VPN profiles not being generated in Endpoint Manager after SNG7/FPBX14 upgrade

After an in-place upgrade from 6.6 to 7 (FPBX 13 to 14) I am experiencing a lot of trouble with the VPN server module and would like some guidance on next troubleshooting steps. Here are the issues I’m having:

  • When I go into a single Active Directory user and set the VPN permission to Auto Create & Link, FreePBX creates a VPN profile for all 300ish of my Active Directory users when it should only be creating the VPN profile for the single user. Setting the group permission doesn’t have this issue; the profiles are only created for the group members.
  • All of the auto-generated VPN client certificates (user OR group) are of 0 size (empty) in /etc/openvpn/clients. Creating a VPN client manually doesn’t have this issue.
  • When manually creating a VPN client, linking it to a user, and then setting the VPN client value to the linked VPN client in a Yealink extension mapping, the VPN profile isn’t being created in /tftpboot, the openvpn.url value in the config file is blank, and network.vpn_enable is set to 0.

I’ve tried completely deleting all VPN clients, disabling and reenabling the VPN server, deleting and re-adding the extension, deleting and re-adding all groups and users (yuck) and I’m out of ideas on how to make the endpoint manager generate the VPN profiles.

Any ideas?

Never used the built-in VPN. Is the service running?

Yes, verified it’s enabled and running. It’s not the underlying openvpn system that’s the issue; it’s the generation of certs/configs and the endpoint manager linking the VPN clients to the phones that’s the trouble.

I believe I figured out what part of the problem is: FreePBX isn’t copying the CA certificate and the DH parameters file into /etc/openvpn and it can’t start because of that, but I’m not entirely convinced that’s causing all the issues.

FreePBX is still generating empty client certificates. There’s something very wrong under the hood but I don’t really have a way of seeing where the issue lies.

I also think I’ve got some database weirdness going on because in endpoint manager I’m now seeing other users’ VPN profiles in the VPN client dropdown box.

OK I figured out what I needed to do for the VPN system to start generating VPN clients properly:

  • Disable VPN permission for all groups
  • Disable the VPN service under System Admin
  • Remove all VPN clients

Run the following commands from the CLI:

rm -rf /etc/openvpn/clients/*
rm -rf /etc/openvpn/client/*
rm -rf /etc/openvpn/ccd/*
rm -rf /etc/openvpn/sysadmin_*
rm -rf /etc/openvpn/ipp.txt
/etc/openvpn/easyrsa3/easyrsa init-pki

At this point you can reenable the VPN and it will recreate the CA and certificates. You can then reset your group permission to auto-assign VPN clients and then you can assign them to phones.

The original bug of creating VPN clients for every single user in the system when dealing with a single user is still a problem though.
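
The following is an added example, not part of the original posts and not FreePBX code: a shell check for the two symptoms reported in this thread (zero-byte files under the clients directory, and CA or DH files missing from the OpenVPN directory), which can be run before and after the reset. The file names ca.crt and dh.pem and the AUDIT_DIR variable are assumptions; substitute the names your install uses.

```shell
#!/bin/sh
# Audit an OpenVPN directory for empty client files and missing server files.

# empty_client_files DIR: print zero-byte regular files under DIR/clients.
empty_client_files() {
    [ -d "$1/clients" ] || return 0
    find "$1/clients" -type f -size 0 | sort
}

# missing_server_files DIR NAME...: print each NAME absent or empty in DIR.
missing_server_files() {
    dir=$1; shift
    for name in "$@"; do
        [ -s "$dir/$name" ] || printf '%s\n' "$name"
    done
}

# audit_openvpn DIR NAME...: report findings; return 0 if clean, 1 otherwise.
audit_openvpn() {
    dir=$1; shift
    empty=$(empty_client_files "$dir")
    missing=$(missing_server_files "$dir" "$@")
    status=0
    if [ -n "$empty" ]; then
        printf 'zero-byte client files:\n%s\n' "$empty"
        status=1
    fi
    if [ -n "$missing" ]; then
        printf 'missing or empty server files:\n%s\n' "$missing"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "ok: client files non-empty, server files present"
    return "$status"
}

# Constructed fixture: one empty client file, CA present, DH parameters absent.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/clients"
    : > "$d/clients/alice.crt"
    echo "constructed" > "$d/clients/bob.crt"
    echo "constructed" > "$d/ca.crt"
    printf '%s\n' "$d"
}

# Audits the fixture by default; set AUDIT_DIR=/etc/openvpn to audit a real host.
fixture=$(make_fixture)
audit_openvpn "${AUDIT_DIR:-$fixture}" ca.crt dh.pem || echo "issues found"
rm -rf "$fixture"
```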
