OpenVPN Config Problem (PIA)

    The OpenVPN config PIA distributes implements a Certificate Revocation List (CRL) check for security reasons, but the CRL data they embed in the config contains invalid dates and this causes connection failures with OpenSSL 3.3.0 or newer. Our master branch (LE13) bumped to 3.3.0 in April 2024 and is currently on 3.5.0, while the LE12 branch is currently on 3.2.4 - so I would assume you have moved from LE12 to LE13 and this introduced the issue.

    See https://github.com/openssl/openssl/discussions/24301 - according to posts/reddit threads linked from that discussion thread the workaround is removing the <crl-verify> section from the PIA config.

    Quote from Reddirt

    So if I understand this issue correctly would a clean install of LE13 with OpenSSL 3.5.0 solve this?

    If the problem starts with OpenSSL 3.3.0 "and newer" and LE13 is running OpenSSL 3.5.0 .. then no.

    Just edit the config and remove the offending <crl-verify> section.

    Meantime I decided to have a go at the edit option. This can be done using ssh only? I was looking for way to edit the config file on a pc but can't find the file anywhere on the micro sdcard. Probably a dumb question but I'm in the dark here.

    Here you go, config file is one you downloaded from PIA.

    Open the .ovpn file: Locate the PIA OpenVPN configuration file (usually with a .ovpn extension) and open it with a text editor.

    Locate the <crl-verify> section: Search for the <crl-verify> tag and the corresponding </crl-verify> tag.

    Delete the section: Delete the entire block of text between these two tags, including the tags themselves.

    Save the file: Save the modified .ovpn file.

    File is not on SD card as this is the libreelec operating system files. The file you want to edit is a .ovpn file that you obtained from PIA that you then use to setup your vpn.

    PC in a USB port running Linux Mint and or Win11

    Maybe I'm missing something here. Normal setup has always been:

    Install OpenVPN from zip file

    OpenVPN then offers Manual or Wizard

    I select Wizard the Private Internet Access then select a server to use. Never once had any issues in a dozen years but it seems

    PIA had a bad entry in OpenVPN? I'm just guessing at this. Per Chewitt PIA provided OpenVPN a defective file entry?

    Edited once, last by Reddirt: Merged a post created by Reddirt into this post. (June 4, 2025 at 1:25 AM).