
I try to work around that the option

--tls-remote

was removed in openvpn 2.4 so my openvpn config file does not work any more.

I tried to downgrade openvpn from 2.4 in Ubuntu 17.10 down to 2.3.4:

apt remove openvpn
wget http://ftp.us.debian.org/debian/pool/main/o/openvpn/openvpn_2.3.4-5+deb8u2_amd64.deb
dpkg -i openvpn_2.3.4-5+deb8u2_amd64.deb

But it seems like 2.3 is not compatible with Ubuntu 17.10: it says the package initscripts is missing, which is not installable on 17.10.

What can I do to get my old config running? Or can I change the config, so it works with 2.4? This is the offending line:

tls-remote "/C=de/L=SomeTown/O=Something/CN=asg.myserver.de/emailAddress=administrator@myserver.de"
rubo77
  • ... rebuild the old package from source, but remove the dependency, or fake the dependency: https://askubuntu.com/q/18192/158442 – muru Nov 27 '17 at 11:01
  • The option was probably removed for a reason; update your configuration. – fkraiem Nov 27 '17 at 11:07

2 Answers


The new configuration option to use is verify-x509-name; it appears to expect a comma and space separated list for your Distinguished Name (DN):

verify-x509-name 'C=de, L=SomeTown, O=Something, CN=asg.myserver.de, emailAddress=administrator@myserver.de'

This information is from the OpenVPN man page for 2.4, in the TLS Mode Options section. The example there only uses the C, ST, L and CN parts to make up the DN, but it looks like it should work with other DN components.

Arronical

You have to replace the --tls-remote name with the new --verify-x509-name name type directive:

https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--tls-remote

So instead of the tls-remote command use this:

verify-x509-name 'C=de, L=SomeTown, O=Something, CN=asg.myserver.de, emailAddress=administrator@myserver.de'

Strangely, this didn't work on my system, I got an error:

VERIFY X509NAME ERROR: C=de, L=SomeTown, O=Something, CN=asg.myserver.de, emailAddress=administrator@myserver.de, must be C=de, L=SomeTown, O=Something, CN=asg.myserver.de, emailAddress=administrator@myserver.de

Which seems a really strange message, so I tried some more options and found out that it works with the type name instead of the (default) type subject:

verify-x509-name asg.myserver.de name
rubo77
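Both answers above boil down to the same rewrite: the slash-delimited DN that --tls-remote took becomes either a full "subject" match with comma-and-space separators, or a CN-only "name" match. The following script is an added example (not from the question, the answers, or the OpenVPN project) that performs that rewrite on a config file so the conversion is mechanical rather than hand-edited. The sample config embedded in it is constructed; the function names are my own. It assumes DN values contain no literal commas or slashes, which holds for the DN in this question.

```python
import re

# Constructed sample: a fragment of an OpenVPN 2.3-era client config using
# the removed --tls-remote option with the DN from the question.
OLD_CONFIG = '''client
remote asg.myserver.de 1194
tls-remote "/C=de/L=SomeTown/O=Something/CN=asg.myserver.de/emailAddress=administrator@myserver.de"
verb 3
'''


def parse_tls_remote_dn(dn):
    """Split a slash-delimited DN (the --tls-remote form, e.g. "/C=de/CN=host")
    into an ordered list of (attribute, value) pairs, preserving order."""
    if not dn.startswith("/"):
        raise ValueError("expected a slash-delimited DN starting with '/'")
    pairs = []
    for part in dn.strip("/").split("/"):
        if "=" not in part:
            raise ValueError(f"malformed RDN component: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def to_verify_x509_name_subject(dn):
    """Full-subject form (default type 'subject'): every DN component must match,
    joined by comma and space as the 2.4 man page shows."""
    joined = ", ".join(f"{a}={v}" for a, v in parse_tls_remote_dn(dn))
    return f"verify-x509-name '{joined}'"


def to_verify_x509_name_cn(dn):
    """CN-only form (type 'name'): matches the certificate's Common Name exactly
    and ignores every other DN component."""
    cns = [v for a, v in parse_tls_remote_dn(dn) if a == "CN"]
    if len(cns) != 1:
        raise ValueError("expected exactly one CN in the DN")
    return f"verify-x509-name {cns[0]} name"


# Matches a tls-remote line with an optionally double-quoted DN argument.
_TLS_REMOTE_RE = re.compile(r'^\s*tls-remote\s+"?([^"]+?)"?\s*$')


def rewrite_config(text, cn_only=False):
    """Return the config with every tls-remote line replaced by the
    equivalent verify-x509-name line; other lines are passed through."""
    out = []
    for line in text.splitlines():
        m = _TLS_REMOTE_RE.match(line)
        if m:
            dn = m.group(1)
            out.append(to_verify_x509_name_cn(dn) if cn_only
                       else to_verify_x509_name_subject(dn))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rewrite_config(OLD_CONFIG))
    print(rewrite_config(OLD_CONFIG, cn_only=True))
```

The subject form is the stricter of the two: it requires every component of the server certificate's DN to match, whereas the name form accepts any certificate from the same CA whose CN is asg.myserver.de. If the subject form fails with the kind of mismatch error shown in the second answer, it is worth comparing the rewritten string against the subject line OpenVPN logs for the server certificate at `verb 3` or higher before falling back to the CN-only match.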