Where to put information from `key` entry of OpenVPN config file in pfSense?

  • I have the following config file which works well with native OpenVPN client

    dev tap
    proto udp
    port 1198
    remote myhost.com 1194
    ca   my-ca.crt
    cert my-client.crt
    key  my-client.key
    verb 3

    I don't understand, where to put key file content? I put crt files into appropriate section from System/Certificate Manager.

    In client config page I see Cryptographic Settings/Key section with subnote Paste the shared key here. This section doesn't exist initially, but appears only after config saved once. When it appears, it contain some key. If I paste content of key file there, I get an error

    The field 'TLS Authentication Key' does not appear to be valid

    How to enter this file information?

  • If I make autogeneration, it creates

    # 2048 bit OpenVPN static key
    -----BEGIN OpenVPN Static key V1-----
    ... small amount of HEX symbols ...
    -----END OpenVPN Static key V1-----

    while my own key is

    -----BEGIN PRIVATE KEY-----
    ... large amount of random chars...
    -----END PRIVATE KEY-----

    I have checked my own key with openssl and it said it is 2048 bit. How it can be larger than autogenerated key, which is also entitled as 2048 bit?

    If I leave autogenerated key, it saves in GUI, but I have the following messages in log

    TLS Error: cannot locate HMAC in incoming packet from

    If I disable TLS authentication - Enable authentication of TLS packets then it also saves, but I have

    Mar 16 22:25:39 openvpn 47325   Exiting due to fatal error
    Mar 16 22:25:39 openvpn 47325   FreeBSD ifconfig failed: external program exited with error status: 1
    Mar 16 22:25:39 openvpn 47325   /sbin/ifconfig ovpnc5 XX.XX.XX.XX netmask mtu 1500 up
    Mar 16 22:25:39 openvpn 47325   do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Mar 16 22:25:39 openvpn 47325   TUN/TAP device /dev/tap5 opened

    In both case my key file info remains just unused.

    If I prepend the my key text with

     -----BEGIN OpenVPN Static key V1-----

    line (and end with same), then GUI accepts the key, but in log I get the following error

    Non-Hex character ('M') found at line 2 in key file '/var/etc/openvpn/client5.tls-auth' (0/128/256 bytes found/min/max)

    so, it wants very specific key, but doesn't inform about it and document it.

  • I don't have the actual answer for you, but to at least explain what you've seen.

    ca.crt (my-ca.crt)
    user.crt (my-client.crt in your case)
    user.key (my-client.key in your case)

    ca.crt > Main CA cert. Added under System > Cert Manager > CAs

    ta.key > Used on the OpenVPN > Client page.

    These two are added at the same time as a cert / key pair.

    user.crt > User/client cert. Added under system > Cert Manager > Certs > Cert Data
    user.key > User/ciient private key. Added under system > Cert Manager > Certs > Private key data.

  • Thanks, this helped me to understand, that key should be entered in the certificates section along with client certificate.

    This means that my problem is different. OpenVPN log says that (from bottom to top):

        Exiting due to fatal error
        FreeBSD ifconfig failed: external program exited with error status: 1
        /sbin/ifconfig ovpnc5 netmask mtu 1500 up
        do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
        TUN/TAP device /dev/tap5 opened
        TUN/TAP device ovpnc5 exists previously, keep at program end
        OPTIONS IMPORT: route-related options modified
        OPTIONS IMPORT: --ifconfig/up options modified
        OPTIONS IMPORT: timers and/or timeouts modified
        Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
        PUSH: Received control message: 'PUSH_REPLY,route,route-gateway,ping 10,ping-restart 120,ifconfig'
        SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
        [server] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:1194

    as far as I understood, server pushes ifconfig command, which fails. When I try to execute it manually, it also fails

        >/sbin/ifconfig ovpnc5 netmask
        ifconfig: ioctl (SIOCAIFADDR): Destination address required

    does this mean that server sends command with incorrect FreeBSD syntax? Or this incorrect syntax comes from OpenVPN?

    How to configure OpenVPN client to ignore such commands?

Log in to reply