OpenVPN Client Export Utility problems with openvpn 2.2 verify-x509-name



  • Hi folks,
    we are using pfSense as our Enterprise Firewall and we really love it. Recently there was an update for the package OpenVPN Client Export Utility (version 1.1.4 as of today's update) and I started having problems with the export.
    The VPN works fine for everyone already set up, but the new package I created just did not work. So I investigated the problem and here is what I found.

    Since OpenVPN 2.3, OpenVPN uses the option verify-x509-name to validate the cert name. For OpenVPN 2.2 it was tls-remote that was used to do it. The problem is that you can still create a package for OpenVPN 2.2 with the export utility, but it will put the option verify-x509-name in the .ovpn config anyway.
    The connection failed before the authentication with the error:

    Options error: Unrecognized option or missing parameter(s) in C:\Program Files (x86)\OpenVPN\config\xxxx-udp-1195-xxxxx-config.ovpn:10: verify-x509-name (2.2.2).

    Changing the config manually to replace verify-x509-name with tls-remote lets you authenticate,
    but it finally failed with the error:

    TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

    Note that I am using a password to protect the pkcs12 file. I found that using the export utility to export a 2.3 client configuration with OpenVPN Manager, using quotes for the CN and a password to protect the pkcs12 file, works just like it did before.

    So, I just want to point out that the export client has the option to export a client for Windows with OpenVPN 2.2, but the config file uses verify-x509-name as the option to verify the cert and it's not a valid option for the 2.2 client. It probably also has a special parameter for the password-protected pkcs12 file, but I did not find it.

    Continue your great work guys, pfSense is an awesome distribution and I will continue to use it for a long time.
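
A pre-distribution check for the mismatch described in the post above, as an added example that is not part of the thread or of the pfSense export package: it scans an exported .ovpn file for certificate-name options the target client version rejects. The names `lint` and `directives` and the sample config values are assumptions made for illustration.

```python
import re

# First release that accepts the option (2.3 for verify-x509-name, per the post).
INTRODUCED = {"verify-x509-name": (2, 3)}
# First release that rejects it (tls-remote dropped in 2.4: added here, not from the thread).
REMOVED = {"tls-remote": (2, 4)}

def directives(text):
    """Yield (line_no, option) for each directive, skipping comments and inline <blocks>."""
    block = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if block:  # inside <ca>...</ca> and similar: key material, not options
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            continue
        yield no, line.split()[0].lstrip("-")

def lint(text, client):
    """Return [(line_no, option, reason)] for options the given client version rejects."""
    findings = []
    for no, opt in directives(text):
        if opt in INTRODUCED and client < INTRODUCED[opt]:
            findings.append((no, opt, "needs %d.%d or later" % INTRODUCED[opt]))
        elif opt in REMOVED and client >= REMOVED[opt]:
            findings.append((no, opt, "removed in %d.%d" % REMOVED[opt]))
    return findings

# Constructed sample export (hostname, file name and CN are placeholders).
SAMPLE = """\
dev tun
remote vpn.example.com 1195
# verify-x509-name in a comment is ignored
pkcs12 client.p12
verify-x509-name "vpn-server" name
<tls-auth>
tls-remote inside an inline block is not a directive
</tls-auth>
"""

if __name__ == "__main__":
    for no, opt, why in lint(SAMPLE, (2, 2)):
        print(f"line {no}: {opt} ({why})")
```

The check only reports the incompatible option; it does not rewrite it, since swapping in tls-remote by hand still ended in a certificate verification failure for the poster.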



  • There is a new version of the client export utility this morning (1.1.5). Anyone know how to get the release notes to see the changes?

    I searched and did not find anything.



  • As far as I know, 1.1.4 and 1.1.5 have the verify-x509 removed only for the Yealink phones.
    See this thread: http://forum.pfsense.org/index.php/topic,68398.15.html