Export Utility File Contents



  • Hi Guys

    I've created an OpenVPN for my road warriors on a pfSense 2.01 install and now I'm using the client export utility. I click on the Client Export tab, then for the client I want to export I select "Configuration archive". It downloads a zip file that contains only three files.

    pyro-bri-udp-1194-tls.key
    pyro-bri-udp-1194.ovpn
    pyro-bri-udp-1194.p12

    Here are the contents of the ovpn file; it seems to be missing any reference to the .crt file and .key file.

    
    dev tun
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.xxx.xxx 1194
    tls-remote MAS-OPENVPN
    auth-user-pass
    pkcs12 pyro-bri-udp-1194.p12
    tls-auth pyro-bri-udp-1194-tls.key 1
    

    Are these all the files that are meant to be in the zip file? Are the server.crt and server.key meant to be in that archive as well, or am I meant to manually download those from the Certificate Manager page?

    Thanks

    Wasca



  • If I download the Viscosity Bundle zip file I see there is a ca.crt, cert.crt, key.key, and ta.key.

    I want to be able to use OpenVPNGUI so I want the one that has the .ovpn config file.



  • Hi Guys

    I've sorted out my issue. All good now. I now understand that using the method of authentication I have does not need those files.

    One thing I did discover. For Windows 7 machines you need to add these extra lines at the bottom of the client config.

    route-method exe
    route-delay 2


  • Rebel Alliance Developer Netgate

    The ca, cert, and key are all inside of that .p12 file. Read up on PKCS #12.

    If you really want to separate them, you can use the openssl command to break them up:
    http://www.sslshopper.com/article-most-common-openssl-commands.html
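
The split described in the post above, as an added example that is not part of the original thread: three `openssl pkcs12` calls separate a bundle into CA certificate, client certificate and private key, and a check confirms the key belongs to the certificate. The function names, output file names and the throwaway demo bundle are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): split a PKCS #12 bundle into PEM files.

# split_p12 BUNDLE OUTDIR PASSARG
# PASSARG is an OpenSSL pass-phrase source such as "pass:secret" or "env:P12PASS".
split_p12() {
    p12=$1; out=$2; pass=$3
    mkdir -p "$out" || return 1
    # client.key is written unencrypted (-nodes), so create files owner-only.
    old_umask=$(umask); umask 077
    rc=0
    {
        # Certificates with no matching key in the bundle: the CA chain.
        openssl pkcs12 -in "$p12" -passin "$pass" -cacerts -nokeys \
            -out "$out/ca.crt" 2>/dev/null &&
        # The certificate that belongs to the bundled private key.
        openssl pkcs12 -in "$p12" -passin "$pass" -clcerts -nokeys \
            -out "$out/client.crt" 2>/dev/null &&
        # The private key itself.
        openssl pkcs12 -in "$p12" -passin "$pass" -nocerts -nodes \
            -out "$out/client.key" 2>/dev/null
    } || rc=$?
    umask "$old_umask"
    # On a wrong password or damaged bundle, leave no partial output behind.
    [ "$rc" -eq 0 ] || rm -f "$out/ca.crt" "$out/client.crt" "$out/client.key"
    return "$rc"
}

# key_matches_cert CERT KEY: succeed only if both carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# make_demo_p12 DIR PASSARG: build a throwaway, constructed bundle (demo.p12)
# from two self-signed certificates so the functions can be tried offline.
make_demo_p12() {
    d=$1; demo_pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-client" \
        -keyout "$d/cl.key" -out "$d/cl.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$d/cl.pem" -inkey "$d/cl.key" \
        -certfile "$d/ca.pem" -passout "$demo_pass" -out "$d/demo.p12" 2>/dev/null
}
```

For a real export, call `split_p12` with the `.p12` path, an output directory and the export password source. On OpenSSL 3.x, a bundle written with older algorithms may need the `-legacy` option added to each `openssl pkcs12` call.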


  • Rebel Alliance Developer Netgate

    @Wasca:

    route-method exe
    route-delay 2

    Did you still have to run the client as Administrator with that? Or did it give a UAC prompt?

    Normally the client works as-is but you have to run it as administrator.



  • I did not have to specify to run as administrator, I have UAC turned off and my account is an Admin account.


  • Rebel Alliance Developer Netgate

    Ah, ok. Having UAC off is probably why that worked for you then.



  • @jimp:

    Did you still have to run the client as Administrator with that? Or did it give a UAC prompt?

    Normally the client works as-is but you have to run it as administrator.

    WRT the UAC issue, you might want to check

    https://vpnuk.info/scheduled-task.html
    http://forums.untangle.com/openvpn/30901-bye-bye-uac-promts.html



  • Try the Securepoint client (securepoint.cc); that runs the ovpn daemon as a service, so no UAC shenanigans, and a reasonable GUI too.


  • Rebel Alliance Developer Netgate

    I just added the OpenVPN 2.3 beta to the export package (you can choose 2.2 or 2.3 now) and the 2.3 install does not produce a UAC prompt on my Win 7 box, and it does add the routes.



  • @jimp:

    I just added the OpenVPN 2.3 beta to the export package (you can choose 2.2 or 2.3 now) and the 2.3 install does not produce a UAC prompt on my Win 7 box, and it does add the routes.

    I created the OpenVPN Installer package 2.3beta on pfSense 2.0.1 i386 and am using it on my Windows 7 Ultimate x64, and adding the routes is NOT working without admin rights.


  • Rebel Alliance Developer Netgate

    Try uninstalling OpenVPN completely first - old and new versions - then reinstall just the 2.3 beta.



  • @jimp:

    Try uninstalling OpenVPN completely first - old and new versions - then reinstall just the 2.3 beta.

    Not working for me. Uninstalled all OpenVPN versions, rebooted and installed the new version, rebooted.
    This is the log:

    
    Wed Oct 03 18:41:31 2012 OpenVPN 2.3_beta1 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Sep 21 2012
    Enter Management Password:
    Wed Oct 03 18:41:31 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Wed Oct 03 18:41:31 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Oct 03 18:41:31 2012 Control Channel Authentication: using 'A208808.key' as a OpenVPN static key file
    Wed Oct 03 18:41:33 2012 Attempting to establish TCP connection with [AF_INET]111.111.111.111:1111
    Wed Oct 03 18:41:33 2012 TCP connection established with [AF_INET]111.111.111.111:1111
    Wed Oct 03 18:41:33 2012 TCPv4_CLIENT link local: [undef]
    Wed Oct 03 18:41:33 2012 TCPv4_CLIENT link remote: [AF_INET]111.111.111.111:1111
    Wed Oct 03 18:41:36 2012 [OpenVPN-RoadWarrior-Server] Peer Connection Initiated with [AF_INET]111.111.111.111:1111
    Wed Oct 03 18:41:38 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Wed Oct 03 18:41:38 2012 open_tun, tt->ipv6=0
    Wed Oct 03 18:41:38 2012 TAP-WIN32 device [LAN-Verbindung 11] opened: \\.\Global\{018BD089-27A7-4FBF-A90D-52B819EBE2D1}.tap
    Wed Oct 03 18:41:38 2012 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.32.6/255.255.255.252 on interface {018BD089-27A7-4FBF-A90D-52B819EBE2D1} [DHCP-serv: 10.0.32.5, lease-time: 31536000]
    Wed Oct 03 18:41:38 2012 Successful ARP Flush on interface [40] {018BD089-27A7-4FBF-A90D-52B819EBE2D1}
    Wed Oct 03 18:41:43 2012 ROUTE: route addition failed using CreateIpForwardEntry: The Object already exists.   [status=5010 if_index=40]
    Wed Oct 03 18:41:43 2012 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Adding the route failed: The Object already exists.
    
    Wed Oct 03 18:41:43 2012 Initialization Sequence Completed
    Wed Oct 03 19:39:26 2012 ROUTE: route deletion failed using DeleteIpForwardEntry: Element not found.  
    Wed Oct 03 19:39:26 2012 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Deleting the route failed: Element not found.
    
    Wed Oct 03 19:39:26 2012 SIGTERM[hard,] received, process exiting
    
    

  • Rebel Alliance Developer Netgate

    Might help if that were in English ;-)



  • @jimp:

    Might help if that were in English ;-)

    Difficult on a German Windows ;-)
    I tried to translate the few sentences with my best school English in the original post.


  • Rebel Alliance Developer Netgate

    So that's saying it's trying to add a route that already exists.

    Sure you're connecting to the right VPN? From a location that isn't behind the firewall you're using for the VPN?

    The old failure with UAC was different, it mentioned something about lacking permissions or rights.



    I am trying this from home, behind my home router.

    When I connect to the VPN server the connection will be established - the systray icon turns green. But "netstat -rn" does not show me additional routes - just the route for the tunnel network.

    When I run the OpenVPN client with admin rights the routes will be added.

    But when I run it with admin rights I got a similar error message:

    
    Wed Oct 03 21:17:58 2012 Successful ARP Flush on interface [50] {FBDB3111-D2E3-4899-A765-87EAFB843546}
    Wed Oct 03 21:18:03 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object still exists.   [status=5010 if_index=50]
    Wed Oct 03 21:18:03 2012 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Wed Oct 03 21:18:03 2012 Initialization Sequence Completed
    
    

    But then I can connect to the pfsense server and to the LAN clients behind pfsense.

