Problem in OpenVPN Client Export Utility 0.22 and a workaround



  • Hello all

    Yesterday I created a new user for OpenVPN in my pfSense box and had an error. It failed to connect in both Windows (with the installer) and Linux (Ubuntu, CentOS) with the archive, but it worked in Mac+Viscosity and the Viscosity bundle.

    This is the error I got:
    […trimmed...]
    Wed Aug 15 21:57:04 2012 Control Channel Authentication: using 'hostname-udp-1194-tls.key' as a OpenVPN static key file
    Wed Aug 15 21:57:04 2012 LZO compression initialized
    Wed Aug 15 21:57:04 2012 UDPv4 link local (bound): [undef]:1194
    Wed Aug 15 21:57:04 2012 UDPv4 link remote: 84.x.x.x:1194
    Wed Aug 15 21:57:04 2012 TLS Error: Unroutable control packet received from 84.x.x.x:1194 (si=3 op=P_ACK_V1)
    Wed Aug 15 21:57:05 2012 TLS Error: Unroutable control packet received from 84.x.x.x:1194 (si=3 op=P_CONTROL_V1)
    Wed Aug 15 21:57:06 2012 TLS Error: Unroutable control packet received from 84.x.x.x:1194 (si=3 op=P_ACK_V1)

    After spending several hours trying to make it work (which included creating new certificates, new CAs, reinstalling the Export Utility package, rebooting…) I discovered what happened. Here it is, to help you or the developer fix it (TYA).

    The server certificate for my OpenVPN server is called:

    Road Warrior Server Cert.

    And the problem is that (at least) version 0.22 of the Export Utility surrounds that name in the tls-remote entry in the ovpn file with quotes. This way:

    tls-remote "Road Warrior Server Cert."

    And that makes it fail. This does not happen if the cert. name has no spaces! (It works with the quotes.)

    Simply by editing that file and removing the quotes, it works again in both Linux and Windows (leaving it this way):

    tls-remote Road Warrior Server Cert.

    I found a previous archive (exported with an older version of the utility) and it has no quotes. At some point (I think less than 3 weeks ago) the quotes were added, resulting in this problem.

    So, here you have a workaround and a request to solve it  ;) Thanks!

    Hope it helps someone

    Best,



  • I think this can be solved by replacing

    $conf .= "tls-remote \"{$servercn}\"{$nl}";

    with

    $conf .= "tls-remote {$servercn}{$nl}";

    in /usr/local/pkg/openvpn-client-export.inc

    Can any expert confirm it? I'm pretty sure it's the solution.


  • Rebel Alliance Developer Netgate

    The quotes were added because they were required by others to function correctly.

    The real fix is to not use spaces in your CA/Cert common names. :-)



  • Yes, I guessed that, but then I would reissue all packages/configs to users  :-[

    Perhaps a warning in the GUI would help other pfSense users avoid this in the future.

    Best,
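
Added example, not part of the original thread or of the pfSense package: a Python check that finds the combination reported above as failing (a quoted tls-remote name containing spaces) in an exported client config, and applies the poster's quote-removal workaround to those lines only. The sample config is constructed and the function names are assumptions.

```python
import re

# An OpenVPN client config line of the form: tls-remote <name>
TLS_REMOTE = re.compile(r'^\s*tls-remote\s+(?P<arg>.+?)\s*$')

# Constructed sample of an exported client config (not a real export).
SAMPLE_EXPORT = '''dev tun
proto udp
remote 84.x.x.x 1194
tls-remote "Road Warrior Server Cert."
'''

def parse_arg(arg):
    """Split a tls-remote argument into (name, was_quoted)."""
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        return arg[1:-1], True
    return arg, False

def audit_tls_remote(config_text):
    """Return (line_no, name, quoted, has_space) for each tls-remote line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = TLS_REMOTE.match(line)
        if m:
            name, quoted = parse_arg(m.group('arg'))
            findings.append((line_no, name, quoted, ' ' in name))
    return findings

def failing_case(findings):
    """Keep only the combination reported as failing: quoted name with a space."""
    return [f for f in findings if f[2] and f[3]]

def apply_workaround(config_text):
    """Drop the quotes only on lines that match the failing case."""
    out = []
    for line in config_text.splitlines():
        m = TLS_REMOTE.match(line)
        if m:
            name, quoted = parse_arg(m.group('arg'))
            if quoted and ' ' in name:
                line = 'tls-remote ' + name
        out.append(line)
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    for line_no, name, _, _ in failing_case(audit_tls_remote(SAMPLE_EXPORT)):
        print(f'line {line_no}: quoted tls-remote name with spaces: {name!r}')
```

Quoted names without spaces are left untouched, since the thread reports that those work and that the quotes were added for other users.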

