OpenVPN Connect doesn't require "Password Protect Certificate", and shows warnings in logs

emammadov · Apr 20, 2019, 7:28 PM

Hello,

I have posted this post in Openvpn section of this forum, but haven't received a reply yet, so I posted it here. When exporting vpn files of user, I check "Password Protect Certificate" and password and then click "OpenVPN Connect (iOS/Android) to export config file. After that, I import file.ovpn in OpenVPN Connect in Android phone, it requires username and password, but doesn't require "Password Protect Certificate". It connects successfully without "Password Protect Certificate". Why it happens? Beside this. this logs appear in Systems Logs. However none of these happens when using OpenVPN for Android program.

user 'username' authenticated
192.168.4.50:40300 [username] Peer Connection Initiated with [AF_INET]192.168.4.50:40300
192.168.4.50:40300 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
192.168.4.50:40300 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'

stephenw10 · Apr 20, 2019, 10:49 PM

So you mean the OpenVPN connect app never asks you for the password to unlock the cert and fails to connect?

Sounds like a problem in the app. Nothing we can do about that.

Use the other app that works as expected.

Steve

emammadov · Apr 21, 2019, 5:53 AM

Openvpn Connect requires username and password, but doesn't require "Password Protect Certificate". It connects successfully without it. I wonder how it connects successfully without it.

johnpoz · Apr 21, 2019, 9:33 AM

So lets be clear..

You have username and password set or not to connect?

Billy
Password

Or just cert?? What is the setting on your openvpn server setting?

Or just when you exported the config you clicked the password protect

Which states its ONLY for the Viscosity bundle for key, and the pkcs12 if that is used, etc. Which I believe the pkcs12 file is only used when you download the archive (ie .zip)

So you want user that connects to have to have the cert, and put in

Billy
Password

And to even use the cert need to put in CertPassword? Every time they connect?

If you want to put a password on your .key you could always use openssl

Vellin_Boute · Apr 22, 2019, 9:41 AM

No need any password, You can login into 10.0.0.138 IP or just reinstall vpn, I guess.

johnpoz · Apr 22, 2019, 9:44 AM

What? Are you in the wrong lang section Vellin? No offense your terse response makes no sense at all with the context of this thread?