RT-AC59U V2 - OpenVPN server - connection via cert key


viallos

Hi

I'm using the latest firmware version, 3.0.0.4.386_21649-g7401a04, on an RT-AC59U V2, and I tried to set up the OpenVPN server to accept connections without passwords but through client cert and key.

In the Advanced tab I specified:
Username / Password Auth. Only : No
Authorization Mode : TLS

I downloaded EasyRSA-3.0.8 and did the following:

easyrsa init-pki
easyrsa build-ca
easyrsa build-server-full server nopass
easyrsa build-client-full client1 nopass
easyrsa gen-dh

I have pasted all the required keys and certs into the Asus OpenVPN server via the "Content modification of Keys & Certification" option.
Applied changes.

When I download the client.ovpn file, it contains the
auth-user-pass
option, and when I use it, it asks for a username and password.

When I commented out
#auth-user-pass
in the client.ovpn file, it no longer asks for a password, but I'm getting:

Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: Auth Username/Password was not provided by peer
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: TLS handshake failed
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 SIGUSR1[soft,tls-error] received, client-instance restarting

The full log from the Asus looks like this:

Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS: Initial packet from [AF_INET]192.168.50.150:49153 (via [AF_INET]xxxxxxxx), sid=9e1c211c cb158c3b
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC59U_V2, emailAddress=me@myhost.mydomain
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_VER=2.5_rc2
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_PLAT=win
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_PROTO=6
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_NCP=2
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-128-CBC
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_LZ4=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_LZ4v2=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_LZO=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_COMP_STUB=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_COMP_STUBv2=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_TCPNL=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: Auth Username/Password was not provided by peer
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: TLS handshake failed
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 SIGUSR1[soft,tls-error] received, client-instance restarting

Is it possible to connect without username/password to this router on stock firmware?


Is there anything else that I need to set in the router config?
On the Basic setup page it has only one user: the router admin account.
Do I need to add another client there with a password prior to running the command: easyrsa build-client-full client1 nopass?
I just wonder: if I add another user with a password, then should I create exactly the same key/cert via the command: easyrsa build-client-full client1 .... and set the same password that I created on the basic config screen?

I'll just add that if I use the standard setup with username and password via the OpenVPN client for Windows, it works fine.

But I want to configure the server to accept connections without a password, as I would like to connect my WAGO PFC, which can't use interactive logon, to this server.
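
The server log in the post above shows both certificates passing verification (depth 1 and depth 0) before the server aborts because no credentials were sent. The following is an added example, not part of the original post and not ASUS or OpenVPN code, that classifies this pattern from the log; the function name `triage` and the stage labels are made up for illustration.

```python
import re

# Sample input: lines copied from the server log in the post above (peer-info lines omitted).
SAMPLE_LOG = """\
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC59U_V2, emailAddress=me@myhost.mydomain
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: Auth Username/Password was not provided by peer
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: TLS handshake failed
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 SIGUSR1[soft,tls-error] received, client-instance restarting
"""

# syslog prefix, then the client "ip:port" that OpenVPN puts in front of each per-client message
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+?\[\d+\]: (?P<peer>\d+(?:\.\d+){3}:\d+) (?P<msg>.*)$")
VERIFY_RE = re.compile(r"^VERIFY (OK|ERROR): depth=(\d+)")

def triage(log_text):
    """Return {peer: summary} saying which stage of the handshake each client reached."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = sessions.setdefault(m["peer"], {"ok_depths": set(), "client_cn": None,
                                            "cert_error": False, "no_password": False,
                                            "tls_failed": False})
        msg = m["msg"]
        v = VERIFY_RE.match(msg)
        if v and v[1] == "OK":
            s["ok_depths"].add(int(v[2]))
            cn = re.search(r"CN=([^,]+)", msg)
            if v[2] == "0" and cn:          # depth 0 is the client's own certificate
                s["client_cn"] = cn[1]
        elif v:
            s["cert_error"] = True
        elif "Auth Username/Password was not provided by peer" in msg:
            s["no_password"] = True
        elif "TLS handshake failed" in msg:
            s["tls_failed"] = True
    for s in sessions.values():
        if s["cert_error"]:
            s["stage"] = "certificate-rejected"
        elif s["no_password"] and 0 in s["ok_depths"]:
            # The chain verified; the server refused only because it still demands credentials.
            s["stage"] = "certificate-ok-password-still-required"
        elif s["tls_failed"]:
            s["stage"] = "tls-failed-other"
        else:
            s["stage"] = "no-failure-seen"
    return sessions
```

On the log from the post this reports `certificate-ok-password-still-required` for 192.168.50.150:49153, which places the failure in the server's username/password requirement rather than in the EasyRSA-generated certificates.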
 