Netgate Discussion Forum

    Viscosity export adding .p12 line but no .p12 file

    11 Posts 2 Posters 3.2k Views
    • jimp Rebel Alliance Developer Netgate

      I split this off since it was unrelated to the other topic.

      I haven't used the Viscosity export in a while since inline configs work great in everything (including Viscosity and Tunnelblick) these days and the .zip and other options are less and less useful as time goes on.

      So you're saying that it puts in the ca/cert/key lines in addition to the .p12 but doesn't include a .p12, just the individual ca/cert/key files?
      Do you have an example config of what you're seeing? Be sure to mask or edit out any private info.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • gusdvg

        jimp, here is a screenshot of what I'm seeing, the conf file has a p12 line, but no p12 file is included.

        I have not tested inline configs with Tunnelblick, didn't know it could open them, though I guess you still need to create a folder for the config file. Either way, it's nice to have an option to export certs without being packaged in p12.

        [Screenshot: config.conf_and_Viscosity-2.visc-7.png]

        • jimp Rebel Alliance Developer Netgate

          OK I just pushed a fix to the export package for that, it should be up in a few minutes as 1.1.5.

          An inline config works in any recent client for Mac or Windows that I've found, and also with Android and iOS.

          Only devices stuck on really, really old versions of OpenVPN won't accept it.

          • gusdvg

            With the new version 1.1.5, the line tls-remote got replaced with verify-x509-name, which does not work, at least on my Tunnelblick version. It's throwing an error:

            openvpn[48749]: Options error: Unrecognized option or missing parameter(s) in Dvillarreal-x509-test-visc.tblk/Contents/Resources/config.ovpn:17: verify-x509-name (2.2.1)

            This is the same for the inline config.

            • jimp Rebel Alliance Developer Netgate

              Update Tunnelblick, any version based on OpenVPN 2.3 should work.
              I think any version after Tunnelblick 3.3beta46 should be OK.

              • gusdvg

                Actually I'm using 3.4beta14, which is the recommended build for OS X Mavericks, and the latest version. It's supposed to be based on OpenVPN 2.3 64bit… Are the line and parameters correct? This is what the Export is throwing for me:

                verify-x509-name openvpn-pfsense name
                
                • jimp Rebel Alliance Developer Netgate

                  Yeah, that should be fine. tls-remote has been deprecated and OpenVPN says to stop using it ASAP. It's possible that Tunnelblick needs to catch up on that.

                  --tls-remote name (DEPRECATED)
                  [snip]
                                Please also note: This option is now deprecated. It will be removed either in OpenVPN v2.4 or v2.5. So please make sure you support the new X.509 name formatting described with the --compat-names option as soon as possible by updating your configurations to use --verify-x509-name instead.

                  --verify-x509-name name type
                  [snip]
                                --verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' and --verify-x509-name Server-1 name or you could use --verify-x509-name Server- name-prefix if you want a client to only accept connections to "Server-1", "Server-2", etc.

                  I can add a checkbox to generate the config with tls-remote instead, but it might be a bit before I have an opportunity to do so.

                  • gusdvg

                    I went into the Tunnelblick.app and noticed that it has two openvpn binaries, one for 2.2 and one for 2.3.2… So then I found it has an option to choose the OpenVPN version for each profile... and I was using the 2.2 version... So now with 2.3.2 it's working perfectly, case closed :)

                    • jimp Rebel Alliance Developer Netgate

                      aha!

                      I wonder if we might want to document that one somewhere. I'm sure you won't be the last person to hit that.

                      • gusdvg

                        Yes, in fact it just happened to me again with another VPN profile… Tunnelblick defaults to 2.2, so people that use Tunnelblick by default will have trouble with this until they change the OpenVPN version!

                        ![Screen Shot 2013-11-12 at 12.17.32 PM.png](/public/imported_attachments/1/Screen Shot 2013-11-12 at 12.17.32 PM.png)

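The thread's finding as a pre-deployment check, added here as an example (not code from the export package or from either poster): it flags `tls-remote` as deprecated, flags `verify-x509-name` as unsupported when the client's OpenVPN binary is older than 2.3, and shows the subject / name / name-prefix matching from the quoted man page. The sample config, the function names and the CN-only comparison for the `name` types are assumptions of this example.

```python
import shlex

# Constructed sample: the exported directive from the thread in a minimal inline config.
SAMPLE = """client
remote vpn.example.com 1194 udp
verify-x509-name openvpn-pfsense name
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
MIN_VERSION = {"verify-x509-name": (2, 3)}  # per the thread: 2.2.1 rejects it, 2.3 accepts it
DEPRECATED = {"tls-remote"}                 # per the quoted man page

def directives(text):
    """Yield (line_no, option, args), skipping comments and inline <tag>...</tag> blocks."""
    inline = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:
            inline = None if line == f"</{inline}>" else inline
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
        elif line and line[0] not in "#;":
            parts = shlex.split(line)  # keeps a quoted subject DN as one argument
            yield no, parts[0].lstrip("-"), parts[1:]

def check(text, client_version):
    """Return (line_no, status, option) findings for a client version such as '2.2.1'."""
    ver = tuple(int(p) for p in client_version.split(".")[:2])
    found = []
    for no, opt, _ in directives(text):
        if opt in DEPRECATED:
            found.append((no, "deprecated", opt))
        elif opt in MIN_VERSION and ver < MIN_VERSION[opt]:
            found.append((no, "unsupported", opt))
    return found

def accepts(args, subject, cn):
    """Simplified verify-x509-name matching; type defaults to 'subject' when omitted."""
    name, kind = args[0], (args[1] if len(args) > 1 else "subject")
    if kind == "subject":
        return subject == name       # whole subject DN must match
    if kind == "name":
        return cn == name            # assumption: the compared RDN is the CN
    if kind == "name-prefix":
        return cn.startswith(name)
    raise ValueError(f"unknown verify-x509-name type: {kind}")
```

Running `check()` with the version of the OpenVPN binary selected for the profile, rather than the client application's own version, is what catches the case found in this thread.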
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.