No server certificate verification method has been enabled.

[LonelyPixel]

When connecting to my OpenVPN server, I get this message on the client in red colour:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

I have read that page and acknowledged it. The certificates already have the appropriate settings. How can I make this red line go away?

[TinCanTech]

Now add the following line to your client configuration:

remote-cert-tls server

[LonelyPixel]

Thanks for the pointer. I haven't seen this line and thought there's nothing more to do. Maybe the page layout was a bit too complex or I was already in that "stupid documentation" mood.

[TinCanTech]

or I was already in that "stupid documentation" mood.

Would you prefer there not to be documentation ?

People put a lot of effort into writing it .. but we can delete it all if you prefer

[LonelyPixel]

If there is no documentation, I'd be annoyed about it not being there. If there's a documentation that's hard to find, use and understand, I'd be annoyed about it being hard to find, use and understand. Please understand that incomplete efforts cannot beat psychology. You can't sell a product by arguing that you couldn't do it any better. I'm just giving you feedback on that, other's won't and turn somewhere else. I guess you still don't care because we're all not paying any money.

And yes, deleting the outdated part of the documentation might indeed be helpful! It just doesn't look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it's long outdated. You see where my impression comes from?

[TinCanTech]

If there is no documentation, I'd be annoyed about it not being there. If there's a documentation that's hard to find, use and understand, I'd be annoyed about it being hard to find, use and understand.

You can help improve it

You can't sell a product by arguing that you couldn't do it any better. I'm just giving you feedback on that, other's won't and turn somewhere else. I guess you still don't care because we're all not paying any money.

I care which is why I help .. but we need more help.

yes, deleting the outdated part of the documentation might indeed be helpful!

You can help improve it

It just doesn't look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it's long outdated.

At least all the pages of documentation from Openvpn are fully dated, unlike much of the FUD out there .. so you can decide immediately if you want to read it or not.

[LonelyPixel]

Oh, that's been a long time.

I understand that you need more help to keep the docs updated. But I really feel that should be done by people who know what they talk about. You can probably guess from my questions that I'm not one of them. Set aside that I can't even guess the effort it'd take me to find out how to help with that. Somebody would have to spend a lot of time putting me on the right track that they could better spend in fixing it directly.

[1_C4T4LY5T]

I see that open vpn error tells me to go here: https://openvpn.net/community-resources/how-to/#mitm
but that makes no sense to me as I'm definitely a noob to vpn's in general. I did try to add "remote-cert-tls server" to the end of my client config file. When I added it the red error went away but now the client just keeps saying connecting in status and never actually errors or connects for me.

Could I get some help from anyone in a very dumbed down way? like if you were explaining it to your mom for example ?

Thank you in advance for any help.

[TinCanTech]

You mist speak to your server admin

[1_C4T4LY5T]

I have no server admin. This is an hp elite 8300 sff i7-2600 box I setup server 2019 on and then installed Open VPN. I'd be happy to provide needed info.
I've setup the vpn through enabling the open vpn setting on my nighthawk R7000P. I've followed the directions from netgear and everything else seems to have setup just as it described ...all but this open vpn client starting up.

[300000]

You can try paid version on this site and setup is more easy .no more red or whatever notice.

If you want red warning go away you need adding something into openssl config inside easyras so it will adding attribute httpsserver authentication so the warning will go.

That is the way people consider using community version for personal use and paid version for commercial use .

It is only one line of config that work the best and there is no document how to do it either so try to find it yourself .openvpn manual not document it anywhere so people can't find it

[Hart, Henry]

You can try paid version on this site and setup is more easy .no more red or whatever notice.

Is this true? I would be more than happy to use the Paid version if I knew that almost nothing would be required of me -- no red notices, no errors, no dropped connections with errors (which we too are experiencing now without touching the server and certs are up to date) and 24/7 support. Where do I sign up....

[300000]

you can download OpenVPN Access Server now to try it , no more red or whatever notice to up set people but only pay money that is how free software work or if you like you can do it yourself simple. infarct red warning make quite scare to use when you want to hide something more than nomal .

I am using XCA to create certificate so for me no red warning at all or whatever but you need to going to openssl to learn how to create certificate and what kind of difference attribute to create all kind of difference certificate to use in all difference situation

[calipo]

This is my clien configuration
client
dev tun
proto udp
remote mapuche.mendoza.gov.ar
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 1
<ca>

Where write "remote-cert-tls server"?
Thanks

[sylsun]

We have the same problem, withe a freebox revolution, since the 12th of july.
I tried to add "remote-cert-tls server"
But it doesn't work : TLS Error: Unroutable control packet received from [AF_INET]

[sylsun]

And same computer with openvpn works with an other box

[becm]

Most other issues with similar errors hint to
- connecting to the wrong server or
- using wrong client settings.

Other (correct) configs to connect to other servers naturally will work.

[calipo]

I cant connect. Error is
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-01-10 20:22:57 TCP/UDP: Preserving recently used remote address: [AF_INET]201.xxx.xxxx.xxx
2025-01-10 20:22:57 UDPv4 link local: (not bound)
2025-01-10 20:22:57 UDPv4 link remote: [AF_INET]201.xxx.xxx.xx
2025-01-10 20:22:57 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=AR, ST=MZ, L=Mendoza, O=DIC, CN=server, emailAddress=rycom@xxxx.gov.ar, serial=465
2025-01-10 20:22:57 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2025-01-10 20:22:57 TLS_ERROR: BIO read tls_read_plaintext error
2025-01-10 20:22:57 TLS Error: TLS object -> incoming plaintext read error
2025-01-10 20:22:57 TLS Error: TLS handshake failed
2025-01-10 20:22:57 SIGUSR1[soft,tls-error] received, process restarting
Any idea

[calipo]

I have Debian 13. With Debian 12 works fine. Seem the problem is the new version
Any idea?