
I have imported the client config file to official OpenVPN client for Android.

The config file contains the CA cert but no client cert or key. That's fine because I have the auth-user-pass directive in it.

But when I try to connect, a window pops up saying:

Select Certificate

This profile doesn't include a client certificate. Continue connecting without a certificate or select one from the Android keychain?

If I choose to continue, it connects but this window appears every time I want to connect.

The same profile works fine on Windows (official OpenVPN GUI) and VPN Client Pro (unofficial client from Play Store).

Why is it looking for a client certificate when the authentication method is user+pass?

Thanks.

EDIT for JW0914:

Since you are providing wrong information, I did a bit of searching and found the answer:

As it is described here the key is to add "--verify-client-cert none" to the server config file.

Omid Shojaee
  • Ditch that generic OpenVPN app for OpenVPN for Android, which actually allows full functionality as a client. As to your question, the certificate must be imported to the Android KeyChain in [Android] Settings (this is a security feature for Android - all certs must be imported into the KeyChain - DO NOT store unencrypted certificate keys on internal/external Android storage). If you install the OpenVPN for Android app, it'll be more clear, as it allows you to do so from within the app. – JW0914 Jan 05 '20 at 14:27
  • I am happy with VPN Client Pro, but my question remains: why should I import the certificate into the Android keychain when the authentication method does not need it? – Omid Shojaee Jan 05 '20 at 14:38
  • Your question states you're using OpenVPN Connect, not VPN Client Pro. Please update the question with the correct app being used. As to certificates, all OpenVPN connections require certificates as an authentication method (you can add other authentication methods on top of certificates, but certificates are always required). – JW0914 Jan 05 '20 at 14:44
  • I have switched to VPN Client Pro because OpenVPN Connect is not working. The question is about OpenVPN Connect. As for the certificate, the OpenVPN default config says: "Client certificate and key. A pair of client certificate and private key is required in case you want to use the certificate authentication." I don't want to use certificate authentication. – Omid Shojaee Jan 06 '20 at 15:23
  • I've addressed what the issue is in my prior two comments - you must import the certificate and key into the Android keychain. If you do not have a client cert and key, and this is your personal OpenVPN server, you must generate a client cert and key either via EasyRSA or openssl and have it signed via the VPN's CA/ICA. OpenVPN is an SSL VPN and certificates are required, they are not optional, as using an OpenVPN server without certificates compromises the security of the VPN tunnel. If this is a 3rd party VPN, they've provided you with the cert and key signed by the VPN's CA/ICA – JW0914 Jan 06 '20 at 15:32
  • I updated my original post. – Omid Shojaee Jan 12 '20 at 15:00
  • You're fundamentally misunderstanding what you're trying to accomplish. You're configuring a VPN to protect the information flowing through its tunnel, but w/o PKI client & server certificates there is no way to encrypt that data... i.e. the VPN is useless. How exactly do you believe OpenVPN encrypts the data in the tunnel if certificates & keys aren't utilized? (See lines 877 - 923 in this openssl.cnf to see how RSA & ECDSA encryption occurs, as well as KUs/EKUs.) – JW0914 Jan 12 '20 at 18:08
  • @jw0914 you don't need client certs for encryption. See also every https enabled website – robertmain May 16 '21 at 12:20
  • @robertmain A client cert encrypts information between the client & server, as well as decrypts information between the server & client. KUs of the client & server cert control types of encryption used, with EKUs clientAuth [client] & serverAuth [server] required to prevent MITM attacks. Please refer to OpenVPN's wikis for additional info, as you have a fundamental misunderstanding of encryption within an SSL VPN (while only a PSK can be used, it isn't secure, thereby defeating the purpose of a VPN). – JW0914 May 16 '21 at 13:35
  • @JW0914 that's actually still not correct - but I've decided I don't care anymore. – robertmain Jun 09 '21 at 02:00
  • @robertmain Everything in my comment comes from OpenVPN's and OpenSSL's man pages (portions of the KU link also came from the RFC), something that would be known had the man page links provided been referenced. – JW0914 Jun 09 '21 at 12:18
  • Hi, looks like you've found the solution by yourself, which is great! Consider posting it as a proper answer since self-answering is not only allowed but even encouraged. Thanks! – Andrew T. Sep 13 '23 at 14:23
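As an added illustration of the self-answer above (this is example code written for this page, not the asker's profile or anything shipped by OpenVPN), the script below parses an .ovpn/server config, works out which client authentication the profile carries, and reports what the server side must contain for it to work. Run on a profile like the one in the question (CA only, auth-user-pass, no cert/key) against a server config that still has the default client-cert requirement, it points at the missing "verify-client-cert none"; it also flags the checks a defender wants alongside that directive: a username/password backend (auth-user-pass-verify or a plugin) so the server actually verifies the credentials, "script-security 2" for the script, "remote-cert-tls server" on the client, and the deprecated pre-2.4 spelling "client-cert-not-required". The two profiles and the script path /etc/openvpn/check-user.sh are constructed; the certificate body is a placeholder.

```python
"""Lint an OpenVPN client profile against the server config it will talk to.
Example code for this page, not OpenVPN's own. Sample profiles are constructed."""
import re

# Constructed: a password-only client profile like the one in the question.
CLIENT_PASSWORD_ONLY = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# Constructed: a server config with OpenVPN's default (client cert required).
SERVER_BEFORE = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
"""

# Constructed: the same server after applying the fix from the question,
# plus a password backend (hypothetical script path) and the script-security it needs.
SERVER_AFTER = SERVER_BEFORE + """\
verify-client-cert none
auth-user-pass-verify /etc/openvpn/check-user.sh via-env
script-security 2
"""

INLINE_TAG = re.compile(r"<([a-z0-9-]+)>")


def parse_ovpn(text):
    """Return (directives, inline). directives: name -> list of argument lists in
    file order (names may repeat, e.g. several 'remote' lines). inline: tag -> body
    for <ca>, <cert>, <key>, <tls-crypt>, ... blocks."""
    directives, inline, tag, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag is not None:                      # inside an inline block
            if line == f"</{tag}>":
                inline[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue                             # blank line or comment
        m = INLINE_TAG.fullmatch(line)
        if m:
            tag = m.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name.lstrip("-"), []).append(args)
    if tag is not None:
        raise ValueError(f"unterminated inline block <{tag}>")
    return directives, inline


def client_auth_profile(client_text):
    """Which authentication material the client profile carries."""
    d, inl = parse_ovpn(client_text)

    def present(name):
        return name in d or name in inl

    return {
        "cert": (present("cert") and present("key")) or present("pkcs12"),
        "password": present("auth-user-pass"),
        "eku_check": present("remote-cert-tls"),  # only a serverAuth cert may be the server
    }


def check_pair(client_text, server_text):
    """Problems to fix before rolling the client/server pair out."""
    c = client_auth_profile(client_text)
    sd, _ = parse_ovpn(server_text)
    problems = []
    mode = sd.get("verify-client-cert", [["require"]])[-1][0]  # OpenVPN default: require
    if "client-cert-not-required" in sd:
        problems.append("'client-cert-not-required' was deprecated in 2.4 and removed in "
                        "2.5; use 'verify-client-cert none'")
        mode = "none"
    # Assumption: any 'plugin' line is a password backend (e.g. an auth-pam plugin).
    checks_password = "auth-user-pass-verify" in sd or "plugin" in sd
    if not c["cert"] and mode == "require":
        problems.append("client carries no cert/key but the server requires one: add "
                        "'verify-client-cert none' (or 'optional') to the server config")
    if mode != "require" and not checks_password:
        problems.append("server neither requires a client cert nor verifies "
                        "username/password: anyone holding the (public) CA cert could connect")
    if c["password"] and not checks_password:
        problems.append("client sends a username/password the server never checks")
    if "auth-user-pass-verify" in sd and int(sd.get("script-security", [["1"]])[-1][0]) < 2:
        problems.append("auth-user-pass-verify needs 'script-security 2' to run the script")
    if not c["eku_check"]:
        problems.append("client lacks 'remote-cert-tls server': any certificate signed by "
                        "the CA would be accepted as the server")
    return problems


if __name__ == "__main__":
    for label, server in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        print(label, check_pair(CLIENT_PASSWORD_ONLY, server) or "OK")
```

With the "before" server config the linter reports the missing "verify-client-cert none" and the unchecked username/password; with the "after" config it reports nothing. The point of pairing the directive with a password backend is that "verify-client-cert none" removes the only authentication the server had by default, so the auth-user-pass-verify script (or a plugin) is what stands between the CA cert, which every client already holds, and a working tunnel.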
