Netgate Discussion Forum

Reverse engineer openVPN connection

  • M
    matvrix
    last edited by Jul 30, 2018, 6:38 PM

    Trying to use an OVPN:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.xxx 1198 tcp-client
    verify-x509-name "Pfsene-Server1" name
    pkcs12 pfSense-TCP-1198-Us-Client.p12
    remote-cert-tls server
    comp-lzo adaptive

    Having imported this VPN in Fedora Network Manager, I get a certificate pwd prompt. How do I retrieve the pwd from the pfSense server, which is acting as the OpenVPN server? The same OVPN imports in Mac/Tunnelblick without any issues.

    A couple of screenshots:
    0_1532975786388_Screenshot from 2018-07-30 14-23-53.png

    • P
      Pippin
      last edited by Jul 30, 2018, 7:13 PM

      "The password is not required" ?

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      • V
        viragomann
        last edited by Jul 30, 2018, 7:38 PM

        Network Manager requires a password when using a p12 file.

        To apply a pw to the pkcs12, use the OVPN client export utility to export the config and certs, check "Password Protect Certificate" and enter a pw before exporting.

        • M
          matvrix
          last edited by Aug 1, 2018, 1:01 AM

          I'm afraid there's nothing like what you just mentioned. pfSense > OVPN allows exporting user certs in crt, key and p12 format; none of that prompts for a pwd whilst exporting.

          • V
            viragomann
            last edited by Aug 1, 2018, 8:02 AM

            Install the package openvpn-client-export.

            Then go to VPN > OpenVPN > Client Export Utility, configure all needed settings, also check "Password Protect Certificate" and enter a password below.
            Go down and hit export bundled config as archive.

            • M
              matvrix @viragomann
              last edited by Aug 1, 2018, 8:17 PM

              Here are the logs from NetworkManager:

              Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.8369] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: Saw the service appear; activating >
              Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.9788] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: state changed: starting>
              Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.9789] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN connection: (ConnectInteractive>
              Aug 01 15:51:18 works-mobi nm-openvpn[3510]: WARNING: file '/home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12' is group or others accessible
              Aug 01 15:51:18 works-mobi nm-openvpn[3510]: OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
              Aug 01 15:51:18 works-mobi nm-openvpn[3510]: library versions: OpenSSL 1.1.0h-fips  27 Mar 2018, LZO 2.08
              Aug 01 15:51:18 works-mobi nm-openvpn[3510]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Error opening file /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
              Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Exiting due to fatal error
              Aug 01 15:51:18 works-mobi NetworkManager[876]: <warn>  [1533153078.9890] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: failed: connect-failed >
              Aug 01 15:51:18 works-mobi NetworkManager[876]: <warn>  [1533153078.9891] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: failed: connect-failed >
              Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.9891] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: state changed: stopping>
              lines 1443-1493/1495 1
              

              There don't seem to be any permission issues:
              -rw-r--r--. 1 works works 3957 Aug 1 15:42 /home/gworks/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

              We were able to find the 'Password..ate' checkbox and set the pwd:

              0_1533154661760_Screenshot from 2018-08-01 16-11-51.png

              • M
                matvrix @matvrix
                last edited by Aug 1, 2018, 8:36 PM

                It's actually..
                @matvrix said in Reverse engineer openVPN connection:

                -rw-r--r--. 1 works works 3957 Aug 1 15:42 /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

                There was a typo..again, the p12 is at /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

                • V
                  viragomann
                  last edited by Aug 1, 2018, 11:21 PM

                  No idea what causes that error.
                  For me the described method works with Network Manager 1.10.6, openvpn plugin 1.8.2 and OpenVPN 2.4.3. However, it also works with the former 2.3.18.

                  pw correct?

                  • M
                    matvrix
                    last edited by Aug 2, 2018, 2:12 AM

                    The same ovpn installs properly in a Mac/Tunnelblick with the same pwd as this.

                    Where do you have your p12 and OVPN file?

                    • V
                      viragomann
                      last edited by Aug 2, 2018, 7:50 AM

                      The files are stored in a sub of my home: the .ovpn (but I think that isn't used anymore after import in NW), the .p12 and the TLS key.
                      The permissions are '-rw-------'

                      1 Reply Last reply Reply Quote 0
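
The log above warns that the .p12 "is group or others accessible", and the working setup described here keeps its files at `-rw-------`. The following is an added example, not code from any poster or from pfSense/OpenVPN: it audits the key-bearing files a client .ovpn references and can tighten them to 0600. The function names, the directive list, GNU `stat`, and paths without spaces are assumptions of this example; the thread does not establish that file mode causes the "Error opening file" message.

```shell
#!/bin/sh
# Added example (not from the thread): audit the secret files an OpenVPN
# client config references. Assumes GNU stat (as on Fedora), no spaces in paths.

# Succeeds if an octal mode string (e.g. 600) grants nothing to group/others.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Print "path<TAB>mode" for each existing file named by a directive that
# carries key material; relative paths resolve against the config's directory.
ovpn_secret_files() {
    local cfg dir directive path rest
    cfg=$1
    dir=$(cd "$(dirname "$cfg")" && pwd) || return 1
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            pkcs12|key|tls-auth|tls-crypt|auth-user-pass) ;;
            *) continue ;;
        esac
        path=${path%\"}; path=${path#\"}      # drop surrounding quotes
        case $path in
            ''|'[inline]') continue ;;        # no file on disk to check
            /*) ;;
            *) path=$dir/$path ;;
        esac
        if [ -f "$path" ]; then
            printf '%s\t%s\n' "$path" "$(stat -c %a "$path")"
        fi
    done < "$cfg"
}

# Report files readable by group/others; with "fix" as $2, chmod them to 600.
# Returns 0 if nothing loose was found, 1 if something was, 2 on read failure.
audit_ovpn_secrets() {
    local list path mode loose tab
    loose=0
    tab=$(printf '\t')
    list=$(ovpn_secret_files "$1") || return 2
    while IFS=$tab read -r path mode; do
        if [ -z "$path" ] || mode_is_private "$mode"; then continue; fi
        loose=$((loose + 1))
        echo "LOOSE $mode $path"
        if [ "${2:-report}" = fix ]; then chmod 600 "$path"; fi
    done <<EOF
$list
EOF
    [ "$loose" -eq 0 ]
}

if [ $# -gt 0 ]; then audit_ovpn_secrets "$@"; fi
```

Run it as `sh audit.sh client.ovpn` to report, or add `fix` as a second argument to apply `chmod 600`.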
                      • M
                        matvrix
                        last edited by Aug 2, 2018, 7:10 PM

                        Hence opened a bug - https://bugzilla.redhat.com/show_bug.cgi?id=1611812
