Messages

Update - got it working. I think the problem was that the fully qualified domain name didn't match.

But possibly you get the same error if the client cannot use the private key. Is it installed properly?

Depends on what "properly" means. On the client side, isn't everything in the file generated by the client export?

Which client software are you using?
Does it use a recent OpenSSL version?

OpenVPN 2.6.3, OpenSSL 3.0.16 (11 Feb 2025)

So search for it in OPNsense > System > Trust > Certificates.

Is it shown there as "in use" by a user?
And is the purpose "clientAuth"?

It is shown as "in use", but only as a tick mark, not a user. The purpose is "clientAuth".

Which certificate is mentioned in the error message? Is it the server cert or the client cert?

Don't know how to tell from the error message.

The error mentioned the whole cert details like common name (CN) and organisation (O). You should be able to determine which it is from this.

All the certs I have generated have the same CN and O.

CNs have to be unique for each client and the server.

Ah, yes, you are right, I confused C with CN. Seems it is the client cert it is complaining about.

Which certificate is mentioned in the error message? Is it the server cert or the client cert?

Don't know how to tell from the error message.

The error mentioned the whole cert details like common name (CN) and organisation (O). You should be able to determine which it is from this.

All the certs I have generated have the same CN and O.

Which certificate is mentioned in the error message? Is it the server cert or the client cert?

Don't know how to tell from the error message.

I generated a client certificate, then set up an OpenVPN instance

This could be a server or a client.
??

Where do you see the error??

The certificate I generated was a client one. I see the error on the linux client that tries to connect to the VPN.

[error=unsuitable certificate purpose]

error=unsuitable certificate
purpose

This should be the hint.

Did you assign a server certificate?

Ummh, doesn't the client use a client certificate?

Yes.

However, you were not clear about what you really did and where you get this error.

I generated a client certificate, then set up an OpenVPN instance (actually two - one for an UDP and one for a TCP connection, just in case). I get the error on the client when I try to connect to the opnsense box.

[error=unsuitable certificate purpose]

error=unsuitable certificate
purpose

This should be the hint.

Did you assign a server certificate?

Ummh, doesn't the client use a client certificate?

A couple of years ago I successfully set up OpenVPN with a couple of road warrior clients, but I was using the legacy ("Servers") method, that is reaching the end of the line. Now I tried to set up a new VPN using the new "Instances" method, after setting up certificates.

The VPN fails, with

Code Select Expand

2025-06-03 16:54:10 VERIFY ERROR: depth=0, error=unsuitable certificate
purpose: C=NL, ST=NH, L=Amsterdam, O=#########,
emailAddress=#########, CN=######, serial=4
2025-06-03 16:54:10 OpenSSL: error:0A000086:SSL routines::certificate
verify failed
(sensitive information replaced with "########".

Any ideas of what I might be doing wrong?

Is it possible the menu is exceeding available screen real estate? Try expanding the menu (">" button at the top) if it's expanded, and see if that helps? Otherwise, screenshots?

Ah, yes, that did it! Thanks!

I have come across a strange thing. I have added a bunch of VLAN interfaces, assigned them, set IP settings and DCHP services for them. They all work fine, but when trying to set firewall rules, one of the interfaces is missing in the Firewall / Rules menu. I can't see anything being different with this interface compared to the other ones.

Hmm, yes... Interfaces/Overview/WAN shows that the OPNsense box only gets a /57.

Will do that tomorrow morning - it is not entirely trivial, as the machine I use to access the opnsense box doesn't talk to the Internet...

I did try changing to SLAAC, but the client machines on the LAN still only have link-local addresses.