they typed before it is applied.
    MessageBox MB_YESNO|MB_ICONEXCLAMATION 'Press "Yes" to set $R2 as password$\r$\nPress "No" to change it or skip.' IDYES GOPWD IDNO Looppwd

    GOPWD:
    ; Rewrite the key in place, encrypted with the passphrase (openssl loads the whole key
    ; before it opens the output, so -in and -out may name the same file). The passphrase
    ; travels on the command line, so it must not contain quotes or spaces. -des3 is what
    ; this snippet always used; openssl accepts -aes256 in the same position.
    nsExec::Exec 'cmd /C "$INSTDIR\bin\openssl.exe rsa -passout pass:$R2 -in $INSTDIR\config\untangle-vpn\${SITE_NAME}-${COMMON_NAME}.key -des3 -out $INSTDIR\config\untangle-vpn\${SITE_NAME}-${COMMON_NAME}.key"'
    ; Do not echo the passphrase itself into the installer log.
    DetailPrint "Password set on ${SITE_NAME}-${COMMON_NAME}.key"
    goto Exitpwd

    Exitpwd:
    SectionEnd
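    The key-file operation that posts #2 and #3 describe, as an added shell example that is not from this thread or from Untangle's client build: it protects a client .key the way the installer's openssl call does, checks that the file really is encrypted and that a wrong passphrase is refused, and then removes the passphrase again (the "unset" step post #2 could not recall). It needs the openssl command-line tool; the file names and the passphrase are placeholders, and the key is generated on the spot rather than taken from a real client package.

```shell
#!/bin/sh
# Added example, not part of the thread or of Untangle: passphrase-protect an OpenVPN
# client key, verify it, and strip the passphrase again. Requires the openssl CLI.

# key_is_encrypted FILE: true if the PEM private key carries a passphrase.
# Traditional (PKCS#1) PEM marks this with a "Proc-Type: 4,ENCRYPTED" header;
# PKCS#8 PEM uses a "BEGIN ENCRYPTED PRIVATE KEY" armor line instead.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# encrypt_key IN OUT PASSPHRASE: wrap the key with AES-256-CBC. The installer snippet
# uses -des3, which openssl still accepts but which is weak by current standards.
encrypt_key() {
    openssl rsa -in "$1" -aes256 -passout "pass:$3" -out "$2"
}

# decrypt_key IN OUT PASSPHRASE: write the key back out with no passphrase at all.
# This is the "unset password" operation the OpenVPN GUI does not offer.
decrypt_key() {
    openssl rsa -in "$1" -passin "pass:$3" -out "$2"
}

# key_pubkey_sha256 FILE [PASSPHRASE]: hash of the public half, used to prove that
# protecting and unprotecting the file did not change the underlying key.
key_pubkey_sha256() {
    if [ -n "$2" ]; then
        openssl rsa -in "$1" -passin "pass:$2" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
    else
        openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
    fi
}

# roundtrip_demo DIR PASSPHRASE: generate a throwaway key in DIR, protect it, confirm a
# wrong passphrase is rejected, strip the protection, and print "ok" only if every
# step left the files in the expected state.
roundtrip_demo() {
    dir=$1; pw=$2
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null || return 1
    before=$(key_pubkey_sha256 "$dir/client.key")
    encrypt_key "$dir/client.key" "$dir/client.enc.key" "$pw" 2>/dev/null || return 1
    key_is_encrypted "$dir/client.enc.key" || { echo "not encrypted"; return 1; }
    # A wrong passphrase must fail loudly rather than yield garbage or the plaintext key.
    decrypt_key "$dir/client.enc.key" "$dir/bad.key" "wrong-$pw" 2>/dev/null && { echo "wrong passphrase accepted"; return 1; }
    decrypt_key "$dir/client.enc.key" "$dir/client.plain.key" "$pw" 2>/dev/null || return 1
    key_is_encrypted "$dir/client.plain.key" && { echo "still encrypted"; return 1; }
    after=$(key_pubkey_sha256 "$dir/client.plain.key")
    [ "$before" = "$after" ] || { echo "key changed"; return 1; }
    echo ok
}

# Run with "demo" to exercise the round trip in a temporary directory.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    roundtrip_demo "$tmp" 'correct horse'
    rm -rf "$tmp"
fi
```

    Passing the passphrase with pass: puts it in the process's argument list, which is visible to other local users while openssl runs; for anything beyond a one-off installer prompt, openssl's -passin file: or env: forms are the better choice.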

  #4  Master Untangler (joined Jan 2011, 785 posts)

    You know, before I posted, I was thinking "I'll bet WebFool would know, maybe he's already done it", but then I decided to weigh in anyway. It turns out I was right that changes were needed, and kudos to WebFool for already having done so!

    Edit: oh, I see, I was wrong, you've made the client installer do it at install time. It didn't occur to me that it could be done that way. That still leaves it in control of the user, though... I presume if you wanted to force the user to put in a password you could simply eliminate the "Skip" option from the dialog?
    Last edited by johnsonx42; 03-02-2012 at 08:07 AM.

  #5  Master Untangler (joined Jan 2009, 119 posts)

    Thanks for that information. This seems to be strangely missing in the Untangle app itself, as it is common practice to have VPN clients use a password before initializing. I know, I know, it's free etc. etc., but you may as well deploy it the way it was meant to be, methinks.

    Thanks for the info on this, much appreciated as always.

  #6  WebFooL, Untangle Ninja (joined Jan 2009, Sweden (Eskilstuna), 4,466 posts)

    OpenVPN is not designed to use a username and password.
    It uses certs and a key file.

    If you want a username- and password-based VPN, just install a PPTP server on a local Windows or Linux server.

  #7  sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 18,051 posts)

    Besides all that, your VPN-available resources are "more trusted" than public access but shouldn't be "trusted". You still use username authentication for Windows resources just like you do on your LAN.

    So what is your risk here? Someone leaving a laptop unattended at a Starbucks while connected? OK, sure, the attacker there would have access to your LAN thanks to the Windows credentials already on the laptop. So say they see OpenVPN and snag the certificates and reconfigure a new machine to use them in their client.

    They then connect... at this point, if they don't have a username/password pair they should still be locked out. And it's your duty as an admin to audit the connection logs every so often looking for oddities. The firewall module aids in this task immensely.

    You see, Untangle's version of OpenVPN works around IP reservations. So you're free to make firewall rule sets based on that reserved IP; that reserved IP will stick with that VPN client for the rest of time. If a certificate set is breached, regenerate it. But that client shouldn't have access to resources beyond what it needs access to in the meantime.

    Security through layers, but not layers that do nothing but annoy your users. I could see using an RFID system as an extra layer for high-security environments. But using a passphrase to encrypt the OpenVPN key sequence doesn't provide any additional security beyond what you have by default. And it turns a point-and-click VPN solution into something that annoys users with yet another username/password pair to keep track of on a sticky note, which will be attached to the palm rest of the very same laptop, sitting on the very same table, in the proverbial Starbucks.
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    NexgenAppliances.com
    Phone: 866-794-8879
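    The reserved-IP-plus-firewall layering that post #7 describes, as an added example that is not Untangle's implementation (the thread does not show how Untangle's reservations work). It uses stock OpenVPN's client-config-dir, where a file named after the certificate's common name pins that client to a fixed tunnel address, and emits iptables rules that let that address reach only the services it needs. The tunnel subnet, directory, common name, LAN addresses and ports are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example, not Untangle's code: pin an OpenVPN client to a fixed tunnel IP by its
# certificate common name (stock OpenVPN client-config-dir) and give that IP a default-deny
# forwarding policy. Subnet, paths, addresses and ports are assumed for illustration.

VPN_SUBNET="10.8.0.0 255.255.255.0"   # assumed arguments to the 'server' directive
CCD_DIR="/etc/openvpn/ccd"            # assumed client-config-dir

# server_directives: the server-side lines. 'ccd-exclusive' refuses any client that has no
# per-client file, so a certificate with an unexpected CN cannot connect without a reservation.
server_directives() {
    printf 'server %s\n' "$VPN_SUBNET"
    printf 'topology subnet\n'
    printf 'client-config-dir %s\n' "$CCD_DIR"
    printf 'ccd-exclusive\n'
}

# ccd_entry IP NETMASK: contents of the per-client file. With 'topology subnet' the second
# argument is the netmask. The reservation follows the certificate, not the machine.
ccd_entry() {
    printf 'ifconfig-push %s %s\n' "$1" "$2"
}

# install_ccd DIR CN IP NETMASK: write the file OpenVPN looks up by certificate common name.
install_ccd() {
    ccd_entry "$3" "$4" > "$1/$2"
}

# client_rules IP DEST:PORT...: iptables commands that let this tunnel address reach only the
# listed TCP services, accept the replies, and drop everything else it sends toward the LAN.
client_rules() {
    ip=$1; shift
    for svc in "$@"; do
        printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
            "$ip" "${svc%:*}" "${svc#*:}"
    done
    printf 'iptables -A FORWARD -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$ip"
    printf 'iptables -A FORWARD -s %s -j DROP\n' "$ip"
}

# Example: the client whose certificate CN is "alice-laptop" gets 10.8.0.10 and may reach only
# RDP on one host and SMB on a file server. Run with "apply" to write the ccd file and print
# the server directives and firewall commands (they are printed, not executed).
if [ "${1:-}" = "apply" ]; then
    install_ccd "$CCD_DIR" "alice-laptop" 10.8.0.10 255.255.255.0
    server_directives
    client_rules 10.8.0.10 192.168.1.20:3389 192.168.1.30:445
fi
```

    If the client's certificate is stolen and used from another machine, the attacker still lands on 10.8.0.10 and inherits only that address's allow list, which is the containment post #7 argues for; revoking and regenerating the certificate then closes the hole for good.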
