Do You Need All These Certs & Keys?

DasFox
OpenVPN User
Posts: 42
Joined: Sat Dec 04, 2010 4:16 am

Do You Need All These Certs & Keys?

Post by DasFox » Tue May 10, 2011 3:20 am

A lot of the VPN providers all over the web, many of which I have used, have only given a ca.crt and a .ovpn/.config file, and the VPN seems to work fine.

Now I wanted to test out a GUI in Linux and the developer told me that on OpenVPN's site

According to the OpenVPN website I've been told you need these certs and keys to make it work:
ca.crt , client1.crt , client1.key...

If I'm supposed to use all 3, then why do the VPN services I'm using seem to be working fine without all of them and with only the ca.crt?


THANKS

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Do You Need All These Certs & Keys?

Post by janjust » Tue May 10, 2011 8:41 am

A "normal" OpenVPN setup uses both client and server certificates. Both client and server certificates need to be signed by a CA. In order to set up a fully trusted connection you need (on the client) the client certificate and key, as well as the CA certificate that was used to sign the server certificate: client.crt, client.key + ca.crt.


It is possible to not use client-side certificates (use 'client-cert-not-required' on the server) and fall back to username+password authentication, but this is considered less secure. In that case the client only needs to have the ca.crt file present. A lot of VPN providers work this way.

DasFox
OpenVPN User
Posts: 42
Joined: Sat Dec 04, 2010 4:16 am

Re: Do You Need All These Certs & Keys?

Post by DasFox » Tue May 10, 2011 10:49 pm

Well, the thing is, most of the OpenVPN providers you find all across the web offering VPN service are just user/pass authentication only, so how much less secure is this really, and should we be really concerned and steer clear of providers like this and only look for certification authentication?


THANKS

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Do You Need All These Certs & Keys?

Post by janjust » Tue May 10, 2011 10:52 pm

Username+password authentication can be secure, if the passwords are strong enough; I'd worry about providers that don't enforce strong password policies.
If you want to be really paranoid I'd choose a provider that supplies client-side certs as well, but as far as OpenVPN is concerned the connection is secure without as well.

PPTP VPNs without certs (or VERY strong password policies) are fundamentally insecure.

DasFox
OpenVPN User
Posts: 42
Joined: Sat Dec 04, 2010 4:16 am

Re: Do You Need All These Certs & Keys?

Post by DasFox » Thu May 12, 2011 11:11 pm

A professional in the industry told me this;


There are three issues if you use just username/pass:

1) Authentication: If your vpn provider didn't provide keys/certs, you can't verify you are really speaking to them or a MITM / imposter.

2) Authorization: if they do not encrypt the authentication channel, you are exposing your credentials (username & password)

3) Plaintext Disclosure: If they aren't using a key, then you probably don't have Perfect Forward Secrecy. This means that your previous traffic streams can be decrypted if either endpoint is compromised in the future.

Anyone claiming security or anonymity, without using key authentication and certs, should be disregarded.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Do You Need All These Certs & Keys?

Post by maikcat » Fri May 13, 2011 10:15 am

Hi there,

Maybe this is a little off topic, but

I can give you a SINGLE ovpn config file with *ALL* certs included.

It may seem to you that you get only a config file, but in reality I actually
give you config+certs all together...

Just my 2 cents..

Michael
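As an added illustration (not code from any poster in this thread or from the OpenVPN project), the Python sketch below reads a client config and reports which of the setups discussed above it uses: ca.crt plus username/password, or ca + client cert + key, whether referenced as separate files or embedded inline in a single .ovpn file. It assumes only the `ca`, `cert`, `key` and `auth-user-pass` directives matter; the function names and sample configs are constructed for the example.

```python
import re

MATERIAL = ("ca", "cert", "key")  # each may be a file path or an inline <tag> block

def audit_ovpn(text):
    """Report which authentication material a client config carries."""
    found = {"ca": None, "cert": None, "key": None, "auth-user-pass": False}
    inline = None  # tag name while inside an inline block
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # skip the embedded body until the closing tag
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            inline = tag.group(1)
            if inline in MATERIAL:
                found[inline] = "inline"
            continue
        word, *args = line.split()
        if word in MATERIAL and args:
            found[word] = "file"
        elif word == "auth-user-pass":
            found[word] = True
    return found

def classify(found):
    """Map the audit result onto the setups described in the thread."""
    if not found["ca"]:
        return "no ca directive"
    has_cert = bool(found["cert"] and found["key"])
    if has_cert:
        return "client certificate" + (" + username/password" if found["auth-user-pass"] else "")
    return "username/password only" if found["auth-user-pass"] else "no client credential"

# Constructed sample configs (hostname and embedded bodies are placeholders).
PROVIDER_STYLE = "client\nremote vpn.example.net 1194\nca ca.crt\nauth-user-pass\n"
SINGLE_FILE = "client\n" + "".join(f"<{t}>\n(placeholder PEM)\n</{t}>\n" for t in MATERIAL)

if __name__ == "__main__":
    for name, cfg in (("provider", PROVIDER_STYLE), ("single-file", SINGLE_FILE)):
        print(name, "->", classify(audit_ovpn(cfg)), audit_ovpn(cfg))
```

A config that looks like "only a config file" can still classify as certificate-based when the material is inline, which is the case described in the last post.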