Topic: OpenVPN Client Export: does not generate any client config for download (Read 5294 times)
sja1440, July 06, 2020, 03:05:07 pm:
I have OPNsense 20.1.8_1 on which I have a fully working OpenVPN server.
When I access the OpenVPN Client Export GUI function and select my OpenVPN server, there are no buttons to allow download of the client configuration. I attach a screenshot.
This worked until very recently.
Are there any server configuration parameters that could prevent the client config export?
Can someone point me in the right direction to help me resolve this issue please?
tiermutter, Reply #1, July 06, 2020, 03:30:05 pm:
Buttons for download will be behind the user in "Linked users" section on the bottom of your screenshot.
Is your list empty? Are your VPN users and certificates still configured?
i am not an expert... just trying to help...
sja1440, Reply #2, July 06, 2020, 04:15:01 pm:
Thanks for the very fast response.
Client authentication on the server requires:
* acceptable client certificate
* password
* TOTP
I have a configured user which can successfully access the VPN.
On the OPNsense I have installed the following certificates and keys:
* my root CA certificate (without the private key which is kept on a separate machine)
* the OpenVPN server TLS certificate (with its private key). This certificate is signed by my root CA.
I have not installed on OPNsense the client's certificate for two reasons:
* there should be no need - the server should accept any non-revoked certificate that has been signed by the CA.
* even if I wanted to install it I am unable to do so because OPNsense insists that I provide the client certificate private key which should only be on the client machine.
To come back to your question: I am afraid I do not know how to "link" the user to this OpenVPN server instance. How can I do it?
Just in case it might be helpful, here is my server config:
# cat /var/etc/openvpn/server3.conf
dev ovpns3
verb 1
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-GCM
auth SHA384
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local XXX
engine rdrand
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server3"
tls-server
server XXX
client-config-dir /var/etc/openvpn-csc/3
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'XXX TOTP access server' 'true' 'server3'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'XXX' 1"
lport 1194
management /var/etc/openvpn/server3.sock unix
push "route XXX"
push "dhcp-option DNS XXX"
push "register-dns"
push "dhcp-option NTP XXX"
push "redirect-gateway def1"
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /usr/local/etc/dh-parameters.4096.sample
reneg-sec 0
sja1440, Reply #3, July 07, 2020, 08:31:57 am:
To work around this problem, I construct by hand my ovpn client configuration files or sometimes manually configure the client.
I would guess that there is a GUI bug somewhere - I have tried pinning it down, but with no success.
mimugmail, Reply #4, July 07, 2020, 04:14:36 pm:
If you don't see any users in export view then:
- users are in wrong group
- users have no certificate if one required
- you have multiple openvpn instances and selected the wrong one
sja1440, Reply #5, July 08, 2020, 08:55:40 am:
Thanks for the suggestions. Indeed, through experiment, I see that the problem is that I have not imported into OPNsense my client certificate. I will not do this because I do not want my client's certificate private key to leave the client machine - that's why I am using a PKI.
Thinking about it, it is clear that to generate a complete client configuration OPNsense does require the private key. So I suppose what I am asking for is a way of exporting a client configuration with placeholders for the certificate and private key. This would be useful since it ensures that I have the correct tunnel parameters on the client system without needing to configure them manually.
I guess this would be a change request - it is not a bug.
Thank you all for your help in getting me to understand.
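
Added example, not part of the thread and not OPNsense code: one way to get the placeholder export described in the last post is to derive the client file from the server directives and reference the certificate and key only by file name, so the private key never has to be imported on the firewall. The host name `vpn.example.net`, the placeholder file names and both function names are assumptions, and `SERVER_CONF` is a constructed subset of the `server3.conf` posted above.

```python
import shlex

# Constructed sample: a subset of the server3.conf directives posted in the thread.
SERVER_CONF = """\
dev-type tun
proto udp
cipher AES-256-GCM
auth SHA384
tls-server
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'XXX TOTP access server' 'true' 'server3'" via-env
lport 1194
reneg-sec 0
"""

def parse_directives(text):
    """Map each directive name to its argument list (last occurrence wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = shlex.split(line)
        conf[name] = args
    return conf

def build_client_template(server_conf, remote_host,
                          ca="ca.crt", cert="CLIENT.crt", key="CLIENT.key"):
    """Return a client config whose credential lines are only file references."""
    srv = parse_directives(server_conf)
    out = ["client",
           "dev " + srv.get("dev-type", ["tun"])[0],
           "proto " + srv.get("proto", ["udp"])[0],
           "remote %s %s" % (remote_host, srv.get("lport", ["1194"])[0]),
           "nobind", "persist-tun", "persist-key"]
    # Copy the tunnel settings the client should mirror from the server.
    for name in ("cipher", "auth", "reneg-sec"):
        if name in srv:
            out.append(" ".join([name] + srv[name]))
    # The server verifies username/password (and TOTP), so the client must prompt.
    if "auth-user-pass-verify" in srv:
        out.append("auth-user-pass")
    # Assumption: the server certificate carries the serverAuth extended key usage.
    out.append("remote-cert-tls server")
    # Placeholders: these files are supplied on the client and never leave it.
    out += ["ca " + ca, "cert " + cert, "key " + key]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_client_template(SERVER_CONF, "vpn.example.net"))
```
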