Viscosity export adding .p12 line but no .p12 file



  • Jimp, in a somewhat unrelated note, the Client Export is exporting the Viscosity bundle with a p12 line even though no p12 file is being included in the zip. It's just a matter of manually removing the p12 line.

    I guess no one had noticed since it must not be a very popular download format, but I like it because it exports the certs without packaging them in p12 and so I can use them with different clients that don't like p12 (like Tunnelblick).


  • Rebel Alliance Developer Netgate

    I split this off since it was unrelated to the other topic.

    I haven't used the Viscosity export in a while since inline configs work great in everything (including Viscosity and Tunnelblick) these days and the .zip and other options are less and less useful as time goes on.

    So you're saying that it puts in the ca/cert/key lines in addition to the .p12 but doesn't include a .p12, just the individual ca/cert/key files?
    Do you have an example config of what you're seeing? Be sure to mask or edit out any private info.



  • jimp, here is a screenshot of what I'm seeing, the conf file has a p12 line, but no p12 file is included.

    I have not tested inline configs with Tunnelblick, didn't know it could open them, though I guess you still need to create a folder for the config file. Either way, it's nice to have an option to export certs without being packaged in p12.



  • Rebel Alliance Developer Netgate

    OK I just pushed a fix to the export package for that, it should be up in a few minutes as 1.1.5.

    An inline config works in any recent client for Mac or Windows that I've found, and also with Android and iOS.

    Only devices stuck on really, really old versions of OpenVPN won't accept it.



  • With the new version 1.1.5, the line tls-remote got replaced with verify-x509-name, which does not work, at least on my Tunnelblick version. It's throwing an error:

    openvpn[48749]: Options error: Unrecognized option or missing parameter(s) in Dvillarreal-x509-test-visc.tblk/Contents/Resources/config.ovpn:17: verify-x509-name (2.2.1)

    This is the same for the inline config.


  • Rebel Alliance Developer Netgate

    Update Tunnelblick, any version based on OpenVPN 2.3 should work.
    I think any version after Tunnelblick 3.3beta46 should be OK.



  • Actually I'm using 3.4beta14, which is the recommended build for OS X Mavericks, and the latest version. It's supposed to be based on OpenVPN 2.3 64bit… Is the line and parameters correct? This is what the Export is throwing for me:

    verify-x509-name openvpn-pfsense name
    

  • Rebel Alliance Developer Netgate

    yeah that should be fine. tls-remote has been deprecated and OpenVPN says to stop using it ASAP. It's possible that Tunnelblick needs to catch up on that.

    --tls-remote name (DEPRECATED)
    [snip]
                  Please also note: This option is now deprecated. It will be
                  removed either in OpenVPN v2.4 or v2.5. So please make sure you
                  support the new X.509 name formatting described with the
                  --compat-names option as soon as possible by updating your
                  configurations to use --verify-x509-name instead.

    --verify-x509-name name type
    [snip]
                  --verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' and
                  --verify-x509-name Server-1 name or you could use
                  --verify-x509-name Server- name-prefix if you want a client to only
                  accept connections to "Server-1", "Server-2", etc.

    I can add a checkbox to generate the config with tls-remote instead, but it might be a bit before I have an opportunity to do so.



  • I went into the Tunnelblick.app and noticed that it has two openvpn binaries, one for 2.2 and one for 2.3.2… So then I found it has an option to choose the OpenVPN version for each profile... and I was using the 2.2 version... So now with 2.3.2 it's working perfectly, case closed :)


  • Rebel Alliance Developer Netgate

    aha!

    I wonder if we might want to document that one somewhere. I'm sure you won't be the last person to hit that.



  • Yes, in fact it just happened to me again with another VPN profile… Tunnelblick defaults to 2.2, so people that use Tunnelblick by default will have trouble with this until they change the OpenVPN version!

    ![Screen Shot 2013-11-12 at 12.17.32 PM.png](/public/imported_attachments/1/Screen Shot 2013-11-12 at 12.17.32 PM.png)
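Added example, not part of the thread and not code from the export package: a small pre-flight check for an exported client config that catches both problems discussed above, a file directive (such as the p12 line) pointing at a file that is not in the bundle, and `verify-x509-name` being loaded by an OpenVPN binary older than 2.3. The function name, the finding labels, the file names and `vpn.example.com` are assumptions made for the illustration; the sample config is constructed.

```python
import shlex

# Directives whose first argument names a file that must ship with the config.
FILE_DIRECTIVES = {"ca", "cert", "key", "pkcs12", "tls-auth"}

def lint_ovpn(config_text, bundle_files, openvpn_version):
    """Return (line_number, directive, problem) tuples for one client config.

    bundle_files    -- names of the files packaged next to the config
    openvpn_version -- (major, minor) of the OpenVPN binary that will load it
    """
    findings = []
    in_inline_block = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("</"):      # end of an inline <ca>...</ca> style block
            in_inline_block = False
            continue
        if line.startswith("<"):       # start of an inline block
            in_inline_block = True
            continue
        if in_inline_block or not line or line[0] in "#;":
            continue                   # embedded PEM data, blank line or comment
        parts = shlex.split(line)
        directive, args = parts[0].lstrip("-"), parts[1:]
        if directive in FILE_DIRECTIVES and args and args[0] not in bundle_files:
            findings.append((lineno, directive, "missing-file"))
        elif directive == "verify-x509-name" and openvpn_version < (2, 3):
            findings.append((lineno, directive, "needs-openvpn-2.3"))
        elif directive == "tls-remote":
            findings.append((lineno, directive, "deprecated"))
    return findings

# Constructed sample: a bundle with separate ca/cert/key files and a stray p12 line.
SAMPLE = """\
client
dev tun
remote vpn.example.com 1194 udp
ca ca.crt
cert client.crt
key client.key
pkcs12 client.p12
verify-x509-name openvpn-pfsense name
"""
BUNDLE = {"ca.crt", "client.crt", "client.key"}

if __name__ == "__main__":
    for finding in lint_ovpn(SAMPLE, BUNDLE, (2, 2)):
        print(finding)
```
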