OpenVPN Providers - User/Pass Authentication - A Problem?

Most of the OpenVPN providers that are out there and being discussed often around here, typically use only username and password authentication, which OpenVPN says is less secure.

So the questions:

1. How less secure is using an OpenVPN provider out there that is only offering username and password authentication, that only provides you a CA cert and config file?

2. For those that are really concerned about their privacy and safety is it best to steer clear of all OpenVPN providers that do not offer certification authentication and only offer user/pass authentication?


THANKS

 

There are three issues if you use just username/pass:

1) Authentication: If your vpn provider didn't provide keys/certs, you can't verify you are really speaking to them or a MITM / imposter.

2) Authorization: if they do not encrypt the authentication channel, you are exposing your credentials (username & password)

3) Plaintext Disclosure: If they aren't using a key, then you probably don't have Perfect Forward Secrecy. This means that your previous traffic streams can be decrypted if either endpoint is compromised in the future.

Anyone claiming security or anonymity, without using key authentication and certs, should be disregarded.

 

Thanks Steve...

 

Something I forgot to ask, looking back now at Steve's reply to number 1; 'didn't provide keys/certs'...

I've seen at times some VPN providers give you one or the other, or provide both, so for a VPN service where you only get a config file and key is this ok? Or if you only get a config file and a ca.crt cert is this ok? Or should we really be on the look out for a service that is giving us a config, key and cert? Then when we say cert, just the ca.crt cert, or what about the client.crt?

THANKS

 

That was a delayed response of the first order. Six months!

 

I forgot about it, anyhow it would be nice to get some clarification on this.


THANKS

 

I would not use any VPN service that didn't use certificates to mutually authenticate servers and clients. Servers use certificate authority to issue client certificate ("client.crt") and key ("client.key"). Clients use server certificate ("ca.crt") to authenticate communications from servers, and they use their certificates to sign communications to servers.

Username and password provide second layer of client authentication to servers. While such two factor authentication is crucial for gmail etc, here it mainly prevents unauthorized use.

Some providers also issue keys ("ta.key") for TLS authentication. That helps protect servers from DoS attacks, in that unsigned packets are simply dropped.

See OpenVPN manual.

 

I'm chatting as we speak to one of OpenVPN's support engineers on this, trying to really get some closure on all this mess, with what should be the accepted standard when using a VPN service and I think I'm just about there...

My bad I use to think there was only one key, ok so two keys, client.key and ta.key. Is the client.key the static key, info found here on it?;

http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html

Here I see the info for the ta.key;

http://openvpn.net/index.php/open-source/documentation/howto.html#security

When I look inside the key I have called vpn.key I see this; (So looks like the static/client.key)

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
d079c0de2e69e6b668f39c55b334owo
oeweowionxc97393ns9328jsudnsjm84


THANKS

 

Cool.

Actually, "static key" is different, third kind - simpler alternative to certificate authority with client-specific certificates/keys.

Both SSL "static.key" and tls-auth "ta.key" have that header. Client keys have header "-----BEGIN RSA PRIVATE KEY-----".

 

Well we're finally getting some where on this, the OpenVPN engineer said this;

The conf and 3 files (ca, cert, key) are a must

So I'm not sure, out of the 3 keys, "static.key" and tls-auth "ta.key" and client, which one he's referring to.

I'm waiting for a reply back on that...


THANKS

 

He's referring to three files: server certificate authority ("ca.crt"), client-specific certificate ("client.crt") and the key for "client.crt" ("client.key") which allows clients to sign traffic to servers. Servers have key for their certificates ("ca.key") which allows them to sign traffic to clients.

Using SSL static keys, both servers and clients have same keys, which they use to sign traffic to each other.

 

Ok so I take it the key I was given is the correct one? Seems odd to give a key and no certs...


THANKS

 

After rereading this thread, I am unsure what you were given. What files did you get?

If you got just config files and a key, and no certificates, it likely was the static key discussed here: -http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html

 

Yep just a config and key, so it's probably as you said the static key. Either way it's still not good without the certs...


THANKS