[Openvpn-users] Client-cert-not-required but what shall I use on the client???
Andreas Iwanowski
2005-02-12 23:37:25 UTC
Hello.

I am experimenting with user/password based authentication.
I configured the server with 'client-cert-not-required' and
'auth-user-pass-verify auth.bat via-file'.

On the client I said 'auth-user-pass'.
When I start OpenVPN on the client, however, it says 'You must define a CA file...'
And terminates!

How can I let the client know to use only username/pw??

I'm using 2.0rc.

Sincerely,
andy
Charles Duffy
2005-02-12 23:57:10 UTC
> I am experimenting with user/password based authentication. I configured
> the server with 'client-cert-not-required' and 'auth-user-pass-verify
> auth.bat via-file'.
> On the client I said 'auth-user-pass'. When I start OpenVPN on the
> client, however, it says 'You must define a CA file...' And terminates!

Yes, you still need a CA and such, even though you don't need a client
cert on the client side.
Andreas Iwanowski
2005-02-13 01:31:17 UTC
>> I am experimenting with user/password based authentication. I
>> configured the server with 'client-cert-not-required' and
>> 'auth-user-pass-verify auth.bat via-file'.
>> On the client I said 'auth-user-pass'. When I start OpenVPN on the
>> client, however, it says 'You must define a CA file...' And terminates!
> Yes, you still need a CA and such, even though you don't need a client cert on the client side.

Yes, that is what I did.
I set up a CA for the server certificate and diffie hellman and the whole nine yards.
Then I configured the server to accept username/password authentication using a script.
But how do I set up the client properly? I don't want to use certificates on the clients,
And on the manpage it says that username/password authentication only is possible.
I just don't know how to set up the client to accept username/password only!

-andy
Charles Duffy
2005-02-13 02:20:24 UTC
Post by Andreas Iwanowski
> I set up a CA for the server certificate and diffie hellman and the
> whole nine yards. Then I configured the server to accept
> username/password authentication using a script. But how do I set up the
> client properly? I don't want to use certificates on the clients, And on
> the manpage it says that username/password authentication only is
> possible. I just don't know how to set up the client to accept
> username/password only!

You obviously aren't giving the client a CA certificate -- if you were,
you wouldn't get that error.

client-cert-not-required excuses you from having a client cert; you still
need a CA cert (with which to verify the server's cert).
James Yonan
2005-02-13 02:52:09 UTC
Post by Andreas Iwanowski
>>> I am experimenting with user/password based authentication. I
>>> configured the server with 'client-cert-not-required' and
>>> 'auth-user-pass-verify auth.bat via-file'.
>>> On the client I said 'auth-user-pass'. When I start OpenVPN on the
>>> client, however, it says 'You must define a CA file...' And terminates!
>> Yes, you still need a CA and such, even though you don't need a client cert on the client side.
> Yes, that is what I did.
> I set up a CA for the server certificate and diffie hellman and the whole nine yards.
> Then I configured the server to accept username/password authentication using a script.
> But how do I set up the client properly? I don't want to use certificates on the clients,
> And on the manpage it says that username/password authentication only is possible.
> I just don't know how to set up the client to accept username/password only!

Remember that OpenVPN is doing bidirectional authentication: The server
authenticates the client and client authenticates the server.

Server Authenticates Client -- can be done with either a client
certificate or auth-user-pass or both.

Client Authenticates Server -- can currently only be done via a server
certificate signed by the root certificate (CA).

So you can use "auth-user-pass" and "client-cert-not-required" on the
client, but you still need a "ca" cert on the client to verify the
identity of the server.

James
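
The two authentication directions from this thread, written out as a pair of config files. This is an added example, not part of the original posts: the file names (ca.crt, server.crt, server.key, dh1024.pem), the host vpn.example.com, the port and the subnet are assumptions, while auth.bat and the three directives quoted in the thread come from the posts above.

```conf
# ---- server.conf (assumed file names, port and subnet) ----
port 1194
proto udp
dev tun
ca ca.crt                  # CA certificate that signed server.crt
cert server.crt            # server certificate, presented to every client
key server.key             # server private key, never copied to clients
dh dh1024.pem              # Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0

# Server authenticates client: password only, no client certificate.
client-cert-not-required
auth-user-pass-verify auth.bat via-file   # script accepts or rejects the login
username-as-common-name    # identify sessions by username, since no cert CN exists

# ---- client.conf (assumed host name and port) ----
client
dev tun
proto udp
remote vpn.example.com 1194

# Client authenticates server: still certificate based, so the CA is mandatory.
# Leaving this line out produces the "You must define a CA file" error.
ca ca.crt                  # public CA certificate only, safe to distribute

# Client side of the password login: prompt for username and password.
auth-user-pass

# No "cert" or "key" lines here: the client holds no certificate of its own.
```

Only ca.crt has to be copied to the clients; it is a public certificate, and it is the one thing that keeps the username and password from being sent to an unverified server.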