OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: rsloan on August 14, 2017, 03:18:34 pm

Title: SSL VPN Road Warrior
Post by: rsloan on August 14, 2017, 03:18:34 pm
Hi,

This is my first post and I'm a new user to OPNsense, replacing my DD-WRT router.

I have been trying to set up the SSL VPN Road Warrior and everything works OK until it gets to the point:

VPN / OpenVPN / Client Export

The install client packages only shows 'Authentication Only (No Cert)'. Clicking on the 'i' provides the following information: "If you expect to see a certain client in the list but it is not there, it is usually due to a CA mismatch between the OpenVPN server instance and the client certificates found in the User Manager."

I have been through this process methodically twice but get the same issue both times.

Any assistance pointing me in the right direction to resolve this issue would be greatly appreciated.

Regards,

Robert.
Title: Re: SSL VPN Road Warrior
Post by: JohnDoe17 on August 14, 2017, 04:56:02 pm
Welcome to OPNsense and the forums!

I am a relatively new user too, but I just went through this procedure too.

Step 1
--------
Go to System > Access > Users and find a user authorized for the VPN.
Edit that user by clicking on the pencil icon.
Scroll down to the "User Certificates" section and note the "CA" listed there.  It should be "SSL VPN CA" if you're using the same names as the "How To."

Step 2
--------
Now, go to VPN > OpenVPN > Servers and edit the entry for the newly created VPN server by clicking on the pencil icon.
Scroll down to the "Description" section and note the text there and the port number just above it.  For example, "My SSL VPN Server" and port 1194 if you're using stuff from the "How To."
Scroll further down to the "Peer Certificate Authority" section and note the CA listed there.  It should match the CA you recorded in Step 1 above (i.e. "SSL VPN CA").

Step 3
--------
Go to VPN > OpenVPN > Client Exports and select the Remote Access Server that matches the description and port number from Step 2 above.  For example, "My SSL VPN Server:1194".
Scroll down to "Client Install Packages" and your stuff should be listed there.

If it STILL isn't listed, then my guess is you made a mistake in the "Adding a User" steps.  You MUST "Create an internal Certificate" with the correct certificate authority selected here ("SSL VPN CA") or it won't work.

NOTE!!!

I believe there is an error in the How To's "Step 2 - Firewall Rules" section.  I posted about that in the "Documentation and Translation" Forum.  Check that out too.

Good luck!  ;)

[EDIT: for a small typo and added clarity]
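
The CA comparison from Steps 1 to 3 of the post above can also be run against a configuration backup. This is an added example, not part of the thread and not OPNsense code. The element names (`ca`, `cert`, `caref`, `system/user/cert`, `openvpn/openvpn-server`) are an assumed config.xml layout, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup. Element names follow the layout
# assumed here for a config.xml export; adjust them if your file differs.
SAMPLE_CONFIG = """<opnsense>
  <ca><refid>ca-vpn</refid><descr>SSL VPN CA</descr></ca>
  <ca><refid>ca-web</refid><descr>Web GUI CA</descr></ca>
  <cert><refid>crt-alice</refid><descr>alice</descr><caref>ca-vpn</caref></cert>
  <cert><refid>crt-bob</refid><descr>bob</descr><caref>ca-web</caref></cert>
  <system>
    <user><name>alice</name><cert>crt-alice</cert></user>
    <user><name>bob</name><cert>crt-bob</cert></user>
    <user><name>carol</name></user>
  </system>
  <openvpn>
    <openvpn-server>
      <description>My SSL VPN Server</description>
      <local_port>1194</local_port>
      <caref>ca-vpn</caref>
    </openvpn-server>
  </openvpn>
</opnsense>"""

def export_candidates(config_xml):
    """Map 'description:port' of each server to a per-user export status."""
    root = ET.fromstring(config_xml)
    ca_name = {c.findtext("refid"): c.findtext("descr") for c in root.findall("ca")}
    cert_ca = {c.findtext("refid"): c.findtext("caref") for c in root.findall("cert")}
    report = {}
    for srv in root.findall("openvpn/openvpn-server"):
        key = f"{srv.findtext('description')}:{srv.findtext('local_port')}"
        server_ca = srv.findtext("caref")  # the "Peer Certificate Authority"
        users = {}
        for user in root.findall("system/user"):
            # CA of every certificate attached to this user (Step 1)
            cas = [cert_ca.get(ref.text) for ref in user.findall("cert")]
            if not cas:
                users[user.findtext("name")] = "no user certificate"
            elif server_ca in cas:
                users[user.findtext("name")] = "ok"
            else:
                names = ", ".join(ca_name.get(c, "unknown CA") for c in cas)
                users[user.findtext("name")] = f"CA mismatch ({names})"
        report[key] = users
    return report

if __name__ == "__main__":
    for server, users in export_candidates(SAMPLE_CONFIG).items():
        print(server, users)
```

A user reported as "CA mismatch" or "no user certificate" is one who would not appear under "Client Install Packages" for that server.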
Title: Re: SSL VPN Road Warrior
Post by: rsloan on August 15, 2017, 08:17:42 am
Hi,

Many thanks for your reply. I have gone through all the steps you mentioned and everything is correct, but there is still nothing in the client install packages. I shall have to delete entries in each section and try again.

Thank you for your guidance.

Regards,

Robert.
Title: Re: SSL VPN Road Warrior
Post by: monstermania on August 15, 2017, 11:27:10 am
Hi,
I set up my OpenVPN with this tutorial with OPNsense 16.7.x:
https://www.kirkg.us/posts/building-an-openvpn-server-with-opnsense/
Everything is working fine. Also the client export.

Cheers
Dirk