Page 1 of 3

OpenVPN CA

Posted: Sun Dec 20, 2020 1:25 am
by SPAU00
Is it possible to replace the Billion default OpenVPN CA for the purpose of OpenVPN server? If so how is this done. On this page a new certificate can be pasted over the default CA but this doesn't save. So how do we get a unique certificate into the router for OpenVPN server. Adding certificates on the certificates page does not change the OpenVPN CA.

Re: OpenVPN CA

Posted: Mon Dec 21, 2020 10:51 am
by billion_fan
SPAU00 wrote:
Sun Dec 20, 2020 1:25 am
Is it possible to replace the Billion default OpenVPN CA for the purpose of OpenVPN server? If so how is this done. On this page a new certificate can be pasted over the default CA but this doesn't save. So how do we get a unique certificate into the router for OpenVPN server. Adding certificates on the certificates page does not change the OpenVPN CA.
I'll check with our engineers and get back to you.

Re: OpenVPN CA

Posted: Tue Dec 22, 2020 9:02 am
by billion_fan
billion_fan wrote:
Mon Dec 21, 2020 10:51 am
SPAU00 wrote:
Sun Dec 20, 2020 1:25 am
Is it possible to replace the Billion default OpenVPN CA for the purpose of OpenVPN server? If so how is this done. On this page a new certificate can be pasted over the default CA but this doesn't save. So how do we get a unique certificate into the router for OpenVPN server. Adding certificates on the certificates page does not change the OpenVPN CA.
I'll check with our engineers and get back to you.
After checking with our engineers the default OpenVPN CA can not be adjusted.

Re: OpenVPN CA

Posted: Wed Dec 23, 2020 12:59 am
by SPAU00
billion_fan wrote:
Tue Dec 22, 2020 9:02 am
billion_fan wrote:
Mon Dec 21, 2020 10:51 am
SPAU00 wrote:
Sun Dec 20, 2020 1:25 am
Is it possible to replace the Billion default OpenVPN CA for the purpose of OpenVPN server? If so how is this done. On this page a new certificate can be pasted over the default CA but this doesn't save. So how do we get a unique certificate into the router for OpenVPN server. Adding certificates on the certificates page does not change the OpenVPN CA.
I'll check with our engineers and get back to you.
After checking with our engineers the default OpenVPN CA can not be adjusted.
Thanks for checking.
I own several billion routers located in various locations. The system OpenVPN CA is identical on all VPN routers so is basically a public certificate making the OpenVPN Server extremely vulnerable. I don't see why the server should work any differently than the client side of things where you can select your uploaded CA's, keys etc.

Re: OpenVPN CA

Posted: Wed Dec 23, 2020 10:56 am
by billion_fan
SPAU00 wrote:
Wed Dec 23, 2020 12:59 am
billion_fan wrote:
Tue Dec 22, 2020 9:02 am
billion_fan wrote:
Mon Dec 21, 2020 10:51 am


I'll check with our engineers and get back to you.
After checking with our engineers the default OpenVPN CA can not be adjusted.
Thanks for checking.
I own several billion routers located in various locations. The system OpenVPN CA is identical on all VPN routers so is basically a public certificate making the OpenVPN Server extremely vulnerable. I don't see why the server should work any differently than the client side of things where you can select your uploaded CA's, keys etc.
I'll pass on your suggestions to our engineers

Re: OpenVPN CA

Posted: Mon Jan 11, 2021 12:41 pm
by adeux001
+1 to this request

Re: OpenVPN CA

Posted: Tue Jan 19, 2021 12:42 pm
by obalik
I want to same request for suggest

Re: OpenVPN CA

Posted: Tue Jan 19, 2021 2:47 pm
by billion_fan
obalik wrote:
Tue Jan 19, 2021 12:42 pm
I want to same request for suggest
I've checked with our engineers again and they stated the following

1. Although each 8900AX-2400 uses the same “Root CA” , but the OpenVPN Server settings for each 8900AX-2400 device will be different i.e.: Cipher Encryption and HMAC Authentication.

2. Also our BiPAC 8900AX-2400 OpenVPN Server using the VPN Account for authentication.

Re: OpenVPN CA

Posted: Wed Jan 20, 2021 3:19 am
by SPAU00
billion_fan wrote:
Tue Jan 19, 2021 2:47 pm
obalik wrote:
Tue Jan 19, 2021 12:42 pm
I want to same request for suggest
I've checked with our engineers again and they stated the following

1. Although each 8900AX-2400 uses the same “Root CA” , but the OpenVPN Server settings for each 8900AX-2400 device will be different i.e.: Cipher Encryption and HMAC Authentication.

2. Also our BiPAC 8900AX-2400 OpenVPN Server using the VPN Account for authentication.
Thanks for your reply.

OpenVPN account password is encrypted yes but this isn't utilizing OpenVPN security.

Consider this scenario....

You want to connect to a remote Billion router network through OpenVPN with no remote host computer. You would need to use the Billion Root CA certificate as client (which is a public certificate) because the remote Billion Root CA cannot be replaced.

The Billion Root CA is useless leaving only password security which isn't what OpenVPN is about.

The client side of the Billion router for OpenVPN is customizable and as mentioned previously, I don't see why the server side should work any differently which would give Billion customers connection options fully utilizing OpenVPN security.

Re: OpenVPN CA

Posted: Wed Jan 20, 2021 1:40 pm
by nightcustard
After I read through this thread, I disabled the Billion OpenVPN server and reverted to another device on my network where you can change the root cert. I'm no security expert but surely a cooked-in certificate is a big 'no no'?