After an in-place upgrade from 6.6 to 7 (FPBX 13 to 14) I am experiencing a lot of trouble with the VPN server module and would like some guidance on next troubleshooting steps. Here are the issues I’m having:
When I go into a single active directory user and set the VPN permission Auto Create & Link, FreePBX creates a VPN profile for all 300ish of my active directory users when it should only be creating the VPN profile for the single user. Setting the group permission doesn’t have this issue; the profiles are only created for the group members.
All of the auto-generated VPN client certificates (user OR group) are of 0 size (empty) in /etc/openvpn/clients. Creating a VPN client manually doesn’t have this issue.
When manually creating a VPN client, linking it to a user, and then setting the VPN client value to the linked VPN client in a Yealink extension mapping, the VPN profile isn’t being created in /tftpboot, the openvpn.url value in the config file is blank, and network.vpn_enable is set to 0.
I’ve tried completely deleting all VPN clients, disabling and reenabling the VPN server, deleting and re-adding the extension, and deleting and re-adding all groups and users (yuck), and I’m out of ideas on how to make the endpoint manager generate the VPN profiles.
Yes, verified it’s enabled and running. It’s not the underlying openvpn system that’s the issue; it’s the generation of certs/configs and the endpoint manager linking the VPN clients to the phones that’s the trouble.
I believe I figured out what part of the problem is: FreePBX isn’t copying the CA certificate and the DH parameters file into /etc/openvpn and it can’t start because of that, but I’m not entirely convinced that’s causing all the issues.
FreePBX is still generating empty client certificates. There’s something very wrong under the hood but I don’t really have a way of seeing where the issue lies.
I also think I’ve got some database weirdness going on, because in endpoint manager I’m now seeing other users’ VPN profiles in the VPN client dropdown box.
At this point you can reenable the VPN and it will recreate the CA and certificates. You can then reset your group permission to auto-assign VPN clients and then you can assign them to phones.
The original bug of creating VPN clients for every single user in the system when dealing with a single user is still a problem though.