[SOLVED] OpenVPN breaks after upgrade from 18 to 19

[seamus]

So I've been using v 18.X for some time. My OpenVPN server on OPNsense had always worked just fine with my `Viscosity` client. Recently, I upgraded OPNsense from v 18.X to v 19.X. Everything seems to work except my OpenVPN client refuses to connect.

And it's a "quick disconnect": as soon as the authentication is entered (userid + 2FA password), the client reports the connection as "down". I've double-checked my password, and my IP address (dynamic IP), and they're correct. The timing makes me wonder if the client config that I exported over a year ago is now deprecated in some way.

Any ideas? Did something change between v 18 and v 19 that would have broken an existing OpenVPN configuration?

[newsense]

If you do 12 in the console do you find any updates ? You might be on 19.1.1

[seamus]

If you do 12 in the console do you find any updates ? You might be on 19.1.1

From the Dashboard, I see this:

Versions    
OPNsense 19.1.2-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2q 20 Nov 2018

A "check for updates" fm Dashboard reports "There are no updates available on the selected mirror."

It's as if something was blocking the VPN connection. But my fw rules haven't changed.

[newsense]

Try reexporting the configuration and try both Viscosity and Tunnelblick. At the very least you should get some error messages that could narrow it down.

[seamus]

The System:Access:Tester has confirmed that my OTP generator, userid & Password are working as they should.

However... Looking at my self-signed CA and the certificates I generated last year, I see they are all expired. I am really fuzzy on the roles (and even the necessity for) Certs given that my OTP/2FA is in place, but it seems clear that they (Certs) must be required as they're included in the "How-To" guide.

Unless someone has a suggestion for eliminating the need for these Certs, I'll close this question. Once I've worked through the cert renewals, I'll post another question if I have difficulties.

[seamus]

Just to close this out, expired certs was the source of my breakage,; the version upgrade was coincidental. Once I installed a new CA and generated new certs for the user and the server, things fell into place. I had to edit my user config, VPN server config to add the new certs, then export a new Viscosity client package. After installing the new Viscosity profile, I was able to make a connection.

And FWIW, I'd like to suggest that OPNsense incorporate a feature to flag expired certs for the admin. (Am I spoiled?