Hi
I am quite new to RouterOS and RouterBoards, but I am slowly getting into it and I really love the possibilities and the affordable price of really great hardware.
However, I ran into what I think is a major security concern with OVPN site-to-site tunnels. Wherever possible I use ipip over IPsec with PSK, which I consider safe (correct me if I am wrong). In some cases ipip over IPsec is not an option because one site does not have a static or not even a public IP (e.g. mobile broadband with carrier NAT). There I would like to use the OpenVPN client built into RouterOS. I was able to get a connection up and running without any problems, but the scary part was that I did not even need to upload the cert of the ovpn server to the client.
As far as my knowledge goes, this means that my client has no way of verifying the identity of the server, which opens the possibility of a man-in-the-middle attack. It is hard for me to believe that there is really no way of getting the client to check the server certificate, but I really did not find any option to do it. In my understanding it should not even be possible to connect to a server without certificate validation.
Please tell me that I am missing something.
BR
Alex