Fingerprint Authentication

Overview

Fingerprint authentication (OpenVPN 2.6+) is a simplified authentication mode similar to WireGuard's approach. Instead of a full PKI with a Certificate Authority, peers are verified by their certificate fingerprints.

When to Use

| Use Case                                | Recommended Mode |
|-----------------------------------------|------------------|
| Small deployments (< 10 clients)        | Fingerprint      |
| Large deployments                       | PKI              |
| Simplified management needed            | Fingerprint      |
| Compliance requires CA infrastructure   | PKI              |

Setup

sudo ./openvpn-install.sh install --auth-mode fingerprint --client mydevice

How It Works

  1. Each peer (server and clients) generates a self-signed certificate
  2. The certificate fingerprint (SHA256 hash) is extracted
  3. Server stores client fingerprints in its configuration
  4. Clients verify the server fingerprint in their .ovpn file

```mermaid
sequenceDiagram
    participant C as Client
    participant S as Server
    C->>S: TLS handshake with self-signed cert
    S->>S: Check client fingerprint against allowed list
    S->>C: Accept/Reject
    C->>C: Verify server fingerprint
    Note over C,S: VPN tunnel established
```
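The four steps above, carried out by hand with the openssl CLI as an added example (this is not the openvpn-install script's own code): each peer gets a self-signed certificate, its SHA256 fingerprint is extracted in the colon-separated form OpenVPN expects, and the resulting `<peer-fingerprint>` block (server) and `peer-fingerprint` line (client) are emitted. The helper names and the temporary-directory layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the openvpn-install project.
# Requires the openssl CLI; peer-fingerprint is an OpenVPN 2.6+ directive.
set -eu

# Step 1: generate a self-signed certificate for one peer.
# Writes $2.key and $2.crt into directory $1.
gen_peer_cert() {
    dir="$1"; name="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Step 2: print the certificate's SHA256 fingerprint as colon-separated
# uppercase hex (openssl prints "... Fingerprint=XX:YY:..."; keep the hex).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step 3: server config fragment listing every allowed client fingerprint.
# Revoking a client later means deleting its line from this block.
server_fingerprint_block() {
    echo "<peer-fingerprint>"
    for crt in "$@"; do
        cert_fingerprint "$crt"
    done
    echo "</peer-fingerprint>"
}

# Step 4: client .ovpn fragment pinning the server certificate.
client_fingerprint_line() {
    echo "peer-fingerprint $(cert_fingerprint "$1")"
}

# Demo with two constructed peers (server and client "mydevice").
demo() {
    tmp=$(mktemp -d)
    gen_peer_cert "$tmp" server
    gen_peer_cert "$tmp" mydevice
    server_fingerprint_block "$tmp/mydevice.crt"
    client_fingerprint_line "$tmp/server.crt"
    rm -rf "$tmp"
}

demo
```

If the two fragments are dropped into the respective server and client configs, each side verifies the other's certificate by fingerprint alone and no CA or CRL is involved.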

Differences from PKI Mode

| Feature                | PKI                   | Fingerprint                      |
|------------------------|-----------------------|----------------------------------|
| Certificate Authority  | Yes                   | No                               |
| CRL (revocation list)  | Yes                   | No                               |
| Revocation method      | CRL                   | Remove fingerprint from config   |
| Certificate renewal    | New cert + CRL update | Replace fingerprint              |
| OpenVPN version        | Any                   | 2.6+                             |
| Complexity             | Higher                | Lower                            |

Client Revocation

In fingerprint mode, revoking a client removes its fingerprint from the server configuration rather than adding it to a CRL:

sudo ./openvpn-install.sh client revoke mydevice

Requirements

  • OpenVPN 2.6 or later on both server and clients
  • The script auto-detects the installed OpenVPN version and refuses fingerprint mode if it is not supported