Hello. I need your help. Please forgive me for my bad English, Google Translate helps me. I configured the OVPN server on Mikrotik hardware and successfully configured the Windows client. Then I decided to check the same settings on the Android client and encountered an error: "openvpn ANDROID CLIENT EVENT: core_thread_error info='mbed tls: error parsing config private key pkcs5 request encryption or digital alg not available". After finding a solution to the problem, I did the following: Exported the client certificate with a passphrase of type PKSC12(client.p12), but intentionally removed all references to certificates from the config file.
My Windows ovpn example:
-------------------------------------
client
dev tun
proto tcp-client
remote XXXXXXXXX
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca "CA.crt"
cert "Client.crt"
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass file
auth-nocache
-------------------------------------
My Android example:
-------------------------------------
client
dev tun
proto tcp-client
remote XXXXXXX
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass file
auth-nocache
-------------------------------------
When I import a profile, I am prompted to find and select a certificate to connect to. I have successfully installed the certificate by entering my passphrase and connect successfully.
Question 1: why on the Android client I was able to connect without a CA certificate. How safe is that?
Question 2: Why stops working on the WIndows client if to clean ca ca.crt?
Question 3: what then is the need for a CA certificate?