OpenVPN Client Export error about PKCS#11, auto-adding of explicit exit notify in client conf
-
#1
Error Message:
This message pops up with a simple OpenVPN RAS style server configured with User/Pass only(!). So no certificates should be used. But exporting a config throws this error around and fails.
#2
Wanted to export a simple user/pass only config to test, if the exported config still has "explicit exit notify" automatically set when it's a UDP server and if that option is disabled if one manually adds another remote statement via custom options.If not: that is still a big problem for various customers that are running bigger configurations of OpenVPN with fallback to a TCP-style server. Typical scenario: default dial in is UDP/1194, fallback is TCP/443. As the bigwigs don't like multiple VPN connections to choose from, put both / multiple remote statements in it to do an automatic fallback it the initial one fails (in bad hotel Wifis that block UDP). That worked up until 2.4.x and changed with the introduction of the auto added "explicit-exit-notify" for UDP servers in 2.5.x.
Please consider adding an option to disable the auto-addiction! We have multiple customers with hundreds(!) of Client configs, that have to manually edit each and every file to remove the line so the users doesn't end up with an error message after their VPN deployment.
Cheers
\jens -
If there aren't already redmine entries for those, create them. A bug report for the first one, a feature request for the second.
-
The error appears to have been caused by the changes made to fix https://redmine.pfsense.org/issues/12475, and that issue was still open, so I will reuse that and commit a fix shortly.