Are OpenVPN certificates hardware-hard-coded ?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-02-24 16:40:00 - last edited 2024-02-26 02:26:42
Model: ER7206 (TL-ER7206)  
Hardware Version: V2
Firmware Version: 2.1.1 Build 20240110 Rel.42816

Hi,

Regarding OpenVPN: once I give an .ovpn file with certificates to someone so that he can connect, if, later, I stop trusting him/her, is it possible to revoke them?

I tried to create two different OpenVPN connections; they seem to share the certificates even though they have different configurations.

Is this intended to be used with username/password auth, but once "leaked", certificates cannot be unleaked?

Is there a way to reset only the OpenVPN certs in some emergency situation? Does even a factory reset change the server certs, or are they hardware-related?

Thank you

Re: Are OpenVPN certificates hardware-hard-coded? - Solution
2024-02-26 01:24:07 - last edited 2024-02-26 02:26:42

Hi @Filip009

Thanks for posting in our business forum.

Adding the username and password, or deleting the OpenVPN server and generating a new one, can both achieve what you ask for.

Best Regards!
Re:Are OpenVPN certificates hardware-hard-coded ?
2024-02-26 11:24:10

Hi Clive_A

Deleting the VPN server... I do not think it applies; maybe a bug, maybe a misunderstanding.

I had:

 1. OpenVPN server, port let's say 661, named "firstTunnel"

I generated an .ovpn file and used it successfully.

So I created:

 2. OpenVPN server, port let's say 662, named "secondTunnel"

Then:

 1. "firstTunnel": changed the port to 666, disabled
 2. "secondTunnel": changed to 661, enabled

Now the second tunnel, as you suggest, should have its own certs.

But surprisingly, the original .ovpn file that was generated for "firstTunnel" also works for "secondTunnel" (currently at port 661).

It however should NOT work, because I'd think it must have a different set of certs.

So this experiment was why I even asked the question, because I'd expect every tunnel to have its own certificate set.

From my experiment it seems that ALL the tunnels share the certs?

And I am afraid that if I give my cert to anyone, I will be doomed forever and there will be no way to restrict him.
Re:Are OpenVPN certificates hardware-hard-coded ?
2024-03-03 10:05:54

I tried to remove and re-create the tunnel and still the same.

I use the old .ovpn and still get connected.

I wonder, I suspect, that all the TP-Link routers share the same key?

I have no way to prove it since I have no more devices.

But if all the tunnels I create share the same keys, I am a bit scared of what the feature really looks like under the covers.

Is there a way to re-generate the "master" key to invalidate old tunnels?
Re:Are OpenVPN certificates hardware-hard-coded ?
2024-03-26 09:18:10

Hi @Filip009

Thanks for posting in our business forum.

Filip009 wrote:

    I tried to remove and re-create the tunnel and still the same. I use the old .ovpn and still get connected.

    I wonder, I suspect, that all the TP-Link routers share the same key? I have no way to prove it since I have no more devices.

    But if all the tunnels I create share the same keys, I am a bit scared of what the feature really looks like under the covers.

    Is there a way to re-generate the "master" key to invalidate old tunnels?

So, you brought it up on Reddit? I came across this today. Someone replied something similar to my answer: that it is not possible and not a problem with the router?

I have had some models from the warehouse recently, so I tested on an ER605 V2 with very old firmware. It does not have the same hash value.

Generated one server, exported it, deleted it. Generated a second one with a different name. It is another set of hash values.

Every time you create a server, it is a different set of hash values. I don't think it is possible to have a bug like this.

You can paste the first two lines of the cert, which you can find in the .ovpn. In the screenshots, put both Notepad windows in the same place. Mosaic the rest.

I should see the first two lines of your cert and your file names.

Best Regards!
Re:Are OpenVPN certificates hardware-hard-coded ?
2024-03-26 09:52:49

@Clive_A

Good coincidence you found my post on Reddit :-)

I was hoping someone could know the answer.

After making OpenVPN work, I am worried about sharing the key with someone, since I found the key also works for other created tunnels, not just the one. This experiment is very simple to do.

During the experiment, I did not test changing the name to a different one; I rather used the same tunnel name even for the newly created tunnel. If it behaves like "for the same name ---> generate the same key/cert", that would be a possible explanation, but I have to test it.

I also could not believe there would be some bug like this. But my experiments proved that the single .ovpn worked for other tunnels. This scared me a little and made me ask the questions.

I will repeat the said bunch of experiments when I have some time and let you know.
Re:Are OpenVPN certificates hardware-hard-coded ?
2024-03-27 03:40:40 - last edited 2024-03-27 03:43:36

Hi @Filip009

Thanks for posting in our business forum.

Filip009 wrote:

    @Clive_A

    Good coincidence you found my post on Reddit :-)

    I was hoping someone could know the answer.

    After making OpenVPN work, I am worried about sharing the key with someone, since I found the key also works for other created tunnels, not just the one. This experiment is very simple to do.

    During the experiment, I did not test changing the name to a different one; I rather used the same tunnel name even for the newly created tunnel. If it behaves like "for the same name ---> generate the same key/cert", that would be a possible explanation, but I have to test it.

    I also could not believe there would be some bug like this. But my experiments proved that the single .ovpn worked for other tunnels. This scared me a little and made me ask the questions.

    I will repeat the said bunch of experiments when I have some time and let you know.

So I did it again. Same in every parameter. I don't think you are correct on this matter. I think you did not compare the whole cert.

I mosaiced some parts. Highlighted parts are different. Blank parts are identical.

This is partial, and I am showing you the certificate for the encryption. The private keys are different as well, but the identification cert is the same.

Is that part what you are referring to as hardware-coded? As long as the private key and the encryption cert are different, they should not connect to your VPN server, as they will fail at the key exchange phase.

Best Regards!
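The check the two posters are arguing about (post #5 asks for the first two lines of the cert; the last post says the private keys differ but the "identification cert" is the same) is easier to settle by fingerprinting every inline block of the two exported profiles rather than eyeballing screenshots. The script below is an added example, not code from TP-Link, the router firmware or the OpenVPN project. It uses only the Python standard library: it pulls the <ca>, <cert> and <key> blocks (plus <tls-auth>/<tls-crypt> if present) out of each .ovpn, computes the SHA-256 of the DER bytes for certificates (the same value `openssl x509 -noout -fingerprint -sha256` prints) and a whitespace-insensitive hash for key material, and reports which pieces are shared. The two sample profiles, the 203.0.113.1 address and ports, and the PEM bodies are constructed placeholders, not real certificates; the verdict() interpretation assumes, as the thread does, that the <ca> carried in the profile is also the CA that issued the client certificates.

```python
"""Compare the inline certificate material of two OpenVPN (.ovpn) profiles.

Added example for the thread above; not code from the router or from OpenVPN.
It answers "which pieces do two exported profiles share?" using only the
standard library: each <ca>, <cert>, <key> (and, if present, <tls-auth> /
<tls-crypt>) block is fingerprinted and the results are compared.
"""
import base64
import hashlib
import re
import sys

# Inline blocks an exported .ovpn may carry. tls-auth/tls-crypt are optional
# static keys rather than X.509 objects, but if present they must match too.
BLOCKS = ("ca", "cert", "key", "tls-auth", "tls-crypt")

_BLOCK_RE = re.compile(r"<(?P<tag>[a-z-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)
_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<b64>.*?)-----END CERTIFICATE-----", re.S
)


def inline_blocks(ovpn_text: str) -> dict:
    """Return {tag: body} for every <tag>...</tag> block in a profile."""
    return {m.group("tag"): m.group("body") for m in _BLOCK_RE.finditer(ovpn_text)}


def fingerprint(block_text: str) -> str:
    """SHA-256 hex digest of a block.

    For an X.509 certificate this is the digest of the DER bytes, i.e. the same
    value `openssl x509 -noout -fingerprint -sha256` prints (minus the colons).
    Other material (private keys, static keys) is hashed after stripping
    whitespace, which is enough to tell 'identical' from 'different' even when
    one copy was saved by Notepad with CRLF line endings.
    """
    m = _CERT_RE.search(block_text)
    if m:
        der = base64.b64decode("".join(m.group("b64").split()))
        return hashlib.sha256(der).hexdigest()
    return hashlib.sha256("".join(block_text.split()).encode()).hexdigest()


def compare_profiles(profile_a: str, profile_b: str) -> dict:
    """Map each block tag found in either profile to 'same', 'different' or
    'missing' (present in only one of the two files)."""
    a, b = inline_blocks(profile_a), inline_blocks(profile_b)
    result = {}
    for tag in BLOCKS:
        if tag in a and tag in b:
            result[tag] = "same" if fingerprint(a[tag]) == fingerprint(b[tag]) else "different"
        elif tag in a or tag in b:
            result[tag] = "missing"
    return result


def verdict(comparison: dict) -> str:
    """Read a comparison from the server's point of view. Assumption: the <ca>
    in the profile is also the CA that issued the client certificates (the
    usual layout for an appliance-generated profile)."""
    if comparison.get("cert") == "same" and comparison.get("key") == "same":
        return "same client identity: the first profile still authenticates"
    if comparison.get("ca") == "same":
        return ("same CA, different client: the first profile's cert still chains "
                "to this trust root and stays valid unless a CRL or a new CA is used")
    return "different trust root: the first profile can no longer authenticate"


# --- constructed sample profiles (placeholder PEM bodies, not real certs) ---
def _placeholder_pem(label: str, payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


def _profile(ca: str, cert: str, key: str, port: int) -> str:
    return (
        f"client\ndev tun\nremote 203.0.113.1 {port}\n"
        f"<ca>\n{ca}</ca>\n<cert>\n{cert}</cert>\n<key>\n{key}</key>\n"
    )


SHARED_CA = _placeholder_pem("CERTIFICATE", b"placeholder router CA")
PROFILE_FIRST = _profile(SHARED_CA,
                         _placeholder_pem("CERTIFICATE", b"placeholder client cert 1"),
                         _placeholder_pem("PRIVATE KEY", b"placeholder client key 1"), 661)
PROFILE_SECOND = _profile(SHARED_CA,
                          _placeholder_pem("CERTIFICATE", b"placeholder client cert 2"),
                          _placeholder_pem("PRIVATE KEY", b"placeholder client key 2"), 662)


def report(profile_a: str, profile_b: str) -> str:
    cmp = compare_profiles(profile_a, profile_b)
    lines = [f"{tag:10s} {state}" for tag, state in cmp.items()]
    return "\n".join(lines + ["verdict: " + verdict(cmp)])


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real use: compare two exported .ovpn files
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            print(report(fa.read(), fb.read()))
    else:                   # no arguments: run on the constructed samples
        print(report(PROFILE_FIRST, PROFILE_SECOND))
```

Run it as `python3 compare_ovpn.py firstTunnel.ovpn secondTunnel.ovpn`. Two caveats worth keeping in mind when reading the output: the first two lines of a PEM body are not a reliable identifier, so compare the whole-object fingerprints; and "same CA, different client" is the case to watch, because a server that keeps the CA and only re-issues its own certificate will still accept every client certificate that CA ever signed. In stock OpenVPN that gap is closed with `crl-verify` (a CRL published by the CA); the thread does not say the router's GUI exposes such a list, which is why the answers fall back to username/password authentication or regenerating the whole server.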