Verify-x509-name

Xyrr
OpenVpn Newbie
Posts: 3
Joined: Mon Jun 29, 2015 4:00 pm

Verify-x509-name

Post by Xyrr » Mon Jun 29, 2015 6:37 pm

Hi guys,

I'm new at using OpenVPN and I have run into an issue. I use my DDWRT router to host an OpenVPN server, and a OnePlus One running Android 4.4.2 and OpenVPN Connect 1.1.16 to connect to it. It's all working fine, TLS authentication included. Now, I read through some tutorials to make OpenVPN more secure and found some information regarding the "verify-x509-name" command to tighten security a little more. I am using the following line in the client profile on my Android smartphone:

verify-x509-name elephant name

Now, elephant is not the CN of my OpenVPN server and it still connects anyway. It doesn't matter what I enter there; it's as if the line is just ignored. I've also tried adding quotes around the name and tried some other variants where the entire subject is checked, but to no avail. I searched on the internet to see if there is anything to be done server-side to make the verify-x509-name command work but didn't find anything of the sort. I suspect that the problem has something to do with the Android client, so I thought I'd ask here.

So my question is: does the OpenVPN Connect client support this command? If so, what am I doing wrong?

Thanks!
Xyrr

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Verify-x509-name

Post by Traffic » Tue Jun 30, 2015 10:07 am

Using standard OpenVPN and --verify-x509-name (bad.name name .. i.e. a deliberately incorrect name) I get this error:

VERIFY X509NAME ERROR: CN=real.name, must be bad.name

If this does not work for your Android smartphone then I would imagine either you have set it up incorrectly or OpenVPN for Android does not support this option ...

Please post your client log at verb 4.
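As an added illustration of the check that option is supposed to perform (example code written for this thread, not from OpenVPN or from anyone posting here), here is a Python model of the three --verify-x509-name match types that produces the same log wording as the error above; the server certificate subject it checks is a constructed stand-in.

```python
import re
from typing import List, Tuple

Subject = List[Tuple[str, str]]  # ordered RDN pairs, e.g. [("CN", "real.name")]

def parse_subject(dn: str) -> Subject:
    """Parse the one-line DN 'C=US, O=Example, CN=real.name' into ordered pairs.
    A comma inside a value is escaped as '\\,' (OpenSSL style)."""
    pairs: Subject = []
    for part in re.split(r"(?<!\\),\s*", dn.strip()):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip(), value.replace("\\,", ",")))
    return pairs

def format_subject(subject: Subject) -> str:
    """Inverse of parse_subject: the string the client logs and compares."""
    return ", ".join(a + "=" + v.replace(",", "\\,") for a, v in subject)

def verify_x509_name(subject: Subject, expected: str,
                     match_type: str = "subject") -> Tuple[bool, str]:
    """Apply 'verify-x509-name <expected> <match_type>' to a server cert subject.
    subject: whole DN must equal <expected> (OpenVPN's default type)
    name: CN must equal <expected>;  name-prefix: CN must start with <expected>
    Returns (ok, log_line) with the log line in OpenVPN's wording."""
    full = format_subject(subject)
    if match_type == "subject":
        ok = full == expected
    elif match_type in ("name", "name-prefix"):
        cn = next((v for a, v in subject if a == "CN"), None)
        if cn is None:            # a certificate without a CN can never match
            ok = False
        elif match_type == "name":
            ok = cn == expected
        else:
            ok = cn.startswith(expected)
    else:
        raise ValueError(f"unknown match type {match_type!r}")
    if ok:
        return True, f"VERIFY X509NAME OK: {full}"
    return False, f"VERIFY X509NAME ERROR: {full}, must be {expected}"

# Constructed server certificate subject for the thread's scenario (not real data).
SERVER_SUBJECT = parse_subject("CN=real.name")

if __name__ == "__main__":
    # "verify-x509-name elephant name" must reject this server; a client whose
    # log never shows a VERIFY X509NAME line is not performing the check at all.
    for name in ("elephant", "bad.name", "real.name"):
        print(verify_x509_name(SERVER_SUBJECT, name, "name")[1])
```

Without this check, any certificate issued by the same CA (another client's, for instance) would be accepted as the server; the `name` type ties the tunnel to the server's CN.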

Xyrr
OpenVpn Newbie
Posts: 3
Joined: Mon Jun 29, 2015 4:00 pm

Re: Verify-x509-name

Post by Xyrr » Tue Jun 30, 2015 1:42 pm

Thanks for your reply. Unfortunately OpenVPN Connect for Android doesn't seem to have a log export function, nor is the log saved to a file, so I had to take screenshots. The first one seems to have pretty much all the information needed. Nowhere other than in this first piece of the log is verify-x509-name mentioned.


I'm assuming that, because the verify-x509-name option is unused, the Android client doesn't support it?

Xyrr
OpenVpn Newbie
Posts: 3
Joined: Mon Jun 29, 2015 4:00 pm

Re: Verify-x509-name

Post by Xyrr » Tue Jun 30, 2015 6:05 pm

I made a reply before but it seems to have disappeared, so I'll try again. First of all, thanks for your reply. Unfortunately, OpenVPN Connect for Android doesn't seem to have a log copy/paste or export function, so I had to take screenshots. There's no mention of anything related to verify-x509-name except for the first part of the log, showing it as unused.


The complete log can be seen here: http://i.imgur.com/JksawO8.jpg

I'm assuming that because it is shown as an unused option, verify-x509-name is not supported in the Android client? Or am I doing something wrong?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Verify-x509-name

Post by Traffic » Thu Jul 02, 2015 10:36 am

It does look like --verify-x509-name is not supported on Android smartphones ...

You could try asking in the #openvpn-as IRC channel on freenode, I expect you will get an authoritative answer there.
