Feature #3633
closed
OpenVPN client's "Client Certificate" should be optional
0%
Description
The OpenVPN client configuration requires a client certificate when mode is configured as SSL/TLS. The "Client Certificate" drop down should have a "none" option, which when chosen would omit the "cert" and "key" lines from the clientX.conf entirely.
That's a common config with VPN service providers. Right now you have to pick a bunk client cert, which gets ignored apparently server-side.
I think this is a fast, easy change, hence the 2.2 target, I just don't have even a few minutes to get into it right now.
Updated by Jim Pingle almost 10 years ago
- Status changed from New to Feedback
I added a commit to allow this with some input validation to make sure that if they leave it on 'none' that they must supply a username and password. Without a user/pass, OpenVPN will exit without a client certificate.
Updated by 
Updated by
Updated by Marcus Brown over 9 years ago
Can we relax the input validation to require password only?
I've tested it with a service provider that only requires a pw (really long token) and it functions normally as long as I manually edit clientX.up to remove the bogus username that I enter, then restart service and my tunnel comes up.
Updated by Phillip Davis over 9 years ago
Actually, at the moment, the code does allow a password to be entered without username - it gets through the front-end validation. But when I do that, setting up a dummy client with no certificate and just a password, the OpenVPN log has:
Dec 15 22:05:19 openvpn83536: Use --help for more information.
Dec 15 22:05:19 openvpn83536: Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass
Without having looked much, I guess the back-end code will be specifying some username parameter when there is no username.
Also, you cannot get through the front-end validation without a Certificate Authority defined, you get a validation error:
"The field Certificate Authority is required."
and I had to go and create a dummy Certificate Authority in order to get through the validation.
That seems a bit odd? If you do not need a cert for the link, then surely you do not need a CA?
Updated by Phillip Davis over 9 years ago
@G Brinton - can you try the code in https://github.com/pfsense/pfsense/pull/1389
I discovered that OpenVPN does not like having a blank line for username and then a password. Also it does not like a string (password) in the first line followed by nothing. It always expects 2 lines in the ".up" file, but the 2nd line can be empty (meaning no 2nd piece of authentication data provided). I guess when you edited out the bogus username, you also put a blank line after the "password".
This code lets me put just a username or password, and bring up a client successfully. I have not tested fully because I do not have a server anywhere waiting for such a config.
Updated by Marcus Brown over 9 years ago
I tested the patch.
It does indeed work for the username only AND password only use case.
I pasted my key into the pw field and successfully established the vpn link, then I deleted it from the pw field and moved it to the username field, and it also successfully established the link.
BTW, its the cryptostorm service, which seems quite nice. Very serious about privacy of their customers.
cryptostorm + pfSense = good
Updated by Marcus Brown over 9 years ago
RE: no cert vs no CA.
The cryptostorm.is service does supply a CA certificate which I imported to the pfSense cert manager and then used in the CA field of the openvpn client config..
Updated by Marcus Brown over 9 years ago
Hi, Is anyone going to pull this into master for 2.2?
Thanks