OpenVPN support limitations

Solution

Support for OpenVPN VPNs in TMS 8.2.0 and TLXOS 4.8.0/4.9.0 is very basic. In later releases we will provide interactive controls for VPN configuration, and support other schemes such as L2TP/IPSEC, but at present VPN setup is entirely configuration-file driven and subject to some limitations:

  • At present we only support an OpenVPN configuration that uses SSL certificates as the sole means of authentication. If your OpenVPN server requires a password (other than the private key passphrase) as well as or instead of SSL certificates, then you will need to make manual alterations to your OVPN configuration file to get OpenVPN working. Specifically, you may need to add "auth-user-pass /somewhere/password-file" and then place the password in the referenced /somewhere/password-file file. This will undermine any two-factor security intent and weaken security, but that can't be helped (see below).
  • The public and private keys for the client certificate, and the public key for the Certificate Authority needed to validate your OpenVPN server, must be embedded in the OVPN configuration file using <cert>, <key> and <ca> tags respectively.
  • The private key must be unencrypted, i.e. must have had its passphrase removed.  We realize that this defeats the intent of two-factor authentication and means that anyone who has access to your TLXOS device has access to your VPN, but interactively prompting for a passphrase at boot-time causes too many problems, in terms of both implementation difficulty and logistics (e.g. you may not be able to remotely manage a device using TMS until the console operator enters the passphrase to bring the VPN up, which would be undesirable for many).

The ovpn file you upload is live-tested against your OpenVPN server, so your OpenVPN server must be running and reachable by the client at the time that you upload the ovpn file. What the "Invalid OpenVPN Config File" error really means is that the live test failed for some reason.

Specifically, the test performed is "/usr/sbin/openvpn --config ovpn-file --ifconfig-noexec --route-noexec --inactive 1" (substitute the correct pathname for ovpn-file). You can run that command in a terminal window (opened with <ctrl><alt>t) to get more detail on what went wrong.
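The following pre-flight script checks an OVPN file against the constraints listed above (inline <ca>/<cert>/<key> blocks, an unencrypted private key, and a usable auth-user-pass file) before it is uploaded, and wraps the same live test TMS runs. It is an added example, not ThinLinX's own code; the sample .ovpn it writes uses constructed placeholder PEM bodies and the host name vpn.example.invalid, neither of which is a real key or server.

```shell
#!/bin/sh
# Pre-flight check of an .ovpn file against the TLXOS constraints listed above,
# run before uploading through TMS. Returns 0 if all constraints are met, 1 otherwise.
check_ovpn() {
    f="$1"; rc=0
    # CA cert, client cert and key must be inline; external file references will not work.
    for tag in ca cert key; do
        grep -q "^<$tag>" "$f" && grep -q "^</$tag>" "$f" ||
            { echo "missing inline <$tag> block"; rc=1; }
    done
    # A passphrase-protected PEM key carries "Proc-Type: 4,ENCRYPTED" (PKCS#1)
    # or "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8); TLXOS cannot prompt for it at boot.
    if sed -n '/^<key>/,/^<\/key>/p' "$f" | grep -q ENCRYPTED; then
        echo "private key is encrypted; remove its passphrase"; rc=1
    fi
    # auth-user-pass with no argument means an interactive prompt, which TLXOS cannot
    # service; with a file argument, the password file must exist and be readable.
    if grep -q '^auth-user-pass' "$f"; then
        pw=$(awk '$1=="auth-user-pass"{print $2}' "$f")
        [ -n "$pw" ] || { echo "auth-user-pass needs a password-file path"; rc=1; }
        [ -z "$pw" ] || [ -r "$pw" ] || { echo "password file $pw not readable"; rc=1; }
    fi
    return $rc
}

# Same live test TMS runs on upload (needs openvpn installed and the server reachable).
live_test() { /usr/sbin/openvpn --config "$1" --ifconfig-noexec --route-noexec --inactive 1; }
# Writes a constructed sample .ovpn with placeholder PEM bodies (not real keys); $2 is "plain" or "encrypted".
write_sample() {
    hdr="-----BEGIN PRIVATE KEY-----"; ftr="-----END PRIVATE KEY-----"
    [ "$2" != encrypted ] || { hdr="-----BEGIN ENCRYPTED PRIVATE KEY-----"; ftr="-----END ENCRYPTED PRIVATE KEY-----"; }
    cat > "$1" <<EOF
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
$hdr
PLACEHOLDER-KEY-BODY
$ftr
</key>
EOF
}
```

Run `check_ovpn client.ovpn && live_test client.ovpn` on the TLXOS device: the first call reports which constraint is violated without needing the server, the second reproduces the upload-time test.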

Article details
Article ID: 49
Category: General Information
Date added: 2020-07-18 23:52:11