Project

General

Profile

Feature #3633

OpenVPN client's "Client Certificate" should be optional

Added by Chris Buechler over 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Category:
OpenVPN
Target version:
Start date:
05/01/2014
Due date:
% Done:

0%

Estimated time:

Description

The OpenVPN client configuration requires a client certificate when mode is configured as SSL/TLS. The "Client Certificate" drop down should have a "none" option, which when chosen would omit the "cert" and "key" lines from the clientX.conf entirely.

That's a common config with VPN service providers. Right now you have to pick a bunk client cert, which gets ignored apparently server-side.

I think this is a fast, easy change, hence the 2.2 target, I just don't have even a few minutes to get into it right now.

Associated revisions

Revision 2da48592 (diff)
Added by Jim Pingle over 4 years ago

Allow the user to select "None" for OpenVPN client certificate, so long as they supply and auth user/pass. Ticket #3633

History

#1 Updated by Jim Pingle over 4 years ago

  • Status changed from New to Feedback

I added a commit to allow this with some input validation to make sure that if they leave it on 'none' that they must supply a username and password. Without a user/pass, OpenVPN will exit without a client certificate.

#2 Updated by Jim Thompson about 4 years ago

  • Assignee set to Chris Buechler

#3 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

works

#4 Updated by Marcus Brown almost 4 years ago

Can we relax the input validation to require password only?
I've tested it with a service provider that only requires a pw (really long token) and it functions normally as long as I manually edit clientX.up to remove the bogus username that I enter, then restart service and my tunnel comes up.

#5 Updated by Phillip Davis almost 4 years ago

Actually, at the moment, the code does allow a password to be entered without username - it gets through the front-end validation. But when I do that, setting up a dummy client with no certificate and just a password, the OpenVPN log has:
Dec 15 22:05:19 openvpn83536: Use --help for more information.
Dec 15 22:05:19 openvpn83536: Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass

Without having looked much, I guess the back-end code will be specifying some username parameter when there is no username.

Also, you cannot get through the front-end validation without a Certificate Authority defined, you get a validation error:
"The field Certificate Authority is required."
and I had to go and create a dummy Certificate Authority in order to get through the validation.
That seems a bit odd? If you do not need a cert for the link, then surely you do not need a CA?

#6 Updated by Phillip Davis almost 4 years ago

@G Brinton - can you try the code in https://github.com/pfsense/pfsense/pull/1389

I discovered that OpenVPN does not like having a blank line for username and then a password. Also it does not like a string (password) in the first line followed by nothing. It always expects 2 lines in the ".up" file, but the 2nd line can be empty (meaning no 2nd piece of authentication data provided). I guess when you edited out the bogus username, you also put a blank line after the "password".

This code lets me put just a username or password, and bring up a client successfully. I have not tested fully because I do not have a server anywhere waiting for such a config.

#7 Updated by Marcus Brown almost 4 years ago

I tested the patch.
It does indeed work for the username only AND password only use case.
I pasted my key into the pw field and successfully established the vpn link, then I deleted it from the pw field and moved it to the username field, and it also successfully established the link.

BTW, its the cryptostorm service, which seems quite nice. Very serious about privacy of their customers.
cryptostorm + pfSense = good

#8 Updated by Marcus Brown almost 4 years ago

RE: no cert vs no CA.
The cryptostorm.is service does supply a CA certificate which I imported to the pfSense cert manager and then used in the CA field of the openvpn client config..

#9 Updated by Marcus Brown almost 4 years ago

Hi, Is anyone going to pull this into master for 2.2?

Thanks

Also available in: Atom PDF