4. OpenVPN client export 2.4.3 configuration lacks the certificate name in SUBJ

OpenVPN client export 2.4.3 configuration lacks the certificate name in SUBJ

  • B

    Greetings,
    I have the following setup related - OpenVPN server in Remote Access (SSL/TLS + User Auth) mode. LDAP authentication in place for the incoming VPN connections.

    Observations:

    • The (Win7) ovpn coniguration file, generated with the earlier versions of client-export package, includes the user certificate name for the "cryptoapicert" option, e.g. "SUBJ:user-cert".

    • The (Win7) ovpn coniguration file, generated with the latest version of client-export package, does not include the user certificate name for the "cryptoapicert" option, e.g. "SUBJ:". This makes impossible to use the connection, without manually editing the configuration file first.

    Additional notes:

    • This behavior has been spotted for Win7 client package only. No other OS installations, generated by the latest client-export package have been used/tested so far.

    • Unfortunately, I can't say for sure when the behavior changed, as there had been several client export package upgrades, before a new Win7 client was installed and the behavior observed.

    Please, advise if this is and expected behavior.

    TIA

    0
  • LAYER 8 Global Moderator

    You mean 1.4.12, which is what I show as the current package - it has dep on

    Package Dependencies:
      openvpn-client-export-2.4.3_3   openvpn-2.4.3   zip-3.0_1   p7zip-16.02

    0
  • B

    Yep, that's correct.

    0
  • LAYER 8 Global Moderator

    You sure this ever worked how you say?  There is bug filed in redmine that is over a year old.
    https://redmine.pfsense.org/issues/6339
    OpenVPN Client Export package option for "Use Microsoft Certificate Storage" does not specify which certificate to use

    There I have validated that it only puts in this option
    cryptoapicert "SUBJ:"

    For it to work shouldn't it need the FULL DN and not just a username anyway?

    I have never used openvpn cryptoapicert, wish could be of more help..

    0
  • B

    While I agree, the bug description matches 100% the issue I have, I can confirm, after N-times checking of installation packages, generated with earlier versions of client-export, the SUBJ is set correctly and installation works without any intervention.

    To be more specific about versions - OpenVPN GUI 11.4.0.0 works, the latest package includes 11.7.0.0, which doesn't.

    0
  • LAYER 8 Global Moderator

    I am not using the install package.  Using just the file config download.

    0
  • B

    Thanks, but it seems it's "generate, then package" approach, e.g. same file.

    Anyway, the main purpose of this post was to understand if it was a pfSense issue or not. Believe the answer is "yes". One possible explanation for the different behavior over time is "fix and re-introduce" has happened.

    Appreciate the link from the bug database and the guidance provided.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy