Netgate Discussion Forum

    OVPN Client asks for Password

    OpenVPN
    10 Posts 3 Posters

      A Former User:

      Hi guys!

      I recently did an upgrade to Debian 12 (Bookworm) on a remote server which is connected through OpenVPN to my pfSense box. This worked really fine and reliably.
      My OVPN server is configured for SSL/TLS authentication and thus no user credentials are needed:

      [screenshot: Bildschirmfoto 2023-06-12 um 14.06.56.png]

      Since the upgrade I am getting asked for a password and I do not have a clue what is going on there:

      Broadcast message from root@piholedns (Mon 2023-06-12 14:06:02 CEST):
      
      Password entry required for 'Enter Private Key Password:' (PID 1948).
      Please enter password with the systemd-tty-ask-password-agent tool.
      

      I tried several things like disabling the systemd-tty-ask-password-agent or reconfiguring openssl in some way.

      I do not remember having set a password for the key file.

      Anyone have an idea how to solve this?

      Thanks a lot!

      /KNEBB

        viragomann (in reply to @Guest):

        @knebb said in OVPN Client asks for Password:

        I do not remember having set a password for the key file.

        Maybe you have to set one now, however.

        At least the Network Manager OpenVPN plugin requires a password for the private key, even if you haven't set one.
        So you will have to re-export the P12 file as encrypted.

          A Former User (in reply to @viragomann):

          @viragomann
          Thanks, yes I might need a password. Just a really dumb question arises:
          How to set a password?

          I went to "System -> Cert. Manager" and set a password on the client certificate. Then I went to "VPN -> OpenVPN -> Client Export" and downloaded the bundled package which contains:

          • *.ovpn configuration file
          • *.p12 file
          • *-tls.key

          I added a line to the .conf:
          askpass /etc/openvpn/auth.txt
          created the auth.txt containing a single line with the password I set above:
          password
          followed by
          chmod 0600 auth.txt
          and restarted the openvpn client:
          systemctl restart openvpn@router-UDP4-1234-pihole.ovpn.service
          which brings me errors in syslog:

          OpenSSL: error:0308010C:digital envelope routines::unsupported
          OpenSSL: error:11800071:PKCS12 routines::mac verify failure
          Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
          Error: private key password verification failed
          Exiting due to fatal error
          

          So there seems to be some SSL misconfiguration (as the password is now correct).

          Any further idea?
          Thanks!
          /KNEBB

            viragomann (in reply to @Guest):

            @knebb
            You have to pull the pkcs12 file from the client export utility.

            Check "Password Protect Certificate" and enter a password below.
            Then download the bundled archive.

            Note that the pkcs12 file contains the client certificate and the private key and also the CA certificate.

              A Former User (in reply to @viragomann):

              @viragomann
              Hi again,

              well, indeed I was not aware of this option and did as suggested:
              [screenshot: Bildschirmfoto 2023-06-12 um 20.14.04.png]
              Used the same password as written in /etc/openvpn/auth.txt and exported the configuration again to my client.
              But the issue still persists:

              OpenSSL: error:11800071:PKCS12 routines::mac verify failure
              OpenSSL: error:0308010C:digital envelope routines::unsupported
              Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
              Error: private key password verification failed
              Exiting due to fatal error
              

              Just for reference, the ovpn.conf file:

              dev tun
              persist-tun
              persist-key
              data-ciphers AES-128-CBC
              data-ciphers-fallback AES-128-CBC
              auth SHA256
              tls-client
              client
              resolv-retry infinite
              remote pfsense.domain.public 1193 udp4
              nobind
              verify-x509-name "pfsense.domain.local" name
              pkcs12 router-UDP4-1194-client.domain.local.p12
              tls-auth router-UDP4-1194-client.domain.local-tls.key 1
              remote-cert-tls server
              explicit-exit-notify
              

              Any further ideas?

              /KNEBB

                A Former User (in reply to @Guest):

                I am a little bit unsure with ssl but I tried to get information about the p12 file I got through client export.
                Is the following to be expected?

                root@client:/etc/openvpn# openssl pkcs12 -export -in pfsense-UDP4-1192-client.domain.local.p12  
                Could not read private key from -in file from pfsense-UDP4-1192-client.domain.local.p12
                

                As openssl does not prompt me for a password it appears there is none set?

                Sorry, I have no clue what is going on here....

                /KNEBB

                  A Former User (in reply to @Guest):

                  Hi to myself ;)

                  Reading again the above screenshot mentions:

                  Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

                  I guess I am not getting a password because my client is a Linux client and I do not download the Viscosity bundle.
                  So it looks like this is not the place to add a password to the p12 file...

                  Where else to set? And why does it not even work with openssl?

                  Totally confused meanwhile....
                  /KNEBB

                    viragomann (in reply to @Guest):

                    @knebb said in OVPN Client asks for Password:

                    root@client:/etc/openvpn# openssl pkcs12 -export -in pfsense-UDP4-1192-client.domain.local.p12
                    Could not read private key from -in file from pfsense-UDP4-1192-client.domain.local.p12

                    I guess, this is a wrong usage of the "openssl pkcs12 -export" command.

                    Not clear, what you intend to do here. The command is meant to create a pkcs12 file.
                    To look into the file run "openssl pkcs12 -in yourpcs12file.p12 -info".

                    Reading again the above screenshot mentions:

                    Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

                    I guess I am not getting a password because my client is a Linux client and I do not download the Viscosity bundle.

                    If you check the mentioned option and enter a password in the client export, the private key in the exported pkcs12 file is encrypted.
                    I'm using a Linux OpenVPN client with an encrypted pkcs12 as well, however this is the Network Manager plugin.

                    Which OpenSSL version is the client using?
                    As far as I know, v 3 is not compatible with pfSense OpenVPN.

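Added example, not code from this thread, from pfSense or from OpenVPN: the errors quoted earlier in the thread (`error:0308010C:digital envelope routines::unsupported` next to a PKCS12 MAC verify failure) are what OpenSSL 3 reports when a .p12 uses an algorithm that now lives only in its optional legacy provider. Before 3.0, `openssl pkcs12 -export` wrapped certificate bags with pbeWithSHAAnd40BitRC2-CBC, and RC2 is legacy-only in OpenSSL 3, so the decode fails regardless of whether the password is right. The script below walks the DER structure of a bundle without its password, lists the PBE and MAC OIDs it finds, and says whether `openssl pkcs12 -legacy` (or a re-export with PBES2/AES) is needed. The OID tables are the standard PKCS#12 and PKCS#5 values; the two sample bundles are constructed skeletons with placeholder ciphertext, not real exports; and taking the last DigestInfo as the MAC digest is an assumption marked in the code.

```python
"""Added example (not code from the thread, pfSense or OpenVPN): read the PBE/MAC algorithm OIDs
out of a PKCS#12 (.p12) bundle without its password and predict whether OpenSSL 3 needs `-legacy`."""
# Standard PKCS#12 (RFC 7292) and PKCS#5 identifiers, grouped by the OpenSSL 3 provider implementing them.
LEGACY_ONLY_PBE = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",  # pre-3.0 export default for cert bags
}
DEFAULT_PROVIDER_PBE = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",  # pre-3.0 export default for the key
    "1.2.840.113549.1.5.13": "PBES2 (PBKDF2 + AES; the OpenSSL 3 export default)",
}
MAC_DIGEST = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element at buf[pos]; ValueError if malformed."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    parts, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [str(val)], 0
    return ".".join(parts)

def collect_oids(buf):
    """Every OID in buf, depth first. SEQUENCE/SET/[n] are descended; an OCTET STRING only if its
    whole body parses as DER (how PKCS#12 nests its safes), so encrypted payloads stay opaque."""
    oids, pos = [], 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(_decode_oid(body))
        elif tag & 0x20:
            oids.extend(collect_oids(body))
        elif tag == 0x04:
            try:
                oids.extend(collect_oids(body))
            except (ValueError, IndexError):
                pass
    return oids

def assess_pkcs12(der):
    """Summarise the bundle; needs_legacy_provider predicts 'digital envelope routines::unsupported'."""
    oids = collect_oids(der)
    legacy = sorted({LEGACY_ONLY_PBE[o] for o in oids if o in LEGACY_ONLY_PBE})
    default = sorted({DEFAULT_PROVIDER_PBE[o] for o in oids if o in DEFAULT_PROVIDER_PBE})
    macs = [MAC_DIGEST[o] for o in oids if o in MAC_DIGEST]
    return {"legacy_pbe": legacy, "default_pbe": default, "needs_legacy_provider": bool(legacy),
            "mac_digest": macs[-1] if macs else None}  # assumption: MacData is the last DigestInfo

# --- DER builders, used only to construct sample input (no real keys or certificates) ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lenbytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def sample_pfx(cert_pbe, key_pbe, mac_digest):
    """Constructed PFX skeleton nested like a real bundle (cert bags in encryptedData, the key in a
    pkcs8ShroudedKeyBag, MacData last); ciphertext is placeholder bytes, so inspectable, not loadable."""
    opaque, data = b"\xde\xad\xbe\xef", _oid("1.2.840.113549.1.7.1")
    pbe = lambda oid: _tlv(0x30, _oid(oid) + _tlv(0x30, _tlv(0x04, b"salt") + _tlv(0x02, b"\x08\x00")))
    cert_part = _tlv(0x30, _oid("1.2.840.113549.1.7.6") + _tlv(0xA0, _tlv(0x30, _tlv(0x02, b"\x00")
                     + _tlv(0x30, data + pbe(cert_pbe) + _tlv(0x80, opaque)))))
    key_bag = _tlv(0x30, _oid("1.2.840.113549.1.12.10.1.2")
                   + _tlv(0xA0, _tlv(0x30, pbe(key_pbe) + _tlv(0x04, opaque))))
    key_part = _tlv(0x30, data + _tlv(0xA0, _tlv(0x04, _tlv(0x30, key_bag))))
    auth_safe = _tlv(0x30, data + _tlv(0xA0, _tlv(0x04, _tlv(0x30, cert_part + key_part))))
    mac_data = _tlv(0x30, _tlv(0x30, _tlv(0x30, _oid(mac_digest) + b"\x05\x00") + _tlv(0x04, b"\x00" * 20))
                    + _tlv(0x04, b"salt") + _tlv(0x02, b"\x08\x00"))
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth_safe + mac_data)

# Pre-3.0 `openssl pkcs12 -export` defaults (RC2-40 certs, 3DES key, SHA-1 MAC) versus the
# OpenSSL 3 defaults (PBES2/AES for both bags, SHA-256 MAC).
LEGACY_STYLE = sample_pfx("1.2.840.113549.1.12.1.6", "1.2.840.113549.1.12.1.3", "1.3.14.3.2.26")
MODERN_STYLE = sample_pfx("1.2.840.113549.1.5.13", "1.2.840.113549.1.5.13", "2.16.840.1.101.3.4.2.1")
```

To inspect a real file, read it in binary and pass the bytes to `assess_pkcs12`; `assess_pkcs12(LEGACY_STYLE)` reports `needs_legacy_provider: True` with the RC2-40 scheme listed, while the modern-style sample reports no legacy scheme and a sha256 MAC. On an OpenSSL 3 host, `openssl pkcs12 -info -legacy -in client.p12` confirms the diagnosis. The fix that keeps current packages is on the exporting side: an OpenSSL 3 system's `openssl pkcs12 -export` defaults to PBES2 with AES-256-CBC and a SHA-256 MAC (`-keypbe`, `-certpbe` and `-macalg` override the choice), and such a bundle loads without the legacy provider.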
                      A Former User (in reply to @viragomann):

                      @viragomann said in OVPN Client asks for Password:

                      Not clear, what you intend to do here. The command is meant to create a pkcs12 file.
                      To look into the file run "openssl pkcs12 -in yourpcs12file.p12 -info".

                      Thanks, this is what I was trying to do. Read the file by openssl itself to see if it asks for a password. And yes, it does. Even though it asks for a pem password.... anyways, openssl can read. At least somehow...

                      Which OpenSSL version is the client using?
                      As far as I know, v 3 is not compatible with pfSense OpenVPN.

                      Oh man! Looks like I got into this trap.

                      root@client:~# dpkg -l| grep openssl
                      ii  openssl                         3.0.9-1                              amd64        Secure Sockets Layer toolkit - cryptographic utility
                      

                      :(

                      Giving up now. Reverted to the Debian 11 snapshot. Thanks for your support anyways!

                      /KNEBB

                        adamw (in reply to @Guest):

                        @knebb

                        You can stay on Debian 12 and even upgrade later.

                        Just use OpenVPN client from Debian 11.

                        The default:

                        dpkg -l | grep openvpn
                        ii  openvpn                                 2.6.3-1                         amd64        virtual private network daemon
                        
                        dpkg -l | grep openssl
                        ii  openssl                                 3.0.9-1                         amd64        Secure Sockets Layer toolkit - cryptographic utility
                        

                        Steps:

                        sudo apt purge openvpn
                        sudo apt autoremove
                        
                        sudo sed -i 's/bookworm/bullseye/g' /etc/apt/sources.list
                        sudo apt update
                        sudo apt install openvpn
                        
                        dpkg -l | grep openvpn
                        ii  openvpn                                 2.5.1-3
                        

                        Lock openvpn package so it doesn't upgrade automatically in the future:

                        sudo apt-mark hold openvpn
                        openvpn set on hold.
                        

                        Remember to revert to the default distro repositories:

                        sudo sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
                        sudo apt update
                        
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.