Bug #8476

OpenVPN Client Export TLS Key Direction Directive Location

Added by Joshua Katz about 1 year ago. Updated 3 months ago.

Status: Resolved
Priority: Very Low
Assignee:
Category: OpenVPN Client Export
Target version: -
Start date: 04/21/2018
Due date:
% Done: 0%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

pfSense Version: pfSense-CE-memstick-2.4.3-RELEASE-amd64.img.gz ( https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-2.4.3-RELEASE-amd64.img.gz )

It seems that, for whatever reason, Ubuntu's OpenVPN importing client does not like the way the .ovpn files are built. When attempting to import a config, it fails to ever connect. My server uses TLS auth, and when I download my configs from the OpenVPN Client Export tool it sticks the `key-direction X` after the `<tls></tls>` section, which Ubuntu does not like for some reason. To fix this, all I've had to do was move the key-direction above my keys.

Attached you should find 2 .ovpn files that display the change I have made.

Is there any way for OpenVPN Client Export to group the key-direction with the other OpenVPN directives at the top of the file? Are there any issues that fix would cause?

Thanks for your team's hard work. pfSense is amazing! The only router software I've actually enjoyed using.

BROKEN.ovpn (447 Bytes) - Generated by OpenVPN Client Export - Joshua Katz, 04/21/2018 02:14 PM
WORKING.ovpn (448 Bytes) - My fixed working version - Joshua Katz, 04/21/2018 02:14 PM
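The reordering the report asks for, as an added Python example that is not part of the exporter package or the report's attachments: it splits an .ovpn file into top-level directives and inline <tag> blocks, checks whether key-direction precedes the <tls-auth> block, and if not moves it directly above that block, which is the placement the exported config in comment #4 shows. The sample config is constructed, and the hostname vpn.example.invalid is a placeholder.

```python
import re
# Constructed sample (not a report attachment): key-direction after <tls-auth>.
BROKEN_OVPN = """\
dev tun
client
remote vpn.example.invalid 1194 udp
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
BBBB
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

def parse_ovpn(text):
    """Split an .ovpn into ('directive', name, [line]) / ('block', tag, [lines]); top-level blanks and # comments are dropped."""
    items, block = [], None
    for line in text.splitlines():
        m = re.fullmatch(r"\s*<([a-z0-9-]+)>\s*", line)
        if block is not None:                       # inside <tag> ... </tag>, keep verbatim
            block[2].append(line)
            if line.strip() == f"</{block[1]}>":
                items.append(block)
                block = None
        elif m:
            block = ("block", m.group(1), [line])
        elif line.strip() and not line.lstrip().startswith("#"):
            items.append(("directive", line.split()[0], [line]))
    if block is not None:
        raise ValueError(f"unterminated <{block[1]}> block")
    return items

def key_direction_ok(text):
    """True when key-direction precedes <tls-auth>, or when either one is absent."""
    names = [name for _, name, _ in parse_ovpn(text)]
    if "key-direction" not in names or "tls-auth" not in names:
        return True
    return names.index("key-direction") < names.index("tls-auth")

def fix_key_direction(text):
    """Move key-direction to sit directly above <tls-auth> (the layout shown in comment #4)."""
    if key_direction_ok(text):
        return text                                 # already fine, or nothing to move
    items = parse_ovpn(text)
    kd = [i for i in items if i[1] == "key-direction"]
    out = [i for i in items if i[1] != "key-direction"]
    at = [name for _, name, _ in out].index("tls-auth")
    out[at:at] = kd                                 # directive goes right above the key
    return "\n".join(line for _, _, lines in out for line in lines) + "\n"
```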

History

#1 Updated by Jim Pingle about 1 year ago

  • Assignee set to Jim Pingle
  • Priority changed from Normal to Very Low
  • Affected Version changed from 2.4.3 to All
  • Affected Architecture set to All

As long as we can prove that change will not negatively impact other clients, it should be OK to make that change, but that will take a bit of testing to confirm.

The way the exporter crafts the file, it can't group the key direction with the other things at the top, but it should be possible to at least put it right above the key.

#2 Updated by Jim Pingle 10 months ago

See also https://github.com/pfsense/FreeBSD-ports/pull/529 but I plan on committing a slightly different fix.

#3 Updated by Jim Pingle 10 months ago

  • Status changed from New to Feedback

Done in v1.4.16, will be in snapshots shortly.

#4 Updated by Danilo Zrenjanin 4 months ago

Tested on:

2.4.4-RELEASE-p2 (amd64)
built on Wed Dec 12 14:40:29 EST 2018
FreeBSD 11.2-RELEASE-p6

client export package version:
openvpn-client-export security 1.4.18

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote xxxxx 1194 udp
setenv opt block-outside-dns
verify-x509-name "OVPN_cert" name
auth-user-pass
remote-cert-tls server
passtos

<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxxx
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>

Config still needs to be edited in order to work properly on Ubuntu's OpenVPN importing client.

#5 Updated by Danilo Zrenjanin 3 months ago

  • Status changed from Feedback to Resolved

ovpn configuration file exported from:
2.4.5-DEVELOPMENT (amd64)
built on Wed Feb 13 06:09:38 EST 2019
FreeBSD 11.2-RELEASE-p8

OpenVPN importing client tested on:

RELEASE=18.3
CODENAME=sylvia
EDITION="Cinnamon 64-bit"
DESCRIPTION="Linux Mint 18.3 Sylvia"
DESKTOP=Gnome
TOOLKIT=GTK

The config file is the same as before; it works like a charm on the updated Linux version. Looks like Linux has fixed the OVPN importing client.

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote xxxxx 1194 udp
setenv opt block-outside-dns
verify-x509-name "OVPN_cert" name
auth-user-pass
remote-cert-tls server
passtos

<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxxx
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
xxxxxxxxx
</tls-auth>
