I have been trying out the OpenVPN service option in TrueNAS 12, and I've come across a couple of things that I think are worth mentioning, but perhaps don't count as actual bugs:
1. When a CA Certificate is created with OpenVPN profile, it only sets the Server Auth purpose, which means that it cannot Authenticate Client Certificates. Is there a reason why Client Auth should not be set as well for an OpenVPN CA cert by default?
2. The downloading of a Client configuration file is a great idea, but I came across these issues:
The exported client config has the "remote" option set to the value of "server" option of the OpenVPN server configuration, which doesn't work well at all. I'm not sure exactly how the best address specification of the server gets determined for the Client unless perhaps there's a "local" option specified in the Server, which may not be always suitable, but the 'server' value is never going to work.
Also all the Server Additional Parameters seem to get fully copied into the Client config, which may not always be appropriate. In the particular case of push options, I would suggest leaving them out of the Client config entirely, so that the Server can remain capable of dynamically adjusting these settings for the clients as time goes by. Other Server settings may also be confusing for a Client.
I've been enjoying doing the bit of testing I've been able to do and look forward to the Beta.
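A check for the two export problems described in the post above, added here as an example and not part of the original post or of TrueNAS: it flags a `remote` line whose arguments are a subnet and any server-mode directives that ended up in a client file. The sample config is constructed, and the assumption that the bad line has the form `remote <network> <netmask>` is inferred from the description, since the post does not show the exported file.

```python
import ipaddress

# OpenVPN directives that only make sense in server mode (selection made for
# this example; the post itself only names "push").
SERVER_ONLY = {"server", "server-bridge", "push", "push-reset", "ifconfig-pool",
               "ifconfig-pool-persist", "client-to-client", "client-config-dir",
               "duplicate-cn", "max-clients"}

def remote_is_subnet(args):
    """True when the arguments of 'remote' are 'network netmask' or CIDR
    rather than 'host [port] [proto]'."""
    if not args:
        return False
    try:
        if "/" in args[0]:
            ipaddress.ip_network(args[0], strict=True)
            return True
        if len(args) >= 2 and "." in args[1]:  # a port has no dots, a netmask does
            ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=True)
            return True
    except ValueError:
        return False
    return False

def lint_client_config(text):
    """Return (line number, finding) pairs for an exported client config."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop '#' and ';' comments; only the directive and its args matter here.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        if directive == "remote" and remote_is_subnet(args):
            findings.append((lineno, "remote-is-subnet"))
        elif directive in SERVER_ONLY:
            findings.append((lineno, f"server-only:{directive}"))
    return findings

# Constructed sample of an export showing both problems.
SAMPLE = """client
dev tun
proto udp
remote 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
client-to-client
remote vpn.example.net 1194
"""

if __name__ == "__main__":
    for lineno, finding in lint_client_config(SAMPLE):
        print(f"line {lineno}: {finding}")
```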