Bug #7681

closed

OpenVPN client export utility - Exporting Android inline configuration can include incorrect client auth method in .ovpn file

Added by David Nuzik almost 7 years ago. Updated almost 7 years ago.

Status: Not a Bug
Priority: Normal
Category: OpenVPN Client Export
Target version: -
Start date: 07/08/2017
% Done: 0%

Description

Intro:
Hello, this is my first bug entry. I hope I have done a good job reporting the specifics of what I believe to be a bug with the ovpn client export package. It's possible this could be a core OpenVPN issue -- I am not certain. If I missed some information or if there is more info I may provide, please let me know.

Summary:
If you set up OpenVPN with a more secure auth method, such as RSA-SHA256, and then use the ovpn client export utility to export an inline configuration (ovpn config file) for Android, then the config file will include the following line (without double quotes):
"auth RSA-SHA256"

Note, however, this is incorrect as the Android client must use auth SHA256 (or any client I believe).
This is evidenced by this forum post on openvpn forums: https://forums.openvpn.net/viewtopic.php?f=4&t=23241 and also by my fix by following the instructions to manually change this line to "auth SHA256" without double quotes. The "auth RSA-SHA256" method is only for server config, not client config -- or at least according to the forum post.

Steps to reproduce:
- Set up OpenVPN with defaults except choose the RSA-SHA256 auth crypto option. Ensure you have set up certs for your user(s) as well. (If my config info is needed, please notify me and I will obfuscate it accordingly and send it your way, or send redacted screenshots.)
- Using the client export utility (/vpn_openvpn_export.php), attempt to export an inline configuration for Android by clicking the "Android" button.
- Inspect the contents of the .ovpn file in a text editor. Notice the "auth RSA-SHA256" line is incorrect; it should be "auth SHA256".
- Note, if you export to the current Windows installer this will work correctly on a Windows client.
- Note, if you simply export the "Config Only" under "Standard Configuration" this ovpn file is also incorrect as it states "auth RSA-SHA256".
- Manually change the auth method to SHA256 instead of RSA-SHA256 and attempt to load the configuration on an Android device such as with the official OpenVPN Connect app.
- Note, only after manually changing the auth method to SHA256 in the .ovpn file will you then be able to connect to the vpn. Otherwise OpenVPN Connect app will report the following error:
"crypto_alg: RSA-SHA256: not found"

Version info:
pfSense 2.3.4-RELEASE built on Wed May 03 15:13:29 CDT 2017
FreeBSD 10.3-RELEASE-p17
openvpn-client-export 1.4.12
openvpn (latest as of 7/8/17)

Additional:
If RSA-SHA256 is indeed a correct option for most clients, it may not be for Android devices. My Android device would not work with "auth RSA-SHA256" method until I changed it to "auth SHA256".
My Android device is a Samsung Galaxy S8+
If more information is needed please let me know.
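
The manual inspection and edit described in the report can be scripted. The following is an added example, not code from the export package or from the reporter: `check_auth` and the sample config are constructed here, and the `RSA-<digest>` to `<digest>` rewrite is an assumption taken from the reporter's workaround.

```python
import re

# Assumption from the report: an auth value of the form RSA-<digest> is
# rejected by the client, and the bare digest name is what worked instead.
SIG_ALIAS = re.compile(r"^RSA-(?P<digest>[A-Za-z0-9-]+)$", re.IGNORECASE)
INLINE_OPEN = re.compile(r"^<([A-Za-z0-9-]+)>$")


def check_auth(config_text):
    """Return (findings, fixed_text); findings = [(line_no, old, new), ...]."""
    findings, out, inline_tag = [], [], None
    for number, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if inline_tag:
            # Inside <ca>/<cert>/<key>/...: copy verbatim until the close tag.
            if stripped == f"</{inline_tag}>":
                inline_tag = None
            out.append(line)
            continue
        opened = INLINE_OPEN.match(stripped)
        if opened:
            inline_tag = opened.group(1)
            out.append(line)
            continue
        tokens = stripped.split()
        # Exact directive only: auth-user-pass, auth-nocache etc. do not match.
        if len(tokens) >= 2 and tokens[0] == "auth":
            alias = SIG_ALIAS.match(tokens[1])
            if alias:
                digest = alias.group("digest").upper()
                findings.append((number, tokens[1], digest))
                line = line.replace(tokens[1], digest, 1)
        out.append(line)
    return findings, "\n".join(out) + "\n"


SAMPLE = """\
client
dev tun
remote vpn.example.test 1194 udp
auth-user-pass
cipher AES-256-CBC
auth RSA-SHA256
<ca>
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
</ca>
"""

if __name__ == "__main__":
    for line_no, old, new in check_auth(SAMPLE)[0]:
        print(f"line {line_no}: auth {old} -> auth {new}")
```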
