Regression #13350


Client OpenVPN error when tunnel is specified

Added by Erik Osterholm 3 months ago. Updated 3 months ago.


Filing this on behalf of a client.

When an IPv4 Tunnel Network is defined on an OpenVPN Client in pfSense, we get the following error:

Options error: You must define certificate file (--cert) or PKCS#12 file (--pkcs12)

Removing the network, saving, and restarting the service allows the tunnel to come up.

This was reported working at one point.

Actions #1

Updated by Marcos M 3 months ago

  • Tracker changed from Bug to Regression
  • Project changed from pfSense Plus to pfSense
  • Category changed from OpenVPN to OpenVPN
  • Affected Plus Version deleted (22.05)
  • Affected Version set to 2.7.0
Actions #2

Updated by Jim Pingle 3 months ago

  • Assignee set to Jim Pingle

Normally in SSL/TLS with a client/server setup that has multiple clients, the clients would never populate the tunnel network. If they need a static address, the client wouldn't set it; it would be set in the override on the server side.

I'll have to check what might have changed here, but it probably wasn't a valid configuration before and was somehow given a pass. The only time that's typically valid is when both client and server are set to a /30 tunnel network and that's handled as a special case.

I suspect the difference might be from what changed in #11416 but I'll have to investigate.

Actions #3

Updated by Erik Osterholm 3 months ago

Does it make sense to remove this GUI element from the options then?

Actions #4

Updated by Jim Pingle 3 months ago

No, because there are valid cases where it should be set (e.g. to /30), at least for the time being. Since the client settings page can't know how the server is configured, it can't validate that on its own, so the burden has to be on the user to match what the server expects.

Eventually OpenVPN is removing that mode upstream but for now it's still valid.

