OPNsense Forum
Archive => 19.7 Legacy Series => Topic started by: jljb66 on September 26, 2019, 08:23:20 pm
-
running:
OPNsense 19.7.4_1-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019
I have configured the authoritative and server certificates, user name and cert, but when I try to perform the client export I do not see "link to openvpn clients" at the bottom of the page. In addition I see an option "export type" which is not in the documentation.
Am I missing something? See the screenshot for info.
-
Bump.
Any ideas, please?
-
The same exact issue here. Anyone know how to work around this or what I may have missed?
OPNsense 19.7.4_1-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019
-
I had mine working just fine, but due to a major configuration issue with the DMZ and LAN we had to restore back to an earlier version and had to redo the OpenVPN. Mine is multi-factor and I could connect fine, but could not get out to the internet or internal net. It should have worked, but I think I made the mistake of assuming something was corrupt and deleted my OpenVPN server, reinstalling OpenVPN and starting "over".
Well now I'm really hosed. I have lost the user link to export. I even created a new certificate in an attempt to redo everything. Still no go. So at this point, I don't know if an update has borked it, I have corrupted something, or the process has changed and the docs don't reflect it.
-
I have the exact same issue.
There is no "Client Install Packages" entry under "VPN: OpenVPN: Client Export" after configuring VPN Server
OPNsense 19.7.6-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2t 10 Sep 2019
This installation is some years old and has always been updated. Maybe we lost some features along the way?
Thanks
Jan
-
I'll take a chance someone will see this. I finally decided to come back and revisit this and found that I had the wrong certificate in the Client export. It is showing "SSLVPN Server Certificate" and I believe it should be the user certificate. I cannot for the life of me figure out where to change this. I thought that maybe deleting the linked user certificate under my user id might force it. Alas, when I went to select System/Access/User/User Certificate, I chose use existing certificate. Nothing came up. Just 2 boxes to paste raw certificate data. I tried about 5 times, and all of a sudden it popped up. I am wondering if I have uncovered a bug?
More importantly, how do I change the certificate under VPN/OPENVPN/ClientExport/ at the very bottom where it shows Accounts/Certificates? Mine shows SSLVPN Server Certificate. Linked users are blank. I don't see anywhere in the documentation where to modify this. Anybody?
-
It seems you have two CAs, and the server certificate the server runs with is from a different CA than the one the client uses, so it will not be shown.
Just be sure to use one CA and no groups at the beginning to have a first success.
-
I've not added or changed certificates. It did work originally, but then after some unknown issues, it quit working. I have never managed to get it working right since.
-
Screenshots of OpenVPN Server, Client Export and certificates
-
Well they say a picture is worth a 1,000 words, so hopefully this will help.
Pic 1
-
Pic 2
-
Pic 3
-
Pic 4
-
You set Server Mode to User Auth, this means there are no client certificates required. That's it :)
-
This is confusing to me. So if no client certificate required, does this explain why there are no linked users?
-
When you don't use client certificates every config file is the same. You can just distribute one file to all users and the only factor is user/pw.
-
Uh oh.. that is not good then. I was using the Google authenticator to make it more secure, but I think I should change the setup, so each has their own key.
-
Hm, I just checked the official guide and there is the error too, I'll fix that:
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
Just use User Auth + Certificate, then you'll also see the users in client export
-
I thought I would come back and report what some of my problems were, since one of the questions I asked was never really answered.
Under OpenVPN client export I thought it was odd that a username was not "linked". I knew it had to be a certificate issue and I was loath to start creating new ones, since I was sure it worked before. I followed instructions a while back that said to use an intermediate CA. I kind of forgot about it and kept going in a rotary fashion until I started reading up on the OpenVPN website about certificates and it finally dawned on me. Select the Intermediate CA for Peer Certificate of Authority. Boom!!! Now it shows the linked user as it should.
I am now multi factor again, and working. Thanks all for helping
I'll back this sucker up and save it in case it borks again.
One more little question. They talk about taking the main CA, removing it, putting it on a thumb drive and storing it. Does anyone do that? I did find where the server CAs are stored, but I'm not anxious to bork things right away. Will enjoy my newfound freedom on the road next week. :)
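To make the two points in this thread concrete (the reply above about Server Mode "User Auth" producing one identical profile for every user, and the later fix of selecting the intermediate CA so the user certificate is linked), here is an added example that is not part of the original thread and not OPNsense's own code. It inspects exported OpenVPN client profiles (.ovpn text) and reports whether a profile carries a per-user identity (inline `<cert>`/`<key>`), whether it asks for a password, and how many certificates the `<ca>` block ships (a chain that goes through an intermediate CA needs both). The sample profiles are constructed here; their PEM bodies are placeholder bytes, not real certificates or keys, and the hostname vpn.example.org is hypothetical. The SHA-256 over the decoded PEM body is the usual DER fingerprint when the body is a real certificate.

```python
"""Classify exported OpenVPN client profiles: shared credentials-only vs per-user certificate."""
import base64
import hashlib
import re

# Inline blocks such as <ca>...</ca>, <cert>...</cert>, <key>...</key>, <tls-auth>...</tls-auth>
INLINE_RE = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)
# One PEM object (certificate or key); several may sit inside a single <ca> block
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----\n(?P<b64>.*?)\n-----END [A-Z ]+-----", re.S)


def parse_profile(text):
    """Split a profile into its inline blocks and its plain directives."""
    blocks = {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(text)}
    directives = []
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            directives.append(line)
    return blocks, directives


def pem_fingerprints(pem_text):
    """SHA-256 of each decoded PEM body (for a real certificate this is its DER fingerprint)."""
    return [hashlib.sha256(base64.b64decode(m.group("b64").replace("\n", ""))).hexdigest()
            for m in PEM_RE.finditer(pem_text)]


def classify(text):
    """Return what the profile authenticates with and how many CA certificates it carries."""
    blocks, directives = parse_profile(text)
    has_identity = "cert" in blocks and "key" in blocks
    asks_password = any(d == "auth-user-pass" or d.startswith("auth-user-pass ")
                        for d in directives)
    ca_chain_len = len(pem_fingerprints(blocks.get("ca", "")))
    cert_fp = pem_fingerprints(blocks["cert"])[0] if has_identity else None
    if has_identity and asks_password:
        mode = "user auth + certificate"
    elif has_identity:
        mode = "certificate only"
    elif asks_password:
        mode = "user auth only (identical profile for every user)"
    else:
        mode = "no client authentication directives"
    return {"mode": mode, "per_user": has_identity, "password": asks_password,
            "ca_chain_len": ca_chain_len, "cert_fingerprint": cert_fp}


def _fake_pem(label, payload):
    """Placeholder PEM wrapper around arbitrary bytes: constructed sample, NOT a real cert or key."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----"


# Constructed sample CA material (placeholders, see _fake_pem)
ROOT_CA = _fake_pem("CERTIFICATE", b"constructed: root CA")
INTERMEDIATE_CA = _fake_pem("CERTIFICATE", b"constructed: intermediate CA")

# What a "User Auth" only export looks like: no <cert>/<key>, same file for everyone
SHARED_PROFILE = f"""client
dev tun
remote vpn.example.org 1194 udp
auth-user-pass
<ca>
{ROOT_CA}
</ca>
"""


def per_user_profile(username):
    """What a "User Auth + Certificate" export looks like, with the CA chain through the intermediate."""
    cert = _fake_pem("CERTIFICATE", b"constructed: user cert for " + username.encode())
    key = _fake_pem("PRIVATE KEY", b"constructed: user key for " + username.encode())
    return (f"client\ndev tun\nremote vpn.example.org 1194 udp\nauth-user-pass\n"
            f"<ca>\n{ROOT_CA}\n{INTERMEDIATE_CA}\n</ca>\n"
            f"<cert>\n{cert}\n</cert>\n<key>\n{key}\n</key>\n")


if __name__ == "__main__":
    print("shared :", classify(SHARED_PROFILE))
    for user in ("alice", "bob"):
        print(f"{user:6}:", classify(per_user_profile(user)))
```

Run it and the shared profile reports "user auth only" with a one-certificate `<ca>` block and no fingerprint, while alice's and bob's profiles each carry a distinct certificate fingerprint and a two-certificate chain; a profile with `<cert>` but only the root in `<ca>` is the shape to look for when the user certificate was issued by an intermediate that the export does not include.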
-
The key for the CA is saved without password and sits on your outside border. This is usually not a safe design for enterprises.
-
Well if it weren't for bad luck I would not have any.
I got the system working, backed it up immediately. I then proceeded to try to do some work on the internal NAS. No connection. Nobody could see the internal network from the wireless. It is segmented and rules allow trusted devices only to connect. After some troubleshooting, I decided to pull a previous backup config file in case I had messed it up. System never came back up.
I hooked up a monitor and keyboard and the derned thing was hung in boot. I assumed the /root was corrupt. Fiddled with it for hours and could not fix it. Fortunately I had a spare box, and pulled the data onto this new box.
So at least I'm up and running for work today, but.... VPN is hosed again. I assumed each instance of an installation gets a unique hash/fingerprint, so will I need to redo just the export for the client, or do I have to run new CAs? I am just now back up after 4 hours sleep and thought I'd ask, since there is an off chance it might help someone else.