Messages - nedder77

#1
25.7, 25.10 Series / Re: OPENVPN Export Archive 0 bytes
January 07, 2026, 07:46:32 PM
Quote from: Monviech (Cedrik) on January 07, 2026, 07:03:30 PM
One of you could open an issue on GitHub and how to reproduce this issue:

https://github.com/opnsense/core/issues

Doing that now.
#2
25.7, 25.10 Series / Re: OPENVPN Export Archive 0 bytes
January 07, 2026, 05:40:43 PM
I have been having the same issue, I posted about it a couple days ago.

I did a workaround for it. I use a Protectli FW6 for mine, so I took another one I have and installed OPNsense (25.7) on the new one, then restored the configuration from the old one onto the new one, then exported from the new one successfully. I then used that export to connect to the old one through OpenVPN. The only slight issue I had was that I couldn't see the legacy Server Instances on the new one, but I could export for them.

I was planning on replacing the hardware on my current one in the fall, but I am moving that up and will be replacing it sooner and putting a new one in place with a new set of everything, but not going beyond 25.7 until I can test more on the export functionality.
#3
I sorta solved this by building a new firewall on new hardware, and then importing the config from the old one, and then exporting from the new one and then using the export to connect to the old one. Works for now; I was planning on replacing the hardware of the old one in the fall but am just gonna move that up to sooner.

So I am having some trouble with my OpenVPN on my OPNSense firewall.

I was on vacation and the certs expired on 12/30/2025 for the server.

I am trying to get it resolved now. I am working on just the AdminVPN at the moment, we have a DUO VPN with the DUO Proxy for regular users, but need this working before I try to get that one fixed.

I have re-issued and replaced the server cert, but when I try to export the client certs, the archive file is empty with nothing in it. I have googled and most results tell me that this is a result of some sort of mismatch between server and client which is why it exports nothing.

Here is what I have for settings (anonymized as best I can) when re-issuing. I have also tried creating a new CA, new server cert, new client cert, new OpenVPN server, and combining them in every possible combination of new and old, all with the same result.

Versions
OPNsense 25.7.10-amd64
FreeBSD 14.3-RELEASE-p7
OpenSSL 3.0.18

Description: ServerCertName
Key
Type: Server Certificate
Key Type: RSA-2048
Digest Algorithm: SHA256
Issuer: InternalCA in OpnSense
Lifetime: 397

General
Country Code: United States
State or Province: AA
City: Mine
Organization: MyCompany
OU: blank
Email: nobody@not.here
Common Name: ServerCertName
OCSP uri: blank

Alternative Names all blank

Output(PEM format)

All Auto populated from before or when created.

Description: 2027
Key
Type: Client Certificate
Key type: RSA-2048
Digest Algorithm: SHA256
Issuer: InternalCA in OPNSense
Lifetime: 397

General
Country Code: United States
State or Province: AA
City: Mine
Organization: MyCompany
OU: blank
Email: nobody@not.here
Common Name: ServerCertName
OCSP uri: blank

Alternative Names all blank

Output(PEM format)

All Auto populated from before or when created.

OpenVPN Server Info
Description: AdminVPN
Server Mode: Remote Access(User Auth)
Backend Authentication: Local Database
Enforce Local group: AdminVPN
Protocol: TCP
Device mode: tun
Interface: Any
Local Port: 587

Cryptographic Settings
TLS Authentication: Enabled Authentication Only
TLS Shared Key: shared key
Peer Certificate Authority: InternalCA in OPNSense
Peer Revocation list: None
Server Certificate: ServerCertName
Encryption Algorithm (deprecated): AES-128-CBC (128 bit key, 128 bit block)
Auth Digest Algorithm: SHA256(256-bit)
Certificate Depth: One(Client+Server)

Tunnel Settings: None of these should matter for this issue
Client settings: none of these should matter for this issue
Advanced Config: All blank

Client Export settings
Remote Access Server: AdminVPN TCP:587
Export Type: Archive
Hostname: our IP address
Port: 587
Use Random local port: TRUE
P12 Password/confirm: blank
Validate Server Subject: TRUE
Windows Certificate System Store: FALSE
Disable Password Save: FALSE
Enable Static Challenge (OTP): FALSE
Custom Config: blank

Then click download on the client certificate 2027 and we get the empty zip file with nothing in it. I can download the ovpn file, but that won't connect me either, just sits and I get a "dco connect error: The semaphore timeout period has expired."