Netgate Discussion Forum

Viscosity export adding .p12 line but no .p12 file

  • G
    gusdvg
    last edited by Nov 11, 2013, 6:29 PM

    Jimp, in a somewhat unrelated note, the Client Export is exporting the Viscosity bundle with a p12 line even though no p12 file is being included in the zip. It's just a matter of manually removing the p12 line.

    I guess no one had noticed since it must not be a very popular download format, but I like it because it exports the certs without packaging them in p12 and so I can use them with different clients that don't like p12 (like Tunnelblick).

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Nov 11, 2013, 6:53 PM

      I split this off since it was unrelated to the other topic.

      I haven't used the Viscosity export in a while since inline configs work great in everything (including Viscosity and Tunnelblick) these days and the .zip and other options are less and less useful as time goes on.

      So you're saying that it puts in the ca/cert/key lines in addition to the .p12 but doesn't include a .p12, just the individual ca/cert/key files?
      Do you have an example config of what you're seeing? Be sure to mask or edit out any private info.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • G
        gusdvg
        last edited by Nov 12, 2013, 12:58 AM

        jimp, here is a screenshot of what I'm seeing, the conf file has a p12 line, but no p12 file is included.

        I have not tested inline configs with Tunnelblick, didn't know it could open them, though I guess you still need to create a folder for the config file. Either way, it's nice to have an option to export certs without being packaged in p12.

        [Screenshot: config.conf_and_Viscosity-2.visc-7.png]
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Nov 12, 2013, 1:22 PM

          OK I just pushed a fix to the export package for that, it should be up in a few minutes as 1.1.5.

          An inline config works in any recent client for Mac or Windows that I've found, and also with Android and iOS.

          Only devices stuck on really, really old versions of OpenVPN won't accept it.

          • G
            gusdvg
            last edited by Nov 12, 2013, 5:11 PM

            With the new version 1.1.5, the line tls-remote got replaced with verify-x509-name, which does not work, at least on my Tunnelblick version. It's throwing an error:

            openvpn[48749]: Options error: Unrecognized option or missing parameter(s) in Dvillarreal-x509-test-visc.tblk/Contents/Resources/config.ovpn:17: verify-x509-name (2.2.1)

            This is the same for the inline config.

            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Nov 12, 2013, 5:45 PM

              Update Tunnelblick, any version based on OpenVPN 2.3 should work.
              I think any version after Tunnelblick 3.3beta46 should be OK.

              • G
                gusdvg
                last edited by Nov 12, 2013, 5:50 PM

                Actually I'm using 3.4beta14, which is the recommended build for OS X Mavericks, and the latest version. It's supposed to be based on OpenVPN 2.3 64bit… Is the line and parameters correct? This is what the Export is throwing for me:

                verify-x509-name openvpn-pfsense name
                
                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Nov 12, 2013, 5:56 PM

                  Yeah, that should be fine. tls-remote has been deprecated and OpenVPN says to stop using it ASAP. It's possible that Tunnelblick needs to catch up on that.

                  --tls-remote name (DEPRECATED)
                  [snip]
                                Please also note: This option is now deprecated. It will be
                                removed either in OpenVPN v2.4 or v2.5. So please make sure you
                                support the new X.509 name formatting described with the
                                --compat-names option as soon as possible by updating your
                                configurations to use --verify-x509-name instead.

                  --verify-x509-name name type
                  [snip]
                                --verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' and
                                --verify-x509-name Server-1 name or you could use
                                --verify-x509-name Server- name-prefix if you want a client to only
                                accept connections to "Server-1", "Server-2", etc.

                  I can add a checkbox to generate the config with tls-remote instead, but it might be a bit before I have an opportunity to do so.

                  • G
                    gusdvg
                    last edited by Nov 12, 2013, 6:09 PM

                    I went into the Tunnelblick.app and noticed that it has two openvpn binaries, one for 2.2 and one for 2.3.2… So then I found it has an option to choose the OpenVPN version for each profile... and I was using the 2.2 version... So now with 2.3.2 it's working perfectly, case closed :)

                    • J
                      jimp Rebel Alliance Developer Netgate
                      last edited by Nov 12, 2013, 6:11 PM

                      aha!

                      I wonder if we might want to document that one somewhere. I'm sure you won't be the last person to hit that.

                      • G
                        gusdvg
                        last edited by Nov 12, 2013, 6:20 PM

                        Yes, in fact it just happened to me again with another VPN profile… Tunnelblick defaults to 2.2, so people that use Tunnelblick by default will have trouble with this until they change the OpenVPN version!

                        ![Screen Shot 2013-11-12 at 12.17.32 PM.png](/public/imported_attachments/1/Screen Shot 2013-11-12 at 12.17.32 PM.png)
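A lint for the two problems worked through in this thread, added here as an example and not taken from the client export package or from either poster: it flags a file directive such as pkcs12 whose file is absent from the exported bundle, and verify-x509-name when the selected OpenVPN binary predates 2.3. The function name, sample config and bundle contents are constructed; the 2.3 threshold is an assumption drawn from the versions reported above.

```python
import re
import shlex

# Assumption from this thread: verify-x509-name was rejected by OpenVPN 2.2.1
# and accepted by 2.3.2, so 2.3 is used as its minimum version.
MIN_VERSION = {"verify-x509-name": (2, 3)}
X509_NAME_TYPES = {"subject", "name", "name-prefix"}
FILE_DIRECTIVES = {"pkcs12", "ca", "cert", "key", "tls-auth"}

# Constructed sample: an export with a pkcs12 line but no .p12 in the bundle.
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.com 1194 udp
pkcs12 client.p12
ca ca.crt
cert client.crt
key client.key
verify-x509-name openvpn-pfsense name
"""
SAMPLE_BUNDLE = {"config.conf", "ca.crt", "client.crt", "client.key"}


def lint_export(config_text, bundle_files, client_version):
    """Return (line_number, message) findings for one exported config."""
    version = tuple(int(p) for p in re.findall(r"\d+", client_version))
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;<":
            continue  # blank line, comment, or inline <ca>/<cert> tag
        try:
            name, *args = shlex.split(line)  # keeps a quoted subject DN whole
        except ValueError:
            continue  # unbalanced quote; not a directive this check covers
        if name in FILE_DIRECTIVES and args and args[0] not in bundle_files:
            findings.append((number, f"{name} references missing file {args[0]}"))
        if name in MIN_VERSION and version < MIN_VERSION[name]:
            findings.append((number, f"{name} needs OpenVPN 2.3 or later"))
        if name == "tls-remote":
            findings.append((number, "tls-remote is deprecated; use verify-x509-name"))
        if name == "verify-x509-name" and args[1:] and args[1] not in X509_NAME_TYPES:
            findings.append((number, f"unknown verify-x509-name type {args[1]}"))
    return findings


if __name__ == "__main__":
    for number, message in lint_export(SAMPLE_CONFIG, SAMPLE_BUNDLE, "2.2.1"):
        print(f"line {number}: {message}")
```

Pass the version of the OpenVPN binary the profile is actually set to use, since Tunnelblick ships more than one.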
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.