verify-x509-name inside <connection> block prevents multi-server configuration in OpenVPN
Hello OpenVPN team, I'm encountering an issue when configuring multiple servers in an .ovpn configuration file. Normally, when using a single server, the configuration includes:
remote 37.19.212.217 443 tcp
verify-x509-name CN=ca1531.nordvpn.com
However, when I attempt to add multiple servers using the
<connection>
remote 37.19.212.217 443 tcp
verify-x509-name CN=ca1531.nordvpn.com
</connection>
OpenVPN throws an error and requires verify-x509-name to be placed outside the
Expected Behavior: It should be possible to define multiple connections with individual verify-x509-name values within the <connection> block.
Observed Behavior:
When verify-x509-name is included inside a
Possible Solutions:
- Allow verify-x509-name within each <connection> block so that different servers can be defined with their respective certificates.
- Provide an alternative way to specify verify-x509-name per server in a multi-server setup.
Would you be able to clarify whether this is an intentional restriction or if it's something that can be addressed in a future update?
Thank you for your support!
As far as I can see from looking at the sources (options.c) verify-x509-name is currently handled as a "global" option, not a "per connection" option - thus, what you are trying to achieve is not possible today.
We have no plans to work on this particular feature, as there seems to be little demand for it (= your request is the first I've ever heard about this limitation). Adding this can be done - someone has to provide code, unit tests, documentation.
I stumbled on this thread because I was trying to do the same thing, with the same VPN provider. I'd like to have redundant servers configured in case one goes down. For the servers I'm trying to connect to, I noticed that the only differences in the ovpn files provided by NordVPN are remote and verify-x509-name. Making a contribution is intriguing, but my free time is limited at this time.
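Given the limitation described in the reply above, one way to keep a distinct verify-x509-name pinned to each server is to split the multi-server file into one single-server profile per `<connection>` block. The following is an added example, not code from this thread or from the OpenVPN project. The function name `split_profiles`, the second sample server and the idea of handling failover between the generated profiles outside OpenVPN are assumptions.

```python
# Added example (hypothetical helper, not part of OpenVPN).
# Directives the thread says are handled globally, not per connection.
GLOBAL_ONLY = {"verify-x509-name"}

# Constructed sample: the first block is from the post, the second is made up.
SAMPLE = """\
client
dev tun
<connection>
remote 37.19.212.217 443 tcp
verify-x509-name CN=ca1531.nordvpn.com
</connection>
<connection>
remote 192.0.2.10 443 tcp
verify-x509-name CN=server2.example.invalid
</connection>
"""

def directive(line):
    """First word of a config line, or '' for a blank line."""
    parts = line.split()
    return parts[0] if parts else ""

def split_profiles(text):
    """Return one single-server profile string per <connection> block."""
    shared, blocks, current = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "<connection>":
            if current is not None:
                raise ValueError(f"line {n}: nested <connection>")
            current = []
        elif line == "</connection>":
            if current is None:
                raise ValueError(f"line {n}: stray </connection>")
            blocks.append(current)
            current = None
        elif current is not None:
            if line:
                current.append(line)
        else:
            shared.append(raw)
    if current is not None:
        raise ValueError("unclosed <connection>")
    profiles = []
    for block in blocks:
        # A block's own global-only directive replaces any shared one, so
        # each profile pins exactly one expected certificate name.
        overridden = {directive(l) for l in block} & GLOBAL_ONLY
        kept = [l for l in shared if directive(l) not in overridden]
        profiles.append("\n".join(kept + block) + "\n")
    return profiles
```

Each returned string places `remote` and `verify-x509-name` at the top level, which is the layout the original post reports as working for a single server.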