Can't figure out OpenVPN Roadwarrior config

IPFire version 2.25, Update 152

I’ve been trying to get the OpenVPN Roadwarrior set up for hours now and every time I try to import the .ovpn file within iOS, I get prompted for the pkcs12 password and when I enter it, I get “Error. Cannot parse the file.” I was able to get this working in pfSense, so I didn’t think it would be this difficult in Ipfire. The little documentation I was able to find didn’t really help. Can anyone point me in the right direction please? Not getting this to work is a dealbreaker. Thanks.

Also, I noticed that when I downloaded the client package, my only option was the client package zip file. If I tried to download the unsecure version of the client zip file, it just gave me an error message.

Hi,

first, welcome to the IPFire community. :slight_smile:

Do you have more detailed logs or error messages from your operating system than that?

IPFire’s OpenVPN documentation is available here. Erik (@ummeegge) is the “master of disaster” when it comes to OpenVPN; perhaps he can help once we have found out what exactly your problem is.

As far as I can recall, this should have been fixed a while ago. @ummeegge: Has it or am I wrong on this?

Thanks, and best regards,
Peter Müller

I’ve noticed that if I create additional VPN users, sometimes I get the option to download the unsecured version of the zip package and sometimes I don’t (it’s not there). I don’t know what I’m doing wrong. I have blown away and recreated the root/host certs as well as the user cert, but I still can’t connect from iOS or from my MacBook using Tunnelblick. I still have the .ovpn file that I downloaded from pfSense a while back (which works on the iOS OpenVPN app) and I compared it against the .ovpn file that is generated from IPfire and they are way different. The IPfire .ovpn file is very sparse and has almost nothing in it. The pfSense .ovpn file has the CA cert embedded in it, along with the user cert, the private key, and the static tls key. As a last resort, I built a new .ovpn file from scratch modeling it after the pfSense .ovpn file, but inserting the cert information from the IPfire side. I tried importing it into Tunnelblick on my MacBook to test it out, but it won’t even import. Are there specific logs I could provide that would help? I’m not sure what else to do here.

I just created a new VPN user and imported the .ovpn file into Tunnelblick on my MacBook, but the OpenVPN connection won’t establish. I’m not sure if it will help, but here are the logs.

2020-12-08 10:42:32.637344 MANAGEMENT: >STATE:1607445752,RESOLVE,
2020-12-08 10:42:32.866182 TCP/UDP: Preserving recently used remote address: [AF_INET]75.132.x.x:1194
2020-12-08 10:42:32.867160 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-12-08 10:42:32.867213 UDP link local: (not bound)
2020-12-08 10:42:32.867248 UDP link remote: [AF_INET]75.132.x.x:1194
2020-12-08 10:42:32.867517 MANAGEMENT: >STATE:1607445752,WAIT,
2020-12-08 10:42:32.899142 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:35.117814 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:38.948350 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:40.086804 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:46.934151 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:48.072259 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer

Hi all,
since I do not use Smart?phones I run a little into the researching fog… OK, let's give it a try.

Sounds like the configuration parser cannot find the exact tag string in the ovpn. According to the OpenVPN FAQ → FAQ Regarding OpenVPN Connect IOS | OpenVPN you would need the certificate, CA, key and, if configured, the ta key in your client.ovpn. This can be done automatically if you do not enter a password when you create a client; when downloading the ZIP package, use the right disc icon (not the left) and you should be fine with all that. I tried it just now and it should look like this:

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1500
remote ipfire.local 1194
;ca cacert.pem
;cert testios.pem
;key testios.key
cipher BF-CBC
auth SHA1
verb 3
remote-cert-tls server
verify-x509-name ipfire-prime.local name
mssfix 0

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
Bag Attributes
    friendlyName: testios
    localKeyID: E0 08 02 42 D6 71 C1 12 88 63 31 1B 70 17 FF 54 35 56 D3 15 
subject=C = DE, ST = BW, O = ummeegge, OU = FZeit, CN = testios

issuer=C = DE, ST = BW, L = Hamburg, O = ummeegge, OU = Fzeit, CN = ummeegge CA, emailAddress = ummeegge@ue.org

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
Bag Attributes
    friendlyName: testios
    localKeyID: E0 08 02 42 D6 71 C1 12 88 63 31 1B 70 17 FF 54 35 56 D3 15 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

I have tested it on my laptop and have no problem at all here.

It is always a ZIP file; whether it is secure (with PKCS#12) or insecure makes no difference there. As mentioned above, just do not enter a password; in that case you should get the same result as above. If not, please provide the error log.

The wiki also provides a manual on how to create the ovpn file → wiki.ipfire.org - Automatic Method to create a unified `.ovpn` file, but I am not sure why, since the web interface provides it automatically; but again, I do not use Smart?phones.

Best,

Erik
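An added example, not part of the thread and not IPFire or OpenVPN code: a small Python check for whether a client profile is self-contained in the sense described in the post above, meaning `ca`, `cert` and `key` are present as inline blocks with a PEM body rather than as file references or a `pkcs12` file directive. The function name `lint_profile`, the host `vpn.example.org`, the file names and the placeholder PEM bodies are all constructed for illustration.

```python
import re

# Inline material is wrapped as <tag> ... </tag>; all other lines are directives.
INLINE_RE = re.compile(r"^<([\w-]+)>[ \t]*\n(.*?)^</\1>[ \t]*$", re.S | re.M)
# One PEM object with a non-empty base64 body ("Bag Attributes" text may precede it).
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+[A-Za-z0-9+/=][A-Za-z0-9+/=\s]*?-----END \1-----")
CREDENTIALS = ("ca", "cert", "key")


def lint_profile(text):
    """Return reasons why this client profile is not usable as a single file."""
    inline = {m.group(1): m.group(2) for m in INLINE_RE.finditer(text)}
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#;":  # '#' and ';' start comments
            directives[parts[0]] = " ".join(parts[1:])

    if "pkcs12" in inline:  # an inline PKCS#12 is used instead of ca, cert and key
        return []
    if "pkcs12" in directives:
        return [f"pkcs12 points at external file {directives['pkcs12']!r}"]
    findings = []
    for tag in CREDENTIALS:
        if tag in inline:
            if not PEM_RE.search(inline[tag]):
                findings.append(f"<{tag}> block holds no complete PEM object")
        elif tag in directives:
            findings.append(f"{tag} points at external file {directives[tag]!r}")
        else:
            findings.append(f"{tag} missing: no inline block, no file directive")
    return findings


# Constructed sample data: the base64 body is a placeholder, not a real certificate or key.
PEM = "-----BEGIN {0}-----\nQ09OU1RSVUNURUQ=\n-----END {0}-----\n"
HEAD = "client\ndev tun\nproto udp\nremote vpn.example.org 1194\n"
UNIFIED = (HEAD + ";ca cacert.pem\n"
           + "<ca>\n" + PEM.format("CERTIFICATE") + "</ca>\n"
           + "<cert>\nBag Attributes\n    friendlyName: demo\n"
           + PEM.format("CERTIFICATE") + "</cert>\n"
           + "<key>\n" + PEM.format("PRIVATE KEY") + "</key>\n")
PKCS12_ONLY = HEAD + "pkcs12 demo.p12\n"
STRIPPED = UNIFIED.replace("Q09OU1RSVUNURUQ=\n", "")  # PEM markers with no body

if __name__ == "__main__":
    for name, profile in (("unified", UNIFIED), ("pkcs12", PKCS12_ONLY),
                          ("stripped", STRIPPED)):
        print(name, lint_profile(profile) or "self-contained")
```
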

Erik, thanks for the information. I just created a new VPN user and did not specify a password and when I looked at the .ovpn file that was created afterward, it is very similar to the output you have above, with some minor differences, like tun-mtu 1500 (mine is 1400), the remote variable as well as verify-x509 (since we are using different names) and I don’t have the mssfix 0 line. However, when I imported that .ovpn config into Tunnelblick, I receive the below errors:

2020-12-08 11:22:36.026891 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 11:22:38.295688 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 11:22:42.885243 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 11:22:50.319813 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)

You are welcome,
this can happen if e.g. your IP is changing but all authentication tests have passed. Try it as outlined: write float on one line in the client.ovpn under the other directives and give it a try to check if the first problem has been resolved…

Best,

Erik
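An added example, not part of the thread and not OpenVPN or Tunnelblick code: a Python script that groups the "Incoming packet rejected" lines of a client log by source and expected address, so it is obvious when every reply comes from one private address instead of the address given in `remote`. The log lines are constructed (203.0.113.10 is a documentation address standing in for the redacted public IP), and the note that the client is likely on the server's LAN is a heuristic assumption, consistent with the report further down the thread that connecting from the green interface fails.

```python
import ipaddress
import re
from collections import Counter

# OpenVPN logs this when a UDP packet arrives from an address other than --remote.
REJECT_RE = re.compile(
    r"Incoming packet rejected from \[AF_INET6?\](?P<src>[^\s\[]+):\d+\[\d+\], "
    r"expected peer address: \[AF_INET6?\](?P<exp>\S+):\d+")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_rfc1918(addr):
    """True/False for a parseable address, None if it was redacted (e.g. 75.132.x.x)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in RFC1918)


def summarize_rejects(lines):
    """Count rejected packets per (source, expected) pair and attach a heuristic note."""
    pairs = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:  # truncated or unrelated lines are skipped
            pairs[(m["src"], m["exp"])] += 1
    report = []
    for (src, exp), count in pairs.items():
        if in_rfc1918(src) and in_rfc1918(exp) is not True:
            # Heuristic, not an OpenVPN diagnosis: private source, non-private target.
            note = "reply from a private address; client is likely on the server's LAN"
        else:
            note = "reply from an address other than the configured remote"
        report.append({"source": src, "expected": exp, "count": count, "note": note})
    return report


# Constructed log lines modelled on the thread; 203.0.113.10 is a documentation address.
MSG = ("TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], "
       "expected peer address: [AF_INET]203.0.113.10:1194 (allow this incoming "
       "source address/port by removing --remote or adding --float)")
SAMPLE_LOG = [
    "2020-12-08 10:42:32.867517 MANAGEMENT: >STATE:1607445752,WAIT,",
    "2020-12-08 10:42:32.899142 " + MSG,
    "2020-12-08 10:42:35.117814 " + MSG,
    "2020-12-08 10:42:38.948350 " + MSG[:70],  # truncated line, as at the end of a paste
]

if __name__ == "__main__":
    for row in summarize_rejects(SAMPLE_LOG):
        print(row)
```
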

Ok, so I added the float line into the .ovpn config and this time, it looks like the connection succeeded in Tunnelblick, although it complained about my internal DNS server not being public and said my configuration might be wrong, but it still connected. After I disconnected from Tunnelblick, I noticed that the OpenVPN server status is Stopped, which is weird because I just connected with Tunnelblick. I clicked the Start button, but it stays in a red Stopped status. However, on the IPfire home page, it reports the status as “Online” for OpenVPN. I’m not sure what’s going on. Is it running or not?

Edit: I just rebooted and the problem persists.

OK, let's go step by step.
The first problem should then be solved?
Regarding the --float directive: this should normally not be needed, except when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client, since it allows the remote peer to change its IP address, which should normally not be the case so often?!

Is Tunnelblick available for iOS? I just know it from the Macs; did you change your environment?

So maybe this can be understood as a warning from Tunnelblick. I don't know what you have configured and what you want to achieve; reaching your client inside your LAN shouldn't be a problem at all. Otherwise you can also push the DNS globally or client-specifically via CCD, you just need to configure it.

What was the server status while you created and downloaded the client? Did you change something on the WUI or internally via command line after that? If the global status is stopped you should not be able to connect; in any case, I am not.

I am getting a little confused; you wrote before that it is stopped???

OK, an idea: let's not discuss a whole bunch of problems under one topic. Take a little time and maybe also check the suggestions to raise the next issue in its own topic if needed.

Best,

Erik

Sorry, I put a lot of information in there. Let me try to clarify it. I’m not sure the first issue is actually resolved. Even though it appeared to connect from Tunnelblick, when I move that same .ovpn profile onto the OpenVPN app on my iPhone, it will try to connect, but time out, which is still better than the “cannot parse” errors I was getting before.

Right now, the OpenVPN service is in a Stopped state on the OpenVPN page. However, if I go to the IPFire main page (System > Home), the OpenVPN status is “Online.” I’m confused because in one place, it says it is Online but on the Services page, it says it is Stopped. I don’t think I can do any reliable testing with the system in this state.

You wrote before that you were connected and had successfully imported the ZIP package to your iPhone. Is this still the case or not?

If not, please provide the logs from server and client during startup and during the connection attempt.

Best.

Erik

I was able to download the zip package and able to load the .ovpn file on my iPhone, but it timed out when trying to connect. Right now, I don’t know if OpenVPN is actually working since the service status is stopped, but the status on the main page is Online. It seems odd that I’m seeing two completely different status messages. How can it be both Stopped and Online?

If you have these messages →

the OpenVPN instance is working :grinning: .

Best,

Erik

I don’t think that error indicates that it is working though because the connection status in Tunnelblick is Red and shows 0 bytes in and out. I don’t understand why this is so difficult. I’ve also watched a few YouTube videos on how to set this up and as far as I can tell, I did the same steps that they did in the video and it worked for them, but did not work for me. I really want to keep using IPfire, but if I can’t get OpenVPN working, I’ll have to go back to pfSense.

I’m also seeing this.

Screen Shot 2020-12-08 at 3.08.54 PM
Screen Shot 2020-12-08 at 3.08.32 PM

This is no error; it just tells you that your IP address has been changed but all authentication tests have passed. I have no problem with this here either. Wish you all the best; pfSense is also a great solution.

Erik

This still doesn’t work properly on iOS and the OpenVPN status is still Stopped. This doesn’t make any sense. I’m going to have to go back to pfSense because I need OpenVPN to work. Luckily, it’s a VM on the same ESXi host that is running IPfire, so all I have to do is turn it on again. Thanks anyway. I really like IPfire, but this problem has cost me nearly two days of troubleshooting and it’s still not working, so I have to move on.

Just want to chime in here too. I urgently need open vpn to work and spent a whole day on this yesterday.
I can export the config from ipfire and import the ovpn file into android openvpn app and it just works as expected. Unfortunately what I need is Windows configs to work. Dropping the ovpn file into the windows openvpn does not install the certificate so I also have to drop the pkcs12 file in to the app which then silently installs the cert. I can then choose the cert when I edit the config in openvpn app.
I know this is not helpful not giving any other info but I too must bail ipfire and install pfsense as I need this working yesterday. This I am sure is easily replicable and seems to be an issue with the config files being imperfect.
I’ve also tried getting this to work on Linux Mint and it also won’t connect.
In the Windows ovpn log it says sss-context-error. openvpnSSLcontent CA not defined.
I hope this can be fixed real soon.

Also wanted to add that ipfire does not allow you to connect to the VPN from the green interface. Obviously this is just for testing purposes and I can do this on a Sophos FW OK. Not sure if this is another potential issue altogether, or if the firewall rules need a tweak to make this work.
The only time my phone can connect is from the cell network, not wifi which is on green in my setup. So to test road warrior configs requires a mobile hotspot.
Potential trap for some. I can send windows logs if this would help.

I’m glad I’m not the only one experiencing this issue. Craig, I ended up seeing the same error as you on my phone using the OpenVPN app. No idea why it’s not working, but it is very frustrating. For what it’s worth, it works great within pfSense and I can connect to it from within my network at home or using my cellular data. I think I might give OPNsense a spin this time since I run these virtually. If I can’t get OpenVPN working there either, I can just turn it off and turn on pfSense and be up and running again.

Cheers Kevin,
I’m wondering if it may be an issue with the newer version of openVPN being incompatible with ipfire’s export files. It looks like openVPN has simplified their import method in recent versions and according to older videos ipfire is also not exporting the .ta file either. Maybe it is not needed anymore?
I will be back to ipfire after this urgent VPN need is gone as I find ipfire simpler to manage than PFSense, but I’m off topic now.