Zomboided / service.vpn.manager

VPN plugin for Kodi
GNU General Public License v2.0

Certificate expired in VPN but config working with OpenVPN #421

Closed monochromec closed 1 month ago

monochromec commented 1 month ago

AirVPN gives trouble when selected:

2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305) OpenVPN ignores --cipher for cipher negotiations. 
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 WARNING: file '<PATH_TO_KODI>/userdata/addon_data/service.vpn.manager/AirVPN/user.key' is group or others accessible
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 DCO version: N/A
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 TCP/UDP: Preserving recently used remote address: [AF_INET]178.162.209.151:443
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 UDPv4 link local: (not bound)
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 UDPv4 link remote: [AF_INET]178.162.209.151:443
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 VERIFY ERROR: depth=1, error=certificate has expired: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress =info@airvpn.org, serial=10148936457887096835
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 TLS_ERROR: BIO read tls_read_plaintext error
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 TLS Error: TLS object -> incoming plaintext read error
2024-05-09 20:44:53.673 T:16194    info <general>: 2024-05-09 20:44:51 TLS Error: TLS handshake failed

AirVPN config when configuring addon via wizard:

client
dev tun
remote <VALID AIRVPN SERVER IP> 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
#route-delay 5
verb 3
explicit-exit-notify 5
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
#cipher AES-256-CBC
comp-lzo no
proto udp
log /var/log/openvpn.log
#key-direction 1
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
# tun-ipv6
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
auth SHA512
<CA CERT KEY definitions>

The above config works with a standalone OpenVPN connection when invoked via the command line.
OpenVPN version: 2.6.9
OS: Stock Noble Numbat

Happy to provide more info if required - just let me know.

monochromec commented 1 month ago

After doing some digging in the code, the problem can be traced back to an ancient CA cert this addon uses to set up an initial VPN connection. To summarize the general approach when setting up a VPN connection as part of the config wizard:

Two solutions to address this problem come to mind:

  1. Clone both repos (the main and the "providers" one) and modify the addon repo config to pull down the corrected code and providers data from this newly cloned repo. This solution is the proper and correct approach, the only drawback: lots of effort to get this working.
  2. On to the quick and dirty workaround (I'll illustrate this for a VPN provider which uses user and CA certificates in addition to a user-specific key for proper VPN authorisation when connecting to the VPN server; ExpressVPN and AirVPN are two prime examples for this type of config):
    • Enter the wizard as usual and proceed to the step where the addon asks for an ovpn config file containing the client cert and key. In the <path_to_kodi_addons_directory>/service.vpn.manager/<your_VPN_provider>/ca.crt file you will find the offending old CA cert from the template data. Simply replace this with the CA cert extracted from your original ovpn file.
    • Let the wizard conclude the configuration as usual - you should now have a working VPN configuration for this addon.
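As an added check, not part of this issue or of the addon's code: a small pure-Python routine that pulls the inline <ca> block out of a provider's .ovpn file and reads the CA certificate's notAfter, the field behind the "certificate has expired" VERIFY ERROR in the log above, so a stale ca.crt can be spotted before the wizard is run. The sample certificate it builds is a constructed, unsigned shell with empty names (not AirVPN's CA); the DER walker assumes a well-formed X.509 certificate and does no signature or chain validation.

```python
import base64, datetime, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _enc(tag, body):  # tiny DER encoder, used only to build the constructed sample
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def constructed_ca_pem(not_after):
    """Constructed sample, NOT a real AirVPN cert: a structurally valid, unsigned
    certificate shell with empty names and the given UTCTime notAfter."""
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")   # version, serial
           + _enc(0x30, b"") + _enc(0x30, b"")                        # sigalg, issuer
           + _enc(0x30, _enc(0x17, b"200101000000Z") + _enc(0x17, not_after)))
    b64 = base64.encodebytes(_enc(0x30, _enc(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

def _tlv(buf, pos):  # read one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as every real certificate uses
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inline_ca_from_ovpn(ovpn_text):  # PEM inside <ca>...</ca>, what replaces the stale ca.crt
    m = re.search(r"<ca>\s*(.*?)\s*</ca>", ovpn_text, re.S)
    return m.group(1) + "\n" if m else None

def cert_not_after(pem):
    """Walk Certificate -> tbsCertificate -> validity; return notAfter as a UTC datetime."""
    der = base64.b64decode("".join(PEM_RE.search(pem).group(1).split()))
    _, cert, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)            # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)           # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)       # serialNumber
    _, _, pos = _tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)           # issuer Name
    _, validity, _ = _tlv(tbs, pos)      # validity { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)        # notBefore
    tag, t, _ = _tlv(validity, pos)      # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(t.decode(), fmt).replace(tzinfo=datetime.timezone.utc)

def ca_expired(pem, now=None):
    """True if the CA is past notAfter: OpenVPN's 'certificate has expired' VERIFY ERROR."""
    return cert_not_after(pem) < (now or datetime.datetime.now(datetime.timezone.utc))
```

On a real ca.crt the same field can be read with `openssl x509 -noout -enddate -in ca.crt`; run the check against both the addon's template ca.crt and the <ca> block of the provider's current .ovpn to confirm which one is stale.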