Netgate Discussion Forum

Client export with multiple OpenVPN servers (one pfsense box)

Category: OpenVPN
6 Posts 2 Posters 1.5k Views
Jackish, Aug 5, 2016, 5:26 PM (last edited Aug 5, 2016, 5:56 PM)

    Hi,

    I am currently running OpenVPN (remote access) on my pfSense machine, and it is working great. I can export clients without any issues. I have however just added a secondary remote access server on the same box, and the issue for me is that when I'm on the client export page and pick the brand new OpenVPN instance under the "Remote Access Server" drop-down list, the "OpenVPN Clients" list is empty.

    I created a new CA and a new server certificate for the new instance and I have added client certificates under the correct CA and server, but I still can't find any clients under the "OpenVPN Clients" area.

    Is this some kind of bug or am I doing something wrong here? I have tried reinstalling the package and I have also rebooted the entire machine without success.

    Any input on this matter is highly appreciated; please let me know if you guys need me to provide any additional information.

    Thank you!

    /Jackish

    EDIT: I'm running 2.3.1 (amd64) release.

Derelict (LAYER 8, Netgate), Aug 6, 2016, 8:32 AM

      It will only show users for export that have a User certificate issued by the Peer Certificate Authority of the selected server.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

Jackish, Aug 6, 2016, 3:56 PM

        First of all, thank you a lot for your response. Appreciated!

        I currently have two CAs: one for my first VPN server, where I also can export the user certificates, and one for my new VPN server (different port).
        When I look at the settings for the new VPN server, I have the new CA as "Peer Certificate Authority" and I have a server certificate which is signed with the new CA.

        When I create the user certificates for the new VPN server, I select the new CA. They do not, however, show up under client export, under either server.

        Any other suggestions or am I missing something? As stated previously, the first server is working fine and I can export client certificates without any issues.

        Thank you.

        Br
        Jackish

Derelict (LAYER 8, Netgate), Aug 6, 2016, 6:46 PM

          Screenshots I guess. You're mucking it up somewhere. If you were doing it as you describe it would be working.

          Export the CA cert and the User cert and paste them in a PM and post a screen shot of the OpenVPN configuration. Don't need private keys.

Jackish, Aug 7, 2016, 4:37 AM (last edited Aug 7, 2016, 5:17 AM)

            I managed to solve it, but not by messing with the CA or certificates. In fact, I did not even touch them.

            The old VPN server and the new had four differences:

            1. The new one had a new protocol (TCP)
            2. The new one had a new port
            3. The new one had "Local database" instead of RADIUS auth
            4. The new one had a different IP range defined (192.168.50.0/24 instead of 192.168.10.0/24)

            Making 3 & 4 above identical between the new and the old server (using RADIUS and 192.168.10.0/24 for the new one as well) made the certificates show up all of a sudden.

            This does not sound logical to me... How can these settings, i.e. "Backend for Authentication" and "IPv4 Tunnel Network", have anything to do with exporting user certificates?

            Thanks.

            Br
            Jackish

            EDIT: "Backend for Authentication" is the one that determines if the client configs are visible in client export or not for me (RADIUS = visible, Local database = not visible).

Derelict (LAYER 8, Netgate), Aug 7, 2016, 5:25 PM

              Quote: How can these settings, i.e. "Backend for Authentication" and "IPv4 Tunnel Network", have anything to do with exporting user certificates?

              The export wizard tries to limit exposing users for export that cannot possibly log in. If you had Local database selected in the server, had created the user certificate, but did not create the user in the local database, then that user would not be able to log in so the user is not exposed for export.

              When you select the external authentication method then all it will check for is the presence of a certificate issued by the Peer Certificate Authority.


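The filter Derelict describes in both replies (User certificate issued by the server's Peer CA, plus a matching local user when the backend is Local Database), and the symptom Jackish hit, modelled in Python as an added example. This is not pfSense's or the Client Export package's own code; the class names, the sample servers and certificates, and the assumption that a certificate's CN equals the pfSense username are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    common_name: str    # CN of the certificate; assumed here to equal the pfSense username
    issuer_ca: str      # descriptive name of the CA that signed it
    is_user_cert: bool  # True for a User certificate, False for Server/CA certificates


@dataclass(frozen=True)
class OpenVpnServer:
    description: str
    peer_ca: str        # "Peer Certificate Authority" in the server settings
    auth_backend: str   # "local" (Local Database) or an external backend such as "radius"


def exportable_clients(server, certs, local_users):
    """Return the certificate CNs the export page would list for `server`.

    Rules as explained in the thread (simplified model, not pfSense code):
      * only User certificates issued by the server's Peer CA are candidates;
      * with the Local Database backend the matching user must also exist,
        otherwise it could never log in and is hidden from export;
      * with an external backend only the certificate/CA match is checked.
    """
    shown = []
    for cert in certs:
        if not cert.is_user_cert or cert.issuer_ca != server.peer_ca:
            continue
        if server.auth_backend == "local" and cert.common_name not in local_users:
            continue
        shown.append(cert.common_name)
    return shown


# Constructed sample data modelled on the thread: two servers, each with its own CA.
CERTS = [
    Cert("alice", "RA-CA-1", True),
    Cert("bob", "RA-CA-2", True),
    Cert("carol", "RA-CA-2", True),
    Cert("vpn-server-2", "RA-CA-2", False),  # server cert, never offered as a client
]
LOCAL_USERS = {"bob"}  # carol has a cert but was never created in the User Manager

OLD_SERVER = OpenVpnServer("RA-UDP-1194", "RA-CA-1", "radius")
NEW_SERVER_LOCAL = OpenVpnServer("RA-TCP-1195", "RA-CA-2", "local")
NEW_SERVER_RADIUS = OpenVpnServer("RA-TCP-1195", "RA-CA-2", "radius")

if __name__ == "__main__":
    for srv in (OLD_SERVER, NEW_SERVER_LOCAL, NEW_SERVER_RADIUS):
        print(srv.description, srv.auth_backend, exportable_clients(srv, CERTS, LOCAL_USERS))
```

Switching the new server from `"local"` to `"radius"` makes carol appear without touching any certificate, which is the behaviour Jackish observed; the lasting fix with a local backend is to create the user whose certificate should be exportable.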
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.