At one point I had my OpenVPN working just fine and a while back, it quit working, and I borked it so badly it has never worked since. I made the mistake of posting this question on an OLD thread. I finally found this place to post.
I finally decided to come back and revisit this and found that I had the wrong certificate in the Client export. It is showing "SSLVPN Server Certificate" and I believe it should be the user certificate. I cannot for the life of me figure out where to change this. I thought that maybe deleting the linked user certificate under my user ID might force it. Alas, when I went to select System/Access/User/User Certificate, I chose use existing certificate. Nothing came up. Just 2 boxes to paste raw certificate data. I tried about 5 times, and all of a sudden it popped up. I am wondering if I have uncovered a bug?
More importantly, how do I change the certificate under VPN/OPENVPN/ClientExport/ at the very bottom where it shows Accounts/Certificates? Mine shows SSLVPN Server Certificate. Linked users are blank. I don't see anywhere in the documentation where to modify this. Anybody?
In client export only certificates are listed which were created by the same CA used by the OpenVPN server itself.
Just check if they are the same.
Okay, so if I understand... The exported certificate should be the same as the server certificate on the vpn server?
The documentation seemed to indicate that the exported Certificate should be a user certificate. The failure I'm seeing in the logs is: error=unsupported certificate purpose. So I was assuming this matched with what I saw in the docs.
The other thing that seems odd to me, is in VPN/OPENVPN/Client export/ under linked users: nothing. Should I not see the name of the user there?
No, they should both be created by the same CA
Your answer is cryptic, incomplete and confusing.
No, the certificate should be the same. So server for the export, not user? The rest is unanswered.
See my post in other thread
X.509 PKI is fairly straightforward: https://techblognow.wordpress.com/2015/02/20/x-509-certificates-explained/
It is all just text and you can combine client cert, key and CA cert into a single .ovpn file with all the other options:
dev tun
cipher ...
client
remote ...
auth-user-pass
...
<ca>
-----BEGIN CERTIFICATE-----
...text...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...text...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...text...
-----END PRIVATE KEY-----
</key>
Full details are here: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Bart...
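The inline .ovpn layout Bart describes, together with the purpose check behind the "error=unsupported certificate purpose" message quoted earlier in the thread, as an added worked example that is not part of the original posts or of OPNsense/OpenVPN itself. It builds a throwaway CA, a server certificate with only the serverAuth extended key usage and a client certificate with clientAuth, assembles a client .ovpn with the CA, cert and key inlined, and then runs openssl verify -purpose sslclient against each certificate: the client cert passes, the server cert fails with exactly the error from the log. The hostname, file names and subjects are made up; only openssl, sed and coreutils are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): show why a server certificate fails the
# sslclient purpose check and how an inline .ovpn is assembled and taken apart.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Throwaway CA (subject and lifetime are constructed values).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example OpenVPN CA" -days 1 2>/dev/null

# issue_cert NAME EKU: sign a leaf certificate with the CA, restricted to one EKU.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 1 -extfile "$1.ext" 2>/dev/null
}

# 2. Server cert (serverAuth only) and client cert (clientAuth), same CA.
issue_cert vpn-server serverAuth
issue_cert vpn-user clientAuth

# 3. Assemble a client .ovpn with CA, client cert and key inlined, the layout
#    shown in the post above. remote/cipher values are placeholders.
build_ovpn() {
  {
    printf 'client\ndev tun\nremote vpn.example.invalid 1194\nauth-user-pass\n'
    printf '<ca>\n';   cat ca.crt;       printf '</ca>\n'
    printf '<cert>\n'; cat vpn-user.crt; printf '</cert>\n'
    printf '<key>\n';  cat vpn-user.key; printf '</key>\n'
  } > client.ovpn
}

# extract_block FILE TAG: print the PEM between <TAG> and </TAG> of a .ovpn file.
extract_block() {
  sed -n "/^<$2>$/,/^<\/$2>$/p" "$1" | sed '1d;$d'
}

# check_purpose CERT PURPOSE: 0 if CERT chains to ca.crt and is usable for PURPOSE
# (sslclient is what the OpenVPN server demands of a connecting client).
check_purpose() {
  openssl verify -purpose "$2" -CAfile ca.crt "$1" >/dev/null 2>&1
}

# purpose_error CERT PURPOSE: the verifier's reason text when the check fails.
purpose_error() {
  openssl verify -purpose "$2" -CAfile ca.crt "$1" 2>&1 \
    | grep -o 'unsupported certificate purpose' | head -n1
}

# Demonstration: extract the cert back out of the .ovpn and test both certs.
build_ovpn
extract_block client.ovpn cert > from-ovpn.crt
for c in from-ovpn.crt vpn-server.crt; do
  if check_purpose "$c" sslclient; then
    echo "$c: OK for sslclient"
  else
    echo "$c: REJECTED ($(purpose_error "$c" sslclient))"
  fi
done
```

Exporting a certificate that carries only the serverAuth purpose is therefore rejected at the TLS layer even though the CA matches, which is the "unsupported certificate purpose" error; a client export needs a certificate whose extended key usage includes clientAuth, and `openssl x509 -in cert.crt -noout -text` shows which purposes a given certificate has.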
Thanks! I think that may make more sense. I'm not sure if there is a problem with the GUI or it isn't clear or what. I used OpenVPN in pfSense for over a year. When I made the switch, I got it working and then after around 1 month it stopped after an upgrade. I've never got it working again in OPNsense.