Netgate Discussion Forum

    Where to put information from `key` entry of OpenVPN config file in pfSense?

    dims

      I have the following config file which works well with the native OpenVPN client

      client
      dev tap
      
      proto udp
      port 1198
      
      remote myhost.com 1194
      
      persist-key
      persist-tun
      
      tls-client
      
      ca   my-ca.crt
      cert my-client.crt
      key  my-client.key
      
      verb 3
      

      I don't understand where to put the key file content. I put the crt files into the appropriate section from System/Certificate Manager.

      In the client config page I see the Cryptographic Settings/Key section with the subnote "Paste the shared key here". This section doesn't exist initially, but appears only after the config has been saved once. When it appears, it contains some key. If I paste the content of the key file there, I get an error

      The field 'TLS Authentication Key' does not appear to be valid

      How do I enter this file's information?

      dims

        If I use autogeneration, it creates

        #
        # 2048 bit OpenVPN static key
        #
        -----BEGIN OpenVPN Static key V1-----
        ... small amount of HEX symbols ...
        -----END OpenVPN Static key V1-----
        

        while my own key is

        -----BEGIN PRIVATE KEY-----
        ... large amount of random chars...
        -----END PRIVATE KEY-----
        
        

        I have checked my own key with openssl and it said it is 2048 bit. How can it be larger than the autogenerated key, which is also labelled as 2048 bit?

        If I leave the autogenerated key, it saves in the GUI, but I have the following messages in the log

        TLS Error: cannot locate HMAC in incoming packet from
        

        If I disable TLS authentication (Enable authentication of TLS packets), then it also saves, but I have

        Mar 16 22:25:39 openvpn 47325   Exiting due to fatal error
        Mar 16 22:25:39 openvpn 47325   FreeBSD ifconfig failed: external program exited with error status: 1
        Mar 16 22:25:39 openvpn 47325   /sbin/ifconfig ovpnc5 XX.XX.XX.XX netmask 255.255.255.0 mtu 1500 up
        Mar 16 22:25:39 openvpn 47325   do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
        Mar 16 22:25:39 openvpn 47325   TUN/TAP device /dev/tap5 opened
        
        

        In both cases my key file info just remains unused.

        If I prepend my key text with the

         -----BEGIN OpenVPN Static key V1-----
        

        line (and end it with the same), then the GUI accepts the key, but in the log I get the following error

        Non-Hex character ('M') found at line 2 in key file '/var/etc/openvpn/client5.tls-auth' (0/128/256 bytes found/min/max)
        

        So it wants a very specific key, but doesn't inform about it or document it.

        Turfrider

          I don't have the actual answer for you, but I can at least explain what you've seen.

          ca.crt (my-ca.crt)
          ta.key
          user.crt (my-client.crt in your case)
          user.key (my-client.key in your case)

          ca.crt > Main CA cert. Added under System > Cert Manager > CAs

          ta.key > Used on the OpenVPN > Client page.

          These two are added at the same time as a cert / key pair.

          user.crt > User/client cert. Added under System > Cert Manager > Certs > Cert Data
          user.key > User/client private key. Added under System > Cert Manager > Certs > Private key data.

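          A small checker, added here as an example (it is not pfSense's or OpenVPN's own code), that tells the two blob formats from this thread apart and reports which pfSense field each belongs in: the OpenVPN static key (hex body, 256 raw bytes for the "2048 bit" one) goes in the TLS Authentication Key field, while a PEM PRIVATE KEY (base64 of roughly 1.2 KB of DER for RSA-2048) goes under Cert Manager with its certificate. The key blobs are constructed dummies, and the 128/256 byte limits are the ones OpenVPN quotes in the "Non-Hex character" error above; feeding it a PEM body wrapped in static-key markers reproduces that error, since base64 for a PKCS#8 key starts with "M".

```python
import base64
import re
# Markers of the "2048 bit OpenVPN static key" pfSense autogenerates, and the
# 128/256 byte min/max OpenVPN quotes in the thread's "Non-Hex character" error.
STATIC_HDR = "-----BEGIN OpenVPN Static key V1-----"
STATIC_FTR = "-----END OpenVPN Static key V1-----"
STATIC_MIN, STATIC_MAX = 128, 256
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
HEX_CHARS = set("0123456789abcdefABCDEF")

# Constructed sample inputs, not real key material.
SAMPLE_STATIC_KEY = "\n".join(["#", "# 2048 bit OpenVPN static key", "#", STATIC_HDR]
                              + ["00112233445566778899aabbccddeeff"] * 16  # 16 lines x 16 bytes
                              + [STATIC_FTR])
# A PKCS#8 RSA-2048 key is ~1.2 KB of DER; dummy bytes stand in for the real structure.
SAMPLE_PRIVATE_KEY = ("-----BEGIN PRIVATE KEY-----\n"
                      + base64.encodebytes(b"\x30\x82" + bytes(1214)).decode()
                      + "-----END PRIVATE KEY-----")

def check_static_key(hex_lines):
    """Validate a static key's hex body; line numbers count from the BEGIN line."""
    for lineno, line in enumerate(hex_lines, start=2):
        bad = next((c for c in line if c not in HEX_CHARS), None)
        if bad is not None:
            return {"kind": "invalid-static-key",
                    "error": "non-hex character (%r) at line %d" % (bad, lineno)}
    nbytes = len("".join(hex_lines)) // 2
    if not STATIC_MIN <= nbytes <= STATIC_MAX:
        return {"kind": "invalid-static-key",
                "error": "%d bytes, expected %d..%d" % (nbytes, STATIC_MIN, STATIC_MAX)}
    return {"kind": "static-key", "bytes": nbytes, "bits": nbytes * 8,
            "where": "OpenVPN > Client > TLS Authentication Key (ta.key)"}

def classify_key(text):
    """Say which pfSense field a pasted blob belongs in, or why it is rejected."""
    body = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if not body:
        return {"kind": "empty"}
    if body[0] == STATIC_HDR and body[-1] == STATIC_FTR:
        return check_static_key(body[1:-1])
    m = PEM_BEGIN.match(body[0])
    if m and body[-1] == "-----END %s-----" % m.group(1):
        try:
            der = base64.b64decode("".join(body[1:-1]), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return {"kind": "invalid-pem", "error": "body is not base64"}
        where = ("System > Cert Manager > Certs > Private key data" if m.group(1).endswith("PRIVATE KEY")
                 else "System > Cert Manager > Certs or CAs > Certificate data")
        return {"kind": "pem", "label": m.group(1), "bytes": len(der), "where": where}
    return {"kind": "unknown", "error": "no recognised BEGIN/END markers"}
```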
          dims

            Thanks, this helped me to understand that the key should be entered in the certificates section along with the client certificate.

            This means that my problem is different. The OpenVPN log says this (from bottom to top):

                Exiting due to fatal error
                FreeBSD ifconfig failed: external program exited with error status: 1
                /sbin/ifconfig ovpnc5 10.11.0.34 netmask 255.255.255.0 mtu 1500 up
                do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                TUN/TAP device /dev/tap5 opened
                TUN/TAP device ovpnc5 exists previously, keep at program end
                OPTIONS IMPORT: route-related options modified
                OPTIONS IMPORT: --ifconfig/up options modified
                OPTIONS IMPORT: timers and/or timeouts modified
                Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
                PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,route-gateway 10.11.0.1,ping 10,ping-restart 120,ifconfig 10.11.0.34 255.255.255.0'
                SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
                [server] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:1194
            
            

            As far as I understood, the server pushes an ifconfig command, which fails. When I try to execute it manually, it also fails

                >/sbin/ifconfig ovpnc5 10.11.0.34 netmask 255.255.255.0
                ifconfig: ioctl (SIOCAIFADDR): Destination address required
            
            

            Does this mean that the server sends a command with incorrect FreeBSD syntax? Or does this incorrect syntax come from OpenVPN?

            How do I configure the OpenVPN client to ignore such commands?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.