
Serious login failure, security issue

Posted: Tue Sep 10, 2019 1:02 pm
by gdur
I just discovered a weird login behavior by accident while setting up an OPNsense box. At first I thought this was an OPNsense issue, but the same happens on an OpenBSD box which has been in production for a while.
The issue found has also been reported on the OPNsense forum: https://forum.opnsense.org/index.php?topic=14152.0.
The issue is that I discovered that while using a user-specific some_user.ovpn configuration (User A) to get VPN access, one is allowed to use the credentials of another user (User B).
Obviously this is not something I would expect. The User A config file does contain the personal cert and private key, so one would expect that only this user would be allowed to log on while using his own credentials.
I do consider this behavior as a security issue.
Any suggestions?

Re: Serious login failure, security issue

Posted: Tue Sep 10, 2019 1:43 pm
by TinCanTech
gdur wrote:
Tue Sep 10, 2019 1:02 pm
Any suggestions?
Don't use OPNsense ..

Re: Serious login failure, security issue

Posted: Tue Sep 10, 2019 2:01 pm
by gdur
TinCanTech wrote:
Don't use OPNsense ..
That's not very helpful as the same goes for OpenVPN on OpenBSD!!! Don't tell me this is a BSD issue!

Re: Serious login failure, security issue

Posted: Tue Sep 10, 2019 2:43 pm
by TinCanTech
It is not an "issue" at all, it is simply a poor configuration by a third party.

If you learn how openvpn works then you don't need third party garbage at all.

Re: Serious login failure, security issue

Posted: Tue Sep 10, 2019 3:00 pm
by gdur
So what can be wrong in a configuration that leads to this behavior? Is any OS included in what you call garbage?
As I explained, I have OpenVPN running on an OpenBSD box which was manually configured, I believe exactly how it should be, and it is behaving exactly the same as what you call the garbage box. Or do you prefer me to run Windows?
This is a straight forward "Remote Access (SSL/TLS + User Auth)" configuration including assigning a fixed IP address.
So I state, IT IS AN ISSUE!!! Just try it yourself.

Re: Serious login failure, security issue

Posted: Tue Sep 10, 2019 3:25 pm
by TinCanTech
gdur wrote:
Tue Sep 10, 2019 3:00 pm
IT IS AN ISSUE!!! Just try it yourself
It is not an issue, it is due to following poor quality third party advice and settings.
gdur wrote:
Tue Sep 10, 2019 3:00 pm
So what can be wrong in a configuration that leads to this behavior?
The thread on OPNsense forum explains it, according to their own moderator ..

If you need help from me then please see:
viewtopic.php?f=30&t=22603#p68963
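What the thread describes (User A's certificate accepted together with User B's username and password) follows from the fact that, in a "SSL/TLS + User Auth" setup, OpenVPN evaluates the client certificate and the username/password as two independent checks; nothing ties the certificate's Common Name to the submitted username unless the server configuration does so explicitly. The script below is an added example, not code from this thread, from OpenVPN, OPNsense or OpenBSD: a hypothetical `auth-user-pass-verify` hook (assumed to be installed as `/usr/local/bin/cn_matches_user.py`, run in `via-file` mode with `script-security 2`) that rejects the login unless the certificate CN equals the username. It assumes the per-user certificates carry the login name as their CN, which is not stated on this page. The `simulate()` helper and its inputs are constructed here so the check can be exercised offline.

```python
#!/usr/bin/env python3
"""Hypothetical OpenVPN auth-user-pass-verify hook (added example, not from the thread).

Assumed server-side lines (not from the thread):
    script-security 2
    auth-user-pass-verify /usr/local/bin/cn_matches_user.py via-file

In via-file mode OpenVPN hands the script a temporary file whose first two lines
are the username and password, and exports the client's verified certificate CN
as the environment variable `common_name`. Exit status 0 accepts the login;
anything else rejects it.
"""
import os
import sys
import tempfile


def read_username(credentials_path):
    """Return the username, i.e. the first line of the via-file OpenVPN wrote."""
    with open(credentials_path, "r", encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def cn_matches_username(common_name, username):
    """Accept only when the certificate identity and the credential identity agree.

    Comparison is exact (case-sensitive); an empty CN or username never matches,
    so a missing `common_name` variable fails closed.
    """
    if not common_name or not username:
        return False
    return common_name == username


def main(argv, environ):
    """Entry point shaped like OpenVPN's call: argv[1] is the via-file path."""
    if len(argv) < 2:
        sys.stderr.write("cn_matches_user: no credentials file given\n")
        return 1
    username = read_username(argv[1])
    common_name = environ.get("common_name", "")
    if cn_matches_username(common_name, username):
        return 0
    sys.stderr.write(
        f"cn_matches_user: rejected username={username!r} common_name={common_name!r}\n"
    )
    return 1


def simulate(common_name, username, password):
    """Exercise main() with constructed inputs, the way OpenVPN would call it.

    Writes a temporary via-file (username, password) and fakes the environment
    that OpenVPN exports; returns the exit status main() would produce.
    """
    with tempfile.NamedTemporaryFile("w", delete=False, encoding="utf-8") as fh:
        fh.write(f"{username}\n{password}\n")
        path = fh.name
    try:
        return main(["cn_matches_user.py", path], {"common_name": common_name})
    finally:
        os.unlink(path)


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

With this hook in place, the scenario from the first post (the `some_user.ovpn` file of User A, whose certificate CN is `usera`, sent with the credentials of `userb`) is refused, while `usera` logging in with his own credentials passes. Two caveats: the script only enforces the CN-to-username binding, it does not verify the password, so password checking must still happen in the server's existing user-auth mechanism (for example the PAM plugin); if this script were the only user-auth hook, passwords would go unchecked. And `common_name` is only meaningful because OpenVPN sets it from the certificate it has already verified against the CA; the check must never be fed a CN taken from anything the client can choose freely.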