How is the process of authentication in OpenVPN?

This forum is for general conversation and user-user networking.
Post Reply
maryam.saeidi2012
OpenVpn Newbie
Posts: 1
Joined: Tue Aug 14, 2012 7:49 pm

How is the process of authentication in OpenVPN?

Post by maryam.saeidi2012 » Tue Aug 14, 2012 8:01 pm

Can anybody explain the process of authentication in OpenVPN in sample config?
For example, is it right that at the first step, both sides send their public key for each other, and after that dh set the session key and ...?

dazo
OpenVPN Inc.
Posts: 136
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ irc.freenode.net

Re: How is the process of authentication in OpenVPN?

Post by dazo » Wed Aug 15, 2012 4:54 pm

I will here presume you are talking about TLS/SSL authentication, which requires a CA certificate and client + server keys and certificates.

This consists of 3 parties. The client which connects to a server, the server itself and a certificate authority (CA).

The purpose of the CA is to ensure the identity of clients and servers. The CA issues certificates, based on a Certificate Signing Request (CSR) from the client or server. This information is evaluated (usually by a person), and if found good, this request is signed and the result is a certificate. The contents of a certificate is a public key, information about who this certificate belongs to, an expiry date of this certificate and a signature from the CA.

To validate the authenticity of a client or server certificate, you need the CA certificate. As certificates contains a public key, you can then verify if the contents of the certificate is valid by using the public key from the CA certificate which signed the certificate and the signature in the certificate. If you get a match here, it is a valid signature. All this is tackled by the SSL implementation (like f.ex. OpenSSL)

So what happens when an OpenVPN client connects to an OpenVPN server? During the initial TLS/SSL handshake, the server and client exchanges certificates. The client sends its own client certificate to the server, and the server sends its cerrtificate to the client. Then each side will use the local copy of the CA certificate they have, and check the authenticity of the certificate they received. If this check proves that the certificate is valid, the connection continues to the next phases (such as exchanging/agreeing on temporary encryption keys).

Regarding the security here ... As long as each side can trust that the CA is to be trusted completely, then this is very safe. But if you cannot trust the CA, even if you just trust it 99%, then it is not a good starting point. So for OpenVPN, I recommend you to control your own CA, which you can ultimately trust. And keep all files related to the CA (and in particular the CA private key and its password) safe. Put these files on a flashdrive or an external harddrive which you only connect when you need to issue another certificate.

The files which are needed on the OpenVPN server, and needs to be configured in the openvpn config file are:
dh*.pem (dh parameters)
server.key (private server key file, must only be readable by openvpn when it starts)
server.crt (public server certificate, can be readable by anyone - but not writeable)
ca.crt (public CA certificate, used to check the authenticity of server and client certificates)

The files which are needed on the OpenVPN client and needs to be configured in the openvpn config file are:
client.key (private client key file, must only be readable by openvpn when it starts)
client.crt (public client certificate, can be readable by anyone - but not writeable)
ca.crt (public CA certificate, used to check the authenticity of server and client certificates)

Both the server.crt and client.crt files needs to be issued by the same CA, which can be checked via the ca.crt file. It is possible to do it more advanced, with multiple CAs and different CA levels - but I will not cover this scenario here. That's a far more advanced topic.

Post Reply