Ovpn file not accepted on Android

BobAGI
OpenVPN Power User
Posts: 167
Joined: Mon May 05, 2014 10:17 pm

Ovpn file not accepted on Android

Post by BobAGI » Sun Oct 22, 2017 10:00 pm

Background:
I have installed OpenVPN server 2.4.4 on a virtual Windows Server 2016 for testing purposes before embarking on setting up on our live network.
I used a combination of 3 how-to pages to set it up, one is the official OpenVPN one.
I have used easy-rsa to generate all the certificates and keys needed and I have also created a test client key/certificate set.
This has been stuffed into a client ovpn file like I have done many times before on Linux (this is my first time on Windows).

First test bombed:
To test this I have done like I always do, namely disconnect my Samsung Galaxy phone from WiFi so it enters the mobile network.
I have previously transferred the ovpn file using a USB connection and now on the phone in the OpenVPN-GUI app I have tried to import the profile.
But now I am getting a very strange error message on the phone, which I have never seen before:
"Error parsing OpenVPN profile nameofclient.ovpn: option_error: option <ca> was not properly closed out"
I have checked the file and it looks all right to me. The only thing that comes to mind now is that the ovpn file was created on Windows and thus could have Windows line endings (CRLF) but is being used on an Android phone, which most likely uses only LF line endings. But the file turns out to use LF only as line ending...
So I cannot understand why it would be like this because there would be lots of people having my error but I found only two on Google and these were not resolved...
Here is the start of my ovpn file:

Code:

client
dev tun
proto udp
remote vpn.xxxxxxx.com 1199
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
comp-lzo
verb 3
mute 20
<ca> 
-----BEGIN CERTIFICATE-----
MIIGpzCCBI+gAwIBAgIJAJgCPgFWo8l7MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD
--- remainder of certificate ---
Elhszk8LpvUQPyyhJP0KskhUDx1dQ4jKfoEb
-----END CERTIFICATE-----
</ca> 
<cert> 
-----BEGIN CERTIFICATE-----
MIIG6TCCBNGgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCVVMx
etc to the end
Note that the <ca> tag for sure has a </ca> counterpart tag!

What can I look for in order to fix this problem?

Post by BobAGI » Mon Oct 23, 2017 6:52 am

Follow-up:
I have looked more carefully at the ovpn file now and it turns out that parts of the file use unix line endings (LF) and parts of it Windows line endings (CRLF). Seems to depend on how it was created...
Is this the cause of the problem?

The client ovpn file was built using a variation of the MakeOVPN.sh file converted to MakeOVPN.bat for Windows.
The bat file essentially just copies together a set of files as follows:

Default.txt (CRLF line endings): contains the client openvpn options that go on top of the ovpn file
<ca>
ca.crt (LF line endings)
</ca>
<cert>
client.crt (CRLF line endings): this is filtered through sed to just use the lines between begin and end certificate
</cert>
<key>
client.3des.key (LF line endings)
</key>
<tls-auth>
ta.key (CRLF line endings)
</tls-auth>

So Default.txt, client.crt and ta.key use Windows CRLF line endings as do the lines containing the tags (<ca> </ca> etc)
But the ca.crt and client.3des.key use unix LF line endings.
Why the different files created by the scripts in the easy-rsa directory should wind up with different types of line endings is beyond me.
My batch script just copies together the files and adds the separation tags (except it uses sed to cut out parts of client.crt).
So I understand that the echo commands into the file will yield CRLF line endings, but why is this the case for ta.key?

I don't know how to change this to a uniform line ending scheme in a Windows bat file, though. Any ideas?

Post by BobAGI » Mon Oct 23, 2017 9:22 am

Follow-up 2:
I have now written a filter program to remove all CR bytes from the file. It removed 84 of these so now there are none left.
But still the phone app OpenVPN-Connect complains exactly the same about "not properly closed out"

Is there really no one here who has seen this?

PS:
I tested the ovpn file on my Win7 PC in OpenVPN-GUI after I forged the remote address since I can't use it for a server sitting behind the same router. It turns out that this time the import into OpenVPN did not cause any errors, but of course I got a timeout when trying to connect.
So now I think that there is a problem with the OpenVPN-Connect app on Android, where should I ask about that?
DS

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Ovpn file not accepted on Android

Post by TinCanTech » Mon Oct 23, 2017 11:04 am

Use Notepad++ to create your config file with inline certificates.
You can then choose the line endings when you save the file.

I don't know if mixing line endings is the problem but it sounds like it probably is.
Let us know what you find (I don't have Android to test) and we can update this:
https://community.openvpn.net/openvpn/wiki/IOSinline

Post by BobAGI » Mon Oct 23, 2017 2:19 pm

Well, it did not work out on Android...
I even fired up an older S4Mini phone having a non-updated app on it and loaded the fixed ovpn file to it.
It reacted the same by refusing to import the file due to this issue with ca.
Same file used on a different laptop passed all along to the connection where it was not able to reach the target.

Post by TinCanTech » Mon Oct 23, 2017 7:34 pm

Perhaps you have found a bug .. but which openvpn-connect app ?

Post by BobAGI » Mon Oct 23, 2017 8:14 pm

On Google Play it is shown as:
OpenVPN Connect is the official Android VPN client for OpenVPN servers
I have the latest version (1.1.17 build 76)
My final thing to do is compile the ovpn file manually from the various certificates and see what happens. So far I have used scripted building and it obviously cannot cope with varying line endings.
Someone suggested I use Notepad++, but when I do it adds a 3-byte UTF-8 BOM in front of the file and I think this is no good.
I will use UltraEdit instead where I can create a BOM-less UTF-8 text file. I'll be back in a while.

Post by BobAGI » Mon Oct 23, 2017 8:49 pm

Back again.
Import problem gone!

Now I have started with a new blank edit window set to UTF-8 without BOM using Ultraedit on Windows.
Then I have manually typed in the tags and copy pasted the blocks of text from the various cert and key files.
I started by copying in Default.txt and so on.
Saved the file under a new name and transferred it to the old Android phone, where I imported the profile.
Now there was no complaint anymore about the ca ending and I could start a session, which did not complete because of networking issues on the server side. And this is exactly why I had to use the phone in the first place (to help in debugging the server configuration)....

If I now use WinMerge to compare the two files it finds only a single difference: in the non-working file I have added a comment on top explaining what the file purpose is. And of course the line endings are different in the new file compared to the old one; WinMerge does not notice this, though.

I have no clue as to what is the difference between these files, maybe there is some subtle encoding difference that is invisible to the eye but not to software? Unicode screwing things up maybe?

I think I have to write a non-scripted program (non-Unicode too) to build the ovpn files from the building blocks but where I have better control than in batch scripting...
If we are to use this server on Windows we have to streamline the generation of the client ovpn files...

Post by BobAGI » Tue Oct 24, 2017 12:46 pm

OK, now I have created the MakeOVPN.exe Windows program and it makes usable client ovpn files working also on Android.
It must have been a problem with the echo commands or sed in the batch file that caused some invisible incompatibility...

Chriskk22
OpenVpn Newbie
Posts: 1
Joined: Wed Jul 04, 2018 12:09 am

Re: Ovpn file not accepted on Android

Post by Chriskk22 » Wed Jul 04, 2018 12:10 am

Hello. I have the same problem. Where can I find this program?

Post by BobAGI » Wed Jul 04, 2018 5:48 am

You can't since I wrote it in an attempt at fixing the ovpn creation issues, but later abandoned OpenVPN server on Windows altogether.
Instead I installed a dedicated OpenVPN server running Ubuntu Server 16.04-03 LTS and scripted the whole OVPN file creation there.
No problems anymore. Scripting on Linux is so much simpler.
I even added a unix2dos operation on the finished OVPN file to make it readable more easily on Windows clients.

I definitely recommend setting up OpenVPN server on a Linux box rather than Windows.
It is a PITA to configure the network firewalling rules on Windows but just a few IPTABLES commands on Linux....

beaukey
OpenVpn Newbie
Posts: 1
Joined: Sat Sep 14, 2013 11:41 am

Re: Ovpn file not accepted on Android

Post by beaukey » Tue Jul 31, 2018 6:59 pm

I am using a couple scripts to compile OVPN files. I also got the error "...option_error: option <ca> was not properly closed out" on a new Android device running Android Oreo 8.1.0 & OpenVPN Connect 3.0.5.

I have learned:
1. Filename extension *must* be lowercase
2. Remove all space(s) between last character(s) and CrLf. E.g.:
<CA>{SPACE}CrLf to
<CA>CrLf

(You can check/modify with Notepad++ > View > Show Symbol > Show End of Line)

After these two changes, the OVPN file is recognized and works like expected.
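
Added example (not code from any poster in this thread, and not the MakeOVPN program mentioned above): a byte-level check for the issues raised here, namely a UTF-8 BOM, mixed CRLF/LF endings, whitespace after an inline tag such as `<ca>`, and unclosed inline blocks, plus a normalizer. The function names and the sample profile are constructed for illustration; LF is chosen as the uniform ending, which the thread does not establish as a requirement.

```python
import re

BOM = b"\xef\xbb\xbf"
TAG = re.compile(rb"^<(/?)([A-Za-z][A-Za-z0-9-]*)>$")

def lint_ovpn(data: bytes) -> list:
    """Report BOM, mixed line endings, padded tags and unbalanced inline blocks."""
    findings = []
    if data.startswith(BOM):
        findings.append("UTF-8 BOM at start of file")
        data = data[len(BOM):]
    crlf = data.count(b"\r\n")
    lf_only = data.count(b"\n") - crlf
    if crlf and lf_only:
        findings.append(f"mixed line endings: {crlf} CRLF, {lf_only} LF")
    open_tag = None
    for n, raw in enumerate(data.split(b"\n"), 1):
        line = raw.rstrip(b"\r")
        m = TAG.match(line.strip(b" \t"))
        if not m:
            continue  # ordinary directive or PEM line
        closing, name = m.group(1) == b"/", m.group(2).decode()
        if line != line.rstrip(b" \t"):
            # A parser comparing the whole line to "</ca>" would not match "</ca> ".
            findings.append(f"line {n}: whitespace after tag {name}")
        if closing and name == open_tag:
            open_tag = None
        elif closing:
            findings.append(f"line {n}: </{name}> without matching opening tag")
        elif open_tag:
            findings.append(f"line {n}: <{name}> opened inside <{open_tag}>")
        else:
            open_tag = name
    if open_tag:
        findings.append(f"<{open_tag}> is never closed")
    return findings

def normalize_ovpn(data: bytes) -> bytes:
    """Drop the BOM, convert every line ending to LF, strip trailing blanks."""
    if data.startswith(BOM):
        data = data[len(BOM):]
    lines = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    return b"\n".join(l.rstrip(b" \t") for l in lines)

# Constructed sample: BOM, CRLF option lines, LF certificate lines, padded tags.
SAMPLE = (BOM + b"client\r\ndev tun\r\n<ca> \r\n-----BEGIN CERTIFICATE-----\n"
          b"Q09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n</ca> \r\n")

if __name__ == "__main__":
    print("\n".join(lint_ovpn(SAMPLE)))
    print(lint_ovpn(normalize_ovpn(SAMPLE)))
```

Run the check on the generated profile before transferring it to the phone; a diff tool that ignores line endings and trailing blanks will not show any of these differences.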
