
My OpenVPN clients connect to the server with .ovpn + ca.crt files only

Writer Matthew Martinez

I would like to ask: if my clients connect to the OpenVPN server using only two files, client.ovpn and ca.crt, is this connection secure? Are there any security problems with this mechanism? Is the connection encrypted?

Knowing that:

  1. Clients can connect without any problems or warnings.
  2. An OpenVPN client should normally connect to the server using these four files: client.crt, client.key, ca.crt and client.ovpn.
  3. client.ovpn is as shown:
client
dev tun0
proto tcp
remote IP PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# cert client.crt
# key client.key
remote-cert-tls server
;tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
auth-user-pass pass

Server configuration:

port port
proto tcp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server P.P.P.P 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

1 Answer

In the server configuration you have the following lines:

client-cert-not-required
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login 

client-cert-not-required has the following description from man openvpn:

Don't require client certificate, client will authenticate using username/password only. Be aware that using this directive is less secure than requiring certificates from all clients.

The plugin requires authentication against PAM.

The data is encrypted when it transits the VPN. This is shown by the line cipher AES-128-CBC, which specifies which encryption to use. AES is generally regarded as secure.

Whether you consider this secure enough depends on what you are attempting to protect, and on the quality of the passwords. There's no one-stop answer to this; you have to define the threats you find applicable, and what level of security is acceptable.

Maintaining a CA and distributing certificates may be more work than distributing passwords. This depends on your setup. It also makes it more difficult to set up the VPN on a new computer, as you have to securely bring the relatively long key to that computer. The decreased security of password authentication may be a worthwhile trade-off in this respect.

TL;DR: It depends.

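The answer's two concerns, password-only clients (client-cert-not-required) and the commented-out tls-auth, can be checked mechanically. The following is an added example, not code from the question or the answer: it parses OpenVPN server directives and reports those concerns, with the question's server config beside a constructed hardened variant that requires client certificates and a tls-auth key (file names ta.key and the 2.4+ verify-client-cert spelling are assumptions).

```python
from typing import Dict, List

# Constructed sample: the server config from the question, one directive per line.
WEAK_CONF = """\
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher AES-128-CBC
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
"""

# Constructed sample: clients must present a certificate signed by ca.crt, plus tls-auth.
HARDENED_CONF = """\
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher AES-128-CBC
tls-auth ta.key 0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
"""

def parse_directives(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists of its occurrences.
    Lines starting with '#' or ';' are comments, as in the .ovpn above."""
    found: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found

def audit(text: str) -> List[str]:
    """Return the concerns the answer above raises, as they apply to this config."""
    d = parse_directives(text)
    findings: List[str] = []
    # Password-only clients: the legacy directive or its 'verify-client-cert none' form.
    if "client-cert-not-required" in d or ["none"] in d.get("verify-client-cert", []):
        findings.append("no client certificate checked; clients authenticate by password only")
    if not {"tls-auth", "tls-crypt", "tls-crypt-v2"} & set(d):
        findings.append("no tls-auth/tls-crypt key; any peer reaching the port can start a TLS handshake")
    for args in d.get("cipher", []):
        if not args or not args[0].upper().startswith("AES"):
            findings.append("data-channel cipher is not AES: " + (" ".join(args) or "(missing)"))
    return findings
```

Running audit(WEAK_CONF) lists both concerns, while audit(HARDENED_CONF) returns an empty list; the PAM plugin stays in place, so the hardened server requires a certificate and a password.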
