OpenVPN Config Problem (PIA)

Reddirt · June 2, 2025 at 3:25 AM

Not sure what's going on here so I defer to the LE Gurus. Just started today. This is a photo of the error log. Running RPi5 with nightly 13.0 20250201.

**chewitt** · June 2, 2025 at 4:40 AM

The OpenVPN config PIA distributes implements a Certificate Revocation List (CRL) check for security reasons, but the CRL data they embed in the config contains invalid dates and this causes connection failures with OpenSSL 3.3.0 or newer. Our master branch (LE13) bumped to 3.3.0 in April 2024 and is currently on 3.5.0, while the LE12 branch is currently on 3.2.4 - so I would assume you have moved from LE12 to LE13 and this introduced the issue.

See https://github.com/openssl/openssl/discussions/24301 - according to posts/reddit threads linked from that discussion thread the workaround is removing the <crl-verify> section from the PIA config.

Reddirt · June 2, 2025 at 6:07 PM

So if I understand this issue correctly would a clean install of LE13 with OpenSSL 3.5.0 solve this?

**chewitt** · June 3, 2025 at 1:41 PM

Quote from Reddirt

So if I understand this issue correctly would a clean install of LE13 with OpenSSL 3.5.0 solve this?

If the problem starts with OpenSSL 3.3.0 "and newer" and LE13 is running OpenSSL 3.5.0 .. then no.

Just edit the config and remove the offending <crl-verify> section.

Reddirt · June 3, 2025 at 4:22 PM

Got it. Thanks.

Reddirt · June 3, 2025 at 6:43 PM

I see this is a PIA issue so I contacted them. I found this issued has been around for some time so maybe it's time for them to correct it.

OpenVPN Config Problem (PIA)

Similar Threads

WireGuard - Experimental support for connecting via FQDN not IP

Invalid Key/WiFi issues on RaspberryPi with USB dongle