openvpn
Feature request: allow `verify-x509-name` in `<connection>` blocks
According to the docs (as of this writing):
> The following OpenVPN options may be used inside of a `<connection>` block: bind, connect-retry, connect-retry-max, connect-timeout, explicit-exit-notify, float, fragment, http-proxy, http-proxy-option, link-mtu, local, lport, mssfix, mtu-disc, nobind, port, proto, remote, rport, socks-proxy, tun-mtu and tun-mtu-extra.
`verify-x509-name` is notably absent. x509 verification can be remote-specific. A good example of this is NordVPN configs, which often contain remotes such as:
```
remote xxx.xxx.xxx.xxx yyy
verify-x509-name CN=zzz.nordvpn.com
```
Where xxx.xxx.xxx.xxx is the IP address, yyy is the port, and zzz is the expected host name. It would be nice to be able to do something like the following:
```
# ...
<connection>
remote 123.123.123.123 1234
verify-x509-name CN=co123.nordvpn.com
</connection>
<connection>
remote 234.234.234.234 2345
verify-x509-name CN=co234.nordvpn.com
</connection>
remote-random
# ...
```
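A lint check for the restriction quoted from the docs, as an added example that is not part of the original issue or the OpenVPN project: it reports options placed inside `<connection>` blocks that are not on the documented list, together with the remote they were meant for. The function name and the simplified parsing (whole-line comments only, no quoting rules) are assumptions.

```python
# Allowed list copied from the documentation excerpt quoted in the issue.
ALLOWED_IN_CONNECTION = frozenset(
    "bind connect-retry connect-retry-max connect-timeout explicit-exit-notify "
    "float fragment http-proxy http-proxy-option link-mtu local lport mssfix "
    "mtu-disc nobind port proto remote rport socks-proxy tun-mtu tun-mtu-extra".split()
)

def lint_connection_blocks(config_text):
    """Return [(line_no, option, remote)] for every option inside a
    <connection> block that the documented list does not allow there."""
    findings, pending, remote, in_block = [], [], None, False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or whole-line comment
            continue
        if line == "<connection>":
            if in_block:  # e.g. a closing tag mistyped as an opening one
                raise ValueError(f"line {line_no}: <connection> inside an open block")
            in_block, pending, remote = True, [], None
        elif line == "</connection>":
            if not in_block:
                raise ValueError(f"line {line_no}: </connection> without an open block")
            # Emit on close so the remote is known even if it came after the option.
            findings += [(n, opt, remote) for n, opt in pending]
            in_block = False
        elif in_block:
            tokens = line.split()
            if tokens[0] == "remote" and len(tokens) > 1:
                remote = " ".join(tokens[1:3])  # host and optional port
            if tokens[0] not in ALLOWED_IN_CONNECTION:
                pending.append((line_no, tokens[0]))
    if in_block:
        raise ValueError("unterminated <connection> block")
    return findings

# The configuration proposed in the issue, with well-formed closing tags.
SAMPLE = """<connection>
remote 123.123.123.123 1234
verify-x509-name CN=co123.nordvpn.com
</connection>
<connection>
remote 234.234.234.234 2345
verify-x509-name CN=co234.nordvpn.com
</connection>
remote-random
"""

if __name__ == "__main__":
    for n, opt, remote in lint_connection_blocks(SAMPLE):
        print(f"line {n}: '{opt}' is not documented for <connection> (remote {remote})")
```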