Import OpenVPN from pfSense 1.2.3
-
Hi,
Is it possible to import and reuse the settings, certificates and keys from a pfSense 1.2.3 installation in pfSense 2.0?
Thanks in advance,
Markus
-
It is possible, but last I knew, there were still a couple quirks in the upgrade code that may prevent things from working as desired right away.
We still haven't had enough people try it and report what doesn't work like they want, and provide before-and-after configuration files for comparison.
-
I would be glad to help and provide the before and after config files.
The big question for me is: How do I start the import process?
And which files do you need (/var/etc/openvpn/*.conf)?
-
Just backup your config.xml from Diagnostics > Backup/Restore, save that somewhere, and then you can restore that to a 2.0 install.
Or if you install 2.0 on top of 1.2.x, it upgrades/converts automatically.
We'd just need copies of config.xml before and after the upgrade, and if something doesn't work, we'd need to know what you had to change to make it work (and possibly another config showing that).
You can remove passwords from the config, and any really private info.
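One way to strip secrets from a config.xml backup before sharing it, as an added example that is not part of the original post and not pfSense project code. The tag-name substrings, the `redact_config` helper and the sample document are assumptions made for illustration; check them against your own config.xml.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: substrings of element names that usually hold secrets.
SENSITIVE_TAG_PARTS = ("password", "passwd", "secret", "key", "psk")
# Content check: catches PEM private keys stored under an unexpected name.
PEM_PRIVATE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
PLACEHOLDER = "REDACTED"

def redact_config(xml_text):
    """Return (redacted_xml, sorted paths of the elements that were blanked)."""
    root = ET.fromstring(xml_text)
    redacted = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        by_name = any(p in elem.tag.lower() for p in SENSITIVE_TAG_PARTS)
        by_content = bool(PEM_PRIVATE.search(text))
        # Only leaf elements carry values; containers are walked, not blanked.
        if len(elem) == 0 and text and (by_name or by_content):
            elem.text = PLACEHOLDER
            redacted.append(here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), sorted(redacted)

# Constructed sample, not a real pfSense config; element names are illustrative.
SAMPLE = """<config>
  <system><hostname>fw1</hostname>
    <user><name>admin</name><password>$1$abc$hash</password></user></system>
  <vpn><tunnel>
    <lzo>on</lzo>
    <shared_key>0123456789abcdef</shared_key>
    <server_blob>-----BEGIN RSA PRIVATE KEY-----
MIIBexample
-----END RSA PRIVATE KEY-----</server_blob>
    <ca_cert>-----BEGIN CERTIFICATE-----
MIIBexample
-----END CERTIFICATE-----</ca_cert>
  </tunnel></vpn>
</config>"""

if __name__ == "__main__":
    out, paths = redact_config(SAMPLE)
    print("\n".join(paths))
    print(out)
```

Public certificates, hostnames and addresses are left in place, so read through the output for any other private info before posting it.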
-
I just upgraded my home router from 1.2.3 to 2.0 last night and fixed an OpenVPN upgrade quirk when I did it, and found a couple more.
The only thing that prevented my tunnels from coming back up was the fact that the LZO compression setting didn't carry over. I checked in a fix for that last night.
The other things I found were that the Dynamic IP setting for servers, and the CRL list for servers, were not present in 2.0. I fixed the dynamic IP choice, but the CRL will take a bit more time/effort.
-
I tried to get my config.xml imported into 2.0 but this would only give me an error, so I had to import the settings by hand.
I had an OpenVPN configuration with Public Key Infrastructure (PKI), which is not present with this name in pfSense 2.0 Beta1.
I guess it is now called "Remote Access (SSL/TLS)" but I'm not sure of that. I think I can insert my CA, certificate and private key files, but how can I do this with my DH file?
Is this the same on every system? Unlikely, so I guess I have to replace the dh1024 file on the filesystem itself.
-
Correct, that is Remote Access (SSL/TLS).
You do not need to import the same DH parameters, you can generate new ones and it shouldn't hurt anything. They aren't tied to the CA or Cert.