TL;DR
If your VPN uses a pre-shared key (PSK) for authentication, it’s likely vulnerable to Man-in-the-Middle (MITM) attacks. This is because PSKs are often weak and can be guessed or stolen. Switching to certificate-based authentication significantly improves security.
Understanding the Problem
A VPN creates a secure tunnel for your internet traffic. Traditionally, some VPNs used a ‘shared secret’ – a password or key that both your device and the VPN server know. This is simpler to set up than more robust methods but has serious security flaws.
Why Shared Secrets are Risky
Shared secrets are vulnerable because:
- Weak Keys: Users often choose easy-to-guess keys.
- Key Reuse: The same key might be used across multiple devices or for extended periods, increasing the attack surface.
- Compromised Devices: If a device is infected with malware, the secret can be stolen.
A Man-in-the-Middle (MITM) attacker intercepts your connection and pretends to be both you and the VPN server. With a shared secret, they can easily join the tunnel if they know the key.
How a MITM Attack Works with Shared Secrets
- Interception: The attacker positions themselves between your device and the VPN server (e.g., on a public Wi-Fi network).
- Impersonation: They intercept your connection request to the VPN server.
- Key Exchange: Because you’re using a shared secret, the attacker simply provides the same key when prompted.
- Tunnel Access: The attacker is now part of the VPN tunnel and can see all your traffic.
Solution: Switch to Certificate-Based Authentication
Certificate-based authentication uses digital certificates to verify identities, making MITM attacks much harder.
Step 1: Generate a Root CA (Certificate Authority)
This is the foundation of trust. You’ll need OpenSSL for this. On Linux/macOS:
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650Answer the prompts carefully, providing accurate information for your organisation.
Step 2: Generate Server Certificate
Create a certificate specifically for your VPN server:
openssl req -newkey rsa:4096 -nodes -keyout server.key -out server.csropenssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256Step 3: Generate Client Certificates
Create a unique certificate for each device connecting to the VPN:
openssl req -newkey rsa:4096 -nodes -keyout client1.key -out client1.csropenssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 3650 -sha256Repeat for each client (client2, client3, etc.).
Step 4: Configure Your VPN Server
The exact configuration depends on your VPN software (OpenVPN, WireGuard, StrongSwan). You’ll need to:
- Tell the server to use certificate authentication.
- Specify the CA certificate (
ca.crt) for verifying client certificates. - Disable shared secret authentication.
For example, in OpenVPN, you’d typically modify your server.conf file.
Step 5: Configure Your Clients
Install the appropriate client software and configure it to use:
- The CA certificate (
ca.crt). - The client’s unique certificate and key (
client1.crtandclient1.key).
Ensure the client software trusts your Root CA.
Step 6: Test Your Configuration
Connect to the VPN using a client configured with a certificate. Verify that shared secret authentication is no longer possible. Monitor your VPN server logs for any errors or suspicious activity.
Additional Security Measures
- Strong Encryption: Use strong encryption algorithms (e.g., AES-256).
- Regular Updates: Keep your VPN software and operating systems up to date.
- Two-Factor Authentication: Consider adding two-factor authentication for an extra layer of security.