Error message in router log

wilddog

Young grasshopper
Joined
Jan 2, 2019
Messages
34
Reaction score
2
Location
ky
Hello, I wonder if anyone here can tell me what this error msg means in my asus ac3200 router. (The bolding is mine) I just noticed it today when I was looking at some other things. I'm using Openvpn.

Dec 14 16:57:05 rc_service: udhcpc 26046:notify_rc stop_upnp
Dec 14 16:57:05 rc_service: waitting "start_firewall" via udhcpc ...
Dec 14 16:57:06 rc_service: udhcpc 26046:notify_rc start_upnp
Dec 14 16:57:06 rc_service: waitting "stop_upnp" via udhcpc ...
Dec 14 16:57:09 vpnserver1[26133]: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Dec 14 16:57:09 vpnserver1[26133]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 1 2021
Dec 14 16:57:09 vpnserver1[26133]: library versions: OpenSSL 1.0.2u 20 Dec 2019, LZO 2.03
Dec 14 16:57:09 vpnserver1[26134]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 14 16:57:09 vpnserver1[26134]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Dec 14 16:57:09 vpnserver1[26134]: Diffie-Hellman initialized with 2048 bit key
Dec 14 16:57:09 vpnserver1[26134]: TUN/TAP device tun21 opened
Dec 14 16:57:09 vpnserver1[26134]: TUN/TAP TX queue length set to 100
Dec 14 16:57:09 vpnserver1[26134]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Dec 14 16:57:09 vpnserver1[26134]: /etc/openvpn/ovpn-up tun21 1500 1622 10.8.0.1 10.8.0.2 init
Dec 14 16:57:09 vpnserver1[26134]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
 

NightLife

Getting comfortable
Joined
Sep 10, 2021
Messages
490
Reaction score
1,096
Location
Canada
Under your openvpn config, is 'Username/Password Auth. Only' selected as 'Yes' or 'No'?

ugcuc.png
 

jmhmcse

Pulling my weight
Joined
Dec 30, 2018
Messages
211
Reaction score
129
Location
usa
Dec 14 16:57:09 vpnserver1[26133]: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate


This is a warning message that is telling you that the OpenVPN server does not require a client side certificate; your secure connection is relying only upon a valid Username and Password combination.

Copying the server's certificate to the client and then inserting "--verify-client-cert require" into the Custom Configuration box adds another level of security; the client (phone, tablet, pc, etc) has been updated with the appropriate certificate and still requires a valid Username/Password combination to connect.
 

wilddog

Young grasshopper
Joined
Jan 2, 2019
Messages
34
Reaction score
2
Location
ky
Dec 14 16:57:09 vpnserver1[26133]: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate


This is a warning message that is telling you that the OpenVPN server does not require a client side certificate; your secure connection is relying only upon a valid Username and Password combination.

Copying the server's certificate to the client and then inserting "--verify-client-cert require" into the Custom Configuration box adds another level of security; the client (phone, tablet, pc, etc) has been updated with the appropriate certificate and still requires a valid Username/Password combination to connect.
When I look at the log file from my openvpn app on my phone, it looks like it is using the file to connect. Here is part of it:
14:26:03.822 -- Connecting to XXX.asuscomm.com]:1194 (169.136.XX.XXX) via UDPv4
14:26:03.827 -- EVENT: CONNECTING
14:26:03.829 -- Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
14:26:03.829 -- Creds: Username/Password

If not, then are you saying I need to modify the client.opvn file as you mentioned?
Thanks.
 

wilddog

Young grasshopper
Joined
Jan 2, 2019
Messages
34
Reaction score
2
Location
ky
Dec 14 16:57:09 vpnserver1[26133]: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate


This is a warning message that is telling you that the OpenVPN server does not require a client side certificate; your secure connection is relying only upon a valid Username and Password combination.

Copying the server's certificate to the client and then inserting "--verify-client-cert require" into the Custom Configuration box adds another level of security; the client (phone, tablet, pc, etc) has been updated with the appropriate certificate and still requires a valid Username/Password combination to connect.
In my client.opvn file the first several lines, is this where I insert the verify-client-cert ?

remote XXXX.asuscomm.com XXXX
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA1
cipher AES-128-CBC
ns-cert-type server
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
I'm not seeing this in my router, I'm I looking in the wrong place?
Need to look under VPN > OpenVPN > VPN Details > Advanced Settings. It doesn't show all of the options for VPN settings when left at General.

As above, the VPN will work fine left as you have it. You're just using name/password without a certificate installed on the client accessing the VPN. The latter provides greater security by ensuring that the client has a second key beyond the password.

It's been a while since I've done, but I think that if you set the Username/Password Auth. Only option to No, then it may add the line to the .opvn file for you.
 

wilddog

Young grasshopper
Joined
Jan 2, 2019
Messages
34
Reaction score
2
Location
ky
Need to look under VPN > OpenVPN > VPN Details > Advanced Settings. It doesn't show all of the options for VPN settings when left at General.

As above, the VPN will work fine left as you have it. You're just using name/password without a certificate installed on the client accessing the VPN. The latter provides greater security by ensuring that the client has a second key beyond the password.

It's been a while since I've done, but I think that if you set the Username/Password Auth. Only option to No, then it may add the line to the .opvn file for you.
yes, I see it now, I changed it to "no" . right below it, there's "Authorization Mode" and it's set to TLS, is this correct? the other choice is "static key" thanks
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Yes, just leave as is set to TLS.

I think that's all that you need to do assuming that it carried over the cert when you generated the .opvn file.

Clear the log, disconnect the client, and connect again. The error should not appear now.
 
Last edited:

wilddog

Young grasshopper
Joined
Jan 2, 2019
Messages
34
Reaction score
2
Location
ky
Yes, just leave as is set to TLS.

I think that's all that you need to do assuming that it carried over the cert when you generated the .opvn file.

Clear the log, disconnect the client, and connect again. The error should not appear now.
Yes thanks to your help it appears to be connecting and I see no errors in the router logs. Thanks again!
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
I believe that the default now is to require the cert so it only shows the error if there's an exception. I'm not absolutely positive about that though. Not an OpenVPN expert. But I'd expect that you'd see some errors otherwise related to that if not.
 

NightLife

Getting comfortable
Joined
Sep 10, 2021
Messages
490
Reaction score
1,096
Location
Canada
I'm not seeing this in my router, I'm I looking in the wrong place?

I was hoping you'd find it, as it achieves what you were looking for I think ... when you review the choices made in the image:

 
Top