OpenVPN why so hard to download config file?

Gertjan

Youtube ?

Use the official Netgate channel. There are OpenVPN videos.

lmh1

https://www.youtube.com/watch?v=lp3mtR4j3Lw

this one is the only one.
I think the other video is more to help:
https://www.youtube.com/watch?time_continue=1&v=kK29dMnRDC8

did you think pfsense only set local not access from local internet as default?

Gertjan

@lmh1 said in OpenVPN why so hard to download config file?:

this one is the only one.

Noop.

Check again : take the entire list https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos and do a Ctrl-F. All OpenVPN questions are being discussed.

lmh1

Still did not get it to works:

PHP errors

    PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
    Stack trace:
    #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
    #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #80, false)
    #2 /etc/inc/openvpn.inc(1181): crl_update(Array)
    #3 /etc/inc/openvpn.inc(1320): openvpn_reconfigure('client', Array)
    #4 /etc/inc/openvpn.inc(2091): openvpn_restart('client', Array)
    #5 /etc/inc/service-utils.inc(806): openvpn_restart_by_vpnid('client', '3')
    #6 /usr/local/www/status_services.php(41): service_control_restart('openvpn', Array)
    #7 {main}
    thrown @ 2019-05-13 17:31:00

NogBadTheBad

It might help if you don't title your posts why so hard to

johnpoz

@lmh1 said in OpenVPN why so hard to download config file?:

Its a easy way to download config file to server pfsense?

So your trying to download some vpn services ovpn file to pfsense directly via cli??

????

your wanting ot use vpn service X.. Then download the file they give you - open it up and put the info into the openvpn client gui settings.

It will take you all of 2 minutes to setup, and is a 1 time thing... Which vpn service are you trying to connect too... Can almost bet they have specific instructions for pfsense..

lmh1

Its more way to download it ( OpenVPNClient Export Utility)

If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, the client certificate does not exist on this firewall, or a user certificate is not associated with a user when local database authentication is enabled.

OpenVPN 2.4 requires Windows Vista or later
The "win6" Windows installers include the tap-windows6 driver which requires Windows Vista or later.
The "XP" Windows installers work on Windows XP and later versions. 

What is needed or not with openVPN setting?
OpenVPN Servers
WAN UDP / 1194
WAN TCP / 1195
Did firewall need to be setup, its show its do it automatic if i select that.
But worst of all, pfsense did not check that i selected is correct, its easy to see in DNS Dynamic DNS Clients if name is wrong i did not get error message only without ip adress, but that is fixed.

Can someone explan:
Status OpenVPN
[error] Unable to contact daemon Service not running? 0 0 B / 0 B

johnpoz

Dude I can not tell what your even trying to do... Are you wanting to run openvpn on pfsense and have your clients connect, or you trying to get pfsense connected to some vpn service?

To get a road warrior to connect to vpn server you run on pfsense - run through the wizard. Install the export client and export the correct ovpn file or exe for your client.. Its that simple..

lmh1

I try to set up openVPN server, to run with DNS name, from https://www.noip.com/
That know its works, but i did not understand why its need that? And how to connect.
I have before issue with netgear AD7200 netgear openvpn server

So i guess its not more easy to do that with PFsense.

May explan why its not use email signing?So its be more easy?
Or why pfsense did make this more easy?

johnpoz

I'm done... How hard is it to download a ovpn file from a gui??

Your asking why the admin has pick from a drop down on what should be in the ovpn file for resolution???

lmh1

I did not get openvpn files.
Open VPN server:
WAN UDP / 1194 10.0.8.0/24
fe80::/64 Crypto: AES-128-CBC/SHA256
D-H Params: 2048 bits remote access (tun)
WAN UDP4 / 1195 10.1.8.0/24
Crypto: AES-128-CBC/SHA256
D-H Params: 2048 bits openvpnserver (tun)

client:
WAN UDP 10.0.8.0:1195
WAN UDP 10.1.8.0:1194

Is this correct config, or did it give issue?

I only get:

OpenVPN Clients
User Certificate Name Export

If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, the client certificate does not exist on this firewall, or a user certificate is not associated with a user when local database authentication is enabled.

OpenVPN 2.4 requires Windows Vista or later
The "win6" Windows installers include the tap-windows6 driver which requires Windows Vista or later.
The "XP" Windows installers work on Windows XP and later versions.

no files config.

johnpoz

If you need help setting up vpn server on pfsense - I suggest you read the docs, or ask in your native language section...

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html

I still for the life of me can not figure out what your trying to do...

If your trying to create a openvpn server - then run through the wizard... It takes all of 2 freaking seconds..

If you do not see a client for export - they you prob never created the users cert signed by the ca your using for openvpn

That is what this is saying
"If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, the client certificate does not exist on this firewall, or a user certificate is not associated with a user when local database authentication is enabled."

Is the pfsense web gui not set for your native language? Set the gui language to your native - it might be helpful!!!

lmh1

Yes its on norwegian but that is not the biggest issue, the biggers issue is that software did not give corrrect error message. And documents is hard to understand what is wrong.

they you prob never created the users cert signed by the ca your using for openvpn

But can you show that.
I did not find a way to add certifiate to a user.
its only email not username in CA.
https://www.youtube.com/watch?v=vZpAIKJ9jyA

Did you also know if some packages that you install mess up this system, in yesterday i need to reset to default setting becauce i install some packes for trying but its give debug issue php files corrupt.
So why did pfsense add poor packages that mess up this system? Its poor.

Gertjan

@lmh1 said in OpenVPN why so hard to download config file?:

Did you also know if some packages that you install mess up this system, in yesterday i need to reset to default setting becauce i install some packes for trying but its give debug issue php files corrupt.
So why did pfsense add poor packages that mess up this system? Its poor.

Norwegian or not, why talking of "poor" instead of naming the package ?

An OpenVPN server setup isn't a good example of click-click-click and done - but it can be done in a couple of minutes.
Millions are using it every day so I guess it was removed from the rocket science status ages ago.

I do not remember if I used a email or a user name in my auto generated certs, needed for my VPN to work (I do not use User/password auth, only Cert/TLS). This boils down to : I generate a lock and a key. The key will be part of the OVPN file I hand over to the remote user. The OpenVPN server has the lock. If the two fits, the user can connect. Basta. That's it.
I don't bother email addresses or host names and don't know what's in that certificate.

@lmh1 I : as @johnpoz : I still do not understand what your issues are.
Maybe it's the language barrier ^^ (I'm Dutch, live in France and pas most of my time on English and German forums).

johnpoz

@lmh1 said in OpenVPN why so hard to download config file?:

I did not find a way to add certifiate to a user.

What do you mean - it gives you step by step info the link I provided..

Adding a User with a Certificate
If the mode has been left at the wizard’s default or on a mode that includes local user authentication, a user must be created in the user manager.

Navigate to System > User Manager
Click fa-plus To add a user
Fill in Username
Fill in Password / Confirm password
Check Click to create a user certificate.
Fill in the Descriptive Name as the username
Choose the appropriate Certificate Authority

Stop watching nonsense videos from years ago - from idiots, and follow the documentation given.

Did you think to look in the pfsense book?
https://docs.netgate.com/manuals/pfsense/en/latest/the-pfsense-book.pdf#section.20.3

did not give corrrect error message.

Why should it give you an error message? But it clearly told you that if you don't see the certs why that might be! You posted it yourself

If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, the client certificate does not exist on this firewall, or a user certificate is not associated with a user when local database authentication is enabled.

Sorry its not written at a 3rd grade level - but that is CRYSTAL CLEAR to why you might not see a cert listed in users in the export package..

If that is the info you do not understand - then why not just ask that?

Or ask hey there are no users listed in the export tool? etc... Sorry but pretty much all your doing is gibberish pointing out nonsense videos..

lmh1

Thx for help guys but i have this issue again:

The following input errors were detected:

Microsoft Certificate Storage cannot be used with an Inline configuration.
Could not locate the CA reference for the server certificate.
Failed to export config files!

johnpoz

@lmh1 said in OpenVPN why so hard to download config file?:

Microsoft Certificate Storage cannot be used with an Inline configuration.
Could not locate the CA reference for the server certificate.

And what do you not understand with that plain english?? You can not grab a inline config and use MS storage..

What server cert are you using in your configuration?? Where did you get it?

Follow the instructions given..

Or vs posting up links to stupid guides you have said you have followed - how about posting your actual config..

lmh1

self-signed 	2 	unknown

Valid From:
Valid Until: OpenVPN Server
OpenVPN Client
LDAP Server

I get config file from port 1195 but not from 1194.
But it say no can not read ca files, did i need with vpn files or its pfsense issue is?

johnpoz

Dude are you freaking serious??? I think your just trolling now.

That is just freaking gibberish.. Valid until Openvpn server - What??

The freaking wizard walks you through creating a CA on pfsense to use - and then walks you through creating the server cert to use!

All of which is gone over in the doc I linked you too.