I am still in the learning phase and currently conducting research. My objective is to access the network behind IPFire. I am following the provided instructions, but when attempting to connect using the OpenVPN client, I receive a “CA not defined” error. I am using IPFire version 2.29 - Core Update 200 and OpenVPN Connect version 3.8. I have already generated the necessary certificates.
Can anyone please help?
I also had difficulties with OpenVPN Connect.
I use OpenVPN for Android and it works well.
Edit: And for Windows, the community version.
Since switching from OpenSSL to 3.6.0 in OpenVPN, I could only connect but no data traffic was getting through. Switching to OpenVPN for Android on my phone, as suggested by Phil, solved the problem.
I’m not sure if I can help you or if my suggested solution is the right one:
We use the OpenVPN Community client for our VPN connection. I wanted to see if it was possible to establish a connection to IPFire using OpenVPN Connect. After doing some Googling and consulting AI, I came up with the following solution, which worked:
IPFire exports in PKCS12 format (.p12)—which contains the CA, client certificate, and key all in one file.
The problem is that OpenVPN Connect has issues with PKCS12, especially the newer versions (connection failed ssl_context_error OpenSSLContext:CA not defined?). I don’t know why or what the reason is… maybe someone else has an answer to that.
The solution: extract the individual files from the P12 and put them into the .ovpn file:
- Extract CA certificate
openssl pkcs12 -in user.p12 -cacerts -nokeys -out ca.crt
- Extract client certificate
openssl pkcs12 -in user.p12 -clcerts -nokeys -out user.crt
- Extract private key
openssl pkcs12 -in user.p12 -nocerts -nodes -out user.key
Then modify the .ovpn file:
Remove this line:
remove the whole pkcs12 block (can't put it here as text?)
Add these lines:
<ca>
(Content of ca.crt)
</ca>
<cert>
(Content of user.crt)
</cert>
<key>
(Content of user.key)
</key>
After that, there was another error regarding the entry #auth-token-user USER, which I commented out.
I find this process really cumbersome, and for us, it’s not yet a practical “automatic” solution when we want or need to create new clients and have to rewrite the entire file first.
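As an added example (not code from this thread, from IPFire or from OpenVPN), the following script automates the manual steps above so that new clients do not have to be rewritten by hand: it takes the .ovpn as IPFire exports it, with the credentials in an inline <pkcs12> block, splits the container with openssl into CA, client certificate and key, writes them back as <ca>/<cert>/<key> blocks, and comments out auth-token-user. The function names, the file arguments and the optional password argument are assumptions made for this example; the CA and profile used in the test are constructed throwaway data.

```bash
#!/bin/bash
# p12_to_inline.sh: convert an IPFire-exported .ovpn whose credentials sit in an
# inline <pkcs12> block into one with separate <ca>/<cert>/<key> blocks, which
# OpenVPN Connect accepts, and comment out the "auth-token-user" line it rejects.
# Constructed example for this thread; not IPFire's or OpenVPN's own tooling.
set -eu

# pem_only: keep only PEM blocks, dropping the "Bag Attributes" lines that
# "openssl pkcs12" prints in front of them.
pem_only() {
    awk '/^-----BEGIN/,/^-----END/'
}

# convert_ovpn IN.ovpn OUT.ovpn [p12-password]
# The password is the one entered in the IPFire client dialog (empty if none).
# Usage: convert_ovpn exported.ovpn connect.ovpn 'p12 password'
convert_ovpn() {
    local in="$1" out="$2" pass="${3:-}"
    local work
    work="$(mktemp -d)"

    # 1. Recover the container: the <pkcs12> block is the base64 of the .p12 file.
    sed -n '/^<pkcs12>/,/^<\/pkcs12>/p' "$in" | sed '1d;$d' | base64 -d > "$work/client.p12"
    if [ ! -s "$work/client.p12" ]; then
        echo "$in: no inline <pkcs12> block found" >&2
        rm -rf "$work"
        return 1
    fi

    # 2. Split it into the three PEM files, exactly as the manual steps do.
    #    openssl's own errors are silenced; an empty result is reported below.
    openssl pkcs12 -in "$work/client.p12" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
        | pem_only > "$work/ca.pem"
    openssl pkcs12 -in "$work/client.p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | pem_only > "$work/cert.pem"
    openssl pkcs12 -in "$work/client.p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | pem_only > "$work/key.pem"
    for f in ca cert key; do
        if [ ! -s "$work/$f.pem" ]; then
            echo "$in: could not extract $f from the PKCS12 container (wrong password?)" >&2
            rm -rf "$work"
            return 1
        fi
    done

    # 3. Write the new profile: drop the <pkcs12> block, comment out
    #    auth-token-user, then append the three inline blocks.
    sed -e '/^<pkcs12>/,/^<\/pkcs12>/d' \
        -e 's/^auth-token-user/#auth-token-user/' "$in" > "$out"
    for f in ca cert key; do
        { echo "<$f>"; cat "$work/$f.pem"; echo "</$f>"; } >> "$out"
    done
    rm -rf "$work"
}

# has_inline_block FILE TAG: succeeds if FILE contains an opening and a closing TAG line.
has_inline_block() {
    grep -q "^<$2>\$" "$1" && grep -q "^</$2>\$" "$1"
}
```

The converted profile carries the private key as plaintext PEM, which is exactly the trade-off the thread later calls an "insecure package": keep the file's permissions tight and remove the copy once the client has imported it.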
Hello @thms
Welcome to the IPFire community.
The problem is that OpenVPN decided that for the OpenVPN Connect client, which was designed to go with the commercial OpenVPN Access Server that you have to pay for, they would no longer use pkcs12 as the certificate container for server or client. They would not use any container at all.
However, for their Community version of the OpenVPN Server, the one used in IPFire, they still use and accept the pkcs12 certificate container.
The problem with auth-token-user USER is similar in that they do not accept it in the commercial OpenVPN Access Server but they do in the community OpenVPN Server used in IPFire.
You would have to ask OpenVPN why they decided to not make their free commercial client (Connect) fully compatible with their community Server.
Hello,
Thanks for the welcome. I came across this thread yesterday while doing some research and thought I’d share my experience.
I wasn’t aware that OpenVPN had made that decision—too bad! But thanks for the clarification and the info.
But before, IPFire had the “insecure package” button, which exported the ovpn file in exactly the way the client wants. Now this exact package has to be assembled manually, which is a step backwards, even to IPCop times (where this cumbersome procedure was needed to get a connection on iOS). Why not just allow the old export again?
I have modified my old IPCop script to make an “insecure” package again. Save it as ioscert and chmod u+x. You might have to modify this file to your taste:
#!/bin/bash
# Usage: ./ioscert CertName
CERT_NAME="$1"
FILE="/var/ipfire/ovpn/certs/${CERT_NAME}.p12"
OVPN_FILE="${CERT_NAME}.ovpn"
if [ -z "$CERT_NAME" ]; then
    echo "Error: Missing certificate name" >&2
    echo "Syntax: $0 CertName" >&2
    echo "CertName = what you input as cert name in the IPFire dialog" >&2
    exit 1
fi
if [ ! -f "$FILE" ]; then
    echo "File $FILE does not exist" >&2
    echo "Syntax: $0 CertName" >&2
    echo "CertName = what you input as cert name in the IPFire dialog" >&2
    exit 1
fi
# Start fresh
> "$OVPN_FILE"
# Client options
cat <<EOF >> "$OVPN_FILE"
client
dev tun
remote !!!YOUR_IP_OR_DOMAIN_NAME_HERE!!! 1194
verify-x509-name !!!YOUR_IP_OR_DOMAIN_NAME_HERE!!! name
proto udp
remote-cert-tls server
mssfix 0
auth SHA256
EOF
# OpenVPN only recognises inline credentials when each PEM block is wrapped
# in its tag (<ca>, <cert>, <key>, <tls-auth>).
# === CA CERTIFICATE ===
echo "<ca>" >> "$OVPN_FILE"
# Extract the exact PEM block from cacert.pem
sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' /var/ipfire/ca/cacert.pem >> "$OVPN_FILE"
echo "</ca>" >> "$OVPN_FILE"
# === CLIENT CERTIFICATE ===
echo "<cert>" >> "$OVPN_FILE"
# openssl outputs extra "Bag Attributes" lines before the actual cert.
# awk grabs ONLY the PEM block (BEGIN → END inclusive).
openssl pkcs12 -in "$FILE" -clcerts -nokeys -passin pass: 2>/dev/null \
    | awk '/^-----BEGIN/,/^-----END/' >> "$OVPN_FILE"
echo "</cert>" >> "$OVPN_FILE"
# === PRIVATE KEY ===
echo "<key>" >> "$OVPN_FILE"
# Same trick works for the private key (RSA PRIVATE KEY or PRIVATE KEY block)
openssl pkcs12 -in "$FILE" -nocerts -nodes -passin pass: 2>/dev/null \
    | awk '/^-----BEGIN/,/^-----END/' >> "$OVPN_FILE"
echo "</key>" >> "$OVPN_FILE"
# === TLS KEY ===
# If the IPFire server runs tls-auth with direction 0, the client also
# needs "key-direction 1" among the options above.
echo "<tls-auth>" >> "$OVPN_FILE"
cat /var/ipfire/ovpn/certs/ta.key >> "$OVPN_FILE"
echo "</tls-auth>" >> "$OVPN_FILE"
echo "Generated $OVPN_FILE successfully!"
I am a bit surprised that iOS cannot work with secure certificates.
I don’t have any iOS based products, only Android but they have been able to use secure OpenVPN certificates for several years.
I would have expected that in these days of needing to secure things that iOS would also be able to work with secure certificates rather than needing to have an open certificate.
EDIT:
I just did a quick search and I found that you can upload secure OpenVPN certificates into the iOS keychain in the same way as is done with the Android keychain, as long as you have iOS 9.0 or newer.
I would expect that the iOS OpenVPN apps are able to use the certs from the iOS keychain.
