Can't get OpenVPN to work
-
@pixel24 said in Can't get OpenVPN to work:
What surprises me is that the Client Export field says "No Cert":
This regards the user cert.
So there might be no client cert assigned to that user. But it's not clear how this should be accepted by the client. When you set up an SSL OpenVPN, a client cert is required.
-
@pixel24
Just noticed that your server is in "user auth" mode. So it doesn't require any CA and cert at all.
But I'm wondering why it is providing the CA and server cert stuff in this mode.
You have to set the server into SSL/TLS (+Auth) mode to use SSL certificates.
It should include all needed certs.
If you use PEM style files, you have to combine CA and intermediate manually.
How exactly do I have to proceed here?
-
@viragomann said in Can't get OpenVPN to work:
Just noticed that your server is in "user auth" mode. So it doesn't require any CA and cert at all.
But I'm wondering why it is providing the CA and server cert stuff in this mode.
You have to set the server into SSL/TLS (+Auth) mode to use SSL certificates.
That's how I've always done it so far and never had any problems. However, it was version 2.5. Now I have 2.6.
I have removed the access on the laptop again, changed the OpenVPN server to "SSL/TLS (+Auth) mode" and activated the password protection for the pkcs12 file.
However, the option to download the package for the client is missing under "OpenVPNClient -> Export Utility".
-
@pixel24 said in Can't get OpenVPN to work:
However, the option to download the package for the client is missing under "OpenVPNClient -> Export Utility".
This is only available if there is any user on the system who has assigned a certificate from the same CA as the selected server.
As your upper screenshot shows, you're using an external user database. But I don't know how to assign user certs in this case.
-
@viragomann I have specified the Let's Encrypt CA and the real certificate of the host in the OpenVPN server. This does not work although the certificate has been signed and is valid.
I have now set up an internal CA for OpenVPN again. Auth: User & Pass. Package imported on the client.
Works.
-
@pixel24 said in Can't get OpenVPN to work:
I have specified the Let's Encrypt CA and the real certificate of the host in the OpenVPN server.
No, not this.
The client needs both, the CA cert and the intermediate cert, to verify the server certificate, as far as I know. That's what the client error log hints to me.
So when you use a p12 file both should be included. When using a PEM file (crt) you can simply bundle both with a text editor.
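
The bundling step described in the post above, as an added example that is not part of the original thread: it builds a throwaway root CA, intermediate CA and server certificate with the openssl CLI, then checks the server certificate against the root alone and against the concatenated PEM bundle. All names (Demo Root CA, vpn.example.test, ca-bundle.crt) are constructed for the demo.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> server certificate.
# Nothing here comes from pfSense or from the thread; file names are made up.

mkcsr() {  # mkcsr <basename> <common name>: new RSA key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_demo_chain() (  # build_demo_chain <dir>; subshell body keeps the cd local
    cd "$1" || exit 1
    # Minimal req config and CA extensions, so no system openssl.cnf is needed.
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    mkcsr root "Demo Root CA" &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.crt 2>/dev/null &&
    mkcsr inter "Demo Intermediate CA" &&
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out inter.crt 2>/dev/null &&
    mkcsr server "vpn.example.test" &&
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 2 -out server.crt 2>/dev/null &&
    # The "text editor" step: one file holding both PEM blocks, root and intermediate.
    cat root.crt inter.crt > ca-bundle.crt
)

verify_server() {  # verify_server <CA file> <cert>: status 0 only if a full chain builds
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d) && build_demo_chain "$demo" || exit 1
for ca in root.crt ca-bundle.crt; do
    if verify_server "$demo/$ca" "$demo/server.crt"; then
        echo "$ca: server certificate verifies"
    else
        echo "$ca: verification fails (issuer of the server certificate not found)"
    fi
done
rm -rf "$demo"
```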
-
@pixel24 said in Can't get OpenVPN to work:
OpenVPN 2.4.7
pfSense uses OpenVPN 2.5.4
I won't say : it couldn't work.
I will say : only experts will try to mix 2.5.x series with the 2.4.x series ;)
Btw : no need to use a certificate from Letsencrypt.
See the Netgate channel on Youtube, the official OpenVPN videos. These videos are old, but still very valid.
-
@gertjan said in Can't get OpenVPN to work:
pfSense uses OpenVPN 2.5.4
I won't say : it couldn't work.
I will say : only experts will try to mix 2.5.x series with the 2.4.x series ;)
So I'm an expert, obviously.
We never had issues here with OpenVPN 2.5.2 on pfSense and 2.4.x and 2.5.x on Windows and 2.4.x Linux clients.
-
@viragomann said in Can't get OpenVPN to work:
obviously
Very possible
I guess you've been cheating, that is, reading the OpenVPN release notes so you knew what 2.4.x option (server or client) can be used with a 2.5.x server or client.
-
That setting doesn't work for me in the issue I've been having.