Openvpn-client-export - No 'Remote Access Server's' in list

johnpoz · Jun 15, 2016, 4:32 PM

What do you think the export is suppose to list? Its going to list user certs that you have setup for use with your vpn connection.

Soyokaze · Jun 18, 2016, 11:30 AM

@JAS85:

I have 3x SG-2440 pfSense boxes where the 'Remote Access Server' list in the openvpn-client-export utility is either empty or not displaying correctly.

This usually happens when you didn't selected PROPER certificate options in OpenVPN server settings.

You should have:
1 CA, selected as Peer Certificate Authority
1 CRL for this CA, selected as Peer Certificate Revocation list
1 Server certificate, issued by that CA, selected as Server certificate
N User certificates, issued by that CA.

JAS85 · Jun 19, 2016, 3:12 AM

@johnpoz:

What do you think the export is suppose to list? Its going to list user certs that you have setup for use with your vpn connection.

I don't believe this to be the case, it hasn't in the past and I can't imagine why it would now.
"Remote Access Server" should be listing servers and even if it were meant to be listing client certs, it's not listing the client certs either.

Client certs are listing at the bottom of the export utility anyway as it has done in the past.

JAS85 · Jun 19, 2016, 3:19 AM

@pan_2:

@JAS85:

I have 3x SG-2440 pfSense boxes where the 'Remote Access Server' list in the openvpn-client-export utility is either empty or not displaying correctly.

This usually happens when you didn't selected PROPER certificate options in OpenVPN server settings.

You should have:
1 CA, selected as Peer Certificate Authority
1 CRL for this CA, selected as Peer Certificate Revocation list
1 Server certificate, issued by that CA, selected as Server certificate
N User certificates, issued by that CA.

I'm not entirely sure what you mean by PROPER ? is that meant to be some sort of setting that needs to be selected ? or do you mean proper as in, setup is wrong…

Everything is setup as you've mentioned above, except I never had a CRL setup in the OpenVPN server.
Despite not believing the CRL would make any difference, i tried it anyway. But as expected, servers still haven't been listed in the server list.

As mentioned before, i have other machines (without CRL setup in the OpenVPN server) and client export utility is performing exactly as I expect

JAS85 · Jun 19, 2016, 3:30 AM

I have attached two images

This is from pfSense on a 64bit PC. This is showing servers in the list and is behaving as i would expect

The other is from a SG-2440. This list is blank, server won't show

Soyokaze · Jun 19, 2016, 11:19 PM

I'm not entirely sure what you mean by PROPER

By PROPER I mean a full certificate chain (CA, CA->Server, CA->Client) is in Certificates and correct certificates types (and issuance) are selected in OpenVPN configuration.

Could you provide a screenshot of problematic OpenVPN settings and corresponding Certificates sections (CA, Server, Client)?

JAS85 · Jul 25, 2016, 6:53 AM

@pan_2:

Could you provide a screenshot of problematic OpenVPN settings and corresponding Certificates sections (CA, Server, Client)?

I have to reaffirm, the VPN setup is working. Working without any problems.
As per the previously attached images, it's the Client Export Utility that doesn't list any servers. Seems to be no problem with the VPN server, clients can connect fine.

Have attached requested screenshots. In addition to the screen shots, there is one setting selected for CSC Overrides, and that is a DNS server

Cheers,
James

![OpenVPN - General.PNG](/public/imported_attachments/1/OpenVPN - General.PNG)
![OpenVPN - General.PNG_thumb](/public/imported_attachments/1/OpenVPN - General.PNG_thumb)
![OpenVPN - Crypto.PNG](/public/imported_attachments/1/OpenVPN - Crypto.PNG)
![OpenVPN - Crypto.PNG_thumb](/public/imported_attachments/1/OpenVPN - Crypto.PNG_thumb)
![OpenVPN - Tunnel.PNG](/public/imported_attachments/1/OpenVPN - Tunnel.PNG)
![OpenVPN - Tunnel.PNG_thumb](/public/imported_attachments/1/OpenVPN - Tunnel.PNG_thumb)
![OpenVPN - Client-Advanced.PNG](/public/imported_attachments/1/OpenVPN - Client-Advanced.PNG)
![OpenVPN - Client-Advanced.PNG_thumb](/public/imported_attachments/1/OpenVPN - Client-Advanced.PNG_thumb)

cmb · Feb 24, 2021, 9:38 PM

Peer to peer OpenVPN server types don't show up in client export, by design. That's not a remote access type, so it won't be there.

JAS85 · Jul 26, 2016, 1:08 AM

@cmb:

Peer to peer OpenVPN server types don't show up in client export, by design. That's not a remote access type, so it won't be there.

Kill me now… only four letter swear words coming out of my mouth at this point. So annoyed with myself.

You've spotted an error in my setup, should be 'Remote Access (SSL/TLS)'. Such an obvious mistake and I've managed to over look it about 1000x times.

Cheers for your help, that has solved my issue. :o

giox · Mar 22, 2017, 1:01 PM

@JAS85:

Kill me now… only four letter swear words coming out of my mouth at this point. So annoyed with myself.

You've spotted an error in my setup, should be 'Remote Access (SSL/TLS)'. Such an obvious mistake and I've managed to over look it about 1000x times.

Cheers for your help, that has solved my issue. :o

I had the same problem.
I googled and found this thread.
I used the same solution and a similar swear word to blame my configuration error :)

Thank you for this post, it avoided me a second stupid post :) :)

sangomab · Jan 25, 2020, 10:41 PM

Same shit here from 2020.
old post but gold never delete this one.

tristangrimaux · Feb 24, 2021, 9:38 PM

@cmb

I've modified the client exporter to allow peer to peer openvpn servers and it works wonderfully. I really do not understand why it's not a remote access type. In my configuration I need to bridge two networks but still need to allow users to access it