OpenVPN Client Authentication without Certificates


I've been trying to get my OVPN server to work without client-side certificate verification.

My server.conf contains the following:

# Ports & protocols
port 1194
proto udp
dev tun

# Server certs and keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem

# Server subnet
server 198.18.200.0 255.255.255.0

# Persist IP lease pool
ifconfig-pool-persist ipp.txt

# Pushing to a private subnet
push "route 192.168.10.234 255.255.255.0"

# Allowing duplicate common names for clients (no keys/certs)
duplicate-cn

# KeepAlive
keepalive 10 120

# Cryptographic cipher.
cipher AES-256-CBC

# privilege downgrade fix.
persist-key
persist-tun

# Output a short status log
status openvpn-status.log

# Verbosity level 4
verb 4

# Notify the client when the server restarts
explicit-exit-notify 1

# Add PAM Auth plugin
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# No need for client cert (deprecated; newer OpenVPN releases use "verify-client-cert none")
client-cert-not-required

and the client.conf file contains the following

# Define Client
client

dev tun

# protocol
proto udp-client

# Server
remote abc.efg.xyz

# Service port
port 1194

# Not binding to a specific port
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun


# moderate verbosity
verb 4
mute 10

# Chosen cryptographic cipher.
cipher AES-256-CBC

# HMAC digest used to authenticate packets
auth SHA1

# Username and password are stored in this file
auth-user-pass f_secret

auth-nocache

I am unable to connect, and when I checked the log, it is asking me for the CA file.

Options error: You must define CA file (--ca) or CA path (--capath)

Can someone please tell me how I can avoid using the CA file?

Best Answer

You can't skip server certificate verification. Otherwise you would put your users' passwords at risk.

Especially when using password authentication, the client needs to verify to whom it is speaking. Otherwise anyone on the network path could impersonate your VPN gateway and steal your users' passwords.
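A client.conf that keeps username/password authentication but still verifies the server, as an added example rather than part of the answer above. It assumes the server's CA certificate has been copied to the client as /etc/openvpn/ca.crt and that the server certificate's subject CN is "server" (both assumptions; adjust to your deployment).

```conf
# Client side: no client certificate, but the server is still verified.
client
dev tun
proto udp
remote abc.efg.xyz 1194
nobind
persist-key
persist-tun

# CA that signed the server certificate (assumed path). This is what the
# "You must define CA file" error is asking for: without it the client
# has no trust anchor and cannot tell the real gateway from an impostor.
ca /etc/openvpn/ca.crt

# Reject a peer whose certificate lacks the server role (EKU serverAuth /
# nsCertType server), so a stolen *client* certificate cannot pose as the gateway.
remote-cert-tls server

# Optionally pin the expected server certificate subject (assumed CN).
verify-x509-name server name

# Username/password go to the PAM plugin on the server; no client cert needed.
auth-user-pass f_secret
auth-nocache

cipher AES-256-CBC
auth SHA1
verb 4
mute 10
```

The server side needs no change beyond the existing client-cert-not-required (or its newer equivalent, verify-client-cert none); only the client gains the ca and remote-cert-tls lines.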