Help with creating server certificate for OpenVPN

[WolfpactVI]

Hello all,

Wondering if you could help with a little problem I'm having.  Probably end up to be some stupid oversight on my part, but I'm prepared to be humbled.  Recently upgraded to 24.7, imported all my settings, but my OpenVPN connection no longer worked.  The clients on remote PCs just hung and then timed out.  I'm using DDNS to Cloudflare on one of my subdomains.  That seems to be fine.  I can ping the subdomain and my home IP from my ISP remotely.  Not sure what broke, but thought maybe it had something to do with the certificates.  So I decided to try starting from scratch using the new "instance" version of OpenVPN.

I was following the instructions in the documentation here https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html .  Step 1, create certificate authority.  No problem, created one called OpenVPN_CA.  Step 2, generate a certificate for the CA.  Here's where I'm getting confused.  The second bullet point says "Choose the just created authority in Certificate authority".  However, on the certificate creation window there is no field called "Certificate Authority" from which to select the newly created OpenVPN_CA.  See attached screenshot.  What am I missing here??

Thanks!

[bartjsmit]

You don't need to create a cert for the CA, it comes with one. You need to request a cert for your server (i.e. the firewall) and later on for your clients (the VPN users)

- create a CSR with the CN which will match your DNS FQDN
- sign it with OpenVPN_CA
- configure OpenVPN to use it

Bart...

[dseven]

The second bullet point says "Choose the just created authority in Certificate authority".  However, on the certificate creation window there is no field called "Certificate Authority" from which to select the newly created OpenVPN_CA.

The place to choose your newly-created CA is under Key->Issuer. Not sure if this is a change in 24.7 (I don't have anything older to compare to right now), but it's a doc bug (now) anyway....

[WolfpactVI]

You don't need to create a cert for the CA, it comes with one. You need to request a cert for your server (i.e. the firewall) and later on for your clients (the VPN users)

- create a CSR with the CN which will match your DNS FQDN
- sign it with OpenVPN_CA
- configure OpenVPN to use it

Bart...

Thanks for the clarification on server (firewall) vs CA.  I was wondering about the FQDN too.  In previous (working) iterations, I noticed that under Common Name it just said "internal-ca" and I saw some places in the interwebs saying to use that.  When you say to use a Common Name that will match my DNS FQDN, do you mean put in "subdomain.mywebsite.com"?  Because the instructions said to use the FQDN of this machine.  Which as far as I know, my firewall doesn't have one.

[WolfpactVI]

The place to choose your newly-created CA is under Key->Issuer. Not sure if this is a change in 24.7 (I don't have anything older to compare to right now), but it's a doc bug (now) anyway....

Thanks for the clarification!  I guess the docs haven't been updated to match the new interface layout yet?

[bartjsmit]

I was wondering about the FQDN too.  In previous (working) iterations, I noticed that under Common Name it just said "internal-ca" and I saw some places in the interwebs saying to use that.  When you say to use a Common Name that will match my DNS FQDN, do you mean put in "subdomain.mywebsite.com"?  Because the instructions said to use the FQDN of this machine.  Which as far as I know, my firewall doesn't have one.

It is the FQDN from the client perspective, i.e. your Cloudflare DDNS name.

[WolfpactVI]

It is the FQDN from the client perspective, i.e. your Cloudflare DDNS name.

Interesting, because I know I have setups still on previous versions of Opnsense where it just says "internal-ca" for the CN and (seems to be) working just fine.  But I'll definitely try putting my domain address in there and see what happens.  Thanks again!

[bartjsmit]

You can play around with the client tolerance for mismatched CN and FQDN through the OpenVPN config file. The main thing is that the client cert and the server cert share a chain of trust.