geffers
Posts: 386
Joined: Sun Jun 24, 2012 6:25 am
Location: UK
Contact: Website

Pi-VPN Security

Wed Jun 28, 2017 9:40 pm

Folks,

I've got Pi-VPN installed and it is working fine with an Android phone and Netpad. I want to expand this to a remote desktop but am having difficulty understanding the security.

Pi-VPN can create .ovpn files for each client; this file contains certificate and secret key details, so I am assuming that if this .ovpn file was copied anyone could use it to log in. If so, it is only as secure as the password protecting it. Or am I understanding this wrongly?

Geffers

Heater
Posts: 14428
Joined: Tue Jul 17, 2012 3:02 pm

Re: Pi-VPN Security

Wed Jun 28, 2017 10:01 pm

That is how it is.
Memory in C++ is a leaky abstraction.

pi_everalm
Posts: 33
Joined: Thu Apr 20, 2017 11:44 am

Re: Pi-VPN Security

Thu Jun 29, 2017 8:46 am

Security is as strong as its weakest link.

The OpenVPN solution underlying PiVPN is a strong and robust mechanism which will secure the communication path between the two end points. So long as you treat the .ovpn files securely then you will be as reasonably safe as you can expect to be.

One option might be to keep the files on removable media and only connect when required.
Another might be to encrypt/decrypt the ovpn files using something like VeraCrypt on a demand basis.
Another would be to add 2 Factor Authentication to the VPN module such as Authy or Google Authenticator.

It comes down to your level of paranoia or risk tolerance.
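To make the concern in this thread concrete (does a copied .ovpn file, on its own, let someone connect?), here is an added Python audit script; it is not PiVPN code and not from any poster. It pulls the inline <cert>/<key> blocks out of a client profile, checks whether the private key PEM is passphrase-protected, and checks whether the profile also demands a server-side password via the auth-user-pass option. The sample profile is constructed, with placeholder PEM bodies and an invalid hostname.

```python
import re

# Constructed sample profile (not real PiVPN output): inline client cert plus a
# private key whose PEM header marks it as passphrase-protected.
SAMPLE_OVPN = """client
dev tun
remote vpn.example.invalid 1194
auth-user-pass
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

# OpenVPN inline blocks look like <tag>...</tag> for ca, cert, key, tls-auth, tls-crypt.
INLINE_BLOCK = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>\n(.*?)\n</\1>", re.S)


def parse_ovpn(text):
    """Split a profile into its option keywords and its inline PEM blocks."""
    blocks = {m.group(1): m.group(2) for m in INLINE_BLOCK.finditer(text)}
    options = set()
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            options.add(line.split()[0])  # first word is the option name
    return options, blocks


def key_is_encrypted(pem):
    """True when the PEM key needs a passphrase (PKCS#8 or legacy OpenSSL header)."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem


def audit_ovpn(text):
    """Report whether possessing this file alone is enough to connect."""
    options, blocks = parse_ovpn(text)
    key = blocks.get("key", "")
    report = {
        "has_private_key": bool(key),
        "key_encrypted": key_is_encrypted(key),
        "needs_password": "auth-user-pass" in options,  # server checks a user/pass too
        "has_tls_key": bool(set(blocks) & {"tls-auth", "tls-crypt"}),
    }
    # A plaintext key with no extra credential means the file is the whole secret.
    report["file_alone_suffices"] = (report["has_private_key"]
                                     and not report["key_encrypted"]
                                     and not report["needs_password"])
    return report
```

Run it over each exported profile; a True "file_alone_suffices" is the case the thread is worried about, and the two mitigations it can detect are an encrypted key (OpenVPN prompts for the passphrase) or a second, server-side credential.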

geffers
Posts: 386
Joined: Sun Jun 24, 2012 6:25 am
Location: UK
Contact: Website

Re: Pi-VPN Security

Thu Jun 29, 2017 6:45 pm

What I don't quite understand about openvpn is the various security options.

Secret key I understand; then there are certificates, certificate authorities, Diffie-Hellman, etc. All these, apart from Diffie-Hellman, are stored on the client machine.

What extra security does a certificate give one if it is the password that protects it all?

Geffers

NotRequired
Posts: 196
Joined: Sat Apr 29, 2017 10:36 am
Location: Denmark

Re: Pi-VPN Security

Thu Jun 29, 2017 7:09 pm

The certificate is used to identify "someone" (e.g. a machine / a server) and the certificate authority is used to verify the certificate. A VPN (TLS/SSL) connection is established by (simplified):

1) Client requests the server's certificate.
2) Client verifies the certificate using a certificate authority.
3) Client requests the server's public key (*).
4) Client uses the server's public key to encrypt and send a secret key to the server.
5) Server uses the client's secret key to encrypt the connection.

(*) Encryption using public & private key pairs is referred to as asymmetric encryption. This means that one key is used for encryption and another key is used for decryption. So a public key can be considered a "lock" and the private key (stored securely on the server) is the key to open the lock. You cannot open the lock with the lock itself (reverse engineer). This is why TLS / SSL can be both secure and password free as long as the server's private key remains private.

More info:
https://en.wikipedia.org/wiki/Certificate_authority
https://en.wikipedia.org/wiki/Transport_Layer_Security
https://en.wikipedia.org/wiki/Public-key_cryptography
Please do not ask questions in private messages, they will not help others.

geffers
Posts: 386
Joined: Sun Jun 24, 2012 6:25 am
Location: UK
Contact: Website

Re: Pi-VPN Security

Sat Jul 01, 2017 8:05 am

NotRequired,

Thank you for the detailed explanation.

I think I was thinking of the security the wrong way round; it seems to be more about confirming the server is genuine to the client rather than confirming to the server that the client is genuine.

Geffers

magstax
Posts: 1
Joined: Thu Jun 29, 2017 1:28 pm

Re: Pi-VPN Security

Sat Jul 01, 2017 11:51 am

pi_everalm wrote: One option might be to keep the files on removable media and only connect when required
Another might be to encrypt/decrypt the ovpn files using something like VeraCrypt on a demand basis
Another would be to add 2 Factor Authentication to the VPN module such as Authy or Google Authenticator
Thanks for the helpful tips for securing ovpn files. I think a combination of encryption and removable media will provide a robust mechanism for my security needs.
