Messages

I noticed that in 24.7.3_1 there is an inconsistency in System: Trust: Certificates.
Valid user certificates are indicated with "x" and revoked certificates are indicated with check mark.
Exactly the opposite of what happens for Web GUI SSL certificate and CA certificate.
Please take a look at the attached screenshot.
Greetings.
Dario
P.S. sorry for my broken English.

Hello,
my environment:

2 OPNsense 24.7.3_1 in High Availability (CARP and pfsync work fine)
1 Public ip shared byy the firewalls
OpenVPN server 2.6.12
OpenVPN client 2.5.9

OpenVPN server configured on each firewalls
With OpenVPN client I get connection to both firewalls

Issue:
When the master firewall goes down OpenVPN client doesn't reconnect automatically (I must force reconnection from the client)

I would like to have a client automatic reconnection.
I tried with "persist-tun persist-key keepalive 2 10" but doesn't work

Can please anyone help me to solve this issue?

Greetings
Dario

configuring vpn server with Device mode = tap it works fine

environment:
OPNsense 24.7.1-amd64
FreeBSD 14.1-RELEASE-p3
OpenSSL 3.0.14
Vicosity client 1.11.2 (1820)
PC Windows 11

target:
always assign the same IP to the VPN client

Hello folks,
until today for VPN road warrior I used the OpenVPN client and to always assign the same IP address to the clients I configured the file /var/etc/openvpn-csc/1/username with the directive
ifconfig-push <client IP> <netmask>.

Following https://docs.opnsense.org/manual/how-tos/sslvpn_client.html I tried using the Viscosity client and the solution (/var/etc/openvpn-csc/1/username) doesn't work so I ask for help to solve the issue.

Thanks so much for the kind help.
Greetings.
Dario

I solved using Viscosity client
Kind regards
Dario

Hello Meyergru,
Thanks so much for your reply.
I'm still expertize problems with the new users certificate generation method but I'm working around.
Thanj you a lot
Dario

Hello,
is there a doc explaning how to configure VPN (better OpenVPN) road warrior on release 24.7_9?

Kind regards
Dario

Great job Patrick, now it works fine
have you a nice day
thanks a lot
Dario

Hi Patrick,
I only create the CRL under:
System / Trust / Revocation
(and I revoked the cert, the cert associated to the user is marked as "Revoke")

I toke a look under OpenVPN Server but I don't found the way to configure the CRL

Can you please show me the way / give me instructions?

Thanks a lot
Dario

Hello folks,
I'm stuck on certificate revocation.

I always used username and cert to create VPN clients:
1) create user / password
2) create user-cert
3) bind user and user-cert
4) OpenVPN client export

I revoked a cert:
1) create CA Revocation List
2) revoke the cert

but the user still connetcs using VPN

This is embarazing.
Can someone please help me to solve this issue?

Greetings
Dario

Hello Monviech,
thank you for your quick response.
what you suggest seems to be the solution.
I'll test it soonest.
Greetings
Dario

Hello to all,
my environment:
- a LAN interface that hosts approximately 10 PCs
- two public interfaces connected to two different Internet accesses (A and B)
from all the PCs connected to the LAN I want to be able to direct a specific traffic (https) towards network B while all Internet browsing must go out through network A.
I guess this is fixable by configuring static routing in the firewall.
The problem is that to access the web app on network B Imust use a proxy made available by the manager of network B and I ask if there is the possibility to configure communication through the proxy on the firewall so I don't have to change the browser configuration every time that change Internet access.
Thank so much for your gracefull help.
Greetings
Dario

Hello adn77, nice to read from you.
what you suggest to me is a solution that I had already identified but it is not applicable because each user can download all the certificates.
I am looking for a solution to enable each user to be able to download only the certificate linked to its username, but apparently this is not possible.
Thanks for your kind cooperation.
Best regards.
Dario.

Thank you adn77 but this's not what I'm lookig for.
I need to connect from remote with my credential (stored into the firewall) and download only my certificte, like Watchguard and PaloAlto done.
Best regards.
Dario

Hello folks,
Opnsense 21.7.8
Is there a way to remotely download the VPN client configuration?
Currently I have to connect to the firewall as root, go to VPN - OpenVPN - Client Export and choose the certificate to download in Archive format then pass the file to the user to insert it in the OpenVPN client.
I wish customers could download the certificate by connecting remotely to the firewall (Palo Alto Global Protect style).
Thanks for your help
Best regards
Dario