Where to put information from `key` entry of OpenVPN config file in pfSense?
-
I have the following config file which works well with native OpenVPN client
client
dev tap
proto udp
port 1198
remote myhost.com 1194
persist-key
persist-tun
tls-client
ca my-ca.crt
cert my-client.crt
key my-client.key
verb 3
I don't understand where to put the "key" file content. I put the "crt" files into the appropriate section under System / Certificate Manager. In the client config page I see a Cryptographic Settings / Key section with the subnote "Paste the shared key here". This section doesn't exist initially, but appears only after the config is saved once. When it appears, it contains some key. If I paste the content of the "key" file there, I get the error "The field 'TLS Authentication Key' does not appear to be valid".
How to enter this file information?
-
If I make autogeneration, it creates
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
... small amount of HEX symbols ...
-----END OpenVPN Static key V1-----
while my own key is
-----BEGIN PRIVATE KEY-----
... large amount of random chars ...
-----END PRIVATE KEY-----
I have checked my own key with openssl and it said it is 2048 bit. How can it be larger than the autogenerated key, which is also entitled as 2048 bit? If I leave the autogenerated key, it saves in the GUI, but I have the following message in the log:
TLS Error: cannot locate HMAC in incoming packet from
If I disable TLS authentication ("Enable authentication of TLS packets"), then it also saves, but I have
Mar 16 22:25:39 openvpn 47325 Exiting due to fatal error
Mar 16 22:25:39 openvpn 47325 FreeBSD ifconfig failed: external program exited with error status: 1
Mar 16 22:25:39 openvpn 47325 /sbin/ifconfig ovpnc5 XX.XX.XX.XX netmask 255.255.255.0 mtu 1500 up
Mar 16 22:25:39 openvpn 47325 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mar 16 22:25:39 openvpn 47325 TUN/TAP device /dev/tap5 opened
In both cases my key file info remains unused.
If I prepend my key text with the line
-----BEGIN OpenVPN Static key V1-----
(and end it with the same), then the GUI accepts the key, but in the log I get the following error:
Non-Hex character ('M') found at line 2 in key file '/var/etc/openvpn/client5.tls-auth' (0/128/256 bytes found/min/max)
So it wants a very specific key, but doesn't inform about it or document it.
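An added example, not part of this thread, that tells the three file formats seen above apart the way OpenVPN's own log messages do: it reads the BEGIN/END label, and for an "OpenVPN Static key V1" block checks that the body is hex and decodes to 128..256 bytes, which is why a PKCS#8 "PRIVATE KEY" body relabelled as a static key fails at its first character ('M'). The file contents below are constructed placeholders, not real key material.

```python
import re
# PEM-style block: the label on the END line must match the BEGIN line.
BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Za-z0-9 ]+)-----\n(?P<body>.*?)\n-----END (?P=label)-----",
    re.DOTALL,
)
HEX = set("0123456789abcdefABCDEF")

def classify_block(text):
    """Return (kind, detail) for the first BEGIN/END block in text."""
    m = BLOCK_RE.search(text)
    if m is None:
        return ("unknown", "no -----BEGIN/END----- block found")
    label, body = m.group("label"), m.group("body")
    if label == "OpenVPN Static key V1":
        # 1-based number of the first body line, as OpenVPN reports it in the log
        first_line = text.count("\n", 0, m.start("body")) + 1
        return check_static_key(body, first_line)
    if label.endswith("PRIVATE KEY"):
        return ("private-key", "client private key: Cert Manager > Certs > Private key data")
    if label == "CERTIFICATE":
        return ("certificate", "CA or client cert: Cert Manager > CAs / Certs")
    return ("unknown", "unrecognised label %r" % label)

def check_static_key(body, first_line):
    """A tls-auth body must be hex and decode to 128..256 bytes (the 0/128/256 in the log)."""
    digits = []
    for offset, line in enumerate(body.splitlines()):
        line = line.strip()
        for ch in line:
            if ch not in HEX:
                return ("static-key-invalid",
                        "Non-Hex character (%r) found at line %d" % (ch, first_line + offset))
        digits.append(line)
    nbytes = len("".join(digits)) // 2
    if not 128 <= nbytes <= 256:
        return ("static-key-invalid", "%d bytes found, 128/256 min/max" % nbytes)
    return ("static-key", "%d bit static key" % (nbytes * 8))

def wrap(label, body):
    """Build a BEGIN/END block by hand, as the asker did with the private key."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample inputs: placeholder text, not real key material.
PKCS8_BODY = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC\nCONSTRUCTED+PLACEHOLDER+NOT+A+REAL+KEY"
STATIC_BODY = "\n".join("".join("%02x" % b for b in range(i, i + 16)) for i in range(0, 256, 16))
PRIVATE_KEY_PEM = wrap("PRIVATE KEY", PKCS8_BODY)             # shape of my-client.key
MISLABELLED_PEM = wrap("OpenVPN Static key V1", PKCS8_BODY)   # the relabelling attempt from the post
STATIC_KEY_PEM = "#\n# 2048 bit OpenVPN static key\n#\n" + wrap("OpenVPN Static key V1", STATIC_BODY)
```

A 2048-bit RSA private key is far larger than a 2048-bit static key because the PEM holds the whole RSA parameter set (modulus, exponents, primes), while the static key is just 256 raw bytes written as hex.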
-
I don't have the actual answer for you, but I can at least explain what you've seen.
ca.crt (my-ca.crt)
ta.key
user.crt (my-client.crt in your case)
user.key (my-client.key in your case)

ca.crt > Main CA cert. Added under System > Cert Manager > CAs
ta.key > Used on the OpenVPN > Client page.
These two are added at the same time as a cert / key pair.
user.crt > User/client cert. Added under System > Cert Manager > Certs > Cert Data
user.key > User/client private key. Added under System > Cert Manager > Certs > Private key data.
-
Thanks, this helped me to understand that the key should be entered in the certificates section along with the client certificate.
This means that my problem is different. The OpenVPN log says (from bottom to top):
Exiting due to fatal error
FreeBSD ifconfig failed: external program exited with error status: 1
/sbin/ifconfig ovpnc5 10.11.0.34 netmask 255.255.255.0 mtu 1500 up
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
TUN/TAP device /dev/tap5 opened
TUN/TAP device ovpnc5 exists previously, keep at program end
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: timers and/or timeouts modified
Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,route-gateway 10.11.0.1,ping 10,ping-restart 120,ifconfig 10.11.0.34 255.255.255.0'
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
[server] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:1194
As far as I understood, the server pushes an ifconfig command, which fails. When I try to execute it manually, it also fails:
> /sbin/ifconfig ovpnc5 10.11.0.34 netmask 255.255.255.0
ifconfig: ioctl (SIOCAIFADDR): Destination address required
Does this mean that the server sends a command with incorrect FreeBSD syntax? Or does this incorrect syntax come from OpenVPN?
How to configure OpenVPN client to ignore such commands?