Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN Client Export Utility problems with openvpn 2.2 verify-x509-name

    Scheduled Pinned Locked Moved OpenVPN
    3 Posts 2 Posters 8.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bl00d666
      last edited by

      Hi Folk,
      we are using pfsense has our Enterprise Firewall and we really love it. Recently there was an update for the package OpenVPN Client Export Utility (version 1.1.4 for today update) and I start having problems with the export.
      The vpn works fine for everyone already setup, but the new package I created just did not work. So I investigate the problems and here what I find.

      Since openvpn 2.3 openvpn use the option verify-x509-name to validate the cert name. For openvpn 2.2 it was tls-remote that was used to do it. The problems is that you can still create a package for openvpn 2.2 with the export uttility, but it will put the option verify-x509-name anyway in the .ovpn config.
      The connection failed before the authentication with the error :

      Options error: Unrecognized option or missing parameter(s) in C:\Program Files (x86)\OpenVPN\config\xxxx-udp-1195-xxxxx-config.ovpn:10: verify-x509-name (2.2.2).

      Changing the config manually to replace verify-x509-name by tls-remote let you authenticate,
      but finaly failed with the error :

      TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

      Note that I am using a password to protect the pkcs12 file. I find that using the export utility to export a 2.3 client configuration with openvpn manager and using quote for the CN and a password to protect the pkcs12 file work just like it was before.

      So, i just want to point you that the export client have the option to export a client for windows with openvpn 2.2, but the config file use verify-x509-name as the option to verify the cert and it's not a valid option for the 2.2client. It probably also have a special parameter for the password protected pkcs12 file, but I did not find it.

      Continue your great work guys, PFsense is an awesome Distribution and I will continue to use it for a long time

      1 Reply Last reply Reply Quote 0
      • B
        bl00d666
        last edited by

        there is a new version of the client export utility this morning (1.1.5) anyone know how to get the release note to see the change?

        i search and did not find anything.

        1 Reply Last reply Reply Quote 0
        • M
          Makje
          last edited by

          as far as i know 1.1.4 and 1.1.5 have the verifiy-x509 removed for only the Yealink phones
          se this thread: http://forum.pfsense.org/index.php/topic,68398.15.html

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.