2.4.5 export ovpn 2.3 config bug

pukoid

Hello!
Running openvpn at port 443 tcp.
Updated 2.4.4 to 2.4.5-RELEASE. And faced a bug when exporting 7z-sfx installer for older OSes.
In 2.4.4 connection string was "remote 1.2.3.4 443 tcp-client" in 2.4.5 "remote 1.2.3.4 443 tcp4".
Openvpn client 2.3 for XP and Vista do not recognize option "tcp4" and fails to connect. Need to edit config.
Openvpn client 2.4 works normally.

pukoid

Example:
Bad 2.3 command:

c:\work\vpn-install-2.3.18-I002-i686\bin>openvpn.exe --dev tap --client --tls-client --auth-user-pass --capath "c:\Program Files\OpenVPN\config\gw-pfs-TCP4-443-xxx-vpn-ca.crt" --remote 1.2.3.4 443 tcp4
Options error: remote: bad protocol associated with host 81.1.214.195: 'tcp4'
Use --help for more information.

Correct 2.3 command:

c:\work\vpn-install-2.3.18-I002-i686\bin>openvpn.exe --dev tap --client --tls-client --auth-user-pass --capath "c:\Program Files\OpenVPN\config\gw-pfs-TCP4-443-xxx-vpn-ca.crt" --remote 1.2.3.4 443 tcp-client
Tue Jun 02 12:47:48 2020 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 26 2017
Tue Jun 02 12:47:48 2020 Windows version 6.1 (Windows 7) 64bit
Tue Jun 02 12:47:48 2020 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Auth Username:Tue Jun 02 12:47:50 2020 ERROR: Auth username is empty

2.4 works fine with tcp4:

c:\work\vpn-install-2.4.8-I602-Win7\bin>openvpn.exe --dev tap --client --tls-client --auth-user-pass --capath "c:\Program Files\OpenVPN\config\gw-pfs-TCP4-443-xxx-vpn-ca.crt" --remote 1.2.3.4 443 tcp4
Tue Jun 02 12:41:51 2020 OpenVPN 2.4.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Tue Jun 02 12:41:51 2020 Windows version 6.1 (Windows 7) 64bit
Tue Jun 02 12:41:51 2020 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Enter Auth Username:Enter Auth Password:

Gertjan

Bug ?
2.4.5 included this :

Among other, the protocol type is now present on the "remote" client line like udp4, tcp6 etc?.

So, if you export for old (OpenVPN2.3 and lower) installation, check !
Or edit / correct your dot opvn files.

edit : the issue shouldn't really exist .... because it needs you to maintain old OpenVPN client version on PC's.
And these were called back for security issues, and comfort of use - the new logo - new possibilities, etc etc....

pukoid

@Gertjan This checkbox was checked during setup and is checked now.
In Pfsense 2.4.4 remote string was ending with "tcp-client" in 2.4.5 become "tcp4".

Gertjan

Because OpenVPN 2.4 use the [proto(col)] as a choice.

proto indicates the protocol to use when connecting with the remote, and may be “tcp” or “udp”.
For forcing IPv4 or IPv6 connection suffix tcp or udp with 4/6 like udp4/udp6/tcp4/tcp6.

OpenVPN 2.3 clients won't understand this [proto(col)] option.
OpenVPN 2.4 clients do ....

pukoid

@Gertjan Updated OpenvpnClientExport package and checkbox works fine now. Dumb me.