Netgate Discussion Forum

OpenVPN Client Export Utility problems with openvpn 2.2 verify-x509-name

3 Posts 2 Posters 8.1k Views
  • bl00d666
    last edited by Nov 11, 2013, 7:52 PM

    Hi folks,
    we are using pfSense as our enterprise firewall and we really love it. Recently there was an update for the OpenVPN Client Export Utility package (version 1.1.4 as of today's update) and I started having problems with the export.
    The VPN works fine for everyone already set up, but the new package I created just did not work. So I investigated the problem, and here is what I found.

    Since OpenVPN 2.3, OpenVPN uses the option verify-x509-name to validate the cert name. For OpenVPN 2.2, tls-remote was used to do it. The problem is that you can still create a package for OpenVPN 2.2 with the export utility, but it will put the option verify-x509-name in the .ovpn config anyway.
    The connection failed before authentication with the error:

    Options error: Unrecognized option or missing parameter(s) in C:\Program Files (x86)\OpenVPN\config\xxxx-udp-1195-xxxxx-config.ovpn:10: verify-x509-name (2.2.2).

    Changing the config manually to replace verify-x509-name with tls-remote lets you authenticate,
    but it finally fails with the error:

    TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

    Note that I am using a password to protect the pkcs12 file. I found that using the export utility to export a 2.3 client configuration with OpenVPN Manager, using quotes for the CN and a password to protect the pkcs12 file, works just like it did before.

    So, I just want to point out that the export client has the option to export a client for Windows with OpenVPN 2.2, but the config file uses verify-x509-name as the option to verify the cert, and it's not a valid option for the 2.2 client. It probably also has a special parameter for the password-protected pkcs12 file, but I did not find it.

    Continue your great work, guys. pfSense is an awesome distribution and I will continue to use it for a long time.

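The option mismatch described in the post above can be caught before a config is handed to a client. The following is an added example, not part of the original thread or of the export utility: a small linter that flags `verify-x509-name` in a config meant for a pre-2.3 client and rewrites it as `tls-remote`. The function name `lint_ovpn`, the sample config and the host name in it are constructed for illustration.

```python
import shlex

# Options that pin the server certificate name. Per the thread, tls-remote is
# the OpenVPN 2.2 form and verify-x509-name is understood from 2.3 on.
NAME_CHECKS = {"verify-x509-name", "tls-remote"}

# Constructed sample of an exported client config (not taken from the thread).
SAMPLE = """\
dev tun
proto udp
remote vpn.example.com 1195
pkcs12 client.p12
verify-x509-name "vpn.example.com" name
"""

def lint_ovpn(text, client_version):
    """Return (findings, fixed_text) for a client version such as (2, 2)."""
    findings, out, has_check = [], [], False
    for no, line in enumerate(text.splitlines(), 1):
        words = line.split(None, 1)
        opt = words[0] if words else ""          # commented-out lines never match
        if opt not in NAME_CHECKS:
            out.append(line)
            continue
        has_check = True
        if opt == "verify-x509-name" and client_version < (2, 3):
            args = shlex.split(words[1]) if len(words) > 1 else []
            kind = args[1] if len(args) > 1 else "subject"   # OpenVPN's default type
            if args and kind in ("name", "name-prefix"):
                # tls-remote matches the common name or a prefix of it.
                findings.append((no, "verify-x509-name rewritten as tls-remote"))
                line = 'tls-remote "%s"' % args[0]
            else:
                # Full-subject matching is left alone: converting the DN string
                # by script is assumed unsafe, so it is only reported.
                findings.append((no, "verify-x509-name with full subject: convert by hand"))
        out.append(line)
    if not has_check:
        # Dropping the line instead of converting it would leave the server
        # certificate name unchecked, so its absence is reported as well.
        findings.append((0, "no server certificate name check present"))
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    for lineno, message in lint_ovpn(SAMPLE, (2, 2))[0]:
        print(lineno, message)
```

The rewrite addresses only the unrecognized-option error; the later `certificate verify failed` error reported in the post is a separate problem that this check does not diagnose.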
    • bl00d666
      last edited by Nov 12, 2013, 2:51 PM

      There is a new version of the client export utility this morning (1.1.5). Does anyone know how to get the release notes to see the changes?

      I searched and did not find anything.

      • Makje
        last edited by Nov 12, 2013, 3:18 PM

        As far as I know, 1.1.4 and 1.1.5 have the verify-x509 removed only for the Yealink phones.
        See this thread: http://forum.pfsense.org/index.php/topic,68398.15.html

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.