OpenVPN Client Export TLS Key Direction Directive Location
pfSense Version: pfSense-CE-memstick-2.4.3-RELEASE-amd64.img.gz ( https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-2.4.3-RELEASE-amd64.img.gz )
It seems that, for whatever reason, Ubuntu's OpenVPN importing client does not like the way the .ovpn files are built. When attempting to import a config it fails to ever connect. My server uses TLS auth and when I download my configs from the OpenVPN Client Export tool it sticks the `key-direction X` after the `<tls></tls>` section which Ubuntu does not like for some reason. To fix this all I've had to do was move the key-direction above my keys.
Attached you should find 2 .ovpn files that display the change I have made.
Is there any way for OpenVPN Client Export to group the key-direction with the other OpenVPN directives at the top of the file? Are there any issues that fix would cause?
Thanks for your team's hard work. pfSense is amazing! The only router software I've actually enjoyed using.
#1 Updated by Jim Pingle 9 months ago
- Assignee set to Jim Pingle
- Priority changed from Normal to Very Low
- Affected Version changed from 2.4.3 to All
- Affected Architecture set to All
As long as we can prove that change will not negatively impact other clients it should be OK to make that change, but that will take a bit of testing to confirm.
The way the exporter crafts the file, it can't group the key direction with the other things at the top, but it should be possible to at least put it right above the key.
#4 Updated by Danilo Zrenjanin 12 days ago
built on Wed Dec 12 14:40:29 EST 2018
client export package version:
openvpn-client-export security 1.4.18
```
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote xxxxx 1194 udp
setenv opt block-outside-dns
verify-x509-name "OVPN_cert" name
auth-user-pass
remote-cert-tls server
passtos
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxxx
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>
```
Config still needs to be edited in order to work properly on Ubuntu's OpenVPN importing client.
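The manual workaround described in this issue (moving `key-direction` above the inline key blocks) can be scripted. The following is an added example, not part of the original thread or of the export package's code; the function name `hoist_key_direction` and the sample config are constructed for illustration.

```python
import re

OPEN_TAG = re.compile(r"^<([a-z0-9-]+)>$")  # start of an inline block, e.g. <ca>
KEY_DIRECTION = re.compile(r"^key-direction\s+[01]$")

# Constructed sample in the layout shown in comment #4; key material is a placeholder.
SAMPLE = """dev tun
remote vpn.example.test 1194 udp
<ca>
PLACEHOLDER
</ca>
<key>
PLACEHOLDER
</key>
key-direction 1
<tls-auth>
PLACEHOLDER
</tls-auth>
"""


def hoist_key_direction(config: str) -> str:
    """Return config with key-direction moved above the first inline block."""
    lines = config.splitlines()
    inside = None        # name of the inline block currently open, if any
    first_block = None   # index of the first opening tag
    found = []           # indexes of top-level key-direction lines
    for i, raw in enumerate(lines):
        line = raw.strip()
        if inside:       # never touch text inside <ca>, <key>, <tls-auth>, ...
            if line == f"</{inside}>":
                inside = None
            continue
        m = OPEN_TAG.match(line)
        if m:
            inside = m.group(1)
            if first_block is None:
                first_block = i
        elif KEY_DIRECTION.match(line):
            found.append(i)
    if inside:
        raise ValueError(f"unterminated <{inside}> block")
    if len(found) > 1:
        raise ValueError("more than one key-direction directive")
    if not found or first_block is None or found[0] < first_block:
        return config    # nothing to move
    lines.insert(first_block, lines.pop(found[0]))
    return "\n".join(lines) + ("\n" if config.endswith("\n") else "")
```

Only the position of the directive changes; the value and the key material are left untouched, so the client and server still agree on the TLS auth direction.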