OpenVPN
Proposal: Make client-side authentication methods optional
Hi,
I would like to discuss about mandatory client-side authentication methods, such as --cert/--key, --pkcs12, or --auth-user-pass
Currently, I had something in my find to fully delegate the authentication to WEBAUTH protocol.
WEBAUTH does not require client certificates and username/pass authentication is done via web browser. That also make auth-user-pass obsolete.
Running a OpenVPN server with
verify-client-cert none
username-as-common-name
auth-user-pass-optional
works fine, but from client side, it's an requirement to configure client certificates or auth-user-pass.
A configuration without client-side authentication methods produces an config error:
Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass
which I would like to eliminate.
In such cases, I prefer tls-crypt-v2 or tls-crypt options as initial authentication as additional security layer.
The current workaround is one pair of client certificates which I have to use at each client.
I would like to discuss about mandatory client-side authentication methods, such as --cert/--key, --pkcs12, or --auth-user-pass
+1 to removing this restriction. I think the rationale for this was to protect users against insecure setups, but forcing this on the client side doesn't look very useful. Trying to warn/prevent server setups with no client authentication mechanism in place should be enough.
protect users against insecure setups
This if should be keep, a new config directive, like expect-webauth could be introduces. If set, the OpenVPN client fail to connect unless WEBAUTH is used.
A potential workaround is define username/password inline (use dummy values):
<auth-user-pass>
username
pass
</auth-user-pass>
It seems like this patch is ready.
Could someone post that patch to the mailing list?