OpenVPN client export 2.4.3 configuration lacks the certificate name in SUBJ



  • Greetings,
    I have the following setup related - OpenVPN server in Remote Access (SSL/TLS + User Auth) mode. LDAP authentication in place for the incoming VPN connections.

    Observations:

    • The (Win7) ovpn coniguration file, generated with the earlier versions of client-export package, includes the user certificate name for the "cryptoapicert" option, e.g. "SUBJ:user-cert".

    • The (Win7) ovpn coniguration file, generated with the latest version of client-export package, does not include the user certificate name for the "cryptoapicert" option, e.g. "SUBJ:". This makes impossible to use the connection, without manually editing the configuration file first.

    Additional notes:

    • This behavior has been spotted for Win7 client package only. No other OS installations, generated by the latest client-export package have been used/tested so far.

    • Unfortunately, I can't say for sure when the behavior changed, as there had been several client export package upgrades, before a new Win7 client was installed and the behavior observed.

    Please, advise if this is and expected behavior.

    TIA


  • LAYER 8 Global Moderator

    You mean 1.4.12, which is what I show as the current package - it has dep on

    Package Dependencies:
      openvpn-client-export-2.4.3_3   openvpn-2.4.3   zip-3.0_1   p7zip-16.02



  • Yep, that's correct.


  • LAYER 8 Global Moderator

    You sure this ever worked how you say?  There is bug filed in redmine that is over a year old.
    https://redmine.pfsense.org/issues/6339
    OpenVPN Client Export package option for "Use Microsoft Certificate Storage" does not specify which certificate to use

    There I have validated that it only puts in this option
    cryptoapicert "SUBJ:"

    For it to work shouldn't it need the FULL DN and not just a username anyway?

    I have never used openvpn cryptoapicert, wish could be of more help..



  • While I agree, the bug description matches 100% the issue I have, I can confirm, after N-times checking of installation packages, generated with earlier versions of client-export, the SUBJ is set correctly and installation works without any intervention.

    To be more specific about versions - OpenVPN GUI 11.4.0.0 works, the latest package includes 11.7.0.0, which doesn't.


  • LAYER 8 Global Moderator

    I am not using the install package.  Using just the file config download.



  • Thanks, but it seems it's "generate, then package" approach, e.g. same file.

    Anyway, the main purpose of this post was to understand if it was a pfSense issue or not. Believe the answer is "yes". One possible explanation for the different behavior over time is "fix and re-introduce" has happened.

    Appreciate the link from the bug database and the guidance provided.


Log in to reply