First issue (minor?) - on the dashboard it shows vpn_disabled (Screen 1) - but in services openvpn is running (Screen 2):
Second issue (major) - using the OpenVPN settings (Screen 3) - bad openvpn config for user.
I generated a new user and got this ovpn file to download.
```
dev tun
client
remote gw1.dmginc.com
port
float
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIEOjCCAyKgAwIBAgIEV2LBVjANBgkqhkiG9w0BAQsFADCBtTEQMA4GA1UEAwwH
Z2F0ZXdheTEgMB4GA1UECgwXRGFudmlsbGUgTWF5IEdyb3VwIEluYy4xCzAJBgNV
<...removed...>
qjRfK/C7Ov6sy5LCtMIBdBSuijX3QyerLliCVnz0
-----END CERTIFICATE-----
</ca>
comp-lzo
explicit-exit-notify 1
verb 3
persist-key
persist-tun
nobind
```
Knowing that it was wrong, I looked at config show and got this listing.
```
openvpn=
openvpn@host-to-net=service
    AuthMode=certificate
    BridgeEndIP=
    BridgeName=br0
    BridgeStartIP=
    ClientToClient=disabled
    Compression=enabled
    Mode=routed
    Netmask=255.255.255.0
    Network=192.168.33.0
    Remote=gateway.dmginc.com
    RouteToVPN=disabled
    TapInterface=tap0
    UDPPort=1194
    access=public
    status=enabled
```
Why both openvpn= with nothing and openvpn@host-to-net with something?
I went directly to /var/lib/nethserver/certs and removed all user certs (three residual .p12 not removed before), reset serial and certindex. I deleted and regenerated the user. Got this screen.
Went to the download and requested ovpn download and was told it was a zero length file:
Forget this path - I need my vpn access. Knowing that I had an old vpn (alpha2) file that did work, I copied and removed the keys/certificates like so:
```
######### NethServer OpenVPN client configuration #########
dev tun
client
remote gateway.dmginc.com
port 1194
float
# Authentication: certificate
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
comp-lzo
explicit-exit-notify 1
verb 3
persist-key
persist-tun
nobind
```
Then I downloaded a PEM file, copied and pasted the certificates/key from it and then my client could connect.
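
An added example, not part of the original post and not NethServer's code: a small Python check for the symptoms shown above in a generated client profile (zero-length download, `port` with no value, `auth-user-pass` and missing `<cert>`/`<key>` while `AuthMode=certificate`, inline blocks with nothing between the PEM markers). The name `lint_ovpn`, the host `vpn.example.test` and the sample profile are constructed for illustration, and treating `auth-user-pass` as a mismatch in certificate mode is an assumption drawn from the two profiles in the post.

```python
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
BLOCK_RE = re.compile(r"<(\w+)>(.*?)</\1>", re.S)

def lint_ovpn(text, auth_mode="certificate"):
    """Return a list of problems found in an OpenVPN client profile."""
    if not text.strip():
        return ["profile is empty (zero-length download)"]
    problems = []
    # Separate inline <tag>...</tag> blocks from the plain directives.
    blocks = {m.group(1): m.group(2) for m in BLOCK_RE.finditer(text)}
    seen = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            seen[name] = args
    if not seen.get("remote"):
        problems.append("remote: no server given")
    if "port" in seen:
        port = seen["port"][0] if seen["port"] else ""
        if not (port.isdigit() and 0 < int(port) < 65536):
            problems.append("port: directive has no valid value")
    if auth_mode == "certificate":
        if "auth-user-pass" in seen:
            problems.append("auth-user-pass: set although AuthMode is certificate")
        for tag in ("ca", "cert", "key"):
            if tag not in blocks:
                problems.append(f"<{tag}>: block missing")
                continue
            m = PEM_RE.search(blocks[tag])
            if not m or not m.group(2):
                problems.append(f"<{tag}>: no PEM data between markers")
    return problems

# Constructed sample shaped like the broken download (placeholder host and data).
BAD = """dev tun
client
remote vpn.example.test
port
float
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
</ca>
"""
```

Running `lint_ovpn` on each profile right after it is generated separates a template or database problem (empty `port`, wrong authentication stanza) from a certificate-store problem (missing or empty `<cert>`/`<key>`).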