Are OpenVPN certificates hardware-hard-coded ?
Hi,
Regarding OpenVPN. Once I give .ovpn file with certificates to someone so that he can connect.
If, later, I stop trusting him/her, is it possible revoke them ?
I tried to create two various OpenVPN connections, they seem to share the certificates regardless they have different configurations.
Is this intended to be used with username/password auth but once "leaked" certificates cannot be unleaked?
Is there a way how to reset OpenVPN certs only in some emergency situation, or does even factory reset change the server certs or they are hardware - hard -related ?
Thank you
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Filip009
Thanks for posting in our business forum.
By adding the username and password, or deleting the OVPN and generating a new server can both achieve what you ask for.
- Copy Link
- Report Inappropriate Content
Hi @Filip009
Thanks for posting in our business forum.
By adding the username and password, or deleting the OVPN and generating a new server can both achieve what you ask for.
- Copy Link
- Report Inappropriate Content
Hi Clive_A
deleting the VPN server.... I do not think it applies, maybe bug, maybe misunderstanding
I had
1. OpenVPN server port lets say 661 named "firstTunnel"
I generated .ovpn file - used it successfully
so I created
2. OpenVPN server port lets say 662 named "secondTunnel"
1. "firstTunnel" changed the port to 666, disabled
2. "secondTunnel" changed to 661 enabled
now, the second tunnel, as you suggest, shall have its own certs.
but surprisingly, the original .ovpn file that was generated for "firstTunnel" works for "secondTunnel" (momentarily at port 661) also
it however shall NOT work
because I'd think that it must have different set of certs
So this experiment was why I even asked the question. Because I'd expect every tunnel has its own certificate set.
From my experiment it seems that ALL the tunnels share the certs?
And I am afraid if I give my cert to anyone, I will be doomed forever and there will be no way how to restrict him.
- Copy Link
- Report Inappropriate Content
I tried to remove and re-create the tunnel and still the same.
I use ol .ovpn and still get connected.
I wonder,
I suspect,
all the TP-Link routers share the same key ?
I have no way to prove it since I have no more devices.
But if all the tunnels I create share the same keys, I am a bit scared of what the feature really looks like under cover.
Is there a way hot to re-generate "master" key to invalidate old tunnels ?
- Copy Link
- Report Inappropriate Content
Hi @Filip009
Thanks for posting in our business forum.
Filip009 wrote
I tried to remove and re-create the tunnel and still the same.
I use ol .ovpn and still get connected.
I wonder,
I suspect,
all the TP-Link routers share the same key ?
I have no way to prove it since I have no more devices.
But if all the tunnels I create share the same keys, I am a bit scared of what the feature really looks like under cover.
Is there a way hot to re-generate "master" key to invalidate old tunnels ?
So, you bring it up in the Reddit? I came across this today. Someone replied something similar to my answer that is not possible and not a problem with the router?
Since I have had some models from the warehouse recently. Tested on ER605 V2 with very old firmware. It does not have the same hash value.
Generated 1 server and export, delete. Generate the second one. Different name. It is another set of hash values.
Every time you create a server, it is a different set of hash values. I don't think it is possible to have a bug like this.
You can paste your first two lines of the cert which you can find from the .ovpn. With the screenshots, put both notepad windows in the same place. Mosaic the rest of the parts.
I should see the first two lines of your cert. Your file names.
- Copy Link
- Report Inappropriate Content
good coincidence you found my post at reddit :-)
I was hoping someone could know the answer
I am worried, after making OpenVPN work, to share the key to someone, after I found the key works also for other created tunnels, not just the one. This experiment is very simple to do.
During experiment, I did not test to change the name to some different. I rather used the same tunnel name even for new created tunnel. If it behaves like "for the same name--->generate same key-cert" that would be possible explanation but I have to test it.
I also could not believe there would be some bug like this. But my experiments proved that the sinlge .ovpn worked for other tunnles. This scared me a little and made me ask the questions.
I will repeat said bunch of experiments when I have some time and let you know.
- Copy Link
- Report Inappropriate Content
Hi @Filip009
Thanks for posting in our business forum.
Filip009 wrote
good coincidence you found my post at reddit :-)
I was hoping someone could know the answer
I am worried, after making OpenVPN work, to share the key to someone, after I found the key works also for other created tunnels, not just the one. This experiment is very simple to do.
During experiment, I did not test to change the name to some different. I rather used the same tunnel name even for new created tunnel. If it behaves like "for the same name--->generate same key-cert" that would be possible explanation but I have to test it.
I also could not believe there would be some bug like this. But my experiments proved that the sinlge .ovpn worked for other tunnles. This scared me a little and made me ask the questions.
I will repeat said bunch of experiments when I have some time and let you know.
So I did it again. Same in every parameter. I don't think you are correct on this matter. I think you did not compare the whole cert.
I mosaiced some parts. Highlighted parts are different. Blank parts are identical.
This is the partial and I am showing you the certificate for the encryption. The private keys are different as well. But the identification cert is the same.
Is that part what you referring to as hardware coded? As long as the private and encryption cert are different, they should not connect to your VPN server as they will fail at these key exchange phases.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 636
Replies: 6
Voters 0
No one has voted for it yet.