I just discovered a weird login behavior by accident while setting up an OPNsense box. At first I thought this was an OPNsense issue, but the same happens on an OpenBSD box which has been in production for a while.
The issue has also been reported on the OPNsense forum: https://forum.opnsense.org/index.php?topic=14152.0.
What I discovered is that while using a user-specific some_user.ovpn configuration (User A) to get VPN access, one is allowed to use the credentials of another user (User B).
Obviously this is not something I would expect. The user A config file does contain the personal cert and private key, so one would expect that only this user would be allowed to logon while using his own credentials.
I do consider this behavior as a security issue.
Any suggestions?
Serious login failure, security issue
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Sep 10, 2019 12:42 pm
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Sep 10, 2019 12:42 pm
Re: Serious login failure, security issue
TinCanTech wrote:
Don't use OPNsense ..
That's not very helpful as the same goes for OpenVPN on OpenBSD!!! Don't tell me this is a BSD issue!
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Serious login failure, security issue
It is not an "issue" at all, it is simply a poor configuration by a third party.
If you learn how openvpn works then you don't need third party garbage at all.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Sep 10, 2019 12:42 pm
Re: Serious login failure, security issue
So what can be wrong in a configuration that leads to this behavior? Is any OS included in what you call garbage?
As I explained, I have OpenVPN running on an OpenBSD box which was manually configured, and I believe exactly how it should be, and it is behaving exactly the same as what you call the garbage box. Or do you prefer me to run Windows?
This is a straightforward "Remote Access (SSL/TLS + User Auth)" configuration including assigning a fixed IP address.
So I state, IT IS AN ISSUE!!! Just try it yourself.
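The behaviour described in this thread (a certificate issued to user A accepted together with user B's username and password) is what you get when the TLS client-certificate check and the username/password check are evaluated independently and nothing ties the two identities together. The following is an added example, not code from this thread, from OpenVPN, OPNsense or OpenBSD: the logic for an `auth-user-pass-verify` script that rejects a login unless the username the client sent equals the Common Name of the client certificate TLS already verified. It relies on the `common_name` environment variable OpenVPN sets for that script and, in `via-env` mode, on `username`; the script path in the comment, the `via-file` handling and the assumption that this check is chained in front of the existing password verification are mine.

```python
#!/usr/bin/env python3
"""Bind the presented username to the client certificate's Common Name.

Added example (not project code). Assumed server configuration:
    script-security 3
    auth-user-pass-verify /usr/local/libexec/bind_user_to_cn.py via-env
Password verification is NOT done here; chain this in front of whatever
already checks the password (local file, LDAP, RADIUS, ...).
"""
import os
import sys


def check_binding(username, common_name):
    """True only when both values are present and identical.

    A missing username or CN is treated as a failure, never as a pass.
    Trailing whitespace is stripped so a stray newline from a via-file
    credential file does not cause a spurious mismatch.
    """
    if not username or not common_name:
        return False
    return username.strip() == common_name.strip()


def read_via_file(path):
    """Parse the two-line file OpenVPN writes in via-file mode.

    Line 1 is the username, line 2 the password. Returns (None, None)
    when the file is malformed so the caller rejects the login.
    """
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        return None, None
    return lines[0], lines[1]


def decide(env, argv):
    """Return the exit status OpenVPN expects: 0 = accept, 1 = reject.

    env  : mapping with OpenVPN's script environment (common_name, username)
    argv : sys.argv; in via-file mode argv[1] is the credential file path
    """
    common_name = env.get("common_name")
    if len(argv) > 1 and os.path.isfile(argv[1]):
        username, _password = read_via_file(argv[1])  # via-file mode
    else:
        username = env.get("username")                # via-env mode
    if check_binding(username, common_name):
        return 0
    # Log the mismatch so a SIEM/detection rule can alert on cert/user mixing.
    sys.stderr.write(
        "bind_user_to_cn: REJECT username=%r common_name=%r\n"
        % (username, common_name)
    )
    return 1


if __name__ == "__main__":
    sys.exit(decide(os.environ, sys.argv))
```

Deploy it as (or inside) the server's `auth-user-pass-verify` script; the rejection line on stderr lands in the OpenVPN log and is the event a defender would alert on, since a certificate for one user arriving with another user's name is exactly the symptom reported above.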
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Serious login failure, security issue
It is not an issue, it is due to following poor quality third party advice and settings.
The thread on OPNsense forum explains it, according to their own moderator ..
If you need help from me then please see:
viewtopic.php?f=30&t=22603#p68963