
How to fix your HdM VPN config for OpenVPN 2.4.3

Patrick Kleindienst

The latest OpenVPN release, 2.4.3, ships with some technically minor changes that can nevertheless break your HdM VPN setup on Linux (and most likely on Windows and macOS as well), because one of the config parameters the HdM profile uses is no longer accepted. If this problem affects you, here is how to fix it (the instructions assume Linux but can be adapted to Windows and macOS).

On Linux, OpenVPN 2.4.3 has not yet made its way into the official repositories of the most popular distros; Ubuntu 16.04 LTS, for instance, still ships OpenVPN 2.3.10. The latest release is, however, already available from the download page and through the package managers of rolling-release distros such as Arch Linux.
Before we start, check your OpenVPN version as follows:

$ openvpn --version

If the version is older than 2.4, you are off the hook and can stop here (the option affected below was only deprecated in the 2.3 series and still works there). If not, keep reading.
It is assumed that you followed the HdM instructions and have already created and downloaded your certificate as well as the auto-generated VPN config file. Assuming you put everything into the /home/foobar/hdm-vpn/ folder, you can now initiate the VPN connection as described in the docs:

$ cd /home/foobar/hdm-vpn; sudo openvpn --config ./HdM_Nobelstr.ovpn

If everything goes “well”, you should now see an error message similar to this one:

$ cd /home/foobar/hdm-vpn; sudo openvpn --config ./HdM_Nobelstr.ovpn 
Options error: Unrecognized option or missing or extra parameter(s) in ./HdM_Nobelstr.ovpn:50: tls-remote (2.4.3)

The culprit causing that issue hides in the HdM_Nobelstr.ovpn config file and is quickly identified:

$ grep tls-remote HdM_Nobelstr.ovpn
tls-remote "/C=DE/ST=Baden-Wuerttemberg/O=Hochschule_der_Medien/OU=RZ/CN=VPN-GW_Nobelstr/emailAddress=wlan@hdm-stuttgart.de"

Asking Google about the error message reveals that tls-remote was deprecated in OpenVPN 2.3 and removed in 2.4, which the change log confirms. Its replacement is verify-x509-name, which by default compares the complete subject DN of the server certificate against the configured string. Do not simply delete the tls-remote line: OpenVPN would start, but without the replacement any certificate issued by the same CA would be accepted as the VPN gateway, which is exactly the impersonation this check exists to prevent. So the next step is to open HdM_Nobelstr.ovpn and give the new option a try:

#tls-remote "/C=DE/ST=Baden-Wuerttemberg/O=Hochschule_der_Medien/OU=RZ/CN=VPN-GW_Nobelstr/emailAddress=wlan@hdm-stuttgart.de"
verify-x509-name "C=DE/ST=Baden-Wuerttemberg/O=Hochschule_der_Medien/OU=RZ/CN=VPN-GW_Nobelstr/emailAddress=wlan@hdm-stuttgart.de"

So that’s it? Not quite. If you restart the VPN connection as shown above, a new error appears:

VERIFY X509NAME ERROR: C=DE, ST=Baden-Wuerttemberg, O=Hochschule der Medien, OU=RZ, CN=VPN-GW Nobelstr, emailAddress=wlan@hdm-stuttgart.de, must be /C=DE/ST=Baden-Wuerttemberg/O=Hochschule_der_Medien/OU=RZ/CN=VPN-GW_Nobelstr/emailAddress=wlan@hdm-stuttgart.de

What goes wrong here is a format mismatch. tls-remote used OpenSSL's legacy one-line subject format (slash-separated, with spaces replaced by underscores), whereas verify-x509-name in OpenVPN 2.4 compares, character for character, against the subject as it is now printed: RDNs separated by a comma and a space, no underscore substitution. The error message is helpful here, since the text between "VERIFY X509NAME ERROR:" and ", must be" is exactly the subject the gateway presented. You can either copy that verbatim or fix your entry by hand: drop the leading slash, replace every slash with a comma and a space, and turn the underscores back into spaces. (If you prefer to pin only the common name, the line verify-x509-name "VPN-GW Nobelstr" name works as well; matching the full subject is the stricter check, though.)

#tls-remote "/C=DE/ST=Baden-Wuerttemberg/O=Hochschule_der_Medien/OU=RZ/CN=VPN-GW_Nobelstr/emailAddress=wlan@hdm-stuttgart.de"
verify-x509-name "C=DE, ST=Baden-Wuerttemberg, O=Hochschule der Medien, OU=RZ, CN=VPN-GW Nobelstr, emailAddress=wlan@hdm-stuttgart.de"

Try to establish your VPN connection again and you should finally succeed:

$ cd /home/foobar/hdm-vpn; sudo openvpn --config ./HdM_Nobelstr.ovpn
.
.
VERIFY X509NAME OK: C=DE, ST=Baden-Wuerttemberg, O=Hochschule der Medien, OU=RZ, CN=VPN-GW Nobelstr, emailAddress=wlan@hdm-stuttgart.de
.
.
Initialization Sequence Completed
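If you have several profiles to convert, or would rather not hand-edit the subject string, the script below automates the same steps. It is an added example and not part of the original post or of the HdM instructions; the config fragment and the log line it processes are constructed for the demo, and the function names are my own. It rewrites each tls-remote line into the matching verify-x509-name line, and can also pull the exact subject out of a VERIFY X509NAME ERROR log line, which is the safer route if the real subject contains underscores (tls-remote turned spaces into underscores, so a plain back-conversion cannot tell the two apart).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): rewrite a legacy "tls-remote"
# directive into the "verify-x509-name" form OpenVPN 2.4 expects.
#
# The rules mirror the manual fix above: drop the leading "/", turn each "/"
# separator into ", " and each "_" back into a space. The sample config lines
# and the log line used below are constructed for this demo.
set -eu

# Convert a tls-remote value such as
#   /C=DE/O=Hochschule_der_Medien/CN=VPN-GW_Nobelstr
# into the subject string OpenVPN 2.4 compares against:
#   C=DE, O=Hochschule der Medien, CN=VPN-GW Nobelstr
# Caveat: tls-remote replaced spaces with underscores, so this mapping cannot
# tell a real underscore from a former space. If the server's subject really
# contains "_", take the value from subject_from_error_line instead.
tls_remote_to_subject() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#, #g' -e 's#_# #g'
}

# Pull the server's actual subject out of an OpenVPN "VERIFY X509NAME ERROR"
# log line: the text between "ERROR: " and ", must be" is what the gateway
# presented, and is exactly the value verify-x509-name has to carry.
subject_from_error_line() {
    printf '%s\n' "$1" | sed -n 's/^.*VERIFY X509NAME ERROR: \(.*\), must be .*$/\1/p'
}

# Print an .ovpn file with every tls-remote line commented out and followed by
# the equivalent verify-x509-name line. Output goes to stdout so the result can
# be reviewed (and diffed against the original) before it replaces the file.
# Do not just delete tls-remote: without verify-x509-name any certificate the
# CA ever issued would be accepted as the VPN gateway.
convert_ovpn() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "tls-remote "*)
                value=${line#tls-remote }
                value=${value#\"}
                value=${value%\"}
                printf '#%s\n' "$line"
                printf 'verify-x509-name "%s"\n' "$(tls_remote_to_subject "$value")"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$1"
}

# Demo on a constructed config fragment (not the real HdM_Nobelstr.ovpn).
demo=$(mktemp)
trap 'rm -f "$demo"' EXIT
cat > "$demo" <<'EOF'
client
dev tun
tls-remote "/C=DE/ST=Baden-Wuerttemberg/O=Hochschule_der_Medien/OU=RZ/CN=VPN-GW_Nobelstr/emailAddress=wlan@hdm-stuttgart.de"
EOF
convert_ovpn "$demo"
```

Save it as a script, run it with bash, and redirect the output of convert_ovpn for your real profile into a new file. Diff that file against the original before replacing it, and make sure the resulting subject equals the one in the VERIFY X509NAME line character for character: in the default subject mode the comparison is an exact string match, so a single leftover slash or underscore is enough to fail it.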

I hope this helped and you’re again back on track with your HdM VPN connection. 🙂

Cheers!

