Export Utility File Contents

Wasca

Hi Guys

I've created a OpenVPN for my road warriors on a PFSense 2.01 install and now I'm using the client export utility. I click on the Client Export tab then for the client I want to export I select "Configuration archive" it downloads a zip file that contains only three files.

pyro-bri-udp-1194-tls.key
pyro-bri-udp-1194.ovpn
pyro-bri-udp-1194.p12

Here is the contents of the ovpn file, seems to be missing any reference to the .crt file and .key file

dev tun
persist-tun
persist-key
proto udp
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194
tls-remote MAS-OPENVPN
auth-user-pass
pkcs12 pyro-bri-udp-1194.p12
tls-auth pyro-bri-udp-1194-tls.key 1

Are these all the files that are meant to be in the zip file? is the server.crt and server.key meant to be in that archive as well, or am I meant o manually download those from the Certificate Manager page.

Thanks

Wasca ???

Wasca

If I download the Viscosity Bundle zip file I see there is a ca.crt, cert.crt, key.key, and ta.key.

I want to be able to use OpenVPNGUI so I want the one that has the .ovpn config file.

Wasca

Hi Guys

I've sorted out my issue. All good now. I know understand that using the method of authentication I have does not need those files.

One thing I did discover. For Windows 7 machines you need to add these extra lines at the bottom of the client config.

route-method exe
route-delay 2

jimp

The ca, cert, and key are all inside of that .p12 file. Read up on PKCS #12.

If you really want to separate them, you can use the openssl command to break them up:
http://www.sslshopper.com/article-most-common-openssl-commands.html

jimp

@Wasca:

route-method exe
route-delay 2

Did you still have to run the client as Administrator with that? Or did it give a UAC prompt?

Normally the client works as-is but you have to run it as administrator.

Wasca

I did not have to specify to run as administrator, I have UAC turned off and my account is an Admin account.

jimp

Ah, ok. Having UAC off is probably why that worked for you then.

dhatz

@jimp:

Did you still have to run the client as Administrator with that? Or did it give a UAC prompt?

Normally the client works as-is but you have to run it as administrator.

Wrt to the UAC issue, you might want to check

https://vpnuk.info/scheduled-task.html
http://forums.untangle.com/openvpn/30901-bye-bye-uac-promts.html

jonallport

Try the Securepoint client (securepoint.cc); that runs the ovpn daemon as a service, so no UAC shenanigans, and a reasonable GUI too.

jimp

I just added the OpenVPN 2.3 beta to the export package (you can choose 2.2 or 2.3 now) and the 2.3 install does not produce a UAC prompt on my Win 7 box, and it does add the routes.

Nachtfalke

@jimp:

I just added the OpenVPN 2.3 beta to the export package (you can choose 2.2 or 2.3 now) and the 2.3 install does not produce a UAC prompt on my Win 7 box, and it does add the routes.

I created the OpenVPN Installer package 2.3beta on pfsense 2.0.1 i386 and using it on my Windows 7 Ultimate x64 and adding the routes is NOT working without admin rights.

jimp

Try uninstalling OpenVPN completely first - old and new versions - then reinstall just the 2.3 beta.

Nachtfalke

@jimp:

Try uninstalling OpenVPN completely first - old and new versions - then reinstall just the 2.3 beta.

Not working for me. Uninstalled all OpenVPN versions, rebooted and installed the new version, rebooted.
This is the log:

Wed Oct 03 18:41:31 2012 OpenVPN 2.3_beta1 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Sep 21 2012
Enter Management Password:
Wed Oct 03 18:41:31 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Wed Oct 03 18:41:31 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Oct 03 18:41:31 2012 Control Channel Authentication: using 'A208808.key' as a OpenVPN static key file
Wed Oct 03 18:41:33 2012 Attempting to establish TCP connection with [AF_INET]111.111.111.111:1111
Wed Oct 03 18:41:33 2012 TCP connection established with [AF_INET]111.111.111.111:1111
Wed Oct 03 18:41:33 2012 TCPv4_CLIENT link local: [undef]
Wed Oct 03 18:41:33 2012 TCPv4_CLIENT link remote: [AF_INET]111.111.111.111:1111
Wed Oct 03 18:41:36 2012 [OpenVPN-RoadWarrior-Server] Peer Connection Initiated with [AF_INET]111.111.111.111:1111
Wed Oct 03 18:41:38 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Oct 03 18:41:38 2012 open_tun, tt->ipv6=0
Wed Oct 03 18:41:38 2012 TAP-WIN32 device [LAN-Verbindung 11] opened: \\.\Global\{018BD089-27A7-4FBF-A90D-52B819EBE2D1}.tap
Wed Oct 03 18:41:38 2012 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.32.6/255.255.255.252 on interface {018BD089-27A7-4FBF-A90D-52B819EBE2D1} [DHCP-serv: 10.0.32.5, lease-time: 31536000]
Wed Oct 03 18:41:38 2012 Successful ARP Flush on interface [40] {018BD089-27A7-4FBF-A90D-52B819EBE2D1}
Wed Oct 03 18:41:43 2012 ROUTE: route addition failed using CreateIpForwardEntry: The Object already exists.   [status=5010 if_index=40]
Wed Oct 03 18:41:43 2012 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Adding the route failed: The Object already exists.

Wed Oct 03 18:41:43 2012 Initialization Sequence Completed
Wed Oct 03 19:39:26 2012 ROUTE: route deletion failed using DeleteIpForwardEntry: Element not found.  
Wed Oct 03 19:39:26 2012 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Deleting the route failed: Element not found.

Wed Oct 03 19:39:26 2012 SIGTERM[hard,] received, process exiting

jimp

Might help if that were in English ;-)

Nachtfalke

@jimp:

Might help if that were in English ;-)

Difficult on a german windows ;-)
I tried to translate the few sentences with my best school english in the original post.

jimp

So that's saying it's trying to add a route that already exists.

Sure you're connecting to the right VPN? From a location that isn't behind the firewall you're using for the VPN?

The old failure with UAC was different, it mentioned something about lacking permissions or rights.

Nachtfalke

I am trying this from at home behind my home router.

When I connect to the VPN server the connection will be established - the systray icon turns into green. But "netstat -rn" does not show me additional routes - just the route for the tunnel network.

When I run the OpenVPN client with admin rights the routes will be added.

But when I run it with admin rights I got a similar error message:

Wed Oct 03 21:17:58 2012 Successful ARP Flush on interface [50] {FBDB3111-D2E3-4899-A765-87EAFB843546}
Wed Oct 03 21:18:03 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object still exists.   [status=5010 if_index=50]
Wed Oct 03 21:18:03 2012 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Oct 03 21:18:03 2012 Initialization Sequence Completed

But then I can connect to the pfsense server and to the LAN clients behind pfsense.