OPNsense Forum
English Forums => Virtual private networks => Topic started by: tsaG on July 20, 2022, 09:57:43 pm
-
Hey! I switched from WireGuard to OpenVPN. However, TrueNAS SCALE doesn't want to eat it. When I input the OpenVPN connection details to use TrueNAS as an OpenVPN client, I get the message "Root CA must have KeyUsage extension set." I exported the client certificates (including CA, cert and private key) from OPNsense in the OpenVPN Client Export section. Any ideas how to fix that? As far as I can see, there is no specific option to add this.
I was following the Roadwarrior OpenVPN Tutorial: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
-
Seems to be a bug in OPNsense, not associated with your client cert, but (as the error message says) with your VPN Root CA, which as a CA should indeed have a KeyUsage extension of type "critical" with values "Certificate Sign, CRL Sign". I just tested with OPNsense 22.1.10; internal CAs created via the web GUI don't have this extension.
The only solution I can see right now is to create a Root CA having a correct KeyUsage extension with OpenSSL or any appropriate tool, import this into your OPNsense and reissue the client certificates using this Root CA.
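The workaround described in the reply above, sketched with OpenSSL as an added example (not part of the original thread and not OPNsense's own code). The CA subject, file names, validity period and key size are assumptions; the resulting `ca.crt` and `ca.key` are what would be imported before reissuing the client certificates.

```shell
#!/bin/sh
# Added example: create a root CA whose certificate carries a critical
# KeyUsage extension (Certificate Sign, CRL Sign), then verify it.
# Subject, file names, lifetime and key size below are assumptions.

make_root_ca() {  # $1 = output directory, $2 = RSA bits (default 4096)
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example VPN Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # umask keeps the private key unreadable to other users from the start.
    # -nodes leaves the key unencrypted so it can be imported as PEM.
    ( umask 077
      openssl req -x509 -newkey "rsa:${2:-4096}" -nodes -sha256 -days 3650 \
          -config "$dir/ca.cnf" \
          -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null ) || return 1
}

# Succeeds only if the certificate has a KeyUsage extension marked
# critical that contains both Certificate Sign and CRL Sign.
has_ca_key_usage() {  # $1 = PEM certificate file
    ku=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
         grep -A1 'X509v3 Key Usage: critical') || return 1
    case $ku in *"Certificate Sign"*) ;; *) return 1 ;; esac
    case $ku in *"CRL Sign"*) ;; *) return 1 ;; esac
}

# Run as: sh make-ca.sh ./vpn-ca
if [ -n "$1" ]; then
    make_root_ca "$1" && has_ca_key_usage "$1/ca.crt" && echo "KeyUsage OK"
fi
```

`has_ca_key_usage` can also be pointed at the CA certificate exported from the firewall to confirm whether the extension is missing there.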
-
The easiest job here would be to report it at least: https://github.com/opnsense/core/issues/new?assignees=&labels=&template=bug_report.md&title=
Cheers,
Franco
-
The easiest job here would be to report it at least: https://github.com/opnsense/core/issues/new?assignees=&labels=&template=bug_report.md&title=
done, see https://github.com/opnsense/core/issues/5912
-
Thanks! We will look into it next week.
Cheers,
Franco