Netgate Discussion Forum

    Using MS cert on Linux

      imrazor

      I created a user and successfully exported the installer to two Windows laptops. Connects fine, no problem. However, when I try to use the "standard" export button and use them on a Linux laptop (Fedora 27) I get the following:

      $ openvpn --config ./pfSense-udp-1365-<user>.ovpn
      Options error: Unrecognized option or missing or extra parameter(s) in ./pfSense-udp-1365-<user>.ovpn:13: cryptoapicert (2.4.4)

      From what I can gather, this is because I selected the MS certificate option when I set up the user. Is there any way to get this to work from Linux, or do I need to create a whole new user just for Linux?

        JKnott

        As I recall, I exported the same key etc. twice.  Once for Windows and again with Inline.  I then imported it into the network manager in Linux.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          AndrewZ

          cryptoapicert is purely a Windows thing.
          For Linux I believe you can generate a new config (.tar) or manually remove the cryptoapicert reference, then import, then manually select a cert (.p12) from the GUI.

            JKnott

            ^^^
            As I said, I just exported twice, once for Windows and once for Linux.  Works fine.  I use this on a notebook where I can boot into Linux or Windows 10, but only one at a time.  Same key used for both and it works fine.

              imrazor

              When I try to export with the "inline" option I get a message that MS certificates are not supported with Inline configurations.

              If I remove the cryptoapicert line from the .ovpn config file, openvpn will start but never connect with the following errors:

              Sat Jan  6 16:52:24 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Sat Jan  6 16:52:24 2018 TLS Error: TLS handshake failed
              
              

              If I attempt to import the "Standard" configuration I exported earlier into the Settings/VPN GUI, I get a message that

              Error: Key file contains line "PK<weird symbol><weird symbol>" which is not a key-value pair, group or comment.

                JKnott

                ^^^^
                I just tried it again.  I clicked on the Inline - Most clients button and generated an ovpn file and then clicked on the Current Windows Installer and generated the exe file, just as I did when I first set up my VPN.  There were no errors.  The exe is used to install the OpenVPN client on Windows and the ovpn file is imported into the network manager in Linux.

                  imrazor

                  I got the Inline config to export by unchecking the MS certificate storage option. I then ran openvpn --config pfSense-blah-blah.ovpn from the command line as root, and it worked. I was afraid I'd kill my Windows clients' ability to connect by unchecking the MS cert option, but at least one still appears to be functioning.

                  My remaining difficulty involves configuring the Fedora 27 VPN GUI. Using it from the command line works, but requires a few extra steps and a root password to complete the connection. I've tried configuring the GUI several ways, but none of them seem to work. Probably need to post in a Fedora or OpenVPN forum, but if anyone here knows I'd appreciate your input.

                  1 Reply Last reply Reply Quote 0
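
A pre-flight check for the two failures reported in this thread (the `cryptoapicert` option error and the "PK" import error), added here as an example and not posted by any participant. The function names, the sample profiles and the `vpn.example.test` host are constructed, and the ZIP check assumes the "PK" in the import error is the ZIP file signature.

```shell
#!/bin/sh
# Pre-flight check for an exported OpenVPN client profile on Linux.
# Prints one finding per line; returns 0 only if the profile looks usable.
check_ovpn() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }

    # A ZIP archive starts with the bytes "PK": a bundle, not a profile.
    if [ "$(head -c 2 "$f")" = "PK" ]; then
        echo "zip-archive"; return 1
    fi

    rc=0
    # cryptoapicert picks a certificate from the Windows certificate store.
    if grep -Eq '^[[:space:]]*cryptoapicert([[:space:]]|$)' "$f"; then
        echo "windows-only:cryptoapicert"; rc=1
    fi

    # Client credentials: inline <cert>+<key>, a pkcs12 bundle, or cert+key files.
    if grep -q '^<cert>' "$f" && grep -q '^<key>' "$f"; then
        echo "credentials:inline"
    elif grep -Eq '^(<pkcs12>|[[:space:]]*pkcs12[[:space:]])' "$f"; then
        echo "credentials:pkcs12"
    elif grep -Eq '^[[:space:]]*cert[[:space:]]' "$f" &&
         grep -Eq '^[[:space:]]*key[[:space:]]' "$f"; then
        echo "credentials:files"
    else
        echo "credentials:none"; rc=1
    fi
    return $rc
}

# Constructed samples (not from the thread): Windows-style, inline, fake ZIP.
make_samples() {
    d=$1
    base='client\ndev tun\nremote vpn.example.test 1194 udp\n'
    printf "${base}cryptoapicert \"SUBJ:user\"\n" > "$d/win.ovpn"
    printf "${base}<cert>\n...\n</cert>\n<key>\n...\n</key>\n" > "$d/inline.ovpn"
    printf 'PK\003\004rest-of-archive' > "$d/bundle.ovpn"
}

tmp=$(mktemp -d)
make_samples "$tmp"
# Deleting the cryptoapicert line leaves this sample with no client certificate.
grep -v '^cryptoapicert' "$tmp/win.ovpn" > "$tmp/stripped.ovpn"
for p in win inline bundle stripped; do
    echo "== $p: $(check_ovpn "$tmp/$p.ovpn" | tr '\n' ' ')"
done
rm -rf "$tmp"
```
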
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.