IPFire 2.27 (x86_64) - Core-Update 172
OPEN VPN client : 3.3.6 (2752) (windows 11)
When I create a connection (on the ipfire) with a password p12 file.
I download the zip package, I add the p12 file to certificates and tokens, import the .ovpn file.
When I try to connect I get the following error :
opensslcontext: CA not defined
Is this a mistake in the ipfire (which makes the .ovpn and .p12 files) OR is it a mistake in the
I can only import/create & Use connections that DO not have a password attached.
My goal Is to have the VPN protected with at least a password OR an OTP.
Both OTP Or passwords are not working with this combination of ipfire and OpenVPN Connect…
Does anybody have any clue on what to change or do ?
No, this REPLY does not help… (I already saw these posts)
I tried several things, but no go
I use the latest version: OPEN VPN client : 3.3.6 (2752) (windows 11)
In the configuration I checked OTP… to get 2FA on the vpn…
When I download the First (secure) package from ip fire you receive the following files:
A .p12 file and the .ovpn file
You need to add the .p12 file to certificates and tokens… via the user interface (openvpn connect)
Then the next step is to import the ovpn file and attach the p12 file. (openvpn connect)
After import and attach
Connect… and it fails
I cannot add more screenprints…
I was able to get the OTP question by adding:
static-challenge "Enter your OTP" 0
to the .ovpn file
After this I still get the failure: OpenSSLContext: CA not defined
There are NO certificates in the secure (first) ovpn file…
I guess that there should be something more in that safe file. !!
The “UNSAFE” file there are ca, cert, key parts, and the UNSAFE file works
But I need something more safe… 2FA or a working username/password
The ovpn file is as follows (that first ‘safe’ download option)
I added 2 lines myself:
#OpenVPN Client conf
remote static.xxxxxx 1194
verify-x509-name static.xxxxxx name
static-challenge "Enter your OTP" 0
3 February 2023 00:16
You can try to test the following steps
Today I downloaded and installed the openvpn-connect-v3-windows.msi version
To run the v3 version, I performed the following steps:
WUI–>OpenVPN → Global Settings
check the TLS Channel Protection option
Add the RoadWarrior connection
with PKCS12 File Password
Download Client Package(zip)
and unzip to separate folder
Following the wiki instructions below, copy the downloaded file …
The global TLS version is checked (TLS 1.3)
Yes I added a test connection to roadwarrior…
Yes I added the .p12 file to certificate & Tokens
Then imported the .ovpn And linked the .p12 certificate to the connection
Still the same result : OpenSSLContext: CA not defined
Somehow I get the feeling that the information INSIDE the ovpn file is missing the CA and/or other data
see screen of comparison:
3 February 2023 12:02
You can try to embed the certificate authority inside the .ovpn configuration file.
Briefly, make sure you have openssl, open a console and extract the ca cert from the
openssl pkcs12 -in name.p12 -cacerts -nokeys -out ca.crt
You can do this also in a console of IPFire if you do not have Linux or MacOS available (no idea if or how to do this in windows) .
Now you can embed the content of the file ca.crt at the bottom of your .ovpn in between the BEGIN CERTIFICATE and END CERTIFICATE :
Once imported by the client, it should acquire the ca cert.
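The embedding step from the post above, as an added example (not part of the original posts and not IPFire's own tooling). The function names and file arguments are hypothetical; `extract_ca` is the `openssl` command quoted above, and the result is written as an OpenVPN inline `<ca>` block.

```shell
#!/bin/sh
# Added example: embed the CA certificate from a PKCS#12 bundle into an
# OpenVPN profile as an inline <ca> block. All file names are placeholders.

# extract_ca P12 OUT: the command from the post. openssl prompts for the
# .p12 password; -nokeys means no private key is written to OUT.
extract_ca() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -out "$2"
}

# pem_only FILE: print only the PEM certificate blocks, dropping the
# "Bag Attributes"/subject/issuer lines openssl writes around them.
pem_only() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# has_ca PROFILE: succeed if the profile already defines a CA, either
# inline (<ca>) or through a "ca <file>" directive.
has_ca() {
    grep -Eq '^[[:space:]]*(<ca>|ca[[:space:]])' "$1"
}

# embed_ca PROFILE CA_PEM: append an inline <ca> block to PROFILE.
# Returns 1 if a CA is already defined, 2 if CA_PEM holds a private key,
# 3 if CA_PEM holds no certificate (for example an empty CA chain).
embed_ca() {
    profile=$1
    ca=$2
    if has_ca "$profile"; then
        echo "profile already defines a CA" >&2
        return 1
    fi
    if grep -q 'PRIVATE KEY' "$ca"; then
        echo "refusing: $ca contains a private key" >&2
        return 2
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "no certificate found in $ca" >&2
        return 3
    fi
    { printf '\n<ca>\n'; pem_only "$ca"; printf '</ca>\n'; } >> "$profile"
}

# Usage: extract_ca name.p12 ca.crt && embed_ca client.ovpn ca.crt
```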
This should be done by IPFire ?!
just as the OTP challenge should be included in the .ovpn file… (so that the OTP question pops up)
but that's just my 2 cents
3 February 2023 12:14
Like this it is less secure because the certificate is in plain text. Normally the client and the OS would find the certificates from the .p12 file and everything would work smoothly. For some reason this is failing in your setting, but this is not normal. IPFire could create automatically an .ovpn with all the certificates embedded if you go for the unsecure route.
I tried to add the certificate using the ca tags from a .ovpn file from an insecure package…
This was not working
It all looks so nice in specs, but if it's not working and our VPNs are working without any form of name/passwords or OTP challenges… It is simply insecure so NOT usable !!
If somebody gains access to our “unsecure” vpn connection files or our windows machines they gain access to our environment. (this is NOT an option)
3 February 2023 12:24
Something is very wrong with your setting, the certificate cannot be missed if embedded in the .ovpn. This has never failed before in ios, macos or android, in my tests.
EDIT: try to extract it from a secure .p12 as highlighted in the post above. Before writing it in clear text, openssl will ask for the password.
Maybe it's just the windows client ??? so the openvpn client that makes the trouble.
But I cannot be the only one using windows
3 February 2023 12:29
You are not, but you are the first to report this issue. If you search the forum you will find several windows users that had trouble importing the certificates that were solved by following the instructions given by other members of this forum.
Edit, this is a recent one:
Cannot find .p12 file in Windows 11? - #5 by tphz
I guess that this is an older openvpn client in windows (2.x.x ??).
The folder that they use is also not ‘normal’ in windows.
3.3.6 uses something like :
I always stand on the Bleeding edge (first one to get into trouble)
My environment is very new, so I download all the latest and greatest versions
3 February 2023 15:05
OTP works only on the community editions.
I will try the ‘other’ version now…
I was always clear which version I used (first post)