Minor issue with client export config commands?
-
So noticed error was getting in connection. Been there for quite some time, just finally got around to looking into it the other day ;)
Thu Oct 03 10:22:38 2013 DEPRECATED OPTION: –tls-remote, please update your configuration
Which comes from this statement in the config file you can download with the export
tls-remote pfsense-openvpn
Where my server cert uses that pfsense-openvpn name.
Now you still seem to get the verification.
Thu Oct 03 10:22:43 2013 VERIFY X509NAME OK: /C=US/ST=Illinois/L=Schaumburg/O=home/emailAddress=johnpoz@snipped/CN=pfsense-openvpn
Thu Oct 03 10:22:43 2013 VERIFY OK: depth=0, /C=US/ST=Illinois/L=Schaumburg/O=home/emailAddress=johnpoz@snipped.com/CN=pfsense-openvpnEven though the command is deprecated..
But if you edit the config to use the new format of the command
verify-x509-name pfsense-openvpn nameThen you no longer get that warning about the deprecated command. And still get verification.
Thu Oct 03 10:30:46 2013 VERIFY X509NAME OK: C=US, ST=Illinois, L=Schaumburg, O=home, emailAddress=johnpoz@snipped, CN=pfsense-openvpn
Thu Oct 03 10:30:46 2013 VERIFY OK: depth=0, C=US, ST=Illinois, L=Schaumburg, O=home, emailAddress=johnpoz@snipped, CN=pfsense-openvpnPossible we could get it updated to use the new form of the command? Maybe this thread would better suited in the packages section? Since I would think that the export package is what creates these configs?
Its nothing major - just a bit of annoyance watching the connection ;) If mods feel this is better suited in other section, please move - thanks!
-
That should be an OK change so long as all of the target clients support it, which they should as most of not all of them should be based on 2.3 now but it may not be quite that simple for clients on iOS and Android.
We may end up needing another checkbox or similar option for exporting that triggers it.
-
I may have a problem with this updated setting. When I export the windows installer and then try to connect it says "Connecting to (VPN NAME) has failed".
Here is what the config looks like:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote (EXT IP) (Port#) tcp
verify-x509-name TCP Server name
auth-user-pass
pkcs12 (NAME).p12
tls-auth (NAME).key 1
ns-cert-type server
comp-lzoIf I change "verify-x509-name TCP Server name" back to the old settings of "tls-remote TCP Server" then it connects just fine. Any thoughts?
-
Use OpenVPN 2.3.x and not an outdated client, and make sure you're on the most recent version of the client export package.
-
I have always used the 2.3-x86 windows installer and I just updated the OpenVPN Client Export Utility to 1.1.5 but it does not fix the issue. I still have to change it back to tls-remote to get it to connect.
-
I didn't notice before but your server cert CN has spaces in it. You need to check the box to quote the CN.
-
I checked the "Strict User/CN Matching" box (hopefully that is what you mean by quote the CN) then exported the config but it still gives the same error.
-
No. In the client export options there is a checkbox to quote the server CN.
-
Yep that was my issue. Thanks!