OpenVPN on IPFire 2.29 (x86_64) - core197

I have gone through multiple iterations of the install and configuration. I have followed the steps in the forums… and my client does connect with the below errors using OpenVPN Connect 3.8.0:

Your connection configuration contains unsupported options. Contact your Server Admin for more info.
• ‘auth-token-user’
• ‘auth-token’
• ‘auth-retry’
• ‘pkcs12’

Now since this is a basic install, how am I getting the above error and how do I correct it? Thanks.

1 Like

Same here. I installed the app OpenVPN Connect (Beta) 3.7.1 (10568) on an Android 15 device, imported the .p12 file into the certificate store, imported the profile from the .ovpn file and started connecting…

Solution for me: Uncomment these 3 lines in the .ovpn file, import it as a profile again and it connects:

# auth-token-user USER
# auth-token TOTP
# auth-retry interact

I think it’s worth reading the following topic

https://community.ipfire.org/t/how-to-setup-a-newcore-191-opnvpn-connection-for-a-android-handy/

Try using the Community edition Open Source Community | OpenVPN

Regards

1 Like

Ah, you mean the app “OpenVPN for Android”, https://play.google.com/store/apps/details?id=de.blinkt.openvpn&pli=1
Will give it a try…

Here is a summary related to the OpenVPN Connect client as used in Android, Linux and Windows.

This is a free program but was designed to work with the OpenVPN Connect Server software, that you have to pay for.

For some reason OpenVPN decided not to support all the capabilities available in the OpenVPN Community Server in the OpenVPN Connect Server. That includes the options related to OTP and to the use of pkcs12 certificate containers.

They do support OTP but the setup is different to how it works in the OpenVPN Community Server.
Originally, because of demand they did include a temporary hack to work with pkcs12 certificate containers. However later on they decided they would not support those certificate containers and so you have to have the certificates split up into ca, cert and key.
The OpenVPN Community Server software continues to support pkcs12 containers.

(Incidentally, with the CU197 version any new client created has the certs embedded directly in the .ovpn file, although you can still download for the client a pkcs12 container file if required.)

Earlier this year OpenVPN changed their OpenVPN Connect software to flag up that pkcs12 was no longer supported but in the interim would still be accepted.

Now with the latest OpenVPN Connect version it looks like they have moved from still accepting the pkcs12 container to saying that it is unrecognised.

@dark0ipfire and @cordth your error messages are saying that the otp options are allowed with OpenVPN Connect but not at the client end. They can only be used by pushing from the OpenVPN Connect Server software while the OpenVPN Community Server works fine with them at the client end.

The OpenVPN for Android app and Network Manager in Linux both use the OpenVPN Community software for their clients and not the OpenVPN Connect software.

Basically OpenVPN have made their “pay” OpenVPN Connect Server just a bit misaligned with their “open source” OpenVPN Community Server and the Connect client is aligned with the Connect Server.

Basically if you use the Connect client, you will need to modify the client .ovpn to remove any parts from the Community related version that are not compatible with the Connect version or use the OpenVPN for Android version that is matched to the OpenVPN Community Server software. I have been using it for years.

5 Likes

Should the name be changed to “OpenVPN partly open source”?

Hello,
Side question: why does Core197 try to stop OpenVPN at shutdown even if it is disabled?

Also, Connection Tracking Daemon tries to read the OpenVPN log files although in this system the service was never configured / never powered on.

Thank you.

That is not new for CU197. Any package such as ssh or ips or proxy or mail or … will show up with the warning that it was not running.

If it was not intended to be running then that is fine but if it was supposed to be running then it is warning you.

It is very difficult to figure out if certain packages were intended to be enabled and had accidentally become disabled so that the message is only shown when you had intended the package to be running but now it isn’t.
Currently the initscript stop is just run as standard when shutting the system down and if the daemon is not running it provides that warn message. Not running the stop command in the initscript if the daemon is not running means that before trying to stop it you have to check if it is running first by running the status command (if that exists) and then based on that result deciding whether to try and stop the daemon or not.
This would make the whole shutdown much more complicated for no real benefit.

This process has been like this for ages.

The difference is that OpenVPN is now being dealt with the same as the other daemons and so now it shows up.

3 Likes

Thank you - this part fully explains why OpenVPN is shown in the shutdown starting from cu197.

Hi, all newly generated ovpn files don’t work with iPhones and iPads.

The OpenVPN Connect Client 3.7.2 doesn’t want the option auth-retry interact and the pkcs12 container.

It works only with changing the ovpn file.
Remove the auth option and split the pkcs12 to cert and key.
I saw this in old versions of the ovpnmain.cgi and changed it for myself to generate the right ovpn files.
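
Added example, not part of any post above and not IPFire's or OpenVPN's own code: one way to script the profile change described in the summary post and in the last post, removing the four options OpenVPN Connect rejects and embedding the PKCS#12 contents as inline ca, cert and key blocks. The function names, the file names, the sample profile and the `P12_PASS` environment variable are assumptions.

```shell
#!/bin/sh
# Added example; function names, file names and P12_PASS are assumptions.

# Constructed sample of a profile carrying the four options Connect rejects.
sample_profile() {
cat <<'EOF'
client
dev tun
remote vpn.example.org 1194
pkcs12 client1.p12
auth-token-user USER
auth-token TOTP
auth-retry interact
verb 3
EOF
}

# Delete the active directives OpenVPN Connect flags; all other lines pass through.
strip_unsupported() {
    sed -E '/^[[:space:]]*(auth-token-user|auth-token|auth-retry|pkcs12)([[:space:]]|$)/d'
}

# Print the PEM objects selected by the openssl flags in "$@" from a PKCS#12 file,
# without the "Bag Attributes" text openssl prints around them.
p12_pem() {
    p12=$1; shift
    pem=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS "$@" 2>/dev/null |
          sed -n '/-----BEGIN/,/-----END/p')
    [ -n "$pem" ] || { echo "openssl returned no PEM data for: $*" >&2; return 1; }
    printf '%s\n' "$pem"
}

# Emit the cleaned profile followed by inline <ca>, <cert> and <key> blocks.
# The key is extracted with -nodes, so it lands in the output unencrypted.
# Nothing is printed unless all three extractions succeed.
convert_profile() {   # $1 = original .ovpn, $2 = matching .p12
    ca=$(p12_pem "$2" -cacerts -nokeys) || return 1
    cert=$(p12_pem "$2" -clcerts -nokeys) || return 1
    key=$(p12_pem "$2" -nocerts -nodes) || return 1
    strip_unsupported < "$1"
    printf '<ca>\n%s\n</ca>\n<cert>\n%s\n</cert>\n<key>\n%s\n</key>\n' "$ca" "$cert" "$key"
}

# Usage: P12_PASS=... sh convert.sh client.ovpn client.p12 > client-connect.ovpn
if [ "$#" -eq 2 ]; then convert_profile "$1" "$2"; fi
```

The resulting file contains the private key in clear text, so write it under `umask 077` and delete it once it has been imported on the device.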