OPNsense Forum
English Forums => General Discussion => Topic started by: seamus on March 03, 2019, 11:53:54 pm
-
So I've been using v 18.X for some time. My OpenVPN server on OPNsense had always worked just fine with my `Viscosity` client. Recently, I upgraded OPNsense from v 18.X to v 19.X. Everything seems to work except my OpenVPN client refuses to connect.
And it's a "quick disconnect": as soon as the authentication is entered (userid + 2FA password), the client reports the connection as "down". I've double-checked my password, and my IP address (dynamic IP), and they're correct. The timing makes me wonder if the client config that I exported over a year ago is now deprecated in some way.
Any ideas? Did something change between v 18 and v 19 that would have broken an existing OpenVPN configuration?
-
If you do 12 in the console, do you find any updates? You might be on 19.1.1
-
> If you do 12 in the console, do you find any updates? You might be on 19.1.1
From the Dashboard, I see this:
Versions
OPNsense 19.1.2-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2q 20 Nov 2018
A "check for updates" from the Dashboard reports "There are no updates available on the selected mirror."
It's as if something was blocking the VPN connection. But my fw rules haven't changed.
-
Try reexporting the configuration and try both Viscosity and Tunnelblick. At the very least you should get some error messages that could narrow it down.
-
The System:Access:Tester has confirmed that my OTP generator, userid & Password are working as they should.
However... Looking at my self-signed CA and the certificates I generated last year, I see they are all expired. I am really fuzzy on the roles (and even the necessity for) Certs given that my OTP/2FA is in place, but it seems clear that they (Certs) must be required as they're included in the "How-To" guide.
Unless someone has a suggestion for eliminating the need for these Certs, I'll close this question. Once I've worked through the cert renewals, I'll post another question if I have difficulties.
-
Just to close this out, expired certs were the source of my breakage; the version upgrade was coincidental. Once I installed a new CA and generated new certs for the user and the server, things fell into place. I had to edit my user config and VPN server config to add the new certs, then export a new Viscosity client package. After installing the new Viscosity profile, I was able to make a connection.
And FWIW, I'd like to suggest that OPNsense incorporate a feature to flag expired certs for the admin. (Am I spoiled? :)
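-
The expired-certificate failure described in this thread can be caught ahead of time with a periodic expiry check. The following is an added example, not part of the original posts and not OPNsense code; it assumes `openssl` is installed and that the certificates are available as PEM, either as separate files or inline in an exported client profile, and `cert_report` and `make_sample_cert` are hypothetical names.

```shell
# cert_report FILE [WARN_DAYS]
# Prints "<STATUS><TAB><notAfter><TAB><subject>" for every PEM certificate in
# FILE. STATUS is EXPIRED, EXPIRING (within WARN_DAYS, default 30) or OK.
# Returns 0 if all are OK, 1 if any is EXPIRED/EXPIRING, 2 if none was found.
cert_report() {
    file=$1
    warn_secs=$(( ${2:-30} * 86400 ))
    tmpdir=$(mktemp -d) || return 2
    # Split each certificate into its own file: "openssl x509" reads only the
    # first PEM block, and a profile may carry CA and client cert together.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/   { keep = 0; close(out) }
    ' "$file"
    rc=2
    for pem in "$tmpdir"/*.pem; do
        [ -f "$pem" ] || continue
        if [ "$rc" -eq 2 ]; then rc=0; fi
        end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
        subj=$(openssl x509 -in "$pem" -noout -subject)
        if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            status=EXPIRED; rc=1
        elif ! openssl x509 -in "$pem" -noout -checkend "$warn_secs" >/dev/null; then
            status=EXPIRING; rc=1
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$end" "$subj"
    done
    rm -rf "$tmpdir"
    return "$rc"
}

# make_sample_cert DAYS OUT: constructed throwaway self-signed certificate
# (private key written to OUT.key) for trying the check without real material.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=sample-$1d" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}
```

Because the return code is non-zero whenever a certificate is expired or inside the warning window, the function can be called from a scheduled job that alerts on failure.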