OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: anomaly0617 on June 29, 2021, 09:52:30 pm

Title: OpenVPN No Client Export Option - The Solution You're Probably Looking For...
Post by: anomaly0617 on June 29, 2021, 09:52:30 pm
See https://forum.opnsense.org/index.php?topic=13354.0. You cannot reply to archived threads, so I'm creating a new thread here.

Every once in a while I have this problem as well, and figuring it out is a pain in the butt, because not everyone does OpenVPN the same. In our case, we use Active Directory as the back-end authentication mechanism. When the "Client Export" page has no link at the bottom, you start to pull your hair out trying to figure out what you did wrong... so here's the answer...

Look at the certificate you linked to in your OpenVPN Server configuration. Grab its name and then go to System > Trust > Certificates. Is it Self-Signed? If so, that's your issue.

Make sure you have a Certificate Authority for your firewall. Add one under Trust > Authorities > Add. It can be Self-Signed, because it's a Certificate Authority (i.e., something that can create and issue certificates).

Next, create a new Certificate under System > Trust > Certificates.
Create an Internal Certificate.
For Certificate Authority, choose the Certificate Authority you created above.
Under Type, make sure you select Server Certificate.
I usually set the Lifetime of this certificate to something like 3650 (10 Years). You likely don't want to have to reissue VPN profiles to users that often.
Fill in all the information. Under Common Name, give it something unique, like SSLVPN Certificate or something similar.
Save it, and let's go back to OpenVPN Servers.

VPN > OpenVPN > Servers
Edit Your Server.
Under the Cryptographic Settings section, look at Server Certificate and select the one you just created.
Go to the bottom and click Save.

Go to VPN > OpenVPN > Client Export. You should now have a link to select.
I'm a fan of "File Only" because it bundles everything up into one nice file for OpenVPN to import.
I also change the Hostname to a DNS-resolvable name. This makes life easier when you change ISPs.

Hope this helps!
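
The "is it self-signed?" check from the post can also be run from a shell against a certificate saved as a PEM file. This is an added example, not part of the original post or of OPNsense; it assumes the `openssl` CLI is available, and the script name, lab directory layout and certificate names are made up for illustration.

```shell
#!/bin/sh
# Added example: the post's "is it self-signed?" check, done with openssl.

# Print "self-signed" if subject and issuer names match, else "ca-issued".
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-issued; fi
}

# Succeed if the certificate carries the serverAuth extended key usage.
has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Succeed if certificate $1 verifies against CA certificate $2.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a constructed throwaway PKI in directory $1 (all names are made up):
# a CA, a self-signed certificate, and a server certificate issued by the CA.
make_lab() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Lab Firewall CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=selfsigned-vpn' \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=SSLVPN Certificate' \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$1/ext.cnf"
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -extfile "$1/ext.cnf" -out "$1/srv.pem" 2>/dev/null
}

# Usage (hypothetical script name): sh certcheck.sh server.pem [ca.pem]
if [ -n "$1" ]; then
    echo "$1: $(cert_kind "$1")"
    if has_server_auth "$1"; then echo "  serverAuth EKU present"; fi
    if [ -n "$2" ] && chains_to "$1" "$2"; then echo "  verifies against $2"; fi
fi
```

`make_lab` mirrors the steps in the post (a CA, then a Server Certificate issued by it) so the three checks can be tried on known-good and known-bad inputs before pointing them at a real export.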