    OpenVPN users don't show up for export in 2.0.1

    • D
      dszp last edited by

      When using the Client Export Utility, no users show up. This is a fresh 2.0.1 NetGate box. I created a CA, set that CA as the CA for the OpenVPN utility (CA was created using OpenVPN Wizard). I edited the "admin" user and checked the "Create a certificate" box and set common name to "admin" and days to 1095, and saved. No client certificate is generated.

      So I generated a new certificate manually (from Cert Manager) from the CA I created with the same details. The certificate shows up in Cert Manager but the Users download area is still blank for the OpenVPN Client Export page.

      I've done this on like 20 pfSense installations before, I've double-checked everything, so unless I'm blind or my brain is scrambled (I got a good night's sleep last night though :-) there seems to be a bug in the 2.0.1 certificate/OpenVPN Client Export code, possibly related to the certificate checking changes in the 2.0.1 update? Or something else, but it's not working! Any thoughts?

      David Szpunar

      • D
        dszp last edited by

        OK nevermind. I had a second OpenVPN tunnel set up (site to site) and I changed that to Shared Key and all of a sudden things started working. Must have been a conflict between the two tunnels' configurations (one remote worker and one site-to-site). Still possibly a bug (at least that it allows the config of two tunnels that doesn't work properly, with no warnings) but it's not preventing what I'm trying to do now :-)

        David Szpunar

        • D
          dszp last edited by

          OK nevermind, bug is back :-) But a little different:

          If I set the OpenVPN tunnel to Remote Access (SSL/TLS) then I get the download in Client Export, and it works, but doesn't prompt for a username/password (correct).
          If I set the OpenVPN tunnel to Remote Access (SSL/TLS + User Auth) then I get NO usernames listed to download. However, I assume this is related to not being able to generate a certificate for the user from User Manager, and the manually-generated one (even with the same CN as the username) is not being linked to the user, so it's not showing any certificates available. Any ideas why I can't auto-generate a User certificate from User Manager?

          David Szpunar

          • D
            dszp last edited by

            OK one more update. If I create a NEW user, not named admin, I can generate a user certificate (at least as part of the new user creation process) just fine, and it works. If I edit the admin user, and click the Generate certificate box and fill out the details, NO certificate is generated or linked to the user.

            David Szpunar

            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              I'm not sure making an admin cert has never been supported, probably a way of actively discouraging using the firewall administrator's credentials for anything other than the firewall…

              • D
                dszp last edited by

                I don't know that I've ever noticed it not working before, but it failing silently is a bug. Either the UI should not let me try and generate an admin cert, or it should return a warning, or something. When it works perfectly except nothing happens, you get forum posts like this and I waste 30+ minutes trying to figure it out :-)

                David Szpunar

                • jimp
                  jimp Rebel Alliance Developer Netgate last edited by

                  Actually it looks like this was a simple case of an incorrect variable test. It was testing if ($var) which was failing because the uid was 0, when it should have been checking with isset() or is_numeric.

                  It's fixed now, and the same bug was also keeping it from showing admin's effective permissions so that's fixed too.

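The class of bug described in the post above (a truthiness test on a uid that can legitimately be 0), shown as an added example. This is not pfSense source and not part of the original thread; the function names, the record layout and the sample users are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not pfSense source. Function and field names are hypothetical.

// Constructed user records. uid 0 stands in for the built-in admin account.
$users = [
    ['name' => 'admin',  'uid' => 0],
    ['name' => 'alice',  'uid' => 2000],
    ['name' => 'broken'],                 // no uid at all
    ['name' => 'bogus',  'uid' => 'abc'], // present but not numeric
];

// Buggy test: integer 0 is falsy in PHP, so a valid uid of 0 is treated as "no user".
function has_user_buggy(array $user): bool
{
    $uid = $user['uid'] ?? null;
    if ($uid) {
        return true;
    }
    return false;
}

// Corrected test: ask whether a uid is present and numeric, not whether it is truthy.
function has_user_fixed(array $user): bool
{
    return isset($user['uid']) && is_numeric($user['uid']);
}

// Hypothetical save handler: attaches a certificate only if the user check passes,
// and returns null otherwise, which is the silent no-op described in the thread.
function attach_cert(array $user, callable $check): ?string
{
    if (!$check($user)) {
        return null;
    }
    return sprintf('cert for CN=%s (uid %d)', $user['name'], $user['uid']);
}

foreach ($users as $user) {
    printf(
        "%-7s buggy=%-5s fixed=%s\n",
        $user['name'],
        var_export(attach_cert($user, 'has_user_buggy') !== null, true),
        var_export(attach_cert($user, 'has_user_fixed') !== null, true)
    );
}
```

The truthiness test fails in both directions: it skips the uid 0 account and accepts the non-numeric value, while the isset()/is_numeric() test handles all four records as intended. The same pattern applies to any identifier where 0, "0" or an empty string is a valid value, including permission and ownership checks.
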
                  • D
                    dszp last edited by

                    Awesome, I feel useful again! :-) Thank you. That was easy enough I should have dug into the code and submitted a patch to say I've actually done dev work :-)

                    David Szpunar
