openvpn Options error: Unrecognized option or missing parameter(s)


soft...@gmail.com

Sep 16, 2013, 7:27:50 AM
to tunnelbli...@googlegroups.com
Hi,
I recently installed 3.4beta08 (build 3576) and added a new configuration.
Trying to connect I obtain this openvpn option error:
2013-09-16 13:04:01 openvpn[907] Options error: Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources/config.ovpn:2: fatal (2.2.1)
Thanks, Andrea

=======================================
Tunnelblick: OS X 10.7.5; Tunnelblick 3.4beta08 (build 3576); prior version 3.3.0 (build 3518); Admin user

Configuration file for /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk:

dev tun
proto udp
remote ovpn.server.it
rport 443
tls-client
ns-cert-type server
auth-user-pass
comp-lzo
pull
pkcs12 name.name2_vpn.p12
ca multipleca.pem
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
================================================================================
Tunnelblick Log:

2013-09-16 13:04:01 *Tunnelblick: OS X 10.7.5; Tunnelblick 3.4beta08 (build 3576); prior version 3.3.0 (build 3518)
2013-09-16 13:04:01 *Tunnelblick: Attempting connection with VPN_ASA_2013 using shadow copy; Set nameserver = 1; monitoring connection
2013-09-16 13:04:01 *Tunnelblick: openvpnstart start VPN_ASA_2013.tblk 1337 1 0 1 0 305 -atADGNWradsgnw
2013-09-16 13:04:01 *Tunnelblick: openvpnstart starting OpenVPN:
                    *                    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Scompany-SLibrary-SApplication Support-STunnelblick-SConfigurations-SVPN_ASA_2013.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_305.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -atADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -atADGNWradsgnw --up-restart
================================================================================

Console Log:

2013-09-16 13:03:42 Tunnelblick[503] Installation or repair succeeded; Log:
                                       Tunnelblick installer started 2013-09-16 13:03:42. 3 arguments: 0x0001 /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk /private/var/folders/bd/cphvkfrc8xl3kj006s6hb28h0000gp/T/TunnelblickTemporaryDotTblk-QA5y3l/VPN_ASA_2013.tblk
                                       Copied /private/var/folders/bd/cphvkfrc8xl3kj006s6hb28h0000gp/T/TunnelblickTemporaryDotTblk-QA5y3l/VPN_ASA_2013.tblk to /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk.temp
                                       Copied /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk.temp to /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk
                                       Changed ownership of /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk and its contents from 502:502 to 502:80
                                       Changed permissions from 755 to 750 on /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk
                                       Changed permissions from 755 to 750 on /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk/Contents
                                       Changed permissions from 755 to 750 on /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk/Contents/Resources
                                       Changed permissions from 644 to 640 on /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk/Contents/Resources/name.name2_vpn.p12
                                       Changed permissions from 644 to 640 on /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk/Contents/Resources/config.ovpn
                                       Changed permissions from 644 to 640 on /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk/Contents/Resources/multipleca.pem
                                       Copied /Users/company/Library/Application Support/Tunnelblick/Configurations/VPN_ASA_2013.tblk to /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk.temp
                                       Copied /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk.temp to /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk
                                       Changed ownership of /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk and its contents from 502:80 to 0:0
                                       Changed permissions from 640 to 600 on /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources/name.name2_vpn.p12
                                       Changed permissions from 640 to 600 on /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources/config.ovpn
                                       Changed permissions from 640 to 600 on /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources/multipleca.pem
                                       Created secure (shadow) copy of VPN_ASA_2013.tblk
2013-09-16 13:03:53 openvpn[902] Options error: Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources/config.ovpn:2: tal (2.2.1)
2013-09-16 13:04:01 openvpn[907] Options error: Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources/config.ovpn:2: tal (2.2.1)



jkbull...gmail.com

Sep 16, 2013, 8:01:05 AM
to tunnelbli...@googlegroups.com, soft...@gmail.com
Hmmm. These OpenVPN error messages are so cryptic and vague that this kind of problem is hard to solve.

This error ("Unrecognized option or missing parameter(s)… config.ovpn:2: tal (2.2.1)") has four parts:
  • "Unrecognized option or missing parameter(s)" -- clear enough, although quite vague.
  • "config.ovpn:2" seems to be referring to either line 2 or character 2 of the config.ovpn configuration file.
  • "tal" -- that's odd. You don't have any sequence of "tal" in the configuration file. Perhaps it is trying to show non-printable characters (with the high-bit set, for example, or control characters).
  • "2.1.1" could be just saying what version of OpenVPN you are using, but it could also be trying to say that the option is not available in OpenVPN version 2.2.1.
So either there is a missing option or an unrecognized option. I don't see anything missing, but it is always hard to see what isn't there.

There is no OpenVPN option named "tal", though, so if OpenVPN is seeing one, that's the problem.

If you have a different configuration file that works (for other servers, for example), you could do a "diff" on the two configuration files to see what differences there are. (The order of options in a configuration file does not matter, so you can move them around to make the new configuration better match the one that works and minimize the differences.)

Otherwise, you might want to see if the configuration file has any non-printable characters other than LF, space, and tab.

The next beta version of Tunnelblick will test specifically for non-printable characters and warn about them, but it may not be released for a few days.

soft...@gmail.com

Sep 16, 2013, 9:55:37 AM
to tunnelbli...@googlegroups.com, soft...@gmail.com


On Monday, September 16, 2013 at 14:01:05 UTC+2, jkbull...gmail.com wrote:
  • "tal" -- that's odd. You don't have any sequence of "tal" in the configuration file. Perhaps it is trying to show non-printable characters (with the high-bit set, for example, or control characters).
Thanks for your prompt answer.
Sometimes I find in the log the word "fatal" (other times only "tal") so I suppose some chars were "eaten" in the process of logging.
  • "2.1.1" could be just saying what version of OpenVPN you are using, but it could also be trying to say that the option is not available in OpenVPN version 2.2.1.
Can I force to use in some way openVpn 2.2.3 ? I have seen that is included in TB package.

So either there is a missing option or an unrecognized option. I don't see anything missing, but it is always hard to see what isn't there.

There is no OpenVPN option named "tal", though, so if OpenVPN is seeing one, that's the problem.

If you have a different configuration file that works (for other servers, for example), you could do a "diff" on the two configuration files to see what differences there are. (The order of options in a configuration file does not matter, so you can move them around to make the new configuration better match the one that works and minimize the differences.)

The configuration is the same I used successfully until yesterday with TB 3.3
I had to upgrade because the old certificate p12 expired and the new one didn't work with 3.3 due to the ctrl-char check on the new p12 certificate that didn't pass.
The error messages like this one:
2013-09-16 12:59:35 openvpn[858] Options error: Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources/config.ovpn:2: fatal (2.2.1)
is written by openvpn client 2.2.1 (inside TB) that is not able to understand something ? Or it's a message from openvpn server in the remote server ?

I have another VPN config working well (both TB 3.3 and the new one), very similar, without the "ca multipleca.pem" line.
I tried to comment that line, but the result was the same error.

Otherwise, you might want to see if the configuration file has any non-printable characters other than LF, space, and tab.

The next beta version of Tunnelblick will test specifically for non-printable characters and warn about them, but it may not be released for a few days.

I rewrote the config file from scratch directly in osx shell by nano.

Thanks for your help,
Andrea

jkbull...gmail.com

Sep 16, 2013, 10:36:24 AM
to tunnelbli...@googlegroups.com, soft...@gmail.com
On Monday, September 16, 2013 9:55:37 AM UTC-4, soft...@gmail.com wrote:
Sometimes I find in the log the word "fatal" (other times only "tal") so I suppose some chars were "eaten" in the process of logging.

Good point. That's probably what happened.


  • "2.1.1" could be just saying what version of OpenVPN you are using, but it could also be trying to say that the option is not available in OpenVPN version 2.2.1.
Can I force to use in some way openVpn 2.2.3 ? I have seen that is included in TB package.

Yes. Use the "OpenVPN version" setting on the "Preferences" panel.

 
If you have a different configuration file that works (for other servers, for example), you could do a "diff" on the two configuration files to see what differences there are. (The order of options in a configuration file does not matter, so you can move them around to make the new configuration better match the one that works and minimize the differences.)

The configuration is the same I used successfully until yesterday with TB 3.3
I had to upgrade because the old certificate p12 expired and the new one didn't work with 3.3 due to the ctrl-char check on the new p12 certificate that didn't pass.

I think the control-char check is only done when a .tblk is installed, not when you connect using it. So you should be able to revert to Tunnelblick 3.3.0 since you have already installed the .tblk. If that fixes the problem, then please let me know -- you will have discovered a bug in the beta.

 
The error messages like this one:
2013-09-16 12:59:35 openvpn[858] Options error: Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/company/VPN_ASA_2013.tblk/Contents/Resources/config.ovpn:2: fatal (2.2.1)
is written by openvpn client 2.2.1 (inside TB) that is not able to understand something ? Or it's a message from openvpn server in the remote server ?

This is a message from the OpenVPN program complaining about the configuration as it starts up and figures out what it is supposed to do -- it has not contacted the OpenVPN server at that point and stops there.

 
I have another VPN config working well (both TB 3.3 and the new one), very similar, without the "ca multipleca.pem" line.
I tried to comment that line, but the result was the same error.

Check that there is not something in the other config that is missing in the one that fails -- a "missing parameter".

 
Otherwise, you might want to see if the configuration file has any non-printable characters other than LF, space, and tab.

I rewrote the config file from scratch directly in osx shell by nano.

That should take care of any non-printable characters.

I made a .tblk with your configuration file (I copy/pasted it from your post) and dummy name.name2_vpn.p12 and multipleca.pem files, installed it, and tried to connect. It got past the problem that you are having, and asked me for a username/password for the VPN.

I assume that "name.name2_vpn.p12" and "multipleca.pem" are not the actual names of the files you are using -- that you edited them before posting -- so maybe there is something odd about the actual file names in the options in the configuration file.

The only other thing I can think of is CR characters in one of the files. I have seen OpenVPN fail with very unusual results for certain types of files if the file contains CR-LF line endings (instead of LF line endings). I doubt that's it, but it might be worth looking at.

soft...@gmail.com

Sep 17, 2013, 5:44:22 AM
to tunnelbli...@googlegroups.com, soft...@gmail.com


On Monday, September 16, 2013 at 16:36:24 UTC+2, jkbull...gmail.com wrote:
On Monday, September 16, 2013 9:55:37 AM UTC-4, soft...@gmail.com wrote:
Sometimes I find in the log the word "fatal" (other times only "tal") so I suppose some chars were "eaten" in the process of logging.

Good point. That's probably what happened.
 
I made several tests changing the order of commands and the error message changed somewhat until I realized that the error strings (tal, non-fatal, etc.) belonged to this line of the config:

# 1 -- mostly quiet, but display non-fatal network errors.

So the line EOFs were not detected well.


The only other thing I can think of is CR characters in one of the files. I have seen OpenVPN fail with very unusual results for certain types of files if the file contains CR-LF line endings (instead of LF line endings). I doubt that's it, but it might be worth looking at.



This was exactly the problem. I changed all EOF from Mac CR to Unix LF and all started to work.
Thanks for your help and greetings from Italy,
Andrea
 

jkbull...gmail.com

Sep 17, 2013, 10:44:41 AM
to tunnelbli...@googlegroups.com, soft...@gmail.com
On Tuesday, September 17, 2013 5:44:22 AM UTC-4, soft...@gmail.com wrote:
This was exactly the problem. I changed all EOF from Mac CR to Unix LF and all started to work.

Ah. So it is the old Mac CR without LF line endings that are the problem, not Windows CR-LF line endings. That makes sense.

Motivated by this thread, I did some testing and verified that CR without LF is a problem in config files, and also in .crt, .key, .pem, and script files.

So I have just committed changes to the source code (r2603) to remove or replace CR characters in those files when installing a .tblk. This should standardize to Unix line endings -- just a LF. The changes will be in the next release.

For simplicity, I do it as follows: First CR-LF is replaced by LF, then CR is replaced by LF. There might be CR-CR-LF sequences which get changed into LF-LF, but they shouldn't exist, and if they do, the change should be cosmetic and still function properly.

Thanks for reporting this, trying things out, finally finding the problem, and then reporting back!
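
The line-ending check and the two-step replacement discussed in this thread, as an added Python example (not Tunnelblick's code and not part of the original posts). The sample bytes are constructed and all function names are hypothetical; `lines_seen_by_lf_parser` models a reader that splits only on LF, which is an assumption used for illustration, not OpenVPN's actual parser.

```python
import re

# Constructed sample: a few options from the posted config saved with old-Mac
# CR-only line endings, ending in one CR-CR-LF sequence to cover the edge case.
SAMPLE = (b"dev tun\rproto udp\rremote ovpn.server.it\r"
          b"# 1 -- mostly quiet, but display non-fatal network errors.\r"
          b"verb 3\r\r\n")


def line_ending_report(data: bytes) -> dict:
    """Count each line-ending style plus other control or high-bit bytes."""
    crlf = data.count(b"\r\n")
    return {
        "crlf": crlf,
        "lone_cr": data.count(b"\r") - crlf,
        "lone_lf": data.count(b"\n") - crlf,
        # Bytes other than printable ASCII, tab, CR and LF.
        "other_nonprintable": len(re.findall(rb"[^\x20-\x7e\t\r\n]", data)),
    }


def normalize_line_endings(data: bytes) -> bytes:
    """Order described in the post: CR-LF -> LF first, then remaining CR -> LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def lines_seen_by_lf_parser(data: bytes) -> int:
    """Number of lines found by a reader that treats only LF as a terminator."""
    parts = data.split(b"\n")
    return len(parts) - 1 if data.endswith(b"\n") else len(parts)


if __name__ == "__main__":
    print("before:", line_ending_report(SAMPLE))
    print("lines before:", lines_seen_by_lf_parser(SAMPLE))
    fixed = normalize_line_endings(SAMPLE)
    print("after: ", line_ending_report(fixed))
    # CR-CR-LF became LF-LF, so one extra blank line appears at the end.
    print("lines after:", lines_seen_by_lf_parser(fixed))
```

With CR-only endings the LF-splitting reader sees the options and the comment as one long line, which is consistent with comment text turning up in the error message.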

soft...@gmail.com

Sep 18, 2013, 5:20:08 AM
to tunnelbli...@googlegroups.com, soft...@gmail.com


On Tuesday, September 17, 2013 at 16:44:41 UTC+2, jkbull...gmail.com wrote:

Thanks for reporting this, trying things out, finally finding the problem, and then reporting back!


You're welcome!
Good job
Andrea