Missing External Certificate and another OpenVPN client error

Started by road hazard, January 29, 2023, 05:59:10 AM

When I had my ASUS router up and running, I enabled OpenVPN in it, set everything up and exported the .ovpn and imported it into the OpenVPN Connect Client (v3.x) and everything worked perfectly.

I put the ASUS router in AP mode and put it behind a fresh install of OPNsense (23.1) and am trying to set up OpenVPN. I followed the guide on setting it up (not using MFA or anything fancy....just username/pass) and I'd like to use the OpenVPN client and not Viscosity.

I can import the .ovpn file into the OpenVPN client but when I try to connect, I get a 'missing external certificate' error. If I click 'continue', I get the following error: SSL_context_error: OpenSSLContext: CA not defined

I found some fixes from a year or two ago but the parts in the .ovpn file that are usually referenced don't exist in the file that OPNsense 23.1 creates.

Next up, I found somebody talking about using the OpenVPN GUI version (aka, community edition). I installed that and imported my .ovpn file and I'm getting this error: (from the client)

2023-01-28 23:47:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-01-28 23:47:18 Cannot pre-load keyfile (VPN_Server_SSLVPN_Server_Certificate-tls.key)
2023-01-28 23:47:18 Exiting due to fatal error

Any ideas? (Besides using Viscosity :) )


Both client and server need to agree on a certificate chain. Have you imported the root CA cert and any intermediate cert(s)?

The most portable way is to add them to the ovpn file inside <ca> ... </ca>

Bart...

Quote from: bartjsmit on January 29, 2023, 10:13:35 AM
Both client and server need to agree on a certificate chain. Have you imported the root CA cert and any intermediate cert(s)?

The most portable way is to add them to the ovpn file inside <ca> ... </ca>

Bart...

I followed the instructions in the OPNsense documentation and it isn't working. If I need to manually add something to that ovpn file, this tells me the documentation is wrong or how OPNsense is generating the .ovpn file is broken and I should report this as a bug.

In the meantime, please forgive my ignorance but, can you give me some step-by-step commands on adding the cert inside the file? I have no idea what needs to be pasted in there. :(

With my ASUS router, setting up OpenVPN was dead simple. The resulting .ovpn file it generated was correctly imported into my OpenVPN connect client and away I went. With OPNsense, something appears to be broken.
Let's start from the beginning :)

You are looking for an OpenVPN road warrior configuration with OPNsense as the server and external clients connecting from the WAN side to it, right?
There's about as many queries on this forum for running an OpenVPN client to an external VPN provider (Surfshark, PIA, etc.)

I set up my OpenVPN server on OPNsense using Kirk's guide (crypto references ever so slightly outdated) https://www.kirkg.us/building-an-openvpn-server-with-opnsense/

My downloads from VPN: OpenVPN: Client Export do include the <ca> ... </ca> text block in the ovpn file.

Check your steps against the guide and make sure you haven't missed any.

Bart...

Thanks for sticking with me but I tried your guide and I re-did the OPNsense guide and got the same exact end result. My .ovpn file looks like this every time:

dev tun
persist-tun
persist-key
proto tcp-client
cipher AES-256-CBC
auth SHA512
client
resolv-retry infinite
remote x.x.x.x xxxxx tcp
lport 0
verify-x509-name "C=US, ST=Ohio, L=XXXXX, O=HomeVPN, emailAddress=nobody@cares.org, CN=HomeVPN Server Certificate" subject
remote-cert-tls server
auth-user-pass
pkcs12 VPN_access_HomeVPN_Server_Certificate.p12
tls-auth VPN_access_HomeVPN_Server_Certificate-tls.key 1

Since your resulting .ovpn file has all the CA stuff in it, I'm curious if we're doing an apples-to-apples comparison? Are you using a fresh install of 23.1 like I am or did you upgrade to it or are you still using an older version of OPNsense?

Quote from: road hazard on January 30, 2023, 03:29:57 AM
Are you using a fresh install of 23.1 like I am or did you upgrade to it or are you still using an older version of OPNsense?

Mine is ancient and has been upgraded in situ for many years. If nobody else chimes in on this thread with their experiences, I might have some time this week to create a fresh test VM.

Does it work when you add the CA stanza manually to the files? https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV

Bart...
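Bart's two suggestions above (carry the CA inside a <ca> ... </ca> block, and add the stanza to the file by hand) can be automated. The script below is an added example, not code from the thread or from OPNsense: it rewrites a profile like the one posted so that every external file it references (ca, cert, key, tls-auth, pkcs12) is embedded inline, and it checks whether a CA is defined at all, which is the condition the Connect client reported as "CA not defined". File names and certificate contents are constructed placeholders; the inline <pkcs12> form is base64, as OpenVPN's own inline syntax requires.

```python
import base64
import re
import tempfile
from pathlib import Path

# Directives whose file argument OpenVPN also accepts as an inline <name> block.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "pkcs12")


def inline_ovpn(profile_text: str, base_dir: Path) -> str:
    """Return the profile with each referenced file embedded as an inline block.

    PEM files are pasted verbatim; a .p12 bundle is base64 encoded.  A
    'tls-auth file 1' line becomes a <tls-auth> block plus 'key-direction 1',
    because the direction cannot live inside the block.
    """
    out = []
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in INLINE_DIRECTIVES:
            name, path = parts[0], base_dir / parts[1].strip('"')
            data = path.read_bytes()
            body = (base64.encodebytes(data) if name == "pkcs12" else data).decode().strip()
            if name == "tls-auth" and len(parts) == 3:
                out.append(f"key-direction {parts[2]}")
            out.append(f"<{name}>\n{body}\n</{name}>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def has_ca(profile_text: str) -> bool:
    """True if the profile names a CA file or carries an inline <ca> block."""
    return re.search(r"^(ca\s+\S|<ca>)", profile_text, re.M) is not None


def demo():
    """Constructed sample mirroring the posted profile: pkcs12 + tls-auth, no CA."""
    d = Path(tempfile.mkdtemp())
    (d / "ca.crt").write_text("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    (d / "ta.key").write_text("-----BEGIN OpenVPN Static key V1-----\n00ff\n-----END OpenVPN Static key V1-----\n")
    (d / "client.p12").write_bytes(b"\x30\x82constructed-p12")  # not a real bundle
    before = ("client\ndev tun\nremote x.x.x.x 1194 tcp\nauth-user-pass\n"
              "pkcs12 client.p12\ntls-auth ta.key 1\n")
    fixed = before + "ca ca.crt\n"          # the stanza Bart suggests adding by hand
    return before, inline_ovpn(fixed, d)


if __name__ == "__main__":
    original, embedded = demo()
    print("CA defined before:", has_ca(original), "after:", has_ca(embedded))
    print(embedded)
```

The resulting file has no external dependencies, so the "Cannot pre-load keyfile" error from the community client cannot occur and the profile can be moved between clients as a single file.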

All fixed. :) Another user on here, Ramsense, sent me this guide: https://homenetworkguy.com/how-to/configure-openvpn-opnsense/ and following that (even though it was created on an older version of OPNsense and had a few, minor deviations) I was able to FINALLY get a valid .ovpn file that included the ca, key and cert!

The big difference from my point of view is I didn't use the OpenVPN wizard and did it manually and it's working perfectly now. But if you have the time, I'd be curious what your tests reveal..... wondering if the wizard is indeed busted and not doing something correctly on a fresh install?!