OpenVPN Client Export for Android #3174

Closed
abplfab opened this issue Feb 2, 2019 · 7 comments

Comments

@abplfab

abplfab commented Feb 2, 2019

After upgrading to 19.1: "Export Type: File only" the Android "OpenVPN Connect" imports the file and also connects. But there is no traffic possible through the tunnel.
Adding comp-lzo adaptive, tls-client and removing dev tun from the exported file solves the problem (then it's like <19.1). I didn't test yet which setting solves the problem or whether all 3 are needed.

@AdSchellevis
Member

Which android version?

tls-client should be automatically set by client (which is in the export); I expect dev tun should be the default when not specified; comp-lzo is deprecated (https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/).

Could you try to leave dev tun in and check with the other two settings added manually? (You can also add those in the custom config section.) If that works, check which one makes it functional.

Thanks!

@abplfab
Author

abplfab commented Feb 2, 2019

Tried with all combinations. Only comp-lzo adaptive is needed (it's also set like that in the server).
OpenVPN Connect Version 3.0.5 (1816)
Android Version 9 (latest updates from Dec. 2018 installed, Huawei Mate 20 Pro, LYA-L29)

@abplfab
Author

abplfab commented Feb 2, 2019

Even more "fun". Tried it with OpenVPN Client on Windows (latest 2.4.6), export Archive:
remote vpn.legatech.ch 1194 UDP:

Options error: remote: bad protocol associated with host vpn.legatech.ch: 'UDP'
Use --help for more information.

Change to remote vpn.legatech.ch 1194 udp:

Options error: Unrecognized option or missing or extra parameter(s) in Legatech TEST.ovpn:13: pkcs12 (2.4.6)
Use --help for more information.

pkcs12 Legatech User VPN_fabiana.p12
tls-auth Legatech User VPN_fabiana-tls.key 1

Options error: Unrecognized option or missing or extra parameter(s) in Legatech TEST.ovpn:13: pkcs12 (2.4.6)
Use --help for more information.

Change to:

pkcs12 "Legatech User VPN_fabiana.p12"
tls-auth "Legatech User VPN_fabiana-tls.key" 1

But now the client asks for a password for the key (I didn't set one on export) -> no connection possible
Set a password for P12 and export again, enter PW in OpenVPN GUI:

Sat Feb 02 10:32:04 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Feb 02 10:32:04 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Feb 02 10:32:04 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Feb 02 10:32:06 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Feb 02 10:32:06 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]62.2.x.y:1194
Sat Feb 02 10:32:06 2019 UDP link local (bound): [AF_INET][undef]:0
Sat Feb 02 10:32:06 2019 UDP link remote: [AF_INET]62.2.x.y:1194
Sat Feb 02 10:32:06 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sat Feb 02 10:32:06 2019 TLS_ERROR: BIO read tls_read_plaintext error
Sat Feb 02 10:32:06 2019 TLS Error: TLS object -> incoming plaintext read error
Sat Feb 02 10:32:06 2019 TLS Error: TLS handshake failed
Sat Feb 02 10:32:06 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Feb 02 10:32:10 2019 SIGTERM[hard,init_instance] received, process exiting

Client config exported on 18.7.x is still working with the updated OPNsense 19.1, but export on 19.1 seems very broken...

@sjjh

sjjh commented Feb 2, 2019

We're facing some OpenVPN export problems after updating as well. We've also stumbled over the UDP-protocol error, running a client under Ubuntu 18.04:

user@host:~$ openvpn --config Downloads/VPN_Server_host.tld.ovpn --verb 4
Options error: remote: bad protocol associated with host <ip address>: 'UDP'
Use --help for more information.

After changing the line
remote <ip address> <port> UDP
in the exported config file to
remote <ip address> <port> udp
it doesn't complain anymore.
The next error we encountered is regarding the x509 name verification:

user@host:~$ openvpn --config Downloads/VPN_Server_host.tld.ovpn --verb 4
Sat Feb  2 15:17:12 2019 us=241839 Current Parameter Settings:
[...]
Sat Feb  2 15:17:12 2019 us=244631   verify_x509_type = 1
Sat Feb  2 15:17:12 2019 us=244650   verify_x509_name = 'C=foo0 ST=foo1 L=foo2 O=foo3 emailAddress=foo4 CN=foo5'
Sat Feb  2 15:17:23 2019 us=816059 VERIFY EKU OK
Sat Feb  2 15:17:23 2019 us=816077 VERIFY X509NAME ERROR: C=foo0, ST=foo1, L=foo2, O=foo3, emailAddress=foo4, CN=foo5, must be C=foo0 ST=foo1 L=foo2 O=foo3 emailAddress=foo4 CN=foo5
Sat Feb  2 15:17:23 2019 us=816172 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sat Feb  2 15:17:23 2019 us=816196 TLS_ERROR: BIO read tls_read_plaintext error
Sat Feb  2 15:17:23 2019 us=816214 TLS Error: TLS object -> incoming plaintext read error
Sat Feb  2 15:17:23 2019 us=816230 TLS Error: TLS handshake failed
Sat Feb  2 15:17:23 2019 us=816401 TCP/UDP: Closing socket
Sat Feb  2 15:17:23 2019 us=816462 SIGUSR1[soft,tls-error] received, process restarting

So we changed the line
verify-x509-name "C=foo0/ST=foo1/L=foo2/O=foo3/emailAddress=foo4/CN=foo5" subject
in the exported config file to
verify-x509-name "C=foo0, ST=foo1, L=foo2, O=foo3, emailAddress=foo4, CN=foo5" subject
to make that error go away as well. Now it seems to work again.

The manual might need a small update (at least to the screenshots) as well; it seems to look different now compared to before the update.
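The three edits reported in this thread (lowercasing the protocol in the `remote` line, quoting file paths that contain spaces in the Windows comment above, and rewriting the `verify-x509-name` subject in the comma-separated form from the x509 error in the previous comment) can be checked mechanically before an exported config is handed to a client. The script below is an added example; it is not part of this issue or of OPNsense's export code. The sample config is constructed, and the option table and the `0`/`1` key-direction heuristic for `tls-auth` are assumptions of this example, not something the thread states.

```python
import shlex

# Constructed sample of an exported client config showing the three problems
# reported in this thread (constructed for this example, not a real export).
SAMPLE_OVPN = """client
dev tun
remote vpn.example.test 1194 UDP
pkcs12 Example User VPN_alice.p12
tls-auth Example User VPN_alice-tls.key 1
verify-x509-name "C=foo0/ST=foo1/L=foo2/O=foo3/emailAddress=foo4/CN=foo5" subject
cipher AES-256-CBC
"""

# Options whose first argument is a file path (assumed list for this example);
# value = whether a key-direction argument (0/1) may follow the path.
FILE_OPTIONS = {"ca": False, "cert": False, "key": False,
                "pkcs12": False, "tls-auth": True, "tls-crypt": False}


def quote(arg):
    """Quote an argument for an OpenVPN config line if it contains whitespace."""
    return f'"{arg}"' if any(ch.isspace() for ch in arg) else arg


def fix_line(line):
    """Return (fixed_line, note) for one config line; note is None when unchanged."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return line, None
    try:
        args = shlex.split(stripped)  # honours already-quoted paths
    except ValueError:
        return line, None  # unbalanced quotes: leave for a human to look at
    opt = args[0]

    # 1. 'remote host port PROTO': OpenVPN rejects 'UDP', accepts 'udp'
    if opt == "remote" and len(args) == 4 and args[3] != args[3].lower():
        fixed = " ".join([opt, args[1], args[2], args[3].lower()])
        return fixed, f"remote: protocol '{args[3]}' lowercased"

    # 2. unquoted file path containing spaces: quote the whole path
    if opt in FILE_OPTIONS and len(args) > 1:
        has_dir = FILE_OPTIONS[opt] and len(args) > 2 and args[-1] in ("0", "1")
        tail = args[-1:] if has_dir else []
        body = args[1:len(args) - len(tail)]
        if len(body) > 1:  # path was split into several tokens, so it was unquoted
            fixed = " ".join([opt, quote(" ".join(body))] + tail)
            return fixed, f"{opt}: path with spaces quoted"
        return line, None

    # 3. verify-x509-name with slash-separated subject: use comma-separated RDNs
    if opt == "verify-x509-name" and len(args) >= 2 \
            and "/" in args[1] and ", " not in args[1]:
        rdns = [p for p in args[1].split("/") if p]
        fixed = " ".join([opt, quote(", ".join(rdns))] + args[2:])
        return fixed, "verify-x509-name: subject converted to comma-separated form"

    return line, None


def lint_ovpn(text):
    """Normalise an exported client config; return (fixed_text, [(lineno, note)])."""
    out, notes = [], []
    for n, line in enumerate(text.splitlines(), 1):
        fixed, note = fix_line(line)
        out.append(fixed)
        if note:
            notes.append((n, note))
    return "\n".join(out) + "\n", notes


if __name__ == "__main__":
    fixed_text, findings = lint_ovpn(SAMPLE_OVPN)
    for lineno, note in findings:
        print(f"line {lineno}: {note}")
    print(fixed_text)
```

The checks are deliberately narrow: a line is only rewritten when it matches one of the three failure modes seen in this thread, and anything with unbalanced quotes is left alone rather than guessed at, so the output is safe to diff against the original export before use.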

@AdSchellevis
Member

To patch the 3 issues mentioned, use:

opnsense-patch 9eebb2eb7 81364dd3d 6ee58cc30

The case issue was already reported and fixed here: https://forum.opnsense.org/index.php?topic=11415.msg51678#msg51678

@abplfab
Author

abplfab commented Feb 2, 2019

I can confirm that.
After opnsense-patch 9eebb2eb7 81364dd3d 6ee58cc30 e9d1aa4 export works for both Windows and Android Client.

@AdSchellevis Thank you for the fast patch!

@AdSchellevis
Member

@abplfab thanks for confirming, we'll ask @fichtner to add this in 19.1.1 and ask @MichaelDeciso to look at the docs suggested by @sjjh (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html)

fichtner pushed a commit that referenced this issue Feb 3, 2019
fichtner pushed a commit that referenced this issue Feb 3, 2019
fichtner pushed a commit that referenced this issue Feb 3, 2019