Author Topic: OpenVPN without username/password  (Read 18846 times)

Offline setchi

OpenVPN without username/password
« on: January 17, 2012, 03:00:33 pm »
Is it possible to use the user manager just to create/maintain certificates and keys?
I want my OpenVPN to NOT ask for username and password during connection and just
authenticate the user by the key and certificate.

Is there a howto or guide to set up OpenVPN on pfSense 2.0.1 without passwords?

Thanks,
Florian

Offline jimp

Re: OpenVPN without username/password
« Reply #1 on: January 24, 2012, 09:02:21 am »
Sure, just set up the OpenVPN server type as "SSL/TLS" (no auth) and then add certificates in the Cert Manager; you can still export client installers that way. They are not tied to usernames, just certificates. You don't need to add users since they do not need usernames and passwords.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline nexusN

Re: OpenVPN without username/password
« Reply #2 on: June 11, 2012, 12:51:53 am »
> Sure, just set up the OpenVPN server type as "SSL/TLS" (no auth) and then add certificates in the Cert Manager; you can still export client installers that way. They are not tied to usernames, just certificates. You don't need to add users since they do not need usernames and passwords.

I am doing this, SSL/TLS only without User Auth, for a portion of VPN users (anonymously for some forum friends) ........ but I do have a worry about the safety of the connection. :(
The above is used because when someone is going to spread the credentials, it makes no difference whether I actually use User Auth or not.
No User Auth seems to be more convenient for them in connecting. ;D

Would the connection in this way be less secure than having User Auth? ???

Offline jimp

Re: OpenVPN without username/password
« Reply #3 on: June 11, 2012, 09:42:08 am »
It depends on what you mean by "secure".

The level of encryption would be the same, with or without user authentication.

User authentication is an extra layer of prevention to keep out unauthorized access.

So in terms of access control, not having user auth makes it less secure.
But in terms of encryption, the security would be equivalent.
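
As an added example (not part of the thread and not pfSense's own code): a small Python audit that reads an OpenVPN server config, reports which of the two modes discussed above it is in, and checks that revocation is enabled, since in certificate-only mode the certificate is the only access control. The sample configs and file paths are constructed; the directive names are standard OpenVPN options.

```python
import shlex

# Constructed sample server configs (not pfSense output); directive names are real OpenVPN options.
CERT_ONLY = "port 1194\nca ca.crt\ncert server.crt\nkey server.key\n"
CERT_PLUS_USER = CERT_ONLY + ("auth-user-pass-verify /path/to/verify-script via-env\n"
                              "crl-verify crl.pem\n")

def parse(conf_text):
    """Map each directive to its argument list; skip comments and inline <tag> blocks."""
    opts, in_block = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<") and line.endswith(">"):
            opts[line[1:-1]], in_block = ["[inline]"], True
        elif in_block or not line or line[0] in "#;":
            continue
        else:
            parts = shlex.split(line, comments=True)
            opts[parts[0]] = parts[1:]
    return opts

def audit(conf_text):
    """Classify how clients are authenticated and flag missing revocation checking."""
    o = parse(conf_text)
    cert_required = ("client-cert-not-required" not in o
                     and (o.get("verify-client-cert") or ["require"])[0] == "require")
    # Heuristic: a verify script, or a plugin whose path mentions "auth",
    # is taken to mean username/password authentication is enabled.
    user_auth = ("auth-user-pass-verify" in o
                 or any("auth" in a for a in o.get("plugin", [])))
    mode = {(True, True): "cert+user", (True, False): "cert-only",
            (False, True): "user-only", (False, False): "none"}[(cert_required, user_auth)]
    warnings = []
    if cert_required and "crl-verify" not in o:
        warnings.append("no crl-verify: a revoked or leaked client certificate is still accepted")
    return {"mode": mode, "warnings": warnings}

if __name__ == "__main__":
    for name, conf in (("cert-only", CERT_ONLY), ("cert+user", CERT_PLUS_USER)):
        print(name, audit(conf))
```
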

Offline nexusN

Re: OpenVPN without username/password
« Reply #4 on: June 15, 2012, 01:42:41 am »
> It depends on what you mean by "secure".
>
> The level of encryption would be the same, with or without user authentication.
>
> User authentication is an extra layer of prevention to keep out unauthorized access.
>
> So in terms of access control, not having user auth makes it less secure.
> But in terms of encryption, the security would be equivalent.

Sorry for getting back to you late, my question has been well answered :D
In that way I should keep my current practice of having no user auth :P for the encryption being the same level.

Offline jimp

Re: OpenVPN without username/password
« Reply #5 on: June 15, 2012, 06:36:52 am »
All you need to do is change the mode of the VPN from SSL/TLS+User Auth to simply SSL/TLS - then no auth will be required, but the rest of the settings can stay the same.

Offline nexusN

Re: OpenVPN without username/password
« Reply #6 on: June 19, 2012, 11:45:02 pm »
> All you need to do is change the mode of the VPN from SSL/TLS+User Auth to simply SSL/TLS - then no auth will be required, but the rest of the settings can stay the same.

Yes, I did exactly the same and it works like a charm :D

Offline da_zhuang

Re: OpenVPN without username/password
« Reply #7 on: August 02, 2012, 04:24:10 pm »
Dear Jimp:

I'm very new to OpenVPN and I'm not sure how to change the mode of the VPN from SSL/TLS+User Auth to simply SSL/TLS. Do I just modify the config file or do I need to reinstall with some other options enabled? Thanks.

Offline marvosa

Re: OpenVPN without username/password
« Reply #8 on: August 02, 2012, 06:09:03 pm »
da_zhuang,
Edit your OpenVPN server, on the Server tab in the General information section use the drop down menu to change the Server Mode option to Remote Access (SSL/TLS).
« Last Edit: August 02, 2012, 06:11:44 pm by marvosa »

Offline hugolia

Re: OpenVPN without username/password
« Reply #9 on: April 16, 2013, 09:49:18 am »
Is it possible to have User/password for some users but not for all?
I am using OpenVPN for RoadWarrior users (mostly notebooks). But now I need to set up a connection to a site where I will have a server with a daemon client to establish the VPN between sites.


Offline marvosa

Re: OpenVPN without username/password
« Reply #10 on: April 16, 2013, 10:02:03 am »
hugolia,
Yes.  Just configure a 2nd server on a different port.

Offline jimp

Re: OpenVPN without username/password
« Reply #11 on: April 16, 2013, 10:03:12 am »
> Is it possible to have User/password for some users but not for all?
> I am using OpenVPN for RoadWarrior users (mostly notebooks). But now I need to set up a connection to a site where I will have a server with a daemon client to establish the VPN between sites.

Yes, but they would need to use separate server instances. You can have one server that does user/pass, one that does not, and others for site-to-site VPNs.

Any more detail than that belongs in its own thread specific to your implementation, though, so if you need more help than that, feel free to start a fresh thread and ask.