Windows OpenVPN Client win11 With IPFire connection problems

Firewall: IPFire 2.27 (x86_64) - Core-Update 172
OPEN VPN client : 3.3.6 (2752) (windows 11)

When I create an Connection (on the ipfire) with a password p12 file.
I download the zip package, i add the p12 file to certificates and tokens, import the .ovpn file.

When I try to connect I get the following error : opensslcontext: CA not defined

Is this a mistake in the ipfire (which makes the .ovpn and .p12 files) OR is it a mistake in the
OpenVPN client.

I can only import/create & Use connections that DO not have a password attached.

My goal Is to have the VPN protected with at least a password OR an OTP.

Both OTP Or passwords are not working with this combination of ipfire and OpenVPN Connectā€¦

Does anybody have any clue on what to change or do ?

THANKS,

Leo

Best

1 Like

No, this REPLY does not helpā€¦ (I allready saw these posts)

I tried several things, but nogo :frowning:

I use the latest version: OPEN VPN client : 3.3.6 (2752) (windows 11)

In the configuration i checked OTPā€¦ to get 2FA on the vpnā€¦

When I download the First (secure) package from ip fire you receive the following files:
A .p12 file and the .ovpn file

You need to add the .p12 file to certificates and tokensā€¦ via the userinterface (openvpn connect)

Then the next step is to import the ovpn file and attach the p12 file. (openvpn connect)

After import and attach

Connectā€¦ and it fails

fail

I cannot add more screenprintsā€¦ :frowning:

I was able to get the OTP question by adding:

auth-user-pass
static-challenge "Enter your OTP" 0

to the .ovpn file
After this I still get the failure: OpenSSLContext: CA not defined

There are NO certificates in the secure (first) ovpn fileā€¦
I guess that there should be something more in that safe file. !!

The ā€œUNSAFEā€ file there are ca, cert, key parts, and the UNSAFE file works :slight_smile:

But I need something more safeā€¦ 2FA or a working username/password

The ovpn file is as follows (that first ā€˜safeā€™ download option)

I added 2 lines myself:


#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote static.xxxxxx 1194
pkcs12 VPNTEST.p12
cipher AES-256-CBC
auth SHA512
verb 3
remote-cert-tls server
verify-x509-name static.xxxxxx name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact

auth-user-pass
static-challenge "Enter your OTP" 0

You can try to test the following steps

Best

Hiā€¦
The global TLS version is checked (TLS 1.3)
Yes I added a test connection to roadwarriorā€¦
Yes I added the .p12 file to certificate & Tokens
Then imported the .ovpn And linked the .p12 certificate to the connection

Still the same result : OpenSSLContext: CA not defined :frowning:

Somehow i get the feeling that the information INSIDE the ovpn file is missing the CA and/or other data

see screen of comparison:

you can try to embed the certificate authority inside the .ovpn configuration file.

Briefly, make sure you have openssl, open a console and extract the ca cert from the .p12 file:

openssl pkcs12 -in name.p12 -cacerts -nokeys -out ca.crt

You can do this also in a console of IPFire if you do not have Linux or MacOS available (no idea if or how to do this in windows) .

Now you can embed the content of the file ca.crt at the bottom of your .ovpn in between the BEGIN CERTIFICATE and END CERTIFICATE :

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

Once imported by the client, it should acquire the ca cert.

1 Like

This should be done by fireIP ?!
just as the OTP challenge should be included in the .ovpn fileā€¦ (so that the OTP question pops up)

but thats just my 2 cents

Like this it is less secure because the certificate is in plain text. Normally the client and the OS would find the certificates from the .p12 file and everything would work smoothly. For some reason this is failing in your setting, but this is not normal. IPFire could create automatically an .ovpn with all the certificates embedded if you go for the unsecure route.

I tried to add the certificate using the ca tags from a .ovpn file from an insecure packageā€¦
This was not working :frowning:

It all looks so nice in specs, but if its not working and our VPNā€™s are working without any form of name/passwords or OTP challengesā€¦ It is simply insecure so NOT usable !!

If somebody gains access to our ā€œunsecureā€ vpn connection files or our windows machines they gain access to our environment. (this is NOT an option)

something is very wrong with your setting, the certificate cannot be missed if embedded in the .ovpn This has never failed before in ios, macos or android, in my tests.

EDIT: try to extract it from a secure .p12 as highlighted in the post above. Openssl before writing in clear text it will ask for the password.

1 Like

maybe its just the windows client ??? so the openvpn client that makes the trouble.

But i cannot be the only one using windows :stuck_out_tongue:

you are not, but you are the first to report this issue. If you search the forum you will find several windows users that had trouble importing the certificates that were solved by following the instructions given by other members of this forum.

Edit, this is a recent one: Cannot find .p12 file in Windows 11? - #5 by tphz

2 Likes

I guess that this is an older openvpn client in windows (2.x.x ??).
The folder that they use is also not ā€˜normalā€™ in windows.

3.3.6 uses something like :

C:\Users<username>\AppData\Roaming\OpenVPN Connect\profiles

I always stand on the Bleeding edge (first one te get into trouble :stuck_out_tongue: )

My environment is very new, so i download all the latest en greatest versions

v3

I would just like to remind you that there are two editions/versions of the openvpn client available on openvpn.net .

  1. the ā€œofficialā€ version - OpenVPN Connect
  2. the Community Edition version

These editions, differ in the way they are configured.
Differences in configuration, have been a source of trouble, reported and explained on the IPFire forum.

OTP works only on the community editions.

3 Likes

I will try the ā€˜otherā€™ version nowā€¦

I was always clear which version i used (first post)