OpenVPN Client Export
-
I've got a problem. Ever since the upgrade to 2.3.1 the Client Export package doesn't show any clients even though I have several..
I'm not sure if it's related, but when I upgraded to 2.3.1 the upgrade trashed my configuration, I reloaded from a backup and since then no client export.
-
So you see your users with certs in user manager?
YOur saying something happened on your upgrade, guessing your users got trashed too.
-
Actually all you need are user type certificates in Certificate manager, no need to actually create users (unless you want to).
I agree though, it's likely a fault of a corrupted/mangled config.
-
^ this is true.. If your only going to do cert auth then all you need is the user certs created by your CA your openvpn server is using. You do not need to have actual users in the Pfsense user manager for them to show up in the export util.
I should of worded that a bit better, thanks for the clarification divsys
-
My client certs are fine, I don't think the configuration issue is related. I brought it up to be thorough in case the upgrade was related to package corruption somehow. In this case I even copied in a client cert in from outside that was lost because the backup wasn't new enough. None of the client show up in the export client list.
I've even made new client certs and they don't show up either in client export. I've uninstalled the package, reinstalled the package. I don't know what's going on. I can't be sure but I think everything disappeared in client export before the upgrade that trashed my configuration (2.3.1), I think it was from 2.2 to 2.3 where it was lost.
Anyway, I've been watching to see if anyone else has the issue and no one's posted anything so it's not a general bug at least. But the question is what do I need to check. I've blown away and recreated certs, the VPN service, uninstalled the export package and reinstalled. I'm stumped. Though I'm not a BSD user I've been using Linux for years so I'm not scared to get in on the command line but obviously my command and config experience is with Linux.
I need a pointer on what to check, it's very odd that it lists nothing.
-
The OpenVPN server is listed there? That eliminates one of the possibilities, a server config type that can't be used.
From there, if you have user auth enabled on the OpenVPN server, then you must have users with certs associated with them (or set to external auth). Usually it's that your OpenVPN server is using a diff CA than your user certs.
-
Server's listed, clients listed, the clients have certs based on the same CA as the server. Hell I've made new client certs to test it. The only thing I haven't done is build an entirely new CA, client certs and OpenVPN server all in one. I've done all of them except build a new CA just not all together in one shot.
It damn confusing. It feels like the client export configuration can't see the client certs but they are listed in the client list and the server can see them because I can connect for clients that existed in the backup. But I can't export a config using the client export package because nothing is in the client export list. And exporting manually is a serious pain.
If no one can think of a reason I'll trash the whole CA and clients and start from scratch, I was hoping for a simple error but the logs are devoid of anything. I'm not even confident rebuilding the entire OpenVPN config and certs will help.
-
Which OpenVPN "server mode" is chosen?
-
Bingo. That's what I needed. I had configured it from a tablet in trying to troubleshoot and must have set it to SSL/TLS + UserAuth, switching it back brought back the client export list.
Thanks,
