Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Posted: Sun Mar 19, 2017 7:10 am
by akbsol
Hi all,

When we use only auth-user-pass-verify to authenticate connections and the client config doesn't have any certs except a <ca> and <tls-auth> section, are options such as remote-cert-tls server and tls-remote still needed?

From my understanding, as the client doesn't have any common-CA-signed certificate and key of his own, he has no way to impersonate the server? Please correct me if I am wrong.

Thanks.

Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Posted: Tue Mar 21, 2017 5:50 pm
by akbsol
Anyone? Please suggest.

Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Posted: Tue Mar 21, 2017 9:07 pm
by TinCanTech
akbsol wrote: Please suggest
Suggest: Most people prefer more security than less ..

MITM attacks are carried out by a Man-In-The-Middle .. not your client or server.

Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Posted: Wed Mar 22, 2017 4:41 am
by akbsol
Thanks for replying. The suggestion I was seeking, though, wasn't about what most people prefer :-)

I simply wanted to know the theoretical possibility of MitM as outlined here:

https://openvpn.net/index.php/open-sour ... .html#mitm

when client configs don't have any certificate except <ca> and authentication is based simply on username and password. The page above lists methodologies to adopt:

"To avoid a possible Man-in-the-Middle attack where an authorized client tries to connect to another client by impersonating the server, make sure to enforce some kind of server certificate verification by clients."

But when no client has any certificate and key of his own, can he still impersonate the server?
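For reference, here is what the "server certificate verification by clients" that the quoted OpenVPN page asks for looks like in a username/password-only deployment. This is an added, constructed example and not a configuration from anyone in this thread; the hostname, file paths and script name are placeholders. The weak form relies solely on the `<ca>` block, which means the client accepts as its server any certificate that CA has ever signed (another server, a misissued cert, or a certificate the CA was reused for elsewhere); the hardened form makes the client check the server certificate's extended key usage with `remote-cert-tls server` and pin its name with `verify-x509-name`, the option that replaced the deprecated `tls-remote` (removed in OpenVPN 2.4).

```conf
##########################################################################
# Client side (constructed example).  No client certificate or key at all:
# the client authenticates with a username and password only.
##########################################################################
client
dev tun
proto udp
remote vpn.example.com 1194        # placeholder server name
auth-user-pass                     # prompt for username/password

# Only the CA certificate and the tls-auth key are carried by the client.
<ca>
# (PEM-encoded CA certificate goes here - placeholder)
</ca>
<tls-auth>
# (static tls-auth key goes here - placeholder)
</tls-auth>
key-direction 1

# --- Weak: nothing below this line -------------------------------------
# With only <ca>, any certificate issued by that CA passes validation as
# the server.  The protection depends entirely on the CA never having
# issued, and never issuing, a second certificate.

# --- Hardened: explicit server verification ----------------------------
# Require the server certificate to carry the "TLS Web Server
# Authentication" extended key usage, so a certificate issued for a
# client role (or with no EKU) is rejected.
remote-cert-tls server
# Pin the expected Common Name of the server certificate.  The third
# argument "name" matches the CN only; "subject" (the default) would
# match the full distinguished name.  Replaces the old "tls-remote".
verify-x509-name vpn.example.com name

##########################################################################
# Server side (constructed example), matching the client above.
##########################################################################
# Check username/password with an external script.  "via-env" passes the
# credentials through the environment, which OpenVPN only permits at
# script-security level 3.
script-security 3
auth-user-pass-verify /etc/openvpn/check-user.sh via-env   # placeholder path
# Do not require a client certificate (OpenVPN 2.3 syntax; 2.4 and later
# spell this "verify-client-cert none").
client-cert-not-required
# Use the supplied username as the client's identity for logging/ccd.
username-as-common-name
```

The two client-side lines are cheap to keep regardless of how the question in this thread is settled: they turn an implicit assumption about what the CA has signed into a check the client performs on every connection, and a mismatch shows up in the client log as a certificate verification failure rather than as a silently accepted peer.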