In fact it's RC7 that does it wrong and RC11 that does it right... Here is the --tls-remote parameter doc:

  --tls-remote name
      Accept connections only from a host with X509 name or common name equal to name. The remote host must also pass all other tests of verification.

      Name can also be a common name prefix, for example if you want a client to only accept connections to "Server-1", "Server-2", etc., you can simply use --tls-remote Server

So you should be using the content of the CN field... for a certificate issued to

  C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=client2/[EMAIL PROTECTED]

you should have "tls-remote client2".

In 2.1-rc7 there was a regression in the X509 certificate data extraction which impacted all the options using the X509 name contents; your current tls-remote value is a workaround to that bug.

See http://sourceforge.net/mailarchive/message.php?msg_id=F434C2FD-28EE-4FF2-B677-366B18B99AA6%40lassitu.de for the upstream bug in RC7.
See bug 265058 for a discussion on fixing this RC7 problem in a hardy SRU.

** Changed in: openvpn (Ubuntu)
       Status: New => Invalid

-- 
openvpn 2.1~rc11 tls_read_plaintext error
https://bugs.launchpad.net/bugs/289856
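
The matching rule quoted from the --tls-remote doc above, as an added example that is not part of the original message and is not OpenVPN source code: a peer is accepted when the configured name equals the X509 name or is a prefix of the CN, so "client2" also accepts a CN of "client20". The function names and the subject strings (the certificate subject from the message with its elided e-mail part left out) are constructed for illustration.

```python
# Illustration of the documented --tls-remote rule only; hypothetical helper
# names, not OpenVPN's implementation.

def parse_subject(subject):
    """Split 'C=US, ST=CA, ..., CN=client2' into (key, value) pairs."""
    pairs = []
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((key, value))
    return pairs


def common_name(subject):
    """Return the first CN value in the subject, or None if there is none."""
    for key, value in parse_subject(subject):
        if key == "CN":
            return value
    return None


def tls_remote_accepts(name, subject):
    """Accept if name equals the X509 name, or equals / is a prefix of the CN."""
    if not name:
        # An empty string is a prefix of every CN; treat it as "no match".
        return False
    if name == subject:
        return True
    cn = common_name(subject)
    return cn is not None and cn.startswith(name)


# Constructed subjects, modelled on the one in the message.
BASE = "C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN="

if __name__ == "__main__":
    for name, cn in [("client2", "client2"), ("Server", "Server-1"),
                     ("client2", "client20"), ("client2", "client3")]:
        verdict = "accept" if tls_remote_accepts(name, BASE + cn) else "reject"
        print(f"tls-remote {name!r} vs CN={cn!r}: {verdict}")
```

Because the CN comparison is a prefix match, a name such as "client2" is only as selective as the CA's naming scheme: any certificate the same CA issued with a CN starting with that string passes this check.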