Description
Hi,
I would like to discuss mandatory client-side authentication methods, such as --cert/--key, --pkcs12, or --auth-user-pass.
Currently, I have something in mind to fully delegate the authentication to the WEBAUTH protocol.
WEBAUTH does not require client certificates, and username/password authentication is done via a web browser. That also makes auth-user-pass obsolete.
Running an OpenVPN server with
verify-client-cert none
username-as-common-name
auth-user-pass-optional
works fine, but from the client side, it's a requirement to configure client certificates or auth-user-pass.
A configuration without client-side authentication methods produces a config error:
Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass
which I would like to eliminate.
In such cases, I prefer the tls-crypt-v2 or tls-crypt options as initial authentication, as an additional security layer.
The current workaround is one pair of client certificates which I have to use at each client.
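
An added example (not part of the original issue, and not OpenVPN's own code): a Python pre-check that applies the rule as worded in the error message above to a client profile and reports whether tls-crypt or tls-crypt-v2 is present. The function names and both sample profiles are constructed, and OpenVPN's real option check may accept methods that the message does not name.

```python
import re

def parse_directives(text):
    """Return the directive names used in an OpenVPN profile, inline <tag> blocks included."""
    names, in_block = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                        # skip key/cert material inside <tag>...</tag>
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":     # blank lines and comments
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:                               # inline block counts as that directive
            in_block = m.group(1)
            names.add(in_block)
            continue
        names.add(line.split()[0].lstrip("-"))  # accept "--cert" and "cert"
    return names

def audit_client(text):
    """Check only the methods named in the quoted error message (an assumption)."""
    d = parse_directives(text)
    has_cert = {"cert", "key"} <= d or "pkcs12" in d
    return {
        "client_auth_method": has_cert or "auth-user-pass" in d,
        "control_channel_key": bool(d & {"tls-crypt", "tls-crypt-v2"}),
    }

# Constructed sample: the profile the issue asks for (no cert, no auth-user-pass).
WEBAUTH_ONLY = """client
remote vpn.example.test 1194
# cert client.crt
<tls-crypt-v2>
(constructed placeholder, not real key material)
</tls-crypt-v2>
"""

# Constructed sample: the current workaround with a shared client certificate pair.
WORKAROUND = WEBAUTH_ONLY + "cert shared-client.crt\nkey shared-client.key\n"

if __name__ == "__main__":
    for name, cfg in (("webauth-only", WEBAUTH_ONLY), ("workaround", WORKAROUND)):
        print(name, audit_client(cfg))
```

A profile that reports `client_auth_method: False` is the kind that triggers the options error quoted above.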