Closed GoogleCodeExporter closed 9 years ago
This is not a bug in ics openvpn. The behaviour you are reporting is in openvpn
itself. Does openvpn on your PC behave differently?
Original comment by arne@rfc2549.org
on 21 Aug 2012 at 3:42
On my pc the ovpn config is working and also on my Samsung Galaxy S2.
(CyanogenMod 9 + OpenVpn Settings App) This is written in the log on my pc:
VERIFY X509NAME OK: /C=c/L=l/O=o/CN=cn/emailAddress=a@b.com
The devices have the following versions of OpenVPN:
PC 2.1.1
Samsung Galaxy S2 2.2.2
Asus Transformer Pad Infinity 2.1.1
What else could cause this problem?
Original comment by david.ma...@gmail.com
on 21 Aug 2012 at 3:50
OpenVPN 2.3 changed the X509 name behaviour. There is a proposed patch to add a
compatibility for older versions but it is not yet included in 2.3:
http://comments.gmane.org/gmane.network.openvpn.devel/6988
Original comment by arne@rfc2549.org
on 21 Aug 2012 at 4:31
I've just installed your app on my Samsung Galaxy S2 and there I get the same
error. But the connection does work when I use the "OpenVpn Settings" app, so I
think it's not a fault of the openvpn client or server. I will download your
source code and try to debug the app. Maybe I will be able to find the problem.
Original comment by david.ma...@gmail.com
on 22 Aug 2012 at 7:43
As I explained, this is a change in OpenVPN 2.3. There will be a compat-names
option in later 2.3 releases but for now you have to use the new format with
tls-remote. E.g. specifying
tls-remote "C=c, L=l, O=o, CN=cn, emailAddress=a@b.com"
instead of
tls-remote "/C=c/L=l/O=o/CN=cn/emailAddress=a@b.com"
Original comment by arne@rfc2549.org
on 22 Aug 2012 at 7:53
I just realized that you include your own openvpn binaries in your app. Would
it be possible to just replace them on my device with the 2.2 version to get it
to work?
Original comment by david.ma...@gmail.com
on 22 Aug 2012 at 7:57
It is possible but using a 2.2 version would require backporting the patches
needed for the VPNService API. Also I don't understand why you cannot change
the tls-remote to the new format of 2.3?
Original comment by arne@rfc2549.org
on 22 Aug 2012 at 8:06
I'm using a Sophos (Astaro) firewall as OpenVpn server and this firewall
automatically chooses this format for the tls-remote, so I cannot change that. I
think I will check out an older version of your source code and compile
this older version myself until the new feature is available. Can you tell me which
version I have to download to get the old OpenVpn version?
Original comment by david.ma...@gmail.com
on 22 Aug 2012 at 8:12
There is no version of my software that uses an OpenVPN 2.2 version.
Original comment by arne@rfc2549.org
on 22 Aug 2012 at 8:32
Alternatively you can apply the compat-names patch manually to my source and use
that until the patch is upstream.
Original comment by arne@rfc2549.org
on 22 Aug 2012 at 8:34
The patch site is offline at the moment, I will try that when it's online again.
Original comment by david.ma...@gmail.com
on 22 Aug 2012 at 9:40
http://sourceforge.net/mailarchive/forum.php?thread_name=1345211355-26513-1-git-send-email-heiko.hund%40sophos.com&forum_name=openvpn-devel
Original comment by arne@rfc2549.org
on 22 Aug 2012 at 9:44
I've applied the patch and compiled openvpn using the ndk. But how can I now
specify the startup parameters for the openvpn binary in your application?
(--compat-names is a startup parameter, right?)
Original comment by david.ma...@gmail.com
on 22 Aug 2012 at 1:01
--compat-names is a config parameter like any other. You can set it in
advanced settings under custom config options of the VPN.
Original comment by arne@rfc2549.org
on 22 Aug 2012 at 1:08
I've tried to add this option to the buildOpenvpnArgv and under custom options,
but I just get the error "Unrecognized option or missing
parameters......compat-names". I see that my own compiled openvpn libs are
copied to the device, but the new command doesn't seem to be recognized. I've
cleaned all ndk libs and rebuilt them. The output of the patch was:
patch -p1 < openvpn.patch
patching file doc/openvpn.8
Hunk #1 succeeded at 3439 with fuzz 1 (offset 44 lines).
patching file src/openvpn/misc.c
patching file src/openvpn/misc.h
patching file src/openvpn/options.c
Hunk #1 succeeded at 2127 (offset -4 lines).
Hunk #2 succeeded at 5528 (offset -1 lines).
patching file src/openvpn/ssl_verify.c
patching file src/openvpn/ssl_verify_openssl.c
patch unexpectedly ends in middle of line
What could be the problem?
Original comment by david.ma...@gmail.com
on 22 Aug 2012 at 3:06
I found out that the --compat-names command is just for openvpn server, but I
also found the solution for the problem. I just had to rename the tls-remote to
C=c, L=l, O=o, CN=cn, emailAddress=a@b.com in the config to get a connection!
Original comment by david.ma...@gmail.com
on 22 Aug 2012 at 6:57
I added an option in the import that should automatically convert the
remote-tls option for you. Can you test it?
Original comment by arne@rfc2549.org
on 23 Aug 2012 at 8:22
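The conversion discussed in this thread (the slash-separated tls-remote name accepted before OpenVPN 2.3 rewritten into the comma-separated form 2.3 expects, applied to a whole config on import), as an added example that is not code from the thread or from the app. `convert_dn`, `convert_config` and the sample config are constructed for illustration; splitting only on a `/` that begins a new `ATTR=` pair is a heuristic assumption, since the old one-line form has no escaping.

```python
import re
import shlex

# Split only on a "/" that starts a new "ATTR=" pair, so a "/" inside a value
# (for example in an OU) is left alone. Heuristic, see the lead-in.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

# Constructed sample config, not taken from the thread.
SAMPLE_CONFIG = """client
remote vpn.example.net 1194
# tls-remote "/C=old/CN=comment"
tls-remote "/C=c/L=l/O=o/CN=cn/emailAddress=a@b.com"
"""


def convert_dn(old):
    """Turn '/C=c/L=l/CN=cn' into 'C=c, L=l, CN=cn'.

    A bare common name, a CN prefix, or a name already in the new form
    is returned unchanged.
    """
    if not old.startswith("/") or "=" not in old:
        return old
    return ", ".join(p for p in _RDN_SPLIT.split(old) if p)


def convert_config(text):
    """Rewrite old-style tls-remote lines; every other line is kept as is."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        tokens = []
        if stripped and not stripped.startswith(("#", ";")):
            try:
                tokens = shlex.split(stripped)
            except ValueError:  # unbalanced quote: leave the line untouched
                tokens = []
        if len(tokens) == 2 and tokens[0] == "tls-remote":
            new = convert_dn(tokens[1])
            # Skip values that would need escaping inside double quotes.
            if new != tokens[1] and '"' not in new and "\\" not in new:
                line = 'tls-remote "%s"' % new
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(convert_config(SAMPLE_CONFIG))
```
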
Original issue reported on code.google.com by
david.ma...@gmail.com
on 21 Aug 2012 at 3:23