Dear All,
Not sure if this is something from eblocker, or something in ovpn. I mainly use eblocker for its wonderfully easy option to access my private network through ovpn, and if needed use my commercial vpn subscription to go from my private network outside again through it, so passthrough. This works well, at least for me.
The concern is, the ovpn profile created via eblocker, when using it with the ovpn client, it works immediately. There's no request for a password or something. My worry is that if someone else gets hold of that file through my stupidity, or another way, they can simply access my private network. I can't block that, because there's always the possibility to access the eblocker dashboard.
-So is there a way to add a password before access is granted?
-Or is this something which is part of the ovpn software?
Thanks for any hints and tips, or a swift kick in the right direction
Best regards,
There's no request for a password or something.
The authentication takes place via a key combo in the config file that is tied to the mobile device. This is to avoid passwords since user given passwords tend to be low security whereas digital keys can‘t be brute forced or guessed.
My worry is that if someone else gets hold of that file through my stupidity, or another way, they can simply access my private network.
Yes, that‘s correct. You should safeguard the OpenVPN file same as other sensitive files on your device by (at least) using a proper authentication.
So is there a way to add a password before access is granted?
Not to my knowledge. But I take this as a „feature request“ to be discussed by the team. If you are a developer please join us - and help implementation 👍🚀
Or is this something which is part of the ovpn software?
No idea. Sorry.
Maybe someone else has more OpenVPN experience? @benne, @bpr, @calimero, @pio78, @valentin, anyone …?
THX!
Hello Random,
Thanks for the swift reply, and information contained. At least I now better understand.
I wish I was a developer, but unfortunately I'm not. My programming skills are minor, especially looking at what you've already achieved with eblocker so far. I found eblocker through an article in the Dutch C't magazine, and was really impressed. As I wrote, especially the ease of using the ovpn for access to my network and passthrough using my commercial vpn subscription.
I'm aware one needs to guard files very carefully, but I also know I'm only human, and make mistakes. Thus a password feature would add some extra security just in case. For the commercial vpn I must always add it before I can have access through it using ovpn.
-So I hope a feature like this is possible in the (near) future.
The (near) is of course wishful thinking 😉 .
Thanks and best regards.
Thanks for your feedback.
I'm happy to bring some more light into the discussion. Please check this first for reference: https://community.openvpn.net/openvpn/wiki/Concepts-Authentication
There it reads:
Certificates are cryptographically signed by the CA, so these provide a strong level of security and authentication. By contrast, usernames are somewhat less secure given the types of passphrases often used, and the prolific re-use of same or similar passphrase.
We have chosen certificates for eBlocker Mobile authentication therefore.
From my perspective it might make sense to additionally secure the connection by 2 factor authentication (2FA) - but not passwords. Passwords would rather be a step back in security. But honestly, I‘m not sure whether 2FA is actually a gain (or just a burden) as services in a LAN are password protected anyhow. If that‘s not the case I‘d rather start improving these services first because this is high risk…
Nevertheless I will bring this up in the next supporter meeting. Maybe some volunteer picks up the idea? Honestly I wouldn't hope for too much as this might get complex and the gain is rather poor (only for very few „stupid“ people who can't handle key files or secure their mobile device properly).
Personally I would love to see feature development that 99% of users appreciate and not only what <1% „very special“ users would use.
But you never know, maybe this idea is intriguing someone. Keep fingers crossed. 😉
You could encrypt the private key in eBlocker Mobile's client configuration yourself, if you have access to the command line tool OpenSSL:
- Download the client configuration from eBlocker
- Open the file in a text editor
- Save the lines between <key> and </key> to another text file
- Encrypt the key with OpenSSL as discussed here
- Copy the encrypted key back into the configuration file
Now OpenVPN should ask for the password before it can access the private key and connect to your eBlocker.
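The steps in the post above can be scripted as follows. This is an added example, not part of the original post and not eBlocker code. It assumes the profile carries its private key inline between `<key>` and `</key>` as the post describes, and it uses `openssl pkey -aes256` as one way to do the encryption step, since the discussion the post links to is not reproduced here. The function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: passphrase-protect the inline <key> block of an OpenVPN profile.
# Usage: sh protect-ovpn.sh client.ovpn client-protected.ovpn   (placeholder names)

# Print the PEM private key found between <key> and </key>.
extract_key() {
    awk '/^<key>/ {inside=1; next} /^<\/key>/ {inside=0} inside' "$1"
}

# Print profile $1 with the contents of its <key> block replaced by file $2.
splice_key() {
    awk -v keyfile="$2" '
        /^<key>/ { print
                   while ((getline line < keyfile) > 0) print line
                   close(keyfile); skip=1; next }
        /^<\/key>/ { skip=0 }
        !skip' "$1"
}

# Encrypt a PEM private key with AES-256. openssl prompts for the passphrase,
# so it never appears on the command line or in the shell history.
encrypt_key() {
    openssl pkey -in "$1" -aes256 -out "$2"
}

# Full procedure: extract, refuse if there is no key or it is already
# encrypted, encrypt, write the new profile to $2.
protect_profile() {
    umask 077                      # temp files and output readable by owner only
    tmp=$(mktemp -d) || return 1
    extract_key "$1" > "$tmp/plain.key"
    if ! grep -q 'PRIVATE KEY' "$tmp/plain.key"; then
        echo "no inline private key found in $1" >&2; rm -rf "$tmp"; return 1
    fi
    if grep -q 'ENCRYPTED' "$tmp/plain.key"; then
        echo "key in $1 is already encrypted" >&2; rm -rf "$tmp"; return 1
    fi
    encrypt_key "$tmp/plain.key" "$tmp/enc.key" &&
        splice_key "$1" "$tmp/enc.key" > "$2"
    status=$?
    rm -rf "$tmp"                  # remove the plaintext copy of the key
    return $status
}

if [ "$#" -eq 2 ]; then
    protect_profile "$1" "$2"
fi
```

The original profile still contains the unencrypted key, so delete it (and any other copies) once the protected profile has been tested.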
Smart solution! Well done. 😎 👍
I just hope „stupid“ users can follow. In case they can not follow, I proactively kindly ask those to direct any question to the OpenVPN forum. This is too off topic for eBlocker support here.
For us here, I consider the topic solved.
Wowserz, thanks for all the extra information.
Especially Boris Prinz's suggestions. I'm really gonna have a GOOD look into this, because it sounds really promising.
I do not consider myself "stupid", only prone to failure due to being human 😱 .
If this works, it's for me an extra layer of protection in case of any booboos (Ausrutchers).
THANKS AGAIN,