Openvpn-client-export - No 'Remote Access Server's' in list



  • I assume this is the correct location to post this? My apologies if I've got it wrong…

    ---PROBLEM---

    I have 3x SG-2440 pfSense boxes where the 'Remote Access Server' list in the openvpn-client-export utility is either empty or not displaying correctly. Because I can't select a server, I can't use the utility! Please help, building client configs manually is wearing me down  :'(

    ---BACKGROUND---

    I have 5 pfSense boxes running.
    All have a very similar setup (same packages, same services running, but different subnets, slightly different firewall rules etc.)

    All have the same version of pfSense (2.3.1-RELEASE-p1)
    All have the same version of the openvpn-client-export package ( 1.3.8 )

    2 of the devices are 64-bit PCs
    3 of the devices are SG-2440s

    3 of the devices have gone through an entire rebuild from factory settings to try to identify any problem in setup. But this made no difference to the outcome. 1 of the boxes was a 64-bit PC (I wanted to see if this would stop working after a rebuild, however it worked just fine). The other 2 devices were SG-2440s; before and after the rebuild, the export utility still wouldn't show a list.


  • Rebel Alliance Global Moderator

    What do you think the export is supposed to list?  It's going to list user certs that you have set up for use with your vpn connection.



  • @JAS85:

    I have 3x SG-2440 pfSense boxes where the 'Remote Access Server' list in the openvpn-client-export utility is either empty or not displaying correctly.

    This usually happens when you didn't select PROPER certificate options in OpenVPN server settings.

    You should have:
    1 CA, selected as Peer Certificate Authority
    1 CRL for this CA, selected as Peer Certificate Revocation list
    1 Server certificate, issued by that CA, selected as Server certificate
    N User certificates, issued by that CA.



  • @johnpoz:

    What do you think the export is supposed to list?  It's going to list user certs that you have set up for use with your vpn connection.

    I don't believe this to be the case, it hasn't in the past and I can't imagine why it would now.
    "Remote Access Server" should be listing servers and even if it were meant to be listing client certs, it's not listing the client certs either.

    Client certs are listing at the bottom of the export utility anyway as it has done in the past.



  • @pan_2:

    @JAS85:

    I have 3x SG-2440 pfSense boxes where the 'Remote Access Server' list in the openvpn-client-export utility is either empty or not displaying correctly.

    This usually happens when you didn't select PROPER certificate options in OpenVPN server settings.

    You should have:
    1 CA, selected as Peer Certificate Authority
    1 CRL for this CA, selected as Peer Certificate Revocation list
    1 Server certificate, issued by that CA, selected as Server certificate
    N User certificates, issued by that CA.

    I'm not entirely sure what you mean by PROPER? Is that meant to be some sort of setting that needs to be selected? Or do you mean proper as in, setup is wrong…

    Everything is set up as you've mentioned above, except I never had a CRL set up in the OpenVPN server.
    Despite not believing the CRL would make any difference, I tried it anyway. But as expected, servers still haven't been listed in the server list.

    As mentioned before, I have other machines (without CRL set up in the OpenVPN server) and client export utility is performing exactly as I expect.



  • I have attached two images

    This is from pfSense on a 64bit PC. This is showing servers in the list and is behaving as I would expect.

    The other is from an SG-2440. This list is blank, server won't show.






  • I'm not entirely sure what you mean by PROPER

    By PROPER I mean a full certificate chain (CA, CA->Server, CA->Client) is in Certificates and correct certificate types (and issuance) are selected in OpenVPN configuration.

    Could you provide a screenshot of problematic OpenVPN settings and corresponding Certificates sections (CA, Server, Client)?



  • @pan_2:

    Could you provide a screenshot of problematic OpenVPN settings and corresponding Certificates sections (CA, Server, Client)?

    I have to reaffirm, the VPN setup is working. Working without any problems.
    As per the previously attached images, it's the Client Export Utility that doesn't list any servers. Seems to be no problem with the VPN server, clients can connect fine.

    Have attached requested screenshots. In addition to the screen shots, there is one setting selected for CSC Overrides, and that is a DNS server

    Cheers,
    James





    ![OpenVPN - General.PNG](/public/imported_attachments/1/OpenVPN - General.PNG)
    ![OpenVPN - Crypto.PNG](/public/imported_attachments/1/OpenVPN - Crypto.PNG)
    ![OpenVPN - Tunnel.PNG](/public/imported_attachments/1/OpenVPN - Tunnel.PNG)
    ![OpenVPN - Client-Advanced.PNG](/public/imported_attachments/1/OpenVPN - Client-Advanced.PNG)



  • Peer to peer OpenVPN server types don't show up in client export, by design. That's not a remote access type, so it won't be there.


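Added example, not part of the thread and not pfSense's own code: a check for the cause identified in the reply above, run against a copy of a firewall's config.xml. It assumes server entries are stored under `openvpn/openvpn-server` with a `mode` element, and that the export utility lists only modes beginning with `server`; the sample config and its refids are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# <mode> values and their GUI labels (assumed mapping, not taken from the thread)
MODE_LABELS = {
    "p2p_tls": "Peer to Peer (SSL/TLS)",
    "p2p_shared_key": "Peer to Peer (Shared Key)",
    "server_tls": "Remote Access (SSL/TLS)",
    "server_user": "Remote Access (User Auth)",
    "server_tls_user": "Remote Access (SSL/TLS + User Auth)",
}

# Constructed sample: server 1 repeats the thread's mistake, server 3 lacks a server cert
SAMPLE_CONFIG = """<pfsense><openvpn>
  <openvpn-server><vpnid>1</vpnid><mode>p2p_tls</mode>
    <caref>ca-placeholder</caref><certref>cert-placeholder</certref></openvpn-server>
  <openvpn-server><vpnid>2</vpnid><mode>server_tls</mode>
    <caref>ca-placeholder</caref><certref>cert-placeholder</certref></openvpn-server>
  <openvpn-server><vpnid>3</vpnid><mode>server_tls_user</mode>
    <caref>ca-placeholder</caref></openvpn-server>
</openvpn></pfsense>"""


def audit_openvpn_servers(config_xml):
    """Return one row per OpenVPN server: mode, export visibility, missing cert refs."""
    report = []
    for srv in ET.fromstring(config_xml).findall("./openvpn/openvpn-server"):
        mode = (srv.findtext("mode") or "").strip()
        # Shared-key tunnels carry no CA or server certificate; every other mode does.
        needs_certs = mode != "p2p_shared_key"
        missing = [tag for tag in ("caref", "certref")
                   if needs_certs and not (srv.findtext(tag) or "").strip()]
        report.append({
            "vpnid": srv.findtext("vpnid"),
            "mode": MODE_LABELS.get(mode, mode or "unknown"),
            # Peer-to-peer servers are left out of the export list by design.
            "in_export_list": mode.startswith("server"),
            "missing_refs": missing,
        })
    return report


if __name__ == "__main__":
    for row in audit_openvpn_servers(SAMPLE_CONFIG):
        print(row)
```
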

  • @cmb:

    Peer to peer OpenVPN server types don't show up in client export, by design. That's not a remote access type, so it won't be there.

    Kill me now… only four letter swear words coming out of my mouth at this point. So annoyed with myself.

    You've spotted an error in my setup, should be 'Remote Access (SSL/TLS)'. Such an obvious mistake and I've managed to overlook it about 1000x times.

    Cheers for your help, that has solved my issue.  :o



  • @JAS85:

    Kill me now… only four letter swear words coming out of my mouth at this point. So annoyed with myself.

    You've spotted an error in my setup, should be 'Remote Access (SSL/TLS)'. Such an obvious mistake and I've managed to overlook it about 1000x times.

    Cheers for your help, that has solved my issue.  :o

    I had the same problem.
    I googled and found this thread.
    I used the same solution and a similar swear word to blame my configuration error :)

    Thank you for this post, it saved me from making a second stupid post  :) :)