Can we skip those (anti-)MITM options when only user/pass based auth is being done?

akbsol
OpenVpn Newbie
Posts: 3
Joined: Sun Mar 19, 2017 7:00 am

Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Postby akbsol » Sun Mar 19, 2017 7:10 am

Hi all,

When we use only auth-user-pass-verify to authenticate connections and the client config doesn't have any certs except a <ca> and <tls-auth> section, are options such as remote-cert-tls server & tls-remote still needed?

From my understanding, as the client doesn't have any common-CA-signed certificate & key of his own, he has no way to impersonate the server? Please correct me if I am wrong.

Thanks.

akbsol
OpenVpn Newbie
Posts: 3
Joined: Sun Mar 19, 2017 7:00 am

Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Postby akbsol » Tue Mar 21, 2017 5:50 pm

Anyone? Please suggest.

TinCanTech
I should be on the dev team.
Posts: 1893
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Postby TinCanTech » Tue Mar 21, 2017 9:07 pm

akbsol wrote: Please suggest
Suggest: Most people prefer more security than less ..

MITM attacks are carried out by a Man-In-The-Middle .. not your client or server.

akbsol
OpenVpn Newbie
Posts: 3
Joined: Sun Mar 19, 2017 7:00 am

Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Postby akbsol » Wed Mar 22, 2017 4:41 am

Thanks for replying. The suggestion sought by me though wasn't about what most people prefer :-)

I simply wanted to know the theoretical possibility of MitM as outlined here:

https://openvpn.net/index.php/open-sour ... .html#mitm

when client configs don't have any certificate except <ca> and authentication is simply based on username-password. The page above lists methodologies to adopt:

"To avoid a possible Man-in-the-Middle attack where an authorized client tries to connect to another client by impersonating the server, make sure to enforce some kind of server certificate verification by clients."

But when no client has any certificate & key of his own, can he still impersonate?

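Added example (not from this thread or from OpenVPN itself): a small POSIX sh lint that takes a client profile of the shape discussed above (inline <ca> and <tls-auth>, auth-user-pass, no client cert) and reports whether it still carries a server-identity directive. The directive names are real OpenVPN options; the profile contents, placeholders and temp paths are constructed for the example.

```shell
#!/bin/sh
# Lint a client profile that relies on auth-user-pass: does it also verify who the server is?
# check_profile exit codes: 0 = identity check present, 1 = missing, 2 = profile has no auth-user-pass.
check_profile() {
    f="$1"
    grep -Eq '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$f" || return 2
    # Without a <ca> block none of the server checks below can be evaluated at all.
    grep -Eq '^[[:space:]]*<ca>[[:space:]]*$' "$f" || return 1
    # remote-cert-tls server (EKU check), verify-x509-name, or the old tls-remote
    # (deprecated in favour of verify-x509-name) each tie the tunnel to the intended server.
    grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|verify-x509-name[[:space:]]|tls-remote[[:space:]])' "$f"
}

# Constructed sample profile: <ca> + <tls-auth>, password auth, no client cert.
# The PEM bodies are placeholders, not real certificates or keys.
write_profile() {          # $1 = output path, $2 = extra directive to append ("" for none)
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<tls-auth>
PLACEHOLDER-TLS-AUTH-KEY
</tls-auth>
key-direction 1
EOF
    [ -n "$2" ] && printf '%s\n' "$2" >> "$1"
    return 0
}

# Demo: the profile as described in the thread, then the same profile with the check kept.
demo() {
    weak=$(mktemp); strong=$(mktemp)
    write_profile "$weak" ""
    write_profile "$strong" "remote-cert-tls server"
    for p in "$weak" "$strong"; do
        if check_profile "$p"; then echo "$p: server identity is verified"
        else echo "$p: password auth without any server identity check"; fi
    done
    rm -f "$weak" "$strong"
}
```

Run `demo` to see both verdicts; the first profile is flagged, the second passes.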