OpenVPN CA

Discussions for BiPAC 8900 series: 8900AX-1600, 8900AX-2400, 8900X
SPAU00
Posts: 5
Joined: Mon Oct 28, 2019 8:35 am

OpenVPN CA

Post by SPAU00 » Sun Dec 20, 2020 1:25 am

Is it possible to replace the Billion default OpenVPN CA for the purpose of OpenVPN server? If so, how is this done? On this page a new certificate can be pasted over the default CA but this doesn't save. So how do we get a unique certificate into the router for OpenVPN server? Adding certificates on the certificates page does not change the OpenVPN CA.

billion_fan
Posts: 5205
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan » Mon Dec 21, 2020 10:51 am

SPAU00 wrote:
Sun Dec 20, 2020 1:25 am
Is it possible to replace the Billion default OpenVPN CA for the purpose of OpenVPN server? If so, how is this done? On this page a new certificate can be pasted over the default CA but this doesn't save. So how do we get a unique certificate into the router for OpenVPN server? Adding certificates on the certificates page does not change the OpenVPN CA.
I'll check with our engineers and get back to you.

billion_fan
Posts: 5205
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan » Tue Dec 22, 2020 9:02 am

billion_fan wrote:
Mon Dec 21, 2020 10:51 am
SPAU00 wrote:
Sun Dec 20, 2020 1:25 am
Is it possible to replace the Billion default OpenVPN CA for the purpose of OpenVPN server? If so, how is this done? On this page a new certificate can be pasted over the default CA but this doesn't save. So how do we get a unique certificate into the router for OpenVPN server? Adding certificates on the certificates page does not change the OpenVPN CA.
I'll check with our engineers and get back to you.
After checking with our engineers, the default OpenVPN CA cannot be adjusted.

SPAU00
Posts: 5
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 » Wed Dec 23, 2020 12:59 am

billion_fan wrote:
Tue Dec 22, 2020 9:02 am
billion_fan wrote:
Mon Dec 21, 2020 10:51 am
SPAU00 wrote:
Sun Dec 20, 2020 1:25 am
Is it possible to replace the Billion default OpenVPN CA for the purpose of OpenVPN server? If so, how is this done? On this page a new certificate can be pasted over the default CA but this doesn't save. So how do we get a unique certificate into the router for OpenVPN server? Adding certificates on the certificates page does not change the OpenVPN CA.
I'll check with our engineers and get back to you.
After checking with our engineers, the default OpenVPN CA cannot be adjusted.
Thanks for checking.
I own several Billion routers located in various locations. The system OpenVPN CA is identical on all VPN routers, so it is basically a public certificate, making the OpenVPN Server extremely vulnerable. I don't see why the server should work any differently than the client side of things, where you can select your uploaded CAs, keys etc.

billion_fan
Posts: 5205
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan » Wed Dec 23, 2020 10:56 am

SPAU00 wrote:
Wed Dec 23, 2020 12:59 am
billion_fan wrote:
Tue Dec 22, 2020 9:02 am
billion_fan wrote:
Mon Dec 21, 2020 10:51 am


I'll check with our engineers and get back to you.
After checking with our engineers, the default OpenVPN CA cannot be adjusted.
Thanks for checking.
I own several Billion routers located in various locations. The system OpenVPN CA is identical on all VPN routers, so it is basically a public certificate, making the OpenVPN Server extremely vulnerable. I don't see why the server should work any differently than the client side of things, where you can select your uploaded CAs, keys etc.
I'll pass on your suggestions to our engineers.

adeux001
Posts: 6
Joined: Fri Mar 29, 2019 2:55 pm

Re: OpenVPN CA

Post by adeux001 » Mon Jan 11, 2021 12:41 pm

+1 to this request

obalik
Posts: 1
Joined: Tue Jan 19, 2021 12:38 pm

Re: OpenVPN CA

Post by obalik » Tue Jan 19, 2021 12:42 pm

I want to same request for suggest

billion_fan
Posts: 5205
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan » Tue Jan 19, 2021 2:47 pm

obalik wrote:
Tue Jan 19, 2021 12:42 pm
I want to same request for suggest
I've checked with our engineers again and they stated the following:

1. Although each 8900AX-2400 uses the same “Root CA”, the OpenVPN Server settings for each 8900AX-2400 device will be different, i.e. Cipher Encryption and HMAC Authentication.

2. Also, our BiPAC 8900AX-2400 OpenVPN Server uses the VPN Account for authentication.

SPAU00
Posts: 5
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 » Wed Jan 20, 2021 3:19 am

billion_fan wrote:
Tue Jan 19, 2021 2:47 pm
obalik wrote:
Tue Jan 19, 2021 12:42 pm
I want to same request for suggest
I've checked with our engineers again and they stated the following:

1. Although each 8900AX-2400 uses the same “Root CA”, the OpenVPN Server settings for each 8900AX-2400 device will be different, i.e. Cipher Encryption and HMAC Authentication.

2. Also, our BiPAC 8900AX-2400 OpenVPN Server uses the VPN Account for authentication.
Thanks for your reply.

The OpenVPN account password is encrypted, yes, but this isn't utilizing OpenVPN security.

Consider this scenario....

You want to connect to a remote Billion router network through OpenVPN with no remote host computer. You would need to use the Billion Root CA certificate as client (which is a public certificate) because the remote Billion Root CA cannot be replaced.

The Billion Root CA is useless, leaving only password security, which isn't what OpenVPN is about.

The client side of the Billion router for OpenVPN is customizable and as mentioned previously, I don't see why the server side should work any differently which would give Billion customers connection options fully utilizing OpenVPN security.

nightcustard
Posts: 46
Joined: Sat Nov 03, 2012 2:50 pm

Re: OpenVPN CA

Post by nightcustard » Wed Jan 20, 2021 1:40 pm

After I read through this thread, I disabled the Billion OpenVPN server and reverted to another device on my network where you can change the root cert. I'm no security expert but surely a cooked-in certificate is a big 'no no'?
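
One way to check the concern raised in this thread across several sites, as an added example that is not part of the original posts or of Billion's software: it fingerprints the CA in the OpenVPN client profile kept for each site, groups sites that trust the same CA, and lists profiles that rely on `auth-user-pass` with no client certificate. The site names, profile contents and certificate bytes are constructed placeholders, and the profiles are assumed to use inline `<ca>`, `<cert>` and `<key>` blocks.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def inline_block(profile: str, tag: str) -> str:
    """Body of an inline <tag>...</tag> block in an .ovpn profile, or ''."""
    m = re.search(rf"<{tag}>(.*?)</{tag}>", profile, re.S)
    return m.group(1) if m else ""

def ca_fingerprints(profile: str) -> list[str]:
    """SHA-256 of the DER bytes of each certificate in the <ca> block."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(inline_block(profile, "ca"))]

def audit(profiles: dict[str, str]) -> dict:
    """Find CAs trusted by more than one site and password-only profiles."""
    by_ca, password_only = defaultdict(list), []
    for site, text in sorted(profiles.items()):
        for fp in ca_fingerprints(text):
            by_ca[fp].append(site)
        has_client_cert = bool(inline_block(text, "cert").strip()
                               and inline_block(text, "key").strip())
        if re.search(r"^\s*auth-user-pass\b", text, re.M) and not has_client_cert:
            password_only.append(site)
    shared = {fp: sites for fp, sites in by_ca.items() if len(sites) > 1}
    return {"shared_ca": shared, "password_only": password_only}

def _fake_pem(der: bytes) -> str:
    """Wrap constructed bytes in PEM armour; not a real certificate."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample profiles: two sites trust the same CA, one has its own.
VENDOR_CA = _fake_pem(b"constructed stand-in: CA shipped on every router")
OWN_CA = _fake_pem(b"constructed stand-in: CA generated for one site")
SAMPLE = {
    "site-a": f"client\nremote site-a.example 1194\nauth-user-pass\n<ca>\n{VENDOR_CA}</ca>\n",
    "site-b": f"client\nremote site-b.example 1194\nauth-user-pass\n<ca>\n{VENDOR_CA}</ca>\n",
    "site-c": (f"client\nremote site-c.example 1194\n<ca>\n{OWN_CA}</ca>\n"
               f"<cert>\n{_fake_pem(b'constructed client cert')}</cert>\n"
               "<key>\nconstructed-key-placeholder\n</key>\n"),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A fingerprint that appears under `shared_ca` for sites that are meant to be independent means the CA does not distinguish one server from another, so a profile that is also listed under `password_only` depends on the account password alone.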
