Minor issue with client export config commands?

  • LAYER 8 Global Moderator

    So noticed error was getting in connection.  Been there for quite some time, just finally got around to looking into it the other day ;)

    Thu Oct 03 10:22:38 2013 DEPRECATED OPTION: –tls-remote, please update your configuration

    Which comes from this statement in the config file you can download with the export

    tls-remote pfsense-openvpn

    Where my server cert uses that pfsense-openvpn name.

    Now you still seem to get the verification.

    Thu Oct 03 10:22:43 2013 VERIFY X509NAME OK: /C=US/ST=Illinois/L=Schaumburg/O=home/emailAddress=johnpoz@gmail.com/CN=pfsense-openvpn
    Thu Oct 03 10:22:43 2013 VERIFY OK: depth=0, /C=US/ST=Illinois/L=Schaumburg/O=home/emailAddress=johnpoz@gmail.com/CN=pfsense-openvpn

    Even though the command is deprecated..

    But if you edit the config to use the new format of the command
    verify-x509-name pfsense-openvpn name

    Then you no longer get that warning about the deprecated command.  And still get verification.

    Thu Oct 03 10:30:46 2013 VERIFY X509NAME OK: C=US, ST=Illinois, L=Schaumburg, O=home, emailAddress=johnpoz@gmail.com, CN=pfsense-openvpn
    Thu Oct 03 10:30:46 2013 VERIFY OK: depth=0, C=US, ST=Illinois, L=Schaumburg, O=home, emailAddress=johnpoz@gmail.com, CN=pfsense-openvpn

    Possible we could get it updated to use the new form of the command?  Maybe this thread would better suited in the packages section?  Since I would think that the export package is what creates these configs?

    Its nothing major - just a bit of annoyance watching the connection ;)  If mods feel this is better suited in other section, please move - thanks!

  • Rebel Alliance Developer Netgate

    That should be an OK change so long as all of the target clients support it, which they should as most of not all of them should be based on 2.3 now but it may not be quite that simple for clients on iOS and Android.

    We may end up needing another checkbox or similar option for exporting that triggers it.

  • I may have a problem with this updated setting. When I export the windows installer and then try to connect it says "Connecting to (VPN NAME) has failed".

    Here is what the config looks like:
    dev tun
    cipher AES-128-CBC
    auth SHA1
    resolv-retry infinite
    remote (EXT IP) (Port#) tcp
    verify-x509-name TCP Server name
    pkcs12 (NAME).p12
    tls-auth (NAME).key 1
    ns-cert-type server

    If I change "verify-x509-name TCP Server name" back to the old settings of "tls-remote TCP Server" then it connects just fine. Any thoughts?

  • Rebel Alliance Developer Netgate

    Use OpenVPN 2.3.x and not an outdated client, and make sure you're on the most recent version of the client export package.

  • I have always used the 2.3-x86 windows installer and I just updated the OpenVPN Client Export Utility to 1.1.5 but it does not fix the issue. I still have to change it back to tls-remote to get it to connect.

  • Rebel Alliance Developer Netgate

    I didn't notice before but your server cert CN has spaces in it. You need to check the box to quote the CN.

  • I checked the "Strict User/CN Matching" box (hopefully that is what you mean by quote the CN) then exported the config but it still gives the same error.

  • Rebel Alliance Developer Netgate

    No. In the client export options there is a checkbox to quote the server CN.

  • Yep that was my issue. Thanks!