Is the OpenVPN: Client Export Utility supposed to work?

kronos0815 · Jan 3, 2010, 6:48 PM

I'm running 2.0-BETA1 built on Sat Jan 2 13:36:09 EST 2010
I installed the OpenVPN Client Export Utility and I've set up an OpenVPN Remote Access SSL/TLS Server and the appropriate certificates, CA, server cert and client cert.
But on the OpenVPN Client Export Utility Tab I can't select anything from the Remote Access Server dropdown.
Couldn't find any bug reports or anything mentioned in the forums about this specific problem.

jimp · Jan 3, 2010, 7:30 PM

I just tried it again on a text box and it is working for me. I only have one remote access openvpn server setup and it is already selected on that page, and downloading the client seems to work ok, though I haven't tried to install from it yet.

kronos0815 · Jan 3, 2010, 8:14 PM

Ok, I'll reset it to factory defaults and try again
Thank you for testing it.

cmb · Jan 5, 2010, 4:15 AM

It works. If you don't have anything in the drop down, you're missing a server cert or client cert or don't have the server configured properly.

DisturbedKT · Jan 5, 2010, 11:33 PM

I had this behavior, so I dug into the code to see the cause…

Bottom line appears to be some missing sanity-checking code. Inside of the "foreach" block that constructs the $ras_server array, there is a "foreach" block that is supposed to make the contents of $ras_server['users']. This block uses the $a_user array (sourced from the users config.xml file), and appears to fail because it has a line like so:


if (!is_array($user['cert']))
                        continue;

The problem, at least on my brand new pfsense 2.0 Beta install is that the var_dump of the $user array looks like this:


array(9) { ["scope"]=> string(4) "user" ["password"]=> string(34) "$1$SIIcygED$RWcmAP1NetwzluMBYC3ts1" ["md5-hash"]=> string(32) "ebf0e1bff185f8c2a8dfaa3706e10956" ["nt-hash"]=> string(32) "c362cba141a5d426dd454f7f932351fa" ["name"]=> string(5) "kevin" ["fullname"]=> string(12) "Kevin Taylor" ["expires"]=> string(0) "" ["authorizedkeys"]=> string(0) "" ["uid"]=> string(4) "2000" }

Bottom line, after digging through this, what cmb said was right-on. However, what I didn't realize is that the reason I was having trouble figuring out how to add it was because I was still using on the "admin" account and it does NOT have the ability to add a user cert. I made a second user, added it's client cert, and all was well. After I become more familiar with pfsense, I will probably contribute a patch to do better sanity-checking and subsequent improved user help and on-page instruction for this package.

I believe the desired functional behavior would be for "Remote Access Server" to be populated as long as the server is configured, but then for an informational message to show up in the section which becomes "Client Install Packages" to instead say "No users with client certs were found, please add client certificates for each user under User Manager".

kronos0815 · Jan 6, 2010, 8:59 PM

Hi there DisturbedKT,
thanks for pointing this out. My problem was indeed the setup of the user / user certificate. I've been using certificate based OVPN for some time and always created all certificates on my windows laptop. Therefore I didnt even think about using the user manager to create a proper user. I only created another certificate with my desired OVPN username.
Now I created a new user and a proper cert for the user and finally the client export dropdown is populated.
Thanks for the help DisturbedKT and cmb.

cmb · Jan 7, 2010, 4:07 AM

We're going to fix this up a bit to make it more usable. Too many steps in different screens as is right now.

focalguy · Jan 7, 2010, 6:49 AM

Ok, please point me in the right direction if there is more documentation around but I didn't see much for 2.0. I'm trying to get this working and I think I followed the clues in this thread to get the drop-down populated but underneath I still have no options to export. I feel like I'm missing something very simple. Screen-shot attached.

jimp · Jan 7, 2010, 12:37 PM

In the certificate manager, do you have any client keys created/imported using the server certificate from that openvpn instance?

For me they just show up at the bottom of that screen.

focalguy · Jan 7, 2010, 2:58 PM

I think so. I created a new internal CA and then created a certificate using that CA. Then in the OpenVPN configuration, I have that CA and certificate selected. I also generated a cert for my user using that CA.