OpenVPN.eu
http://forum.openvpn.eu/

Client Certificates without Username and Password
http://forum.openvpn.eu/viewtopic.php?f=25&t=9514

Author:  michaelmehl [ 01.03.2016 13:00 ]
Post subject:  Client Certificates without Username and Password

Hi,

I'm running an OpenVPN server with username/password authentication, which is working just fine. For several reasons, however, I want to switch to an authentication using client certificates - without username/password.

I generated all CA, server and client certificates and placed them properly on the server; their validation during the connection process also seems to work. However, I fail to disable the username/password requirement. Without inserting username/password, I still can't connect to the server.

My general idea would be to simply remove the "auth-user-pass" statement from the client configuration file with the certificates working properly. If I do that, however, I end up with a client connection log with something like this:

Code:
...
Mrz 01 13:45:58: OpenVPN 2.3.10 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 11 2016
Mrz 01 13:45:58: library versions: OpenSSL 1.0.2f  28 Jan 2016, LZO 2.09
Mrz 01 13:45:59: Control Channel Authentication: using 'C:\...\ta.key' as a OpenVPN static key file
Mrz 01 13:45:59: Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443 [nonblock]
Mrz 01 13:46:00: TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
Mrz 01 13:46:00: TCPv4_CLIENT link local: [undef]
Mrz 01 13:46:00: TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
Mrz 01 13:46:01: Connection reset, restarting [0]
Mrz 01 13:46:01: SIGUSR1[soft,connection-reset] received, process restarting
...


I would appreciate any advice on what I would need to modify or change. Please find attached my server and my client configuration file.

Cheers,
Michael

--

Server Configuration:

Code:
dev tun

management 127.0.0.1 1195

server 10.8.0.0 255.255.255.0

push "route 10.8.0.0 255.255.255.0"

dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh4096.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

# client-cert-not-required
username-as-common-name
duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto udp6


Client Configuration

Code:
dev tun
tls-client
tls-auth ta.key 1

remote XXX.XXX.XXX.XXX XXX

pull

proto tcp-client

script-security 2

ca ca.crt

comp-lzo

reneg-sec 0

# auth-user-pass
ns-cert-type server

cert client.crt
key client.key
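
Added example (not part of the original post, and not code from the OpenVPN project): a small Python check that compares a server/client configuration pair for options that have to agree on both peers when moving to certificate-only authentication. The embedded configs are abridged from the post above; the function names and the choice of checked directives are assumptions of this example.

```python
# Added example: compare an OpenVPN server/client config pair.
# Directive names are real OpenVPN options; configs are abridged from the post.
SERVER = """\
comp-lzo
# client-cert-not-required
username-as-common-name
duplicate-cn
proto udp6
"""
CLIENT = """\
tls-client
tls-auth ta.key 1
proto tcp-client
comp-lzo
# auth-user-pass
cert client.crt
key client.key
"""
# Server-side options that make the server ask for a username/password.
# Assumption: any "plugin" line is treated as a possible auth plugin.
PASSWORD_AUTH = ("auth-user-pass-verify", "plugin", "management-client-auth")

def parse(text):
    """Map each active directive to its arguments; skip comments and blanks."""
    conf = {}
    for line in text.splitlines():
        words = line.split("#")[0].split()  # naive: a quoted '#' is not handled
        if words:
            conf[words[0]] = words[1:]
    return conf

def transport(conf):
    """Return 'tcp' or 'udp'; OpenVPN uses UDP when no proto line is present."""
    return "tcp" if conf.get("proto", ["udp"])[0].startswith("tcp") else "udp"

def check(server, client):
    s, c = parse(server), parse(client)
    findings = []
    if transport(s) != transport(c):
        findings.append("proto: server is %s, client is %s" % (transport(s), transport(c)))
    for opt in ("tls-auth", "comp-lzo"):  # expected on both peers or on neither
        if (opt in s) != (opt in c):
            findings.append("%s: set on only one side" % opt)
    wants_password = any(opt in s for opt in PASSWORD_AUTH)
    if wants_password != ("auth-user-pass" in c):
        findings.append("auth-user-pass: peers disagree on password auth")
    if "username-as-common-name" in s and not wants_password:
        findings.append("username-as-common-name: no password auth configured")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SERVER, CLIENT)))
```

The checker only reports differences between the two files it is given; it does not confirm that the posted server file is the one the running daemon actually loaded.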
