-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
No server certificate verification method has been enabled.
When connecting to my OpenVPN server, I get this message on the client in red colour:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
I have read that page and acknowledged it. The certificates already have the appropriate settings. How can I make this red line go away?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Thu May 31, 2018 11:27 am
The HOWTO wrote:Now add the following line to your client configuration:
remote-cert-tls server
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
Re: No server certificate verification method has been enabled.
Post
by LonelyPixel » Thu May 31, 2018 12:53 pm
Thanks for the pointer. I haven’t seen this line and thought there’s nothing more to do. Maybe the page layout was a bit too complex or I was already in that «stupid documentation» mood.
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Thu May 31, 2018 1:15 pm
LonelyPixel wrote: ↑
Thu May 31, 2018 12:53 pm
or I was already in that «stupid documentation» mood.
Would you prefer there not to be documentation ?
People put a lot of effort into writing it .. but we can delete it all if you prefer 
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
Re: No server certificate verification method has been enabled.
Post
by LonelyPixel » Thu May 31, 2018 5:19 pm
If there is no documentation, I’d be annoyed about it not being there. If there’s a documentation that’s hard to find, use and understand, I’d be annoyed about it being hard to find, use and understand. Please understand that incomplete efforts cannot beat psychology. You can’t sell a product by arguing that you couldn’t do it any better. I’m just giving you feedback on that, other’s won’t and turn somewhere else. I guess you still don’t care because we’re all not paying any money.
And yes, deleting the outdated part of the documentation might indeed be helpful! It just doesn’t look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it’s long outdated. You see where my impression comes from?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Thu May 31, 2018 5:56 pm
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
If there is no documentation, I’d be annoyed about it not being there. If there’s a documentation that’s hard to find, use and understand, I’d be annoyed about it being hard to find, use and understand.
You can help improve it 
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
You can’t sell a product by arguing that you couldn’t do it any better. I’m just giving you feedback on that, other’s won’t and turn somewhere else. I guess you still don’t care because we’re all not paying any money.
I care which is why I help .. but we need more help.
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
yes, deleting the outdated part of the documentation might indeed be helpful!
You can help improve it
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
It just doesn’t look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it’s long outdated.
At least all the pages of documentation from Openvpn are fully dated, unlike much of the FUD out there .. so you can decide immediately if you want to read it or not.
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
Re: No server certificate verification method has been enabled.
Post
by LonelyPixel » Tue Aug 14, 2018 6:58 pm
Oh, that’s been a long time.
I understand that you need more help to keep the docs updated. But I really feel that should be done by people who know what they talk about. You can probably guess from my questions that I’m not one of them. Set aside that I can’t even guess the effort it’d take me to find out how to help with that. Somebody would have to spend a lot of time putting me on the right track that they could better spend in fixing it directly.
-
1_C4T4LY5T
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 06, 2020 12:48 am
Re: No server certificate verification method has been enabled.
Post
by 1_C4T4LY5T » Mon Jul 06, 2020 12:51 am
I see that open vpn error tells me to go here: https://openvpn.net/community-resources/how-to/#mitm
but that makes no sense to me as I’m definitely a noob to vpn’s in general. I did try to add «remote-cert-tls server» to the end of my client config file. When I added it the red error went away but now the client just keeps saying connecting in status and never actually errors or connects for me.
Could I get some help from anyone in a very dumbed down way? like if you were explaining it to your mom for example 
?
Thank you in advance for any help.
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Mon Jul 06, 2020 2:11 am
You mist speak to your server admin
-
1_C4T4LY5T
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 06, 2020 12:48 am
Re: No server certificate verification method has been enabled.
Post
by 1_C4T4LY5T » Mon Jul 06, 2020 2:36 am
I have no server admin. This is an hp elite 8300 sff i7-2600 box I setup server 2019 on and then installed Open VPN. I’d be happy to provide needed info.
I’ve setup the vpn through enabling the open vpn setting on my nighthawk R7000P. I’ve followed the directions from netgear and everything else seems to have setup just as it described …all but this open vpn client starting up.
-
300000
- OpenVPN Expert
- Posts: 688
- Joined: Tue May 01, 2012 9:30 pm
Re: No server certificate verification method has been enabled.
Post
by 300000 » Mon Jul 06, 2020 12:10 pm
You can try paid version on this site and setup is more easy .no more red or whatever notice.
If you want red warning go away you need adding something into openssl config inside easyras so it will adding attribute httpsserver authentication so the warning will go.
That is the way people consider using community version for personal use and paid version for commercial use .
It is only one line of config that work the best and there is no document how to do it either so try to find it yourself .openvpn manual not document it anywhere so people can’t find it
-
Hart, Henry
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Sep 08, 2020 3:02 am
Re: No server certificate verification method has been enabled.
Post
by Hart, Henry » Tue Sep 08, 2020 3:05 am
300000 wrote: ↑
Mon Jul 06, 2020 12:10 pm
You can try paid version on this site and setup is more easy .no more red or whatever notice.
Is this true? I would be more than happy to use the Paid version if I knew that almost nothing would be required of me — no red notices, no errors, no dropped connections with errors (which we too are experiencing now without touching the server and certs are up to date) and 24/7 support. Where do I sign up….
-
300000
- OpenVPN Expert
- Posts: 688
- Joined: Tue May 01, 2012 9:30 pm
Re: No server certificate verification method has been enabled.
Post
by 300000 » Tue Sep 08, 2020 10:42 am
you can download OpenVPN Access Server now to try it , no more red or whatever notice to up set people but only pay money that is how free software work or if you like you can do it yourself simple. infarct red warning make quite scare to use when you want to hide something more than nomal .
I am using XCA to create certificate so for me no red warning at all or whatever but you need to going to openssl to learn how to create certificate and what kind of difference attribute to create all kind of difference certificate to use in all difference situation
Hi Gert
Thank you for your reply
Our client uses checkpoint vpn and they only give us a username a password and the gateway i.e gateway.XXX.co.za
and then we download the client — install it — enter our details and bingo! we are in.
but on Linux — checkpoint is even more difficult to understand or try to get working. so was looking for something else that I can install enter my details and connect.
is there anything like checkpoint that I can install and then simply enter my details and connect like I currently do on windows.
and please I am nowhere near being a developer or an IT guy. if you can assist I will be very gratefull.
because currently in my life no deb file or installable executable then no go.
Kind Regards
Derick
________________________________
From: Gert Doering ***@***.***>
Sent: Wednesday, 23 November 2022 09:22
To: OpenVPN/openvpn-gui ***@***.***>
Cc: Derick Mommsen ***@***.***>; Comment ***@***.***>
Subject: Re: [OpenVPN/openvpn-gui] WARNING: No server certificate verification method has been enabled. (#453)
Hi,
On Tue, Nov 22, 2022 at 10:00:17PM -0800, derickza wrote:
I will just keep trying until I either find a complete application that works on Linux or Google myself to death looking for a set of copy and paste terminal instructions that works for me. That I don???t understand in any case.
The issue here is: to use OpenVPN, you need to have a config file with
details about servers, secret keys, etc — that can not be provided by
us in an installable package.
Either the server operator provides that config file (and then he’s the
responsible person for questions about that config file), or you’ll have
to learn how these pieces all work together.
There’s no way to do «shrinkwrap VPN».
gert
…
—
«If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor.»
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering — Munich, Germany ***@***.***
—
Reply to this email directly, view it on GitHub<#453 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A4KZFUU73A5JYQGCT67DFX3WJXA2PANCNFSM5D7E7WPQ>.
You are receiving this because you commented.Message ID: ***@***.***>
Всех приветствую !
OS-OpenSuse 42.3
OpenVPN-2.3
easyrsa- 3.0.5
Server.conf
Код:
port 1194
proto tcp
dev tun
server 192.168.99.0 255.255.255.0
push "route 192.168.90.0 255.255.255.0"
ca ca.crt
cert blic-vpn.crt
key blic-vpn.key
dh dh.pem
tls-auth ta.key 0
crl-verify crl.pem
key-direction 0
cipher AES-256-CBC
auth SHA256
explicit-exit-notify 0
ifconfig-pool-persist ipp.txt
mute 10
persist-key
persist-tun
max-clients 50
keepalive 10 900
user nobody
group nobody
status openvpn-status.log 1
status-version 3
log-append openvpn-server.log
verb 9
Client.conf
Код:
client
dev tun
remote 192.168.80.21
proto tcp
ca ca.crt
cert adm.crt
key adm.key
cipher AES-256-CBC
auth SHA256
key-direction 1
route-method exe
route-delay 2
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
tls-auth ta.key 1
auth-nocache
Создал тестовый OpenVPN и столкнулся со следующим:
Интерфейс tun подымается
Логи клиента при попытке подключиться к серверу:
Код:
Sat Jan 12 00:51:28 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:51:28 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:51:28 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:51:28 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:28 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:29 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:29 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:29 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:30 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:30 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:35 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:35 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:35 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:36 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:36 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:36 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:38 2019 SIGTERM[hard,init_instance] received, process exiting
Как только я комментирую на сервере строку отвечающую за проверку сертификатов:
#crl-verify crl.pem
Клиент подключается и работает как положено.
Лог клиента после удачного подключения:
Код:
Sat Jan 12 00:56:17 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:56:17 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:56:17 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:56:17 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:56:17 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:17 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:56:18 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:56:18 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 [blic-vpn] Peer Connection Initiated with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:20 2019 open_tun
Sat Jan 12 00:56:20 2019 TAP-WIN32 device [Подключение по локальной сети 2] opened: \.Global{61223E3E-B757-452A-B418-E67442450004}.tap
Sat Jan 12 00:56:20 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.88.6/255.255.255.252 on interface {61223E3E-B757-452A-B418-E67442450004} [DHCP-serv: 192.168.88.5, lease-time: 31536000]
Sat Jan 12 00:56:20 2019 Successful ARP Flush on interface [24] {61223E3E-B757-452A-B418-E67442450004}
Sat Jan 12 00:56:20 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:22 2019 Initialization Sequence Completed
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:32 2019 SIGTERM[hard,] received, process exiting
Дата и время сервер/клиент не расходятся, полность удалял тестовую среду генерил заново.
Ошибка повторяется.
Лог сервера когда строка crl-verify crl.pem не закоментированна (Ошибка.txt)
Лог сервера когда строка crl-verify crl.pem с коментом (Работает.txt)
Последний раз редактировалось leksstav 14.01.2019 15:43, всего редактировалось 2 раза.
Tutor
2018-08-19
12:24 PM
OpenVPN warning: No server certificate verification method has been enabled
Hi, I’ve got a new Orbi router (Model RBR20) and two satellites. The router’s firmware is V2.1.4.16. I enabled OpenVPN on the Orbi router and it works fine with my mobile device. When I use OpenVPN with my Windows 10 laptop, however, I get this warning message in the OpenVPN client log:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Visting the URL doesn’t do a lot of good. There aren’t a lot of configuration settings for OpenVPN on the Orbi Advanced Settings / VPN Service menu option. It lets me enable OpenVPN and little else, nothing to do with server certification verification.
The OpenVPN client for Windows is the latest available (V2.4.6).
What can I do, if anything, so this warning message doesn’t appear (and the implicit risk is properly mitigated)?
Message 1 of 43
Initiate
2019-03-02
09:26 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
try adding
remote-cert-tls server
to the end of your config file that should remove the warning
Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 42 of 43
Guru
2018-08-19
12:54 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
@DarrenM
@Christian_R
My Setup | ISP SparkLight | Internet Cable 1000↓/50↑ CAX80 Modem Mode | Wifi Router MK83+ (Router Mode) | and RBK853 (Router Mode) | Switches NG GS105/8, GS308v3, GS110MX and XS505M | Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: MK63, MR6150, R7000, R7800, R7960P, R8000, R8500, R9000, RAXE500, RAX50, XR450, XR700, XR1000, EX7500/EX7700
Message 2 of 43
NETGEAR Employee Retired
2018-08-20
10:21 AM
Re: OpenVPN warning: No server certificate verification method has been enabled
Message 3 of 43
Tutor
2018-08-20
10:41 AM
Re: OpenVPN warning: No server certificate verification method has been enabled
Thanks, Christian.
When the Orbi router does it auto-check for new firmware, it says it’s already up-to-date (on V2.1.4.16).
Any downside to upgrading the firmware using your provided link? If I wanted to downgrade the firmware back to 2.1.4.16 (if something is screwy with the newer firmware version), is that possible?
And this wouldn’t require updating the firmware on the two satellites, would it?
Message 4 of 43
Guru
2018-08-20
10:46 AM
Re: OpenVPN warning: No server certificate verification method has been enabled
It’s recommended to manually download the FW files and then update the Satellites first, then the router. Please use a wired LAN cable connected PC or laptop for this operation.
My Setup | ISP SparkLight | Internet Cable 1000↓/50↑ CAX80 Modem Mode | Wifi Router MK83+ (Router Mode) | and RBK853 (Router Mode) | Switches NG GS105/8, GS308v3, GS110MX and XS505M | Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: MK63, MR6150, R7000, R7800, R7960P, R8000, R8500, R9000, RAXE500, RAX50, XR450, XR700, XR1000, EX7500/EX7700
Message 5 of 43
NETGEAR Employee Retired
2018-08-20
11:48 AM
Re: OpenVPN warning: No server certificate verification method has been enabled
@famousdavis,
There would be no downside using the link to upgrade your firmware and yes, you will be able to downgrade back if necessary by clicking on the various firmware versions in the link provided.
It is not required to update the firmware on the satellites but as always, upgrading to the latest firmware is recommended.
Regards,
Christian
Message 6 of 43
Tutor
2018-08-20
12:18 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
Does the same firmware download work for both the Orbi router and its connected satellites? Eg, the satellites don’t get their own special firmware, correct?
If I recall, the same Orbi model number is used to identify both the Orbi router and the Orbi satellites, both. I’m inferring from your last post that I could use the firmware update on both the router and its satellites.
I’ll try this out tonight and report back whatever I learn.
Message 7 of 43
Guru
2018-08-20
12:20 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
There will be separate files for the router and satellites.
My Setup | ISP SparkLight | Internet Cable 1000↓/50↑ CAX80 Modem Mode | Wifi Router MK83+ (Router Mode) | and RBK853 (Router Mode) | Switches NG GS105/8, GS308v3, GS110MX and XS505M | Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: MK63, MR6150, R7000, R7800, R7960P, R8000, R8500, R9000, RAXE500, RAX50, XR450, XR700, XR1000, EX7500/EX7700
Message 8 of 43
Tutor
2018-08-20
12:22 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
Just saw your reply, thx. Although, weirdly, on my iPhone and laptop, I can’t scroll down to see your full reply. ??? Not happening with other posts???
Message 9 of 43
Tutor
2018-08-20
12:23 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
N/M. It’s just your signature I can’t see in its entirety! 
Message 10 of 43
Guru
2018-08-20
12:29 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
My Setup | ISP SparkLight | Internet Cable 1000↓/50↑ CAX80 Modem Mode | Wifi Router MK83+ (Router Mode) | and RBK853 (Router Mode) | Switches NG GS105/8, GS308v3, GS110MX and XS505M | Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: MK63, MR6150, R7000, R7800, R7960P, R8000, R8500, R9000, RAXE500, RAX50, XR450, XR700, XR1000, EX7500/EX7700
Message 11 of 43
Tutor
2018-08-20
07:37 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
After downloading the latest f/w update for the Orbi router (v2.2.0.68), I’ve decided to forestall doing anything right now to my Orbi system.
The router’s f/w update doesn’t disclose what’s been changed in the release notes. And the f/w is only for the RBR20 router, not the RBS20 satellites. The Netgear support site for the satellites still shows that f/w v2.1.4.16 is the latest.
It seems based upon my poking around and watching a few videos on the Netgear support site that it’s best to keep the router and satellites on the same f/w version, so I’m hesitant to change the f/w right now to address my issue on the router, as that would put it out-of-sync with the f/w used by the satellites. Maybe it’s not an issue at all, but I won’t know that unless I tamper with a very stable network configuration.
And since the router’s f/w release date was literally just a few days ago, I’d rather not be one of the first out of the gate. Having a stable network is a top priority for me more than addressing my OpenVPN warning.
I’ll monitor the discussion chatter here and see if others have a similar warning as I’ve got, and if a firmware update specifically fixes that warning condition (and the MITM threat leading to the warning).
Thanks for your timely reply to my question! Great forum!
Message 12 of 43
Guru
2018-08-20
07:52 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
Well since this post is related to certificate verification, the router only needs updating. Hoping the new FW resolves that for you. Let us know…
My Setup | ISP SparkLight | Internet Cable 1000↓/50↑ CAX80 Modem Mode | Wifi Router MK83+ (Router Mode) | and RBK853 (Router Mode) | Switches NG GS105/8, GS308v3, GS110MX and XS505M | Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: MK63, MR6150, R7000, R7800, R7960P, R8000, R8500, R9000, RAXE500, RAX50, XR450, XR700, XR1000, EX7500/EX7700
Message 13 of 43
Tutor
2018-08-27
07:23 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
Hi all,
My curiosity got the best of me, so tonight I upgraded the RBR20 router to the latest firmware, v2.2.0.68. After the firmware update successfully applied and my Internet connection restored, I disconnected my laptop from my home network and connected it to my mobile phone’s hotspot, so I could establish an OpenVPN connection outside my home’s network.
I connected to my hotspot fine, started OpenVPN just fine, but, alas, I get the same warning message: «No server certificate verification method has been enabled.»
The latest router firmware doesn’t resolve this issue. 
Message 14 of 43
Aspirant
2018-09-01
12:29 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
I have the same problem. I’ve got the most recent FW and have installed and reinstalled OpenVPN 3 times. I get the same warning every time from my laptop on iphone hotspot. I’ve had OpenVPN working in the past, so I’m confused.
Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only)
Message 15 of 43
Aspirant
2018-09-17
06:34 AM
Re: OpenVPN warning: No server certificate verification method has been enabled
I have the same issue! Firmware is up to date. I have uninstalled and reinstalled the OpenVPN three times. I have re-downloaded the configuration files and replaced them three times. I spent an hour on the phone with Netgear support with no resolution! So what seems to be the problem Netgear??
Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only)
Message 16 of 43
Guru
2018-09-17
06:59 AM
Re: OpenVPN warning: No server certificate verification method has been enabled
@Christian_R
@Blanca_O
My Setup | ISP SparkLight | Internet Cable 1000↓/50↑ CAX80 Modem Mode | Wifi Router MK83+ (Router Mode) | and RBK853 (Router Mode) | Switches NG GS105/8, GS308v3, GS110MX and XS505M | Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: MK63, MR6150, R7000, R7800, R7960P, R8000, R8500, R9000, RAXE500, RAX50, XR450, XR700, XR1000, EX7500/EX7700
Message 17 of 43
NETGEAR Employee Retired
2018-09-17
10:04 AM
Re: OpenVPN warning: No server certificate verification method has been enabled
@famousdavis,
Thank you for providing an update on your issue. I have sent you a message. Please respond at your earliest convenience.
~Christian
Message 18 of 43
NETGEAR Employee Retired
2018-09-17
10:07 AM
Re: OpenVPN warning: No server certificate verification method has been enabled
@Ocsig,
I have sent you a message. Please check your inbox.
~Christian
Message 19 of 43
NETGEAR Employee Retired
2018-09-17
10:11 AM
Re: OpenVPN warning: No server certificate verification method has been enabled
@d-One
Thank you for reaching out to us with expressing a similar issue as others. I have sent you a message.
~Christian
Message 20 of 43
Aspirant
2018-09-25
04:18 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
Same Problem… Just with win10… on ios config works
Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 21 of 43
Aspirant
2018-10-04
08:24 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
I’m also having this issue, I’m on firmware 2.2.1.210. Can anyone provide any insight into how I can fix the issue w/ Windows 10?
Works fine on Android. I’ve tried downgranding OVPN to the earlier stable release, but that didn’t fix the problem either.
Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only)
Message 22 of 43
Retired_Member
Not applicable
2018-10-07
01:41 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
Hi,
I’m having the same issue. I can connect via my iphone but not Win 10. Installed the latest firmware, but that’s made no difference. Is it something in the formatting of the ovpn file?
Thanks
Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only), RBS50| Orbi AC3000 Tri-band WiFi (Satellite Only)
Message 23 of 43
Guru
2018-10-07
02:28 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
@Blanca_O
@Christian_R
My Setup | ISP SparkLight | Internet Cable 1000↓/50↑ CAX80 Modem Mode | Wifi Router MK83+ (Router Mode) | and RBK853 (Router Mode) | Switches NG GS105/8, GS308v3, GS110MX and XS505M | Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: MK63, MR6150, R7000, R7800, R7960P, R8000, R8500, R9000, RAXE500, RAX50, XR450, XR700, XR1000, EX7500/EX7700
Message 24 of 43
NETGEAR Moderator
2018-10-08
12:43 PM
Re: OpenVPN warning: No server certificate verification method has been enabled
Hi @ryoung81 and @Retired_Member
I have sent you a message. Please check your inbox.
Regards,
Blanca
Community Team
Message 25 of 43
OpenVPN is one of the best VPNs out there as not only they are providing you with a wide range of services to choose from in accordance with the needs and requirements that you might have, but they are also offering world-class security on any public or private network.
All this collectively makes it the right choice for most of the businesses and individuals out there to go for OpenVPN for all the needs that they have and make their connections secure. However, if you are getting an error message stating “No Server Certificate Validation Method Has Been Enabled”, here is all you need to know about it.
To solve the issue, and troubleshoot it in the right manner, you need to know what it means, and what are the reasons that might be triggering the error message on your screen. To start with that, there are multiple validation certificates that are in play whenever you are connected over the internet. These certificates are connected with your browser, your server, ISP, and a whole lot more factors. These certificates basically ensure that the information that is being transferred over the internet is secure from each end, and there are no third-party intrusions for reading or changing the data.
If you are getting that specific error message, that means that the certificate validation server might not be responding, or your connection might not have set it properly. Whatever the case might be, here are a few ways to have it fixed over the OpenVPN.
1) Update your Browser
The server certificate validation is mostly done by your web browser and while most of the latest browsers update automatically when connected to the internet, there might have been some issue with your update and that can cause you to have such problems. What you will need to do in such cases is to update the website browser to its latest version and that will solve all sorts of problems for you. Make sure that you also enable the auto-updates on for your browser and that will certainly make it work.
2) Websites issue
Another thing that you must know about this specific error message is that each website also has its own security certificate that is validated by the browser. So, you must be careful about that while trying to visit some website that you don’t trust and if you are visiting any such website for the first time, you are likely to get that error as a warning message that you should avoid browsing such websites.
3) Update OpenVPN
This was a bug with some versions of the OpenVPN and that caused a mess back then. You can face this error sometimes with the outdated application versions and that might be the culprit here. So, update the version of the OpenVPN application that you are using and that is going to solve the problem for you most of the times and you will not be bothered with that error message again.
I tried to install openvpn on debian squeez (server) and connect from my fedora 17 as (client). Here is my configuration:
server configuration
# Server TCP
proto tcp
port 1194
dev tun
# Keys and certificates
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# Network
# Virtual address of the VPN network
server 192.170.70.0 255.255.255.0
# This line adds the client to the router network server
push "route 192.168.1.0 255.255.255.0"
# Create a route server to the tun interface
#route 192.170.70.0 255.255.255.0
# Security
keepalive 10 120
# type of data encryption
cipher AES-128-CBC
# enabling compression
comp-lzo
# maximum number of clients allowed
max-clients 10
# no user and group specific to the use of the VPN
user nobody
group nogroup
# to make persistent connection
persist-key
persist-tun
# Log of the OpenVPN status
status /var/log/openvpn-status.log
# logs openvpnlog /var/log/openvpn.log
log-append /var/log/openvpn.log
# verbosity
verb 5
client configuration
client
dev tun
proto tcp-client
remote <my server wan IP> 1194
resolv-retry infinite
cipher AES-128-CBC
# Keys
ca ca.crt
cert client.crt
key client.key
# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3
Message from the host client (fedora 17) in the log file /var/log/messages:
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
Dec 6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 5 2012
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"][U][B] WARNING: No server certificate verification method has been enabled.[/B][/U][/COLOR] See http://openvpn.net/howto.html#mitm for more info.
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"] WARNING: file '/home/login/client/client.key' is group or others accessible[/COLOR]
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: [COLOR="Red"]<my server wan IP>[/COLOR]:1194
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4 [ECONNREFUSED]: Connection refused (code=111)[/COLOR]
Dec 6 21:56:03 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4[/COLOR] [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf[/CODE]
ifconfig on server host(debian):
ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:16:21:ac
inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:919427 (897.8 KiB) TX bytes:1273891 (1.2 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.170.70.1 P-t-P:192.170.70.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ifconfig on the client host (fedora 17)
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.0.1 netmask 255.255.252.0 destination 5.5.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.4.1 netmask 255.255.252.0 destination 5.5.4.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.8.1 netmask 255.255.252.0 destination 5.5.8.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.12.1 netmask 255.255.252.0 destination 5.5.12.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
**p255p1**: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::21d:baff:fe20:b7e6 prefixlen 64 scopeid 0x20<link>
ether 00:1d:ba:20:b7:e6 txqueuelen 1000 (Ethernet)
RX packets 4842070 bytes 3579798184 (3.3 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3996158 bytes 2436442882 (2.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
p255p1 is label for eth0 interface
and
on the server :
root@hoteserver:/etc/openvpn# tree
.
├── client
│** ├── ca.crt
│** ├── client.conf
│** ├── client.crt
│** ├── client.csr
│** ├── client.key
│** ├── client.ovpn
│*
│**
├── easy-rsa
│** ├── build-ca
│** ├── build-dh
│** ├── build-inter
│** ├── build-key
│** ├── build-key-pass
│** ├── build-key-pkcs12
│** ├── build-key-server
│** ├── build-req
│** ├── build-req-pass
│** ├── clean-all
│** ├── inherit-inter
│** ├── keys
│** │** ├── 01.pem
│** │** ├── 02.pem
│** │** ├── ca.crt
│** │** ├── ca.key
│** │** ├── client.crt
│** │** ├── client.csr
│** │** ├── client.key
│** │** ├── dh1024.pem
│** │** ├── index.txt
│** │** ├── index.txt.attr
│** │** ├── index.txt.attr.old
│** │** ├── index.txt.old
│** │** ├── serial
│** │** ├── serial.old
│** │** ├── server.crt
│** │** ├── server.csr
│** │** └── server.key
│** ├── list-crl
│** ├── Makefile
│** ├── openssl-0.9.6.cnf.gz
│** ├── openssl.cnf
│** ├── pkitool
│** ├── README.gz
│** ├── revoke-full
│** ├── sign-req
│** ├── vars
│** └── whichopensslcnf
├── openvpn.log
├── openvpn-status.log
├── server.conf
└── update-resolv-conf
on the client:
[login@hoteclient openvpn]$ tree
.
|-- easy-rsa
| |-- 1.0
| | |-- build-ca
| | |-- build-dh
| | |-- build-inter
| | |-- build-key
| | |-- build-key-pass
| | |-- build-key-pkcs12
| | |-- build-key-server
| | |-- build-req
| | |-- build-req-pass
| | |-- clean-all
| | |-- list-crl
| | |-- make-crl
| | |-- openssl.cnf
| | |-- README
| | |-- revoke-crt
| | |-- revoke-full
| | |-- sign-req
| | `-- vars
| `-- 2.0
| |-- build-ca
| |-- build-dh
| |-- build-inter
| |-- build-key
| |-- build-key-pass
| |-- build-key-pkcs12
| |-- build-key-server
| |-- build-req
| |-- build-req-pass
| |-- clean-all
| |-- inherit-inter
| |-- keys [error opening dir]
| |-- list-crl
| |-- Makefile
| |-- openssl-0.9.6.cnf
| |-- openssl-0.9.8.cnf
| |-- openssl-1.0.0.cnf
| |-- pkitool
| |-- README
| |-- revoke-full
| |-- sign-req
| |-- vars
| `-- whichopensslcnf
|-- keys -> ./easy-rsa/2.0/keys/
`-- server.conf
Is the source of the problem cipher AES-128-CBC, proto tcp-client or UDP or the interface p255p1 on Fedora17 or that file authentification ta.key is not found?