    OpenVPN client export 2.4.3 configuration lacks the certificate name in SUBJ

      bofh16

      Greetings,
      I have the following setup related - OpenVPN server in Remote Access (SSL/TLS + User Auth) mode. LDAP authentication in place for the incoming VPN connections.

      Observations:

      • The (Win7) ovpn configuration file, generated with the earlier versions of client-export package, includes the user certificate name for the "cryptoapicert" option, e.g. "SUBJ:user-cert".

      • The (Win7) ovpn configuration file, generated with the latest version of client-export package, does not include the user certificate name for the "cryptoapicert" option, e.g. "SUBJ:". This makes it impossible to use the connection without manually editing the configuration file first.

      Additional notes:

      • This behavior has been spotted for Win7 client package only. No other OS installations, generated by the latest client-export package have been used/tested so far.

      • Unfortunately, I can't say for sure when the behavior changed, as there had been several client export package upgrades, before a new Win7 client was installed and the behavior observed.

      Please advise if this is an expected behavior.

      TIA

        johnpoz LAYER 8 Global Moderator

        You mean 1.4.12, which is what I show as the current package - it has dep on

        Package Dependencies:
          openvpn-client-export-2.4.3_3   openvpn-2.4.3   zip-3.0_1   p7zip-16.02

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          bofh16

          Yep, that's correct.

            johnpoz LAYER 8 Global Moderator

            You sure this ever worked how you say?  There is a bug filed in redmine that is over a year old.
            https://redmine.pfsense.org/issues/6339
            OpenVPN Client Export package option for "Use Microsoft Certificate Storage" does not specify which certificate to use

            There I have validated that it only puts in this option
            cryptoapicert "SUBJ:"

            For it to work shouldn't it need the FULL DN and not just a username anyway?

            I have never used openvpn cryptoapicert, wish I could be of more help.

              bofh16

              While I agree, the bug description matches 100% the issue I have, I can confirm, after N-times checking of installation packages, generated with earlier versions of client-export, the SUBJ is set correctly and installation works without any intervention.

              To be more specific about versions - OpenVPN GUI 11.4.0.0 works, the latest package includes 11.7.0.0, which doesn't.

                johnpoz LAYER 8 Global Moderator

                I am not using the install package.  Using just the file config download.

                  bofh16

                  Thanks, but it seems it's a "generate, then package" approach, e.g. same file.

                  Anyway, the main purpose of this post was to understand if it was a pfSense issue or not. Believe the answer is "yes". One possible explanation for the different behavior over time is "fix and re-introduce" has happened.

                  Appreciate the link from the bug database and the guidance provided.
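
Added example, not part of the thread and not pfSense or OpenVPN code: a small pre-distribution check that flags an exported .ovpn file whose `cryptoapicert` selector has no value after its type prefix, which is the `cryptoapicert "SUBJ:"` symptom discussed above. The sample configs, the host name `vpn.example.test` and the function name `check_cryptoapicert` are constructed for illustration.

```python
import shlex

# Constructed sample configs (not copied from an actual client-export output).
BROKEN_EXPORT = '''\
client
dev tun
remote vpn.example.test 1194 udp
# selector left empty, as reported in the thread
cryptoapicert "SUBJ:"
auth-user-pass
'''
FIXED_EXPORT = BROKEN_EXPORT.replace('"SUBJ:"', '"SUBJ:user-cert"')


def check_cryptoapicert(config_text):
    """Return [(line_number, problem)] for every bad cryptoapicert directive."""
    problems = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks and OpenVPN comment lines ('#' or ';').
        if not line or line[0] in "#;":
            continue
        if line.split(None, 1)[0] != "cryptoapicert":
            continue
        try:
            # shlex keeps a quoted selector (which may contain spaces) as one token.
            tokens = shlex.split(line)
        except ValueError:
            problems.append((lineno, "unbalanced quotes in selector"))
            continue
        if len(tokens) != 2:
            problems.append((lineno, "expected exactly one selector string"))
            continue
        kind, sep, value = tokens[1].partition(":")
        if not sep or not kind:
            problems.append((lineno, "selector has no TYPE: prefix"))
        elif not value.strip():
            problems.append((lineno, f"{kind}: selector is empty"))
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(name, check_cryptoapicert(text))
```

An empty result means every `cryptoapicert` line names a certificate; a config that does not use the Windows certificate store at all also returns an empty list.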
