OpenVPN - Password Authentication Only
You can authenticate using a username/password perfectly fine without a server/CA certificate. However, I highly recommend configuring it to verify it with your CA certificate to prevent Man-in-the-Middle attacks.
Without any server verification anyone can impersonate your OpenVPN server and just accept your username/password. Results:
- The attacker can intercept all traffic. As you don't verify the server you're connecting to, anyone can claim to be your server in a public network (or private network controlled by the attacker).
- The attacker knows your username/password combination. Very very bad in case you reuse the same password for other things as well.
In Network Manager, it works fine without CA Cert as shown below, but please don't use it like that! If you don't use any server/CA certificate on Windows, you're really vulnerable to the above attacks.
I have found answer here: http://openvpn.net/index.php/open-source/documentation/howto.html#auth
Remember, you still need to have server certificate
Using username/password authentication as the only form of client authentication
By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.
While it is discouraged from a security perspective, it is also possible to disable the use of client certificates, and force username/password authentication only. On the server:
client-cert-not-required Such configurations should usually also set:
username-as-common-name which will tell the server to use the username for indexing purposes as it would use the Common Name of a client which was authenticating via a client certificate.
Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.