Openvpn separate client certificates

I'm trying to set up openVPN connection to my watchguard M290 FW using this guide. Everything works, but upon closer inspection I notice that all clients are using the same private certificate (embedded in the .ovpn file).
As per openvpn instructions, you should create a separate private/public key pair for each client, which is clearly not the case here.

Could anyone explain me whether this is a security issue or not? Can I use this configuration in a safe way?



  • Options

    To me, the main issue is that one can't disable a specific private key, for any reason.
    If the general private key becomes compromised, then the key needs to be regenerated & distributed to all SSLVPN clients.

    Beyond the certs, there are also the firewall policies which control what SSLVPN users can do. Just being able to connect to the firewall using a SSLVPN client does not provide any access without an appropriate UserID & password.

    I personally do not consider this to be a significant security exposure.

  • Options

    Ok thanks for the clarification.

    I was a bit suspiscious as the openvpn version included in the watchguard mobile VPN client (12.7.2) dates already from 2018 (!!) which made me thinking about how safe watchguard vpn setup is.
    Maybe I change the watchguard clients with an up-to-date versions of openvpn in the future.

    FYI, here is the complete version of the included openvpn.exe

    openvpn.exe --version
    OpenVPN 2.4.5 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 1 2018
    library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
    Windows version 6.2 (Windows 8 or greater) 64bit
    Originally developed by James Yonan
    Copyright (C) 2002-2018 OpenVPN Inc sales@openvpn.net
    Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_special_build= with_sysroot=no

  • Options

    Yes you can use an OpenVPN client.

    See this from a WG rep on WG using an older version of OpenVPN server:

    IPv6 binding Mobile users

  • Options

    Thanks for your response. So If I read the last comment of your link well; watchguard is using an old version of openvpn but is patching it themselves (e.g. for security issues)?

  • Options

    Yes, I read it as they are applying available security patches for the current version that is in Fireware.

    Note that there are many vendor or open source functions within Fireware, all of which need to be patched as needed. Some patches are for new features, many are for security exposures or bug fixes.

  • Options

    OK thanks for the extra information, this makes me feel more comfortable about the security of my environment.

Sign In to comment.