work in progress for https://github.com/opnsense/core/issues/2787

- add option : validate_server_cn
- send "auth-user-pass" in PlainOpenVPN when mode is server_user or server_tls_user

src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml

@@ -31,7 +31,12 @@
         <type>checkbox</type>
         <help>Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently.</help>
     </field>
-
+    <field>
+        <id>openvpn_export.validate_server_cn</id>
+        <label>Validate server CN</label>
+        <type>checkbox</type>
+        <help>Verify the server certificate Common Name (CN) when the client connects</help>
+    </field>
     <field>
         <id>openvpn_export.testxx1</id>
         <label>TestXX1</label>

src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php

@@ -100,6 +100,13 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
             $conf[] = "lport 0";
         }
 
+        if ($this->config['mode'] !== 'server_user' && !empty($this->config['server_cn'])
+                && !empty($this->config['validate_server_cn'])) {
+            $conf[] = "verify-x509-name \"{$this->config['server_cn']}\" name";
+        } elseif (in_array($this->config['mode'], array('server_user', 'server_tls_user'))) {
+            $conf[] = "auth-user-pass";
+        }
+
         return $conf;
     }
 

src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml

@@ -22,6 +22,10 @@
                     <default>1</default>
                     <Required>Y</Required>
                 </random_local_port>
+                <validate_server_cn type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </validate_server_cn>
             </server>
         </servers>
     </items>