Serious login failure, security issue

gdur
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 10, 2019 12:42 pm

Post by gdur » Tue Sep 10, 2019 1:02 pm

I just discovered a weird login behavior by accident while setting up an OPNsense box. At first I thought this was an OPNsense issue, but the same happens on an OpenBSD box which has been in production for a while.
The issue found has also been reported on the OPNsense forum: https://forum.opnsense.org/index.php?topic=14152.0.
The issue is that I discovered that, while using a user-specific some_user.ovpn configuration (User A) to get VPN access, one is allowed to use the credentials of another user (User B).
Obviously this is not something I would expect. The user A config file does contain the personal cert and private key, so one would expect that only this user would be allowed to log on while using his own credentials.
I do consider this behavior a security issue.
Any suggestions?

TinCanTech
OpenVPN Protagonist
Posts: 5920
Joined: Fri Jun 03, 2016 1:17 pm

Re: Serious login failure, security issue

Post by TinCanTech » Tue Sep 10, 2019 1:43 pm

gdur wrote (Tue Sep 10, 2019 1:02 pm):
> Any suggestions?

Don't use OPNsense ..

Re: Serious login failure, security issue

Post by gdur » Tue Sep 10, 2019 2:01 pm

TinCanTech wrote:
> Don't use OPNsense ..

That's not very helpful as the same goes for OpenVPN on OpenBSD!!! Don't tell me this is a BSD issue!

Re: Serious login failure, security issue

Post by TinCanTech » Tue Sep 10, 2019 2:43 pm

It is not an "issue" at all, it is simply a poor configuration by a third party.

If you learn how openvpn works then you don't need third party garbage at all.

Re: Serious login failure, security issue

Post by gdur » Tue Sep 10, 2019 3:00 pm

So what can be wrong in a configuration that leads to this behavior? Is any OS included in what you call garbage?
As I explained, I have OpenVPN running on an OpenBSD box which was manually configured, I believe exactly how it should be, and it is behaving exactly the same as what you call the garbage box. Or do you prefer me to run Windows?
This is a straightforward "Remote Access (SSL/TLS + User Auth)" configuration including assigning a fixed IP address.
So I state, IT IS AN ISSUE!!! Just try it yourself.

Re: Serious login failure, security issue

Post by TinCanTech » Tue Sep 10, 2019 3:25 pm

gdur wrote (Tue Sep 10, 2019 3:00 pm):
> IT IS AN ISSUE!!! Just try it yourself

It is not an issue, it is due to following poor quality third party advice and settings.

gdur wrote (Tue Sep 10, 2019 3:00 pm):
> So what can be wrong in a configuration that leads to this behavior?

The thread on OPNsense forum explains it, according to their own moderator ..

If you need help from me then please see:
viewtopic.php?f=30&t=22603#p68963
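
Added example, not written by any poster in this thread and not code from OpenVPN or OPNsense: OpenVPN verifies the client certificate and the username/password as two independent checks, so tying a login name to the certificate it was issued for is left to the `auth-user-pass-verify` script. The wrapper below is one way to do that in `via-env` mode; the script path, the `REAL_VERIFY` path and both function names are assumptions.

```sh
#!/bin/sh
# Hypothetical server config:
#   script-security 3
#   auth-user-pass-verify /etc/openvpn/verify-cn.sh via-env
# In via-env mode OpenVPN exports $username and $password, and $common_name
# holds the CN of the client certificate that passed TLS verification.

REAL_VERIFY=/usr/local/libexec/check-password   # hypothetical site-specific verifier

# Return 0 only when the certificate CN and the login name are both present
# and identical. The comparison is exact: "Alice" and "alice" differ.
cn_matches_user() {
    cn=$1
    user=$2
    [ -n "$cn" ] || return 1      # no verified certificate CN: deny
    [ -n "$user" ] || return 1    # empty login name: deny
    [ "$cn" = "$user" ]
}

# Bind CN to username first, then delegate the password check to $3.
verify_login() {
    if ! cn_matches_user "$1" "$2"; then
        echo "DENY: cert CN '$1' used with login '$2'" >&2
        return 1
    fi
    if [ -z "$3" ] || [ ! -x "$3" ]; then
        echo "DENY: no password verifier available" >&2
        return 1                  # fail closed: a CN match alone is not a login
    fi
    "$3"                          # child inherits username/password from the env
}

# Act only when OpenVPN has exported the login variables.
if [ -n "${username+x}" ] || [ -n "${common_name+x}" ]; then
    verify_login "${common_name:-}" "${username:-}" "$REAL_VERIFY"
    exit $?
fi
```

A non-zero exit makes OpenVPN reject the login, so User B's valid password presented with User A's certificate is refused before the password is even checked.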
