1. Home
  2. pfSense® Software
  3. OpenVPN
  4. Where to put information from `key` entry of OpenVPN config file in pfSense?

Where to put information from `key` entry of OpenVPN config file in pfSense?

  • D

    I have the following config file which works well with native OpenVPN client

    client
dev tap

proto udp
port 1198

remote myhost.com 1194

persist-key
persist-tun

tls-client

ca   my-ca.crt
cert my-client.crt
key  my-client.key

verb 3

    I don't understand, where to put key file content? I put crt files into appropriate section from System/Certificate Manager.

    In client config page I see Cryptographic Settings/Key section with subnote Paste the shared key here. This section doesn't exist initially, but appears only after config saved once. When it appears, it contain some key. If I paste content of key file there, I get an error

    The field 'TLS Authentication Key' does not appear to be valid

    How to enter this file information?

    0
  • D

    If I make autogeneration, it creates

    #
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
... small amount of HEX symbols ...
-----END OpenVPN Static key V1-----

    while my own key is

    -----BEGIN PRIVATE KEY-----
... large amount of random chars...
-----END PRIVATE KEY-----

    I have checked my own key with openssl and it said it is 2048 bit. How it can be larger than autogenerated key, which is also entitled as 2048 bit?

    If I leave autogenerated key, it saves in GUI, but I have the following messages in log

    TLS Error: cannot locate HMAC in incoming packet from

    If I disable TLS authentication - Enable authentication of TLS packets then it also saves, but I have

    Mar 16 22:25:39 openvpn 47325   Exiting due to fatal error
Mar 16 22:25:39 openvpn 47325   FreeBSD ifconfig failed: external program exited with error status: 1
Mar 16 22:25:39 openvpn 47325   /sbin/ifconfig ovpnc5 XX.XX.XX.XX netmask 255.255.255.0 mtu 1500 up
Mar 16 22:25:39 openvpn 47325   do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mar 16 22:25:39 openvpn 47325   TUN/TAP device /dev/tap5 opened

    In both case my key file info remains just unused.

    If I prepend the my key text with

     -----BEGIN OpenVPN Static key V1-----

    line (and end with same), then GUI accepts the key, but in log I get the following error

    Non-Hex character ('M') found at line 2 in key file '/var/etc/openvpn/client5.tls-auth' (0/128/256 bytes found/min/max)

    so, it wants very specific key, but doesn't inform about it and document it.

    0
  • T

    I don't have the actual answer for you, but to at least explain what you've seen.

    ca.crt (my-ca.crt)
    ta.key
    user.crt (my-client.crt in your case)
    user.key (my-client.key in your case)

    ca.crt > Main CA cert. Added under System > Cert Manager > CAs

    ta.key > Used on the OpenVPN > Client page.

    These two are added at the same time as a cert / key pair.

    user.crt > User/client cert. Added under system > Cert Manager > Certs > Cert Data
    user.key > User/ciient private key. Added under system > Cert Manager > Certs > Private key data.

    0
  • D

    Thanks, this helped me to understand, that key should be entered in the certificates section along with client certificate.

    This means that my problem is different. OpenVPN log says that (from bottom to top):

        Exiting due to fatal error
    FreeBSD ifconfig failed: external program exited with error status: 1
    /sbin/ifconfig ovpnc5 10.11.0.34 netmask 255.255.255.0 mtu 1500 up
    do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    TUN/TAP device /dev/tap5 opened
    TUN/TAP device ovpnc5 exists previously, keep at program end
    OPTIONS IMPORT: route-related options modified
    OPTIONS IMPORT: --ifconfig/up options modified
    OPTIONS IMPORT: timers and/or timeouts modified
    Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,route-gateway 10.11.0.1,ping 10,ping-restart 120,ifconfig 10.11.0.34 255.255.255.0'
    SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    [server] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:1194

    as far as I understood, server pushes ifconfig command, which fails. When I try to execute it manually, it also fails

        >/sbin/ifconfig ovpnc5 10.11.0.34 netmask 255.255.255.0
    ifconfig: ioctl (SIOCAIFADDR): Destination address required

    does this mean that server sends command with incorrect FreeBSD syntax? Or this incorrect syntax comes from OpenVPN?

    How to configure OpenVPN client to ignore such commands?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy