Netgate Discussion Forum

    Openvpn fails to start on pfsense firewall

    • jimpJ
      jimp Rebel Alliance Developer Netgate
      last edited by

      It's basically saying it can't parse the right data out of the key you gave it. Are you really sure that you are pasting in exactly what it asks for? The headers should already match if you are using the proper key/cert.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • B
        bjh4
        last edited by

        I am pretty certain that I'm using the correct information. I took the output of 'cat server.key'. I am generating these keys with openvpn 2.1.1. I'm not sure if that would be a problem. Not one of the keys or certificates that were generated contains a header with "RSA" in it.

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          You must not be generating the right files then, because both my server and client key files have an RSA header.

          Are you using EasyRSA to generate these files?

          • K
            kpa
            last edited by

            Is the key protected with a password? You need a key with no password set (or use the --askpass option of openvpn to supply the password at daemon startup).

            • B
              bjh4
              last edited by

              I am using easy-rsa 2.0… I should try 1.0 and see if I get the same results. To my knowledge I have not password protected the files.

              • B
                bjh4
                last edited by

                Using easy-rsa/1.0 failed to yield any headers with RSA in them. I've set up openvpn successfully using computers and using dd-wrt… I don't understand why this is giving me such a problem.

                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  Try it this way:

                  http://doc.pfsense.org/index.php/Easyrsa_for_pfSense

                  • B
                    bjh4
                    last edited by

                    Success!! much thanks Jimp!

                    Unfortunately since my file system is read only, I could not work from /root.  I had to download the zipped file directly to /tmp and create the keys there.  A little less automated but still got the job done! sweeeet!

                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      Be sure you download all of that before you reboot that box, or else you'll not be able to make any more keys!

                      If you're on nanobsd, you can still work in /root, you just have to run a command before:

                      /etc/rc.conf_mount_rw

                      And then a command after

                      /etc/rc.conf_mount_ro

                      To switch between read/write and read-only states on the storage media.

                      • B
                        bjh4
                        last edited by

                        I used scp to copy the keys directory off.  Thanks!

                        • K
                          kazino
                          last edited by

                          Hi,

                          Thanks for the tip. I had the same problem and effectively just changing the boundaries does not solve the issue.

                          What you must do is to convert your PEM key file into an old RSA format.

                          Use the following command and specify the path to the key file you want to convert:

                          openssl rsa -in /path/server_key.pem
                          

                          Then copy the output into your webGUI text box including the boundaries "-----BEGIN RSA PRIVATE KEY-----" / "-----END RSA PRIVATE KEY-----".

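The header check the posters above did by eye, written out as an added example that is not from the thread or from pfSense. It assumes the keys without "RSA" in the header carried the PKCS#8 `-----BEGIN PRIVATE KEY-----` boundary (the thread does not quote them); the function names and sample files are made up here, and the samples have placeholder bodies, not real keys.

```shell
# Added example: classify a PEM private key by its boundary line and report
# what the posts above say to do with it.

# pem_key_kind FILE -> pkcs1-rsa | pkcs1-rsa-encrypted | pkcs8 |
#                      pkcs8-encrypted | no-private-key
pem_key_kind() {
    # First private-key boundary; a certificate may precede it in the file.
    header=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$1" | tr -d '\r')
    case "$header" in
        '-----BEGIN RSA PRIVATE KEY-----')
            # The old format flags passphrase protection in a Proc-Type line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo pkcs1-rsa-encrypted
            else
                echo pkcs1-rsa
            fi ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo no-private-key ;;
    esac
}

# key_advice FILE -> one line of guidance drawn from the thread.
key_advice() {
    case "$(pem_key_kind "$1")" in
        pkcs1-rsa)   echo "ok: paste as is" ;;
        pkcs8)       echo "convert: openssl rsa -in $1" ;;
        *-encrypted) echo "passphrase set: use an unprotected key or --askpass" ;;
        *)           echo "no private key found in $1" ;;
    esac
}

# write_samples DIR: constructed files with placeholder bodies, not real keys.
write_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/old.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
        '-----END PRIVATE KEY-----' > "$1/pkcs8.key"
    printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/locked.key"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in old pkcs8 locked; do
    printf '%-7s %s\n' "$f" "$(key_advice "$demo_dir/$f.key")"
done
rm -rf "$demo_dir"
```

With OpenSSL 3.x, `openssl rsa` writes the PKCS#8 form unless `-traditional` is given, so the conversion command needs that flag there to produce the RSA boundaries.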
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.