Questions about OpenVPN configuration

Couple of questions:

  1. What is the difference between “Download Client Package” and “Download Insecure Client Package” when generating an OpenVPN connection package under “Connection Status and Control” of the OpenVPN page?
  2. What dependencies are there between the “Global Settings” and the “Certificate Authorities and Keys” sections? For instance, if I modify any settings in the Global Settings, do I then have to re-generate the x509 keys (i.e. root & host certificates, etc.), or regenerate the client packages again?
  3. Is the Global Settings “Local VPN Hostname/IP” only used in the client .ovpn file line:
    REMOTE [appears to be what is in that global setting field] 1194
    or does it have deeper implications?
    jps

Download Client Package is used for when you have provided a password for the client certificate.
The package contains separate pem files for the ca certificate and the client certificate and the client key and tls authentication key (if used). None of these files are password protected.
The .ovpn file has the certificates inline but you can use them as separate files by editing the .ovpn file.

Download Insecure Client Package is for when you have not provided a password for the client certificate.
The package contains a p12 file that holds the CA and client certificates and the client key. The file is password protected. The tls authentication file is separately provided (if used).
The .ovpn file uses the .p12 file name for the certificates.

There is a bug in the code for that Connection Status and Control table:
https://bugzilla.ipfire.org/show_bug.cgi?id=11048
There should only ever be one icon shown. The Download Client package if a password has been used or the Download Insecure Client Package if no password has been used. The bug means that if you edit a client connection then both icons get shown.

If you have used a password and then click on the Download Insecure Client Package you will get an Internal Server Error message.

I had been hopeful to have a fix for that bug in Core Update 175 but the version in testing turned out to have some remaining issues, which I am working on. It will likely end up in Core Update 176.

Meanwhile, if you used a password only use the Download Client Package and if you didn’t use a password then only use the Download Insecure Client Package icons.

None.
The x509 certificate set for the server only needs to be created once. You can then change the server settings as you wish.

However, if you do change the server global settings (or advanced options) then you will need to recreate all the client connections again.

I do not know. I would have to search through the perl code for the OpenVPN cgi page to find that out.
I will try and look for that later, when I get a bit more time.

2 Likes

I have checked through the code.

The value is also stored in /var/ipfire/ovpn/server.conf and in /var/ipfire/ovpn/settings, and is used in /usr/local/bin/openvpnctrl, which is used to start and stop the OpenVPN Server and any net2net configurations.
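
To check which of the two layouts described in the first reply a downloaded profile uses, and which `remote` endpoint it points at, the following added example (not code from this thread or from IPFire) parses a client .ovpn file using standard OpenVPN directives. The function name `audit_profile`, the hostname and the file names are assumptions, and both sample profiles are constructed.

```python
import re

# Constructed sample profiles: hostname, file names and key bodies are placeholders.
INLINE_PROFILE = """client
remote vpn.example.org 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIB(constructed)
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
MIIE(constructed)
-----END PRIVATE KEY-----
</key>
"""
P12_PROFILE = """client
remote vpn.example.org 1194
pkcs12 client1.p12
tls-auth ta.key
"""

INLINE_RE = re.compile(r"^<(ca|cert|key|tls-auth)>\s*$(.*?)^</\1>\s*$", re.M | re.S)
ENCRYPTED_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")

def audit_profile(text):
    """Report where a client profile takes its credentials from (hypothetical helper)."""
    inline = {tag: body for tag, body in INLINE_RE.findall(text)}
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", ";")):
            directives.setdefault(parts[0], parts[1:])
    key = inline.get("key")
    return {
        "remote": directives.get("remote"),
        "inline_blocks": sorted(inline),
        "pkcs12_file": (directives.get("pkcs12") or [None])[0],
        "external_files": {d: directives[d][0] for d in ("ca", "cert", "key", "tls-auth")
                           if directives.get(d)},
        # None when the key is not inline: the profile alone cannot tell
        "inline_key_encrypted": None if key is None
                                else any(m in key for m in ENCRYPTED_MARKERS),
    }

if __name__ == "__main__":
    for name, profile in (("inline", INLINE_PROFILE), ("p12", P12_PROFILE)):
        print(name, audit_profile(profile))
```

An inline key reported as unencrypted means the .ovpn file on its own is enough to authenticate as that client, so it should be stored and transferred like a private key.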