Netgate Discussion Forum

    Reverse engineer openVPN connection

      matvrix

      Trying to use an OVPN:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote xxx.xxx.xxx 1198 tcp-client
      verify-x509-name "Pfsene-Server1" name
      pkcs12 pfSense-TCP-1198-Us-Client.p12
      remote-cert-tls server
      comp-lzo adaptive

      Having imported this VPN in Fedora Network Manager, I get a certificate pwd prompt. How do I retrieve the pwd from the pfSense server, which is acting as the OpenVPN server? The same OVPN imports in mac/Tunnelblick without any issues.

      Couple of screen shots..
      0_1532975786388_Screenshot from 2018-07-30 14-23-53.png

        Pippin

        "The password is not required" ?

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

          viragomann

          Network Manager requires a password when using a p12 file.

          To apply a pw to the pkcs12, use the OVPN client export utility to export the config and certs, check "Password Protect Certificate" and enter a pw before exporting.

            matvrix

            I'm afraid there's nothing like what you just mentioned. pfSense > OVPN allows exporting user certs in crt, key and p12 format; none of that prompts for a pwd whilst exporting.

              viragomann

              Install the package openvpn-client-export.

              Then go to VPN > OpenVPN > Client Export Utility, configure all needed settings, also check "Password Protect Certificate" and enter a password below.
              Go down and hit export bundled config as archive.

                matvrix @viragomann

                Here are the logs from NetworkManager:

                Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.8369] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: Saw the service appear; activating >
                Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.9788] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: state changed: starting>
                Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.9789] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN connection: (ConnectInteractive>
                Aug 01 15:51:18 works-mobi nm-openvpn[3510]: WARNING: file '/home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12' is group or others accessible
                Aug 01 15:51:18 works-mobi nm-openvpn[3510]: OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
                Aug 01 15:51:18 works-mobi nm-openvpn[3510]: library versions: OpenSSL 1.1.0h-fips  27 Mar 2018, LZO 2.08
                Aug 01 15:51:18 works-mobi nm-openvpn[3510]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Error opening file /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
                Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Exiting due to fatal error
                Aug 01 15:51:18 works-mobi NetworkManager[876]: <warn>  [1533153078.9890] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: failed: connect-failed >
                Aug 01 15:51:18 works-mobi NetworkManager[876]: <warn>  [1533153078.9891] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: failed: connect-failed >
                Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.9891] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: state changed: stopping>

                There don't seem to be any permission issues:
                -rw-r--r--. 1 works works 3957 Aug 1 15:42 /home/gworks/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

                We were able to find the 'Password..ate' checkbox and set the pwd:

                0_1533154661760_Screenshot from 2018-08-01 16-11-51.png

                  matvrix @matvrix

                  It's actually..
                  @matvrix said in Reverse engineer openVPN connection:

                  -rw-r--r--. 1 works works 3957 Aug 1 15:42 /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

                  There was a typo..again, the p12 is at /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

                    viragomann

                    No idea what causes that error.
                    For me the described method works with Network Manager 1.10.6, openvpn plugin 1.8.2 and OpenVPN 2.4.3. However, it also works with the former 2.3.18.

                    pw correct?

                      matvrix

                      Same ovpn installs properly in a mac/TunnelBlick with the same pwd as this.

                      Where do you have your p12 and OVPN file?

                        viragomann

                        The files are stored in a sub of my home: the .ovpn (but I think that isn't used anymore after import in NW), the .p12 and the TLS key.
                        The permissions are '-rw-------'

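The two checks raised in the replies above (the mode on the .p12 and whether the import password is correct), as an added shell example that is not part of any post in this thread. The function names and the `P12_PASS` variable are assumptions of this example, and GNU `stat` and the `openssl` CLI are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight checks for a client .p12.
# Function names and the P12_PASS variable are assumptions of this example.

# True when any group/other permission bit is set, the condition behind
# OpenVPN's "is group or others accessible" warning.
p12_is_exposed() {
    local mode
    mode=$(stat -c '%a' -- "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Restrict the file to owner read/write ('-rw-------').
p12_tighten() {
    chmod 600 -- "$1"
}

# Check the import password by letting openssl parse the container.
# The password comes from the environment, not the command line.
p12_password_ok() {
    P12_PASS="$P12_PASS" openssl pkcs12 -in "$1" -noout \
        -passin env:P12_PASS >/dev/null 2>&1
}

# Exit codes: 0 ok, 1 unreadable, 2 mode too open, 3 password rejected.
# The password step runs only when P12_PASS is set.
p12_preflight() {
    local f="$1"
    if [ ! -r "$f" ]; then
        echo "cannot read $f as $(id -un)"; return 1
    fi
    if p12_is_exposed "$f"; then
        echo "$f is group/other accessible (mode $(stat -c '%a' -- "$f"))"
        return 2
    fi
    if [ -n "${P12_PASS+set}" ] && ! p12_password_ok "$f"; then
        echo "openssl rejected the password for $f"; return 3
    fi
    echo "$f passed"
}
```

Run `p12_preflight` as the same user the VPN client runs as, since the readability test only reflects the calling user.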
                          matvrix

                          Hence opened a bug - https://bugzilla.redhat.com/show_bug.cgi?id=1611812
