OpenVPN server is reusing key and the old certificate is valid after new implementation.
OpenVPN server is reusing key and the old certificate is valid after new implementation.
hvad I tried
1) I deleted the implementation of my OpenVPN server.
2) I create a new instance of the OpenVPN server using the routers webpage.
3) I share my vpn users to use the new OpenVPN server (section vpn, users)
4) I then connected from my pc with the new OpenVPN file including the certificates and key. that worked fine.
5) however to my big surprise I then tried using my mobile phone, I forgot to update my OpenVPN configuration file and use the old one, to my big surprise I was also able to log on.
6) which for me means that you are using the same key even though you create a new certificate pair moreover there is no check on the certificate used or simply the product is generating the same set each time.
I am very concerned , I expect a resolution asap this this not secure at all.
If you want to sell omada as SMB product then you need to make sure that basic security are implemented correct
Clive_A please send me a note when you have red my message
br
Trollen
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Trollen
Thanks for posting in our business forum.
The cert will only calculate once and the cert will last 10 years long after the generation.
This cert will be universal to the OVPN servers you've created on the router.
The keys are different for every server you've created. Because the keys are generated differently every time you create a new server and export the .ovpn.
What's your config like? I do not take private messages regarding the issue.
For example, old(A), and new(B). AB two servers are the same in the config?
- Copy Link
- Report Inappropriate Content
Hi Clieve
is it possible that we can continue this conversation in a closed tread or similar ?
however this is what I think.
Why Two Configurations Work:
- If two configurations (old and new) work simultaneously, the router is likely configured to accept the same certificate and key across multiple server instances. The router's OpenVPN server may lack mechanisms to differentiate between old and new credentials once generated.
Important Considerations:
- Certificates and keys should ideally be unique for each OpenVPN server instance.
- If a new certificate is issued, the old certificate and key pair should be invalidated unless explicitly configured to be reused.
Why the Public Certificate Can't Have Two Passwords:
- Certificates are tied to their corresponding private keys through cryptographic algorithms.
- A single certificate cannot support multiple private keys or passwords because:
- The certificate is mathematically bound to its private key.
- Changing the private key would invalidate the cryptographic signature
regarding the certificated used
the router is limited only to accept selfsigned certificate for the implementation of the OpenVPN server , see my former feature request.
is not possible to use other that the certificate that router is born with, I suspect the routers building certificate are used, so I did a test.
1) save all the configuration of the routers settings.
2) reset the router to factory default,
3) apply the saved configuration again.
4) the router how have a new pair of certificate pub and key created on the router as self signed.
5) result the router now only accept the new base certificate and key file , the old one is diregarded as the certificate has been replaced.
6) however if you just delete you open server configuration on the router and then recreate it that will still use the current certificate and key which should not happen.
I hope it is clear let me know if and how you want to continue this conversation . I will prefer not in a open forum.
I remain Trollen
- Copy Link
- Report Inappropriate Content
Hi @Trollen
Thanks for posting in our business forum.
I prefer the discussion is open if it does not come to the sensitive information.
Trollen wrote
Hi Clieve
is it possible that we can continue this conversation in a closed tread or similar ?
however this is what I think.
Why Two Configurations Work:
- If two configurations (old and new) work simultaneously, the router is likely configured to accept the same certificate and key across multiple server instances. The router's OpenVPN server may lack mechanisms to differentiate between old and new credentials once generated.
Do you have a way to verify the .ovpn?
I know that you came to this conclusion based on the connection you have made.
But regarding the problem, I think there is nothing as strong as the video to illustrate everything you have experienced.
So you experienced this problem which has a past and current file and server, you need to show the video/picture of the past and current comparison and the test result.
Trollen wrote
Important Considerations:
- Certificates and keys should ideally be unique for each OpenVPN server instance.
Client certs and (private)keys are different for each server. The link I pasted earlier, clearly shows the result. Unless you can prove your statement.
Trollen wrote
- If a new certificate is issued, the old certificate and key pair should be invalidated unless explicitly configured to be reused.
To the second point, what the exact "new cert" do you mean here?
Trollen wrote
Why the Public Certificate Can't Have Two Passwords:
- Certificates are tied to their corresponding private keys through cryptographic algorithms.
- A single certificate cannot support multiple private keys or passwords because:
- The certificate is mathematically bound to its private key.
- Changing the private key would invalidate the cryptographic signature
- Client certs and keys are generated by calculations to verify the login from a user. And they are bound together unlike the CA cert.
- CA cert is to verify the server status and identify instead of the clients which means a single (CA) cert can support multiple client cert and private keys.
- That is correct.
Trollen wrote
regarding the certificated used
the router is limited only to accept selfsigned certificate for the implementation of the OpenVPN server , see my former feature request.
is not possible to use other that the certificate that router is born with, I suspect the routers building certificate are used, so I did a test.
I first think you have a misconception or misuse of the terms in the following description.
We don't support that and you have a request for that. I am aware of that. While it does not support this now, this is self-evident and cannot be used as proof of the issue described.
And to the conclusion/result you want to test which I don't quote here, they are not the same and CA cannot be the same because every calculation generates a different self-assigned CA after a reset. Fit the behavior and expectations.
Trollen wrote
regarding the certificated used
the router is limited only to accept selfsigned certificate for the implementation of the OpenVPN server , see my former feature request.
is not possible to use other that the certificate that router is born with, I suspect the routers building certificate are used, so I did a test.
1) save all the configuration of the routers settings.
2) reset the router to factory default,
3) apply the saved configuration again.
4) the router how have a new pair of certificate pub and key created on the router as self signed.
5) result the router now only accept the new base certificate and key file , the old one is diregarded as the certificate has been replaced.
6) however if you just delete you open server configuration on the router and then recreate it that will still use the current certificate and key which should not happen.
I hope it is clear let me know if and how you want to continue this conversation . I will prefer not in a open forum.
I remain Trollen
This is expected and how the system works. CA is the same regardless of what servers you have created.
I also looked up some third-party OVPN servers, they behaved the same way.
If possible, I would recommend you verify this with the OVPN official and see if the conclusion is the same. If it is, the problem is no longer on our side. It is the OVPN official's guideline on the CA generation and cert.
In summary:
- CA is self-assigned and the same once it generates, which is also the common practice. Our last 10 years unless you reset it.
- The client cert and (private) key are different from the servers you have created.
- We don't support importing your own CA and have no plan to add it yet. This should not be brought up in this case as they don't correlate. It is a feature request.
What you described is clear but not true so far until you can provide something concrete.
I hope it is clear from my side with everything I typed here.
I am after the proofs from you as what you said is against what I tested before in another post and the fact I discussed with the dev.
https://www.reddit.com/r/OpenVPN/comments/pl1phi/two_openvpn_servers_with_identical_certificates/
https://www.reddit.com/r/synology/comments/1f2y4mc/does_openvpn_server_use_1_and_the_same/
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 226
Replies: 3