SUMMARY
If an OpenVPN client-mode connection is set up with password authentication, the client certificate and key are not passed to the OpenVPN process, so the client cannot present its certificate to the server and the tunnel is never brought up. A possible workaround is to set the certificate and key manually through the "openvpn-option" setting.
STEPS TO REPRODUCE
- Get (or just fake) the CA certificate, client certificate and client private key for an OpenVPN server
- Boot a VyOS ISO
- Run the following commands
```
# as root: store the CA cert, client cert and client key under /config so they survive reboots
sudo su -
mkdir -p /config/auth/ovpn/192.0.2.42
cat >/config/auth/ovpn/192.0.2.42/ca-cert.pem <<EOF
# ... CA cert data...
EOF
cat >/config/auth/ovpn/192.0.2.42/cert.pem <<EOF
# ... Client cert data...
EOF
cat >/config/auth/ovpn/192.0.2.42/cert.key <<EOF
# ... Client key data...
EOF
exit

# as the vyos user: configure a client-mode tunnel with both password and certificate authentication
configure
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 authentication username jdoe
set interfaces openvpn vtun0 authentication password foobar
set interfaces openvpn vtun0 remote-host 192.0.2.42
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ovpn/192.0.2.42/ca-cert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/ovpn/192.0.2.42/cert.pem
set interfaces openvpn vtun0 tls key-file /config/auth/ovpn/192.0.2.42/cert.key
commit
exit

# back in operational mode: count openvpn processes that were started with a --cert argument
sudo su -
ps aux | grep openvpn | grep -- '--cert' | wc -l
```
OBSERVED RESULT
0 (the openvpn process for vtun0 is started without a --cert argument)
EXPECTED RESULT
1 (the openvpn process for vtun0 is started with the --cert argument)
SOFTWARE/OS VERSIONS
vyos-1.2.0-rolling+201905200337-amd64.iso
ADDITIONAL INFORMATION
The underlying issue is that the Config.pm file in vyatta-openvpn does not add the "--cert" and "--key" parameters to the OpenVPN command line if the selected mode is "client" and a password has been set.
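As an added example (not code from the report, from VyOS or from vyatta-openvpn): a POSIX shell check that generalizes the `ps aux | grep -- '--cert' | wc -l` test above by reporting which of the TLS client options (--ca, --cert, --key) are absent from the running openvpn process's argument list, so the operator can see exactly what has to be supplied through "openvpn-option". The two `openvpn-option` lines in the comments are the assumed form of the workaround the summary mentions; the two sample command lines are constructed to model the observed (broken) and expected argument lists and are not copied from a VyOS system.

```shell
#!/bin/sh
# Added example for the report above; not part of VyOS or vyatta-openvpn.
# Checks whether a running openvpn client was started with its TLS client
# options (--ca, --cert, --key), which is what the report's
# "ps aux | grep -- '--cert' | wc -l" test probes, and prints the ones that
# are absent.
#
# Assumed form of the workaround named in the summary (syntax assumed, not
# taken from VyOS documentation):
#   set interfaces openvpn vtun0 openvpn-option "--cert /config/auth/ovpn/192.0.2.42/cert.pem"
#   set interfaces openvpn vtun0 openvpn-option "--key /config/auth/ovpn/192.0.2.42/cert.key"

# Constructed sample: the argument list the report describes for client mode
# with a password set (CA passed, but no --cert / --key). Not copied from a
# real system.
BROKEN_CMDLINE='/usr/sbin/openvpn --daemon --dev vtun0 --dev-type tun --client --remote 192.0.2.42 1194 --auth-user-pass --ca /config/auth/ovpn/192.0.2.42/ca-cert.pem'

# Constructed sample: the same process after the workaround above.
FIXED_CMDLINE="$BROKEN_CMDLINE --cert /config/auth/ovpn/192.0.2.42/cert.pem --key /config/auth/ovpn/192.0.2.42/cert.key"

# missing_tls_args CMDLINE
# Prints the TLS client options absent from CMDLINE, space separated (empty
# line if none). Returns 0 when all three are present, 1 otherwise. Matching
# is on whole words, so "--ca" does not match "--ca-cert.pem".
missing_tls_args() {
    missing=""
    for opt in --ca --cert --key; do
        case " $1 " in
            *" $opt "*) ;;
            *) missing="$missing $opt" ;;
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# live_openvpn_cmdline IFACE
# Argument list of the openvpn process serving IFACE (e.g. vtun0) on this
# host, or nothing if there is none. Uses procps "ps -C" as found on VyOS.
live_openvpn_cmdline() {
    ps -o args= -C openvpn 2>/dev/null | grep -- "--dev $1" | head -n 1
}

# report LABEL CMDLINE: one result line; never makes the script exit non-zero.
report() {
    if absent=$(missing_tls_args "$2"); then
        echo "$1: OK, --ca --cert --key are all passed to openvpn"
    else
        echo "$1: MISSING $absent (client cannot authenticate with its certificate)"
    fi
}

main() {
    iface=${1:-vtun0}
    live=$(live_openvpn_cmdline "$iface")
    if [ -n "$live" ]; then
        report "$iface" "$live"
    else
        echo "no openvpn process for $iface on this host; checking the constructed samples"
        report "broken (constructed)" "$BROKEN_CMDLINE"
        report "fixed (constructed)" "$FIXED_CMDLINE"
    fi
}

main "$@"
```

Run it on the VyOS box after `commit` as `sh check.sh vtun0`: a "MISSING --cert --key" line is the OBSERVED RESULT of the report, an "OK" line the EXPECTED RESULT. Like the report's grep, the check only inspects the process argument list, so options supplied through a `--config` file would be reported as missing; for this bug that is the right signal, since the report is precisely about what Config.pm puts on the command line. Paths given through "openvpn-option" must be absolute and readable by the openvpn process.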