OVPN client certificate checking

Hi

I am quite new to RouterOS and RouterBoards, but I am slowly getting into it and I really love the possibilities and the affordable price of really great hardware.

However, I ran into what I think is a major security concern with OVPN site-to-site tunnels. Wherever possible I use IPIP over IPsec with PSK, which I consider safe (correct me if I am wrong). In some cases IPIP over IPsec is not an option because one site does not have a static or even a public IP (e.g. mobile broadband with carrier NAT); there I would like to use the OpenVPN client built into RouterOS. I was able to get a connection up and running without any problems, but the scary part was that I did not even need to upload the cert of the OVPN server to the client.

As far as my knowledge goes, this means that my client has no way of verifying the identity of the server, which opens the possibility of a man-in-the-middle attack. It is hard for me to believe that there is really no way of getting the client to check the server certificate, but I really did not find any option to do it. In my understanding it should not even be possible to connect to a server without certificate validation.

Please tell me that I am missing something.

BR
Alex
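To make concrete what the check Alex is asking for actually does, here is an added example (not from this thread and not RouterOS configuration) using the openssl command line. It builds a private CA, a server certificate issued by that CA, and an impostor certificate that is self-signed but carries the same name; then it runs the verification a validating client would perform against each. The CA name, the hostname "vpn.example" and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: what a VPN client gains by validating the server certificate
# against a CA it trusts. Every name and path below is constructed.

# make_certs DIR: create a private CA, a server certificate signed by that CA,
# and an impostor certificate that is self-signed but carries the same CN.
make_certs() {
    dir="$1"
    # 1. The CA the client would be told to trust (the file one would expect
    #    to have to upload to the client).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example VPN CA" 2>/dev/null
    # 2. The legitimate server certificate, issued by that CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=vpn.example" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    # 3. An impostor: the same name, but signed by nobody the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/impostor.key" -out "$dir/impostor.pem" \
        -subj "/CN=vpn.example" 2>/dev/null
}

# verify_cert CAFILE CERT: the check a validating client performs. Returns 0
# when CERT chains to a CA in CAFILE, non-zero otherwise. A client that skips
# this step accepts both certificates below, since their names are identical.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: show both outcomes side by side.
work=$(mktemp -d)
make_certs "$work"
for cert in server impostor; do
    if verify_cert "$work/ca.pem" "$work/$cert.pem"; then
        echo "$cert.pem: accepted (chains to the trusted CA)"
    else
        echo "$cert.pem: rejected (not issued by the trusted CA)"
    fi
done
rm -rf "$work"
```

The point the two outcomes illustrate: the subject name alone tells the client nothing, because anyone can mint a certificate with that name. Only the signature chain back to a CA the client has been given in advance distinguishes the real server from an impostor, which is why a client that has no CA file to check against cannot detect a man-in-the-middle.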

Can anyone confirm this problem? Or is it just me?

At the risk of sounding rude:
I really think implementing a VPN protocol that relies on certificates and then not validating those certs is a major flaw, and I would at least expect a statement on whether it is a configuration issue on my side or whether there is really no option to do this.
Having this topic unanswered for days is not really satisfying.

push…

This is a community forum. To get an official reply you need to write to support.

Currently the RouterOS client does not verify the server certificate, but the server verifies the client certificate if such an option is enabled.
If you want two-way verification then you can use SSTP, which has this feature.

Thanks for your answer.

Is there any reason for not checking the server certificate? Even with client certificates enabled, this opens the door for some attack vectors. To me this is rather disappointing.
Thanks anyway for the SSTP alternative recommendation.

This feature is simply not implemented yet for OVPN. It is possible that we will add it in the future.