openvpn option: "--client-cert-not-required" is not accepted (backport #1348)

docs/configuration/interfaces/openvpn.rst

@@ -45,13 +45,13 @@
 still don't support it. However, it's very useful for quickly setting up
 tunnels between routers.
 
 As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates.
 
 The pre-shared key mode is deprecated and will be removed from future OpenVPN versions,
 so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys
 is significantly less secure than using TLS.
 
 We'll configure OpenVPN using self-signed certificates, and then discuss the legacy
 pre-shared key mode.
 
 In both cases, we will use the following settings:
@@ -73,16 +73,16 @@
 Setting up certificates
 =======================
 
 Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose
 of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity,
 compared to server setups that need to support multiple clients.
 
 However, since VyOS 1.4, it is possible to verify self-signed certificates using
 certificate fingerprints.
 
 On both sides, you need to generate a self-signed certificate, preferrably using the "ec" (elliptic curve) type.
 You can generate them by executing command ``run generate pki certificate self-signed install <name>`` in the configuration mode.
 Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree.
 You can then review the proposed changes and commit them.
 
 .. code-block:: none
@@ -116,13 +116,13 @@
 
   vyos@vyos# commit
 
 You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint.
 OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command:
 
 .. code-block:: none
 
   vyos@vyos# run show pki certificate openvpn-local fingerprint sha256 
   5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79
 
 Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary.
 
@@ -548,7 +548,7 @@
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
        openvpn-option "--push redirect-gateway"
        openvpn-option --duplicate-cn
-       openvpn-option --client-cert-not-required
+       openvpn-option "--verify-client-cert none"
        openvpn-option --comp-lzo
        openvpn-option --persist-key
        openvpn-option --persist-tun