Upgrade 1.2.3 -> 2.0 -> 2.0.1 OpenVPN Working, but WHY???



  • I am now using pfSense 2.0.1 using OpenVPN for road warrior access to the local LAN.  I must have missed something about the upgrade path with the current version of pfSense 2.0.1.  I have 12 road warrior clients on one pfSense box and when I upgraded from 1.2.3 to 2.0 they were all there and happy after the upgrade, I could see each client certificate.  But now after installing 2.0.1 they are all gone, but they all still work.  After doing a little digging, I find that I’m supposed to create user accounts and client machine certs, which I had already done previous to even pfSense, but they don’t seem to be there anymore.  To be more precise all my server certs and client certs were all created with Zerina on IPCop, I then manually migrated all the server and client certs over to pfSense 1.1.X back in 2007, all went well, up to now, and actually it’s all still working, every client can still VPN into the network when they establish a connection.

    Can someone help me out with some technical advice on where all my certs went? Right now on my box with the 12 working road warriors, the Client tab on OpenVPN is completely empty, nothing showing.  Under the certificate manager, there is one CA and two server certs, looks like a duplication of some kind, and one client cert. Should I add all the client certs back in?  If I do, how do I connect the dots of client certs, client connections, and user accounts?  In the past I never set up user accounts.  Certificate management and connection management went hand in hand, I managed them together.

    My big question is this, can I recover from this mess without having to regenerate all new CAs and certs?  If so, is there some reading I could do that walks me through where stuff is? So far I’ve inspected the /var/etc/ folder and there isn’t much there.  Could it be that the current clients are connecting through server certs only?

    Thank you in advance for any advice you may be able to give.

    BigBSense



  • When you start on 1.2.3 the client certs aren't on the firewall at all, they're wherever you generated them. 1.2.3 had no ability to manage client certs. You would have to import them manually from where they were generated after upgrading to 2.0, so I'm guessing you're misremembering them being there. The only certs that will exist are the CA cert and the server cert, which it sounds like you have. The Clients tab will be blank unless you have actual client OpenVPN instances defined (not clients that connect to your server instance). Sounds like it's all fine, just a fact of how you originally had everything set up.



  • You are most likely very correct.  One question still remains for me, how do I revoke a cert?  It sure seems like I used to have a list of all the clients that could connect and I could turn each one on or off as needed.

    Thank you for your reply, I kinda freaked out there for a while.

    BigBSense!



  • You'll have to revoke them and create a CRL from wherever you originally created the certs. Your CA's private key, client keys, and other info necessary to do so only exist there.
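To make the mechanics behind that answer concrete, here is an added example (not cmb's or pfSense's own code) that builds a throwaway CA in a temp directory, issues one client cert, revokes it with `openssl ca -revoke`, publishes a CRL with `-gencrl`, and shows that verification against that CRL now rejects the client; it assumes the openssl CLI is installed, and every name and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example: revoke a client cert and publish a CRL where the CA key lives.
# Assumes the openssl CLI; all names/paths are constructed for the demo.
set -eu

demo_crl() {
  d=$(mktemp -d)
  cd "$d"
  mkdir -p newcerts
  touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
  # Minimal config for the 'ca' subcommand (constructed, not pfSense's).
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
  # Self-signed CA (this is the "wherever you created the certs" side).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 365 >/dev/null 2>&1
  # One road warrior client key + CSR, signed by the CA.
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=roadwarrior01" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -in client.csr -out client.crt \
    -days 365 >/dev/null 2>&1
  # Before revocation the client cert verifies against the CA.
  openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1 || return 1
  # Revoke it and emit a CRL; this is what gets imported into the VPN server.
  openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out demo.crl >/dev/null 2>&1
  cat ca.crt demo.crl > chain.pem
  # With -crl_check the revoked client must now be rejected.
  if openssl verify -crl_check -CAfile chain.pem client.crt >/dev/null 2>&1; then
    return 1
  fi
  return 0
}
```

The CRL file (demo.crl here) is the artifact you would hand to the OpenVPN server; the CA private key never has to leave the machine that issued the certs.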



  • cmb, hey, thanks for the reply, I really do appreciate it.

    I looked and I do have the CRL certificates for each of the road warrior client machines, do I enter them in the cert manager?

    Then what about the user accounts, is that something on top of OpenVPN authentication? Is it optional (must be)?

    That's all my questions, thanks again for shedding light on this for me.  And oh, I looked back and it was back with IPCop that I had individual control over each client cert, I've not been able to do that since I moved over to pfSense, until now.

    Take Care

    BigBSense!