Bug #8476
closed
OpenVPN Client Export TLS Key Direction Directive Location
Description
pfSense Version: pfSense-CE-memstick-2.4.3-RELEASE-amd64.img.gz ( https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-2.4.3-RELEASE-amd64.img.gz )
It seems that, for whatever reason, Ubuntu's OpenVPN importing client does not like the way the .ovpn files are built. When attempting to import a config it fails to ever connect. My server uses TLS auth and when I download my configs from the OpenVPN Client Export tool it sticks the `key-direction X` after the `<tls></tls>` section which Ubuntu does not like for some reason. To fix this all I've had to do was move the key-direction above my keys.
Attached you should find 2 .ovpn files that display the change I have made.
Is there any way for OpenVPN Client Export to group the key-direction with the other OpenVPN directives at the top of the file? Are there any issues that fix would cause?
Thanks for your team's hard work. pfSense is amazing! The only router software I've actually enjoyed using.
Updated by Jim Pingle about 6 years ago
- Assignee set to Jim Pingle
- Priority changed from Normal to Very Low
- Affected Version changed from 2.4.3 to All
- Affected Architecture All added
- Affected Architecture deleted ()
As long as we can prove that change will not negatively impact other clients it should be OK to make that change, but that will take a bit of testing to confirm.
The way the exporter crafts the file, it can't group the key direction directive with the other things at the top, but it should be possible to at least put it right above the key.
Updated by Jim Pingle almost 6 years ago
See also https://github.com/pfsense/FreeBSD-ports/pull/529 but I plan on committing a slightly different fix.
Updated by Jim Pingle almost 6 years ago
- Status changed from New to Feedback
Done in v1.4.16, will be in snapshots shortly.
Updated by Danilo Zrenjanin over 5 years ago
Tested on:
2.4.4-RELEASE-p2 (amd64)
built on Wed Dec 12 14:40:29 EST 2018
FreeBSD 11.2-RELEASE-p6
client export package version:
openvpn-client-export security 1.4.18
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote xxxxx 1194 udp
setenv opt block-outside-dns
verify-x509-name "OVPN_cert" name
auth-user-pass
remote-cert-tls server
passtos
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxxx
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>
Config still needs to be edited in order to work properly on Ubuntu's OpenVPN importing client.
Updated by Danilo Zrenjanin about 5 years ago
- Status changed from Feedback to Resolved
ovpn configuration file exported from:
2.4.5-DEVELOPMENT (amd64)
built on Wed Feb 13 06:09:38 EST 2019
FreeBSD 11.2-RELEASE-p8
OpenVPN importing client tested on:
RELEASE=18.3
CODENAME=sylvia
EDITION="Cinnamon 64-bit"
DESCRIPTION="Linux Mint 18.3 Sylvia"
DESKTOP=Gnome
TOOLKIT=GTK
The config file is the same as before; it works like a charm on the updated Linux version. Looks like Linux has fixed the OVPN importing client.
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote xxxxx 1194 udp
setenv opt block-outside-dns
verify-x509-name "OVPN_cert" name
auth-user-pass
remote-cert-tls server
passtos
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxxx
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
xxxxxxxxx
</tls-auth>
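
The manual edit the reporter describes, moving `key-direction` up among the other directives and ahead of the inline key blocks, can be scripted for profiles exported before the fix. This is an added example, not part of the ticket or of the export package: the function names are hypothetical, the sample profile is constructed, and it assumes no directive's meaning depends on its position relative to an inline block.

```python
import re
# Constructed sample in the layout quoted in the thread (placeholder key material).
SAMPLE = """\
remote xxxxx 1194 udp
<key>
xxxxx
</key>
key-direction 1
<tls-auth>
xxxxxxxxx
</tls-auth>
"""
OPEN_TAG = re.compile(r"<([A-Za-z0-9-]+)>$")

def parse(text):
    """Return items in file order: ("directive", line) or ("block", [lines])."""
    items, tag = [], None
    for line in text.splitlines():
        stripped = line.strip()
        opened = OPEN_TAG.match(stripped)
        if tag is not None:                      # inside a block: copy verbatim
            items[-1][1].append(line)
            if stripped == "</" + tag + ">":
                tag = None
        elif opened:
            tag = opened.group(1)
            items.append(("block", [line]))
        elif stripped:
            items.append(("directive", line))
    if tag is not None:                          # truncated export or bad paste
        raise ValueError("unterminated <" + tag + "> block")
    return items

def key_direction_after_block(text):
    """True when a key-direction line follows the start of any inline block."""
    seen_block = False
    for kind, body in parse(text):
        if kind == "block":
            seen_block = True
        elif seen_block and body.split()[0] == "key-direction":
            return True
    return False

def hoist_directives(text):
    """Emit all top-level directives first (order kept), then the inline blocks."""
    items = parse(text)
    head = [b for k, b in items if k == "directive"]
    tail = [line for k, b in items if k == "block" for line in b]
    return "\n".join(head + tail) + "\n"
```
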