Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
akbsol
OpenVpn Newbie
Posts: 7
Joined: Sun Mar 19, 2017 7:00 am

Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Post by akbsol » Sun Mar 19, 2017 7:10 am

Hi all,

When we use only auth-user-pass-verify to authenticate connections and the client config doesn't have any certs except a <ca> and <tls-auth> section, are options such as remote-cert-tls server & tls-remote still needed?

From my understanding, as the client doesn't have any common-CA-signed certificate & key of his own, he has no way to impersonate the server? Please correct me if I am wrong.

Thanks.

akbsol
OpenVpn Newbie
Posts: 7
Joined: Sun Mar 19, 2017 7:00 am

Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Post by akbsol » Tue Mar 21, 2017 5:50 pm

Anyone? Please suggest.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Post by TinCanTech » Tue Mar 21, 2017 9:07 pm

akbsol wrote: Please suggest
Suggest: Most people prefer more security than less ..

MITM attacks are carried out by a Man-In-The-Middle .. not your client or server.

akbsol
OpenVpn Newbie
Posts: 7
Joined: Sun Mar 19, 2017 7:00 am

Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?

Post by akbsol » Wed Mar 22, 2017 4:41 am

Thanks for replying. The suggestion sought by me though wasn't about what most people prefer :-)

I simply wanted to know the theoretical possibility of MitM as outlined here:

https://openvpn.net/index.php/open-sour ... .html#mitm

when client configs don't have any certificate except <ca> and authentication is simply based on username-password. The page above lists methodologies to adopt:

"To avoid a possible Man-in-the-Middle attack where an authorized client tries to connect to another client by impersonating the server, make sure to enforce some kind of server certificate verification by clients."

But when no client has any certificate & key of his own, can he still impersonate?
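
The two client configurations under discussion, side by side, as an added example that is not part of the thread or of any OpenVPN project code. The first is the user/pass-only client from the question (a <ca> and <tls-auth> block, no client cert or key); the second adds the server-identity checks the HOWTO asks for: `remote-cert-tls server` requires the server certificate to carry the TLS Web Server Authentication extended key usage, and `verify-x509-name` (the replacement for the older `tls-remote`) pins the expected subject name. The hostname `vpn.example.com`, the certificate/key placeholders and the helper names are assumptions made for the example. The `enforces_server_verification` function is a quick audit check over a client config file: it reports whether any server-identity directive is present, ignoring commented-out lines.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed OpenVPN client configs and a
# small check for whether server-identity verification is enforced.
# Hostname, CN and key material are placeholders.

# User/pass-only client as described in the question: the only check the TLS
# layer performs on the server is "certificate signed by our CA".
weak_client_conf() {
cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
...placeholder: CA certificate goes here...
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...placeholder: tls-auth key goes here...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
EOF
}

# Same client, plus the two directives that tie the TLS session to a
# specific *server* certificate rather than to any cert the CA has issued:
#   remote-cert-tls server  -> server cert must have the serverAuth EKU
#   verify-x509-name ...    -> server cert CN must be vpn.example.com
hardened_client_conf() {
weak_client_conf
cat <<'EOF'
remote-cert-tls server
verify-x509-name vpn.example.com name
EOF
}

# Emit one of the constructed configs by name (weak|hardened).
client_conf() {
    case "$1" in
        weak)     weak_client_conf ;;
        hardened) hardened_client_conf ;;
        *) echo "usage: client_conf weak|hardened" >&2; return 2 ;;
    esac
}

# Reads a client config on stdin. Returns 0 if it contains any directive that
# verifies the server's identity (current or legacy spelling), 1 otherwise.
# Lines commented out with '#' or ';' are not counted.
enforces_server_verification() {
    grep -v '^[[:space:]]*[#;]' |
    grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|remote-cert-eku[[:space:]]|verify-x509-name[[:space:]]|tls-remote[[:space:]]|ns-cert-type[[:space:]]+server)'
}

# Prints a verdict for the named constructed config; exit status mirrors it.
check_conf() {
    if client_conf "$1" | enforces_server_verification; then
        echo "$1: server identity is verified"
        return 0
    fi
    echo "$1: NO server identity check (only 'signed by our CA')"
    return 1
}

# Usage: run both and show the verdicts (weak is expected to fail).
check_conf weak || true
check_conf hardened
```

To audit a real client file, run `enforces_server_verification < client.ovpn`; a non-zero exit means none of the server-identity directives is set. The check only inspects the client side: `remote-cert-tls server` is only meaningful if the server certificate was actually issued with the serverAuth EKU (easy-rsa's `build-server-full` does this), and `verify-x509-name` must match the subject the server certificate really carries, so confirm both against the server cert with `openssl x509 -noout -subject -ext extendedKeyUsage`.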
