With the latest update of IPFire, a new feature is available which helps to make OpenVPN connections more secure: OpenVPN Two-Factor Authentication (2FA). This post explains what Two-Factor Authentication is, what it is good for, and how to use it with IPFire and OpenVPN.
Hardening OpenVPN User-Authentication - Why?
In IPFire, OpenVPN is using certificates to authenticate any clients against the server. That is the most secure way, because it is virtually impossible to brute-force a certificate. For an attacker, it is much easier to guess usernames because they can be found in email addresses and on company websites and try out various passwords.
However, certificates do not come free of any disadvantages. For example, they can be stolen and so somebody else who is not authorised can use the certificate. It works just like the key to your front door.
In the real world, we have also learned this lesson from credit cards which now have a PIN. Previously, the person who had the card could use it to pay - but nowadays a PIN is required. Since the card can be stolen, the PIN is something that the card holder knows and never writes down. Therefore, the card is useless for the thief and the PIN can be seen as the second factor.
But aren't certificates password protected? Yes, they are - and it provides strong security, unless a weak password is being used - which is sadly too common as any network administrator who has hundreds of VPN connections will tell you. So, in many cases, someone can simply brute-force the password on a stolen certificate on their own computer without anyone noticing.
If someone tries this on a web login, any failed attempts per user or IP address can be logged and the user account can be disabled. Brute-forcing the certificate's password however goes unnoticed which is why we do not consider this as very strong protection.
This is where Two-Factor Authentication comes in. Authentication is being performed in two steps:
- The regular authentication using the certificate. That way, we have strong cryptographic means to identify the user that is trying to establish a VPN connection.
- After that, the user will be asked for a PIN which is being dynamically generated and constantly changing.
The PIN is usually being generated on a second device to make any theft more difficult. That device needs to be synchronised at the very beginning so that it will produce the correct PINs. Garnished with a static password on the certificate, this method provides strong authentication when being reasonably user-friendly at the same time.
How to set this up?
To get started with securing your OpenVPN client connections, you will need to follow these short steps:
- Go to the OpenVPN configuration page and either create a new Roadwarrior connection with OTP enabled, or enable OTP on an existing configuration. It is just one checkbox.
- You will then need to import the connection (or reimport if you changed an existing connection) into your OpenVPN client or your laptop or other device
- Next to the OpenVPN connection, you will now see a little icon with a QR code. Click on that and scan the code with a compatible app. You can find a list of those on the IPFire Wiki.
- When you now try to establish the VPN connection, you will be asked for your the number that the app is showing you.
That is all. It is very simple and quick to set up, but will massively improve the security of your VPN connections and reduce any potential damage to your network if a laptop with a certificate is being stolen.