OpenVPN Connect doesn't require "Password Protect Certificate", and shows warnings in logs



  • Hello,

    I have posted this post in the OpenVPN section of this forum, but haven't received a reply yet, so I posted it here. When exporting a user's VPN files, I check "Password Protect Certificate" and password and then click "OpenVPN Connect (iOS/Android)" to export the config file. After that, I import file.ovpn in OpenVPN Connect on an Android phone; it requires username and password, but doesn't require "Password Protect Certificate". It connects successfully without "Password Protect Certificate". Why does this happen? Besides this, these logs appear in System Logs. However, none of this happens when using the OpenVPN for Android program.

    user 'username' authenticated
    192.168.4.50:40300 [username] Peer Connection Initiated with [AF_INET]192.168.4.50:40300
    192.168.4.50:40300 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
    192.168.4.50:40300 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'


  • Netgate Administrator

    So you mean the OpenVPN Connect app never asks you for the password to unlock the cert and fails to connect?

    Sounds like a problem in the app. Nothing we can do about that.

    Use the other app that works as expected.

    Steve



  • OpenVPN Connect requires username and password, but doesn't require "Password Protect Certificate". It connects successfully without it. I wonder how it connects successfully without it.


  • LAYER 8 Global Moderator

    So let's be clear..

    You have username and password set or not to connect?

    Billy
    Password

    Or just cert?? What is the setting on your OpenVPN server setting?

    mode.png

    Or just when you exported the config you clicked the password protect
    bundleprotect.png

    Which states it's ONLY for the Viscosity bundle for key, and the pkcs12 if that is used, etc. Which I believe the pkcs12 file is only used when you download the archive (i.e. .zip)

    So you want user that connects to have to have the cert, and put in

    Billy
    Password

    And to even use the cert need to put in CertPassword? Every time they connect?

    If you want to put a password on your .key you could always use openssl
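
The openssl suggestion that closes the post above, as an added example that is not part of the original thread: it checks whether the inline `<key>` block of an exported .ovpn profile is actually passphrase-protected and, if not, writes a copy with the key encrypted. The function names, the passphrase-file argument and the demo profile are assumptions made for this example, and it assumes the profile carries its key inline between `<key>` tags.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of any export tool.

# Print the body of the inline <key> block of an .ovpn profile.
ovpn_inline_key() {
    awk '/^<\/key>/ {f=0} f {print} /^<key>/ {f=1}' "$1"
}

# Report whether the inline key is "encrypted", "plaintext" or absent ("none").
ovpn_key_state() {
    key=$(ovpn_inline_key "$1")
    [ -n "$key" ] || { echo none; return 0; }
    # PKCS#8 uses an ENCRYPTED PRIVATE KEY header; traditional PEM keys
    # carry a "Proc-Type: 4,ENCRYPTED" line instead.
    if printf '%s\n' "$key" |
        grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED'; then
        echo encrypted
    else
        echo plaintext
    fi
}

# Copy profile $1 to $2 with the inline key encrypted (AES-256) under the
# passphrase stored in file $3, so a client needs the passphrase to load it.
ovpn_protect_key() {
    enc=$(mktemp) || return 1
    if ! ovpn_inline_key "$1" |
        openssl pkey -aes256 -passout "file:$3" -out "$enc"; then
        rm -f "$enc"; return 1
    fi
    awk -v kf="$enc" '
        /^<key>/   { print; while ((getline l < kf) > 0) print l; skip = 1; next }
        /^<\/key>/ { skip = 0 }
        !skip      { print }' "$1" > "$2"
    rm -f "$enc"
}

# Demo on a constructed profile with a throwaway key generated on the spot.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed-passphrase\n' > "$d/pass"
    { echo 'client'; echo 'auth-user-pass'; echo '<key>'
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null
      echo '</key>'; } > "$d/in.ovpn"
    ovpn_protect_key "$d/in.ovpn" "$d/out.ovpn" "$d/pass" || { rm -rf "$d"; return 1; }
    echo "$(ovpn_key_state "$d/in.ovpn") $(ovpn_key_state "$d/out.ovpn")"
    rm -rf "$d"
}
```

Running `ovpn_key_state file.ovpn` on the exported profile shows directly whether the app has anything to prompt for; `demo` prints the state before and after protection.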



  • No need for any password. You can log in to the 10.0.0.138 IP or just reinstall the VPN, I guess.


  • LAYER 8 Global Moderator

    What? Are you in the wrong lang section, Vellin? No offense, your terse response makes no sense at all in the context of this thread?

