I’m a recent (happy) owner of the PepWave SOHO MK3. I’ve configured OpenVPN with no issues. However, digging into the security of it, I see that the PepWave seems to have a fixed certificate (public and private) associated with the device. Thus far I haven’t discovered a way to generate a new one. Can someone explain how to do this? I’ve tried turning Remote User Access off and on again, but that doesn’t generate a new certificate.
The issue with a fixed certificate is that there’s no way to “revoke” it, for example by generating a new one. Imagine the following scenarios:
- If you give the OpenVPN .ovpn file (which contains the public side of the certificate) to someone temporarily, for example, you can’t invalidate it. Sure, you can invalidate their login, but the actual security of the VPN is the certificate (public and private) used to protect the channel.
- A reseller (or current owner) grabs the certificate, and then sells the device. The seller now has the certificate of the device they sold.
Adding a “regenerate” button should be pretty easy, or you could just generate a new one every time Remote User Access is enabled.
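
One way to check whether toggling Remote User Access changes the certificate material in the exported profile, as an added example that is not part of the original post or Peplink's own tooling: fingerprint every PEM block in two .ovpn exports and list the ones that are identical. It assumes the export embeds its certificates inline as PEM (OpenVPN's `<ca>`/`<cert>` inline-file syntax); the function names are hypothetical and the sample profiles are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Inline PEM blocks, e.g. inside <ca>...</ca> or <cert>...</cert> in a .ovpn file.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

def pem_fingerprints(ovpn_text):
    """Return [(label, sha256_hex)] for each PEM block, in file order.

    The hash is taken over the decoded (DER) bytes, so for a real certificate
    it equals the SHA-256 fingerprint that certificate tools display.
    """
    out = []
    for m in PEM_RE.finditer(ovpn_text):
        der = base64.b64decode("".join(m.group("body").split()))
        out.append((m.group("label"), hashlib.sha256(der).hexdigest()))
    return out

def unchanged_material(before, after):
    """PEM blocks present in both exports, i.e. material that was not regenerated."""
    after_set = set(pem_fingerprints(after))
    return [fp for fp in pem_fingerprints(before) if fp in after_set]

# --- Constructed sample data (placeholder bytes, not real certificates) ---
def make_pem(label, raw):
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----"

def make_profile(ca_bytes):
    return ("client\ndev tun\nremote vpn.example.invalid 1194\n"
            f"<ca>\n{make_pem('CERTIFICATE', ca_bytes)}\n</ca>\n")

SAMPLE_BEFORE = make_profile(b"constructed-placeholder-A")
SAMPLE_AFTER_SAME = make_profile(b"constructed-placeholder-A")  # toggle changed nothing
SAMPLE_AFTER_NEW = make_profile(b"constructed-placeholder-B")   # material was regenerated

if __name__ == "__main__":
    for name, after in (("same", SAMPLE_AFTER_SAME), ("new", SAMPLE_AFTER_NEW)):
        kept = unchanged_material(SAMPLE_BEFORE, after)
        print(name, "->", "UNCHANGED:" if kept else "all material differs", kept)
```

To use it on real exports, read the profile saved before the toggle and the one saved after it and pass both texts to `unchanged_material`; any entry it returns was carried over unchanged.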