PfSense to OpenVPN server - nowhere to specify a server cert



  • Hi - Every other OpenVPN client I have worked with allows me to specify a server cert. Although I can specify a server cert in the pfSense certificate screens, there is nowhere to specify this cert in the OpenVPN client setup screens.

    I see this in the OpenVPN logs:

    Aug 22 20:18:31 	openvpn[51948]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    

    Any help would be appreciated.



  • Someone correct me if I'm wrong, but I believe that error is related to not having a "Peer Certificate Revocation List" configured on the server side.



  • @ilium007:

    … there is nowhere to specify this cert in the OpenVPN client setup screens....

    Any help would be appreciated.

    Edit your Client Settings => Cryptographic Settings => Client Certificate



  • @Satras:

    @ilium007:

    … there is nowhere to specify this cert in the OpenVPN client setup screens....

    Any help would be appreciated.

    Edit your Client Settings => Cryptographic Settings => Client Certificate

    That's the client certificate, yes. I want to be able to specify the server certificate. When I have configured any other OpenVPN setup I generate CA certs, a Diffie-Hellman key, server certs and the client certs.



  • System -> Cert Manager -> Certificates
    Press + and import your already existing certificate.



  • @GruensFroeschli:

    System -> Cert Manager -> Certificates
    Press + and import your already existing certificate.

    Yes, understand that. I have imported both the client and server certs. There is nowhere in the OpenVPN config to specify the server cert.



  • Ah, now I see where you're coming from.
    But you misunderstand: you don't add the server certificate on the client.
    Instead you configure the client to verify that the server is actually a server.
    If you read the link provided in the warning you can see that you could extend your configuration with some options (on pfSense, the "Advanced configuration" field).
    Scroll down a bit here: http://openvpn.net/index.php/open-source/documentation/howto.html#pki to see in the table "Key Files" what is required where.



  • @GruensFroeschli:

    Ah, now I see where you're coming from.
    But you misunderstand: you don't add the server certificate on the client.
    Instead you configure the client to verify that the server is actually a server.
    If you read the link provided in the warning you can see that you could extend your configuration with some options (on pfSense, the "Advanced configuration" field).
    Scroll down a bit here: http://openvpn.net/index.php/open-source/documentation/howto.html#pki to see what is required where.

    I'll have a read, but in my experience every OpenVPN client I have configured takes in a server cert, as shown below in a Viscosity screenshot of an OpenVPN client I have used for the past 4 years:

    In this screenshot cert.crt is the server certificate.



  • That's not the server certificate but the certificate of the CA which created the keys/certs for both the server and clients.

    You can export the certificate of the CA of the machine where you created the server/client files and import it on the client.

    Afterwards you can select this cert in the "Peer Certificate Authority" dropdown.



  • @GruensFroeschli:

    That's not the server certificate but the certificate of the CA which created the keys/certs for both the server and clients.

    No, that would be the ca.crt also pictured.



  • Well then in the screenshot something is missing and would not be able to work.

    The "CA:" field is for the CA certificate.
    The "Cert:" field is for the client certificate.
    The "Key:" field is for the client key.



  • @GruensFroeschli:

    Well then in the screenshot something is missing and would not be able to work.

    The "CA:" field is for the CA certificate.
    The "Cert:" field is for the client certificate.
    The "Key:" field is for the client key.

    Yes, my apologies. It is the client cert as you have pointed out.

    I'll keep messing with the pfSense OpenVPN client config. I should have enough for it to work, but I can't for the life of me get a connection to come up.


  • LAYER 8 Global Moderator

    "I'll keep messing with the pfSense openvpn client config"

    What are you messing with? Did you just install the client export package and then download the Viscosity bundle? You should be good to go.



  • No. The pfSense box is the client (I already have it running just fine as a server using the method you describe).

    I have imported the external CA certs and client cert etc but the tunnel won't establish. I'll pull some logs together and post here.
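As an added illustration (not posted by anyone in this thread), here is an OpenVPN client configuration in file form that maps the three Viscosity fields (CA / Cert / Key) and the "Peer Certificate Authority" selection discussed above onto directives, together with the server-verification directive that the logged warning is about. File names, the remote address and the subject name are placeholders; on pfSense the `ca`, `cert` and `key` lines correspond to the Peer Certificate Authority and Client Certificate selections, and the extra verification line is the kind of option that goes into the "Advanced configuration" field.

```conf
# Added example OpenVPN client config (not from the thread); all names are placeholders.
client
dev tun
proto udp
remote vpn.example.invalid 1194   # placeholder: the pfSense-as-client's remote server
nobind
persist-key
persist-tun

# The three files the Viscosity screen labels CA / Cert / Key:
ca   ca.crt        # certificate of the CA that issued BOTH the server and client certs
cert client.crt    # this client's own certificate (not the server's)
key  client.key    # this client's private key

# With only ca/cert/key, OpenVPN logs
#   "WARNING: No server certificate verification method has been enabled"
# because the client would accept any certificate signed by the CA as the server,
# including another client's certificate. Requiring the server role fixes that;
# the server certificate must have been issued with the server EKU / nsCertType
# (in pfSense's Cert Manager: certificate type "Server Certificate").
remote-cert-tls server

# Optional, stricter: also pin the expected subject CN of the server certificate.
;verify-x509-name "placeholder-server-cn" name
```

Lines starting with `;` are comments in OpenVPN configuration syntax, so the `verify-x509-name` line is shown but not active.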

