I’m using the OpenVPN clients that they have available here: https://openvpn.net/community-downloads/ (also the Android app here: https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en_us) and what I find is that basically the configurations work; however, there is a missing property in the .ovpn files that I download. By adding just one line:
Everything works with both the desktop and Android clients.
The ca.pem file is the CA certificate that the server contains (I extracted it using OpenSSL from the PKCS12 file that is already in the ZIP).
Is there some property that I’ve missed when I set up the server or is this hardcoded in the UI for OpenVPN?
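The extraction step mentioned in the question above, as an added example that is not part of the original post or of the project's code: it pulls only the CA certificate out of a PKCS#12 bundle with OpenSSL and checks that this CA issued the bundled client certificate. The bundle, subject names, password and file names are constructed samples, not the files from the thread.

```shell
#!/bin/sh
# Added example: all keys and certificates below are constructed throwaway samples.
set -eu

# Build a sample bundle in directory $1, protected with password $2:
# a self-signed CA, a client certificate it issued, and client.p12 holding both.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample VPN CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sample-client" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/client.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
    -certfile "$1/ca.crt" -passout "pass:$2" -out "$1/client.p12"
}

# Write only the CA certificate(s) from bundle $1 (password $2) to PEM file $3.
# -cacerts skips the client certificate, -nokeys skips the private key.
extract_ca() {
  openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" \
    -out "$3.tmp" 2>/dev/null || { rm -f "$3.tmp"; return 1; }
  # Drop the "Bag Attributes" text so the file holds PEM blocks only.
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$3.tmp" > "$3"
  rm -f "$3.tmp"
  [ -s "$3" ]
}

# Succeeds if certificate $2 chains to the CA file $1.
issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo_dir=$(mktemp -d)
make_sample_p12 "$demo_dir" "constructed-pass"
extract_ca "$demo_dir/client.p12" "constructed-pass" "$demo_dir/ca.pem"
if issued_by "$demo_dir/ca.pem" "$demo_dir/client.crt"; then
  echo "ca.pem is the CA that issued the bundled client certificate"
fi
openssl x509 -in "$demo_dir/ca.pem" -noout -subject -fingerprint -sha256
```

Comparing the printed SHA-256 fingerprint with the one shown for the CA on the server confirms that the extracted file is the expected trust anchor.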
You can also create a PEM-formatted connection. You only need to leave the password field empty while creating a new connection; in that case you get an ‘Insecure Client Package’. If you enter a password, you get a client package encrypted via PKCS#12.
The connection ‘testwithoutpwd’ has two disc icons. The left one is PEM formatted. The connection ‘testwithpwd’ has only one, which is in PKCS#12 format.
As a side note, Android should be able to handle both formats, whereby the PKCS#12 one is more secure --> https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-android/ or --> https://ics-openvpn.blinkt.de/FAQ.html .
Sorry, maybe I did not explain the issue correctly. Everything works on the server side and the packages get imported on the client side. When connecting however, the client fails to validate the server certificate because it doesn’t infer the CA certificate from the configuration.
I just tested with a configuration without a password and the resulting configuration included the CA certificate, but this could be the case even when the private key in the PKCS12 file is password protected. I’ll try to find out where in the code this happens and I’ll try to submit a patch for it.