Reverse engineer openVPN connection



  • Trying to use an OVPN:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.xxx 1198 tcp-client
    verify-x509-name "Pfsene-Server1" name
    pkcs12 pfSense-TCP-1198-Us-Client.p12
    remote-cert-tls server
    comp-lzo adaptive

    Having imported this VPN in Fedora Network Manager, I get a certificate pwd prompt. How do I retrieve the pwd from the pfSense server, which is acting as the OpenVPN server? The same OVPN imports in Mac/Tunnelblick without any issues.




  • "The password is not required" ?



  • Network Manager requires a password when using a p12 file.

    To apply a pw to the pkcs12, use the OVPN client export utility to export the config and certs, check "Password Protect Certificate" and enter a pw before exporting.



  • I'm afraid there's nothing like what you just mentioned. pfSense > OVPN allows exporting user certs in crt, key and p12 format; none of that prompts for a pwd whilst exporting.



  • Install the package openvpn-client-export.

    Then go to VPN > OpenVPN > Client Export Utility, configure all needed settings, also check "Password Protect Certificate" and enter a password below.
    Go down and hit export bundled config as archive.



  • Here are the logs from NetworkManager:

    Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.8369] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: Saw the service appear; activating >
    Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.9788] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: state changed: starting>
    Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.9789] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN connection: (ConnectInteractive>
    Aug 01 15:51:18 works-mobi nm-openvpn[3510]: WARNING: file '/home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12' is group or others accessible
    Aug 01 15:51:18 works-mobi nm-openvpn[3510]: OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
    Aug 01 15:51:18 works-mobi nm-openvpn[3510]: library versions: OpenSSL 1.1.0h-fips  27 Mar 2018, LZO 2.08
    Aug 01 15:51:18 works-mobi nm-openvpn[3510]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Error opening file /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12
    Aug 01 15:51:18 works-mobi nm-openvpn[3510]: Exiting due to fatal error
    Aug 01 15:51:18 works-mobi NetworkManager[876]: <warn>  [1533153078.9890] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: failed: connect-failed >
    Aug 01 15:51:18 works-mobi NetworkManager[876]: <warn>  [1533153078.9891] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: failed: connect-failed >
    Aug 01 15:51:18 works-mobi NetworkManager[876]: <info>  [1533153078.9891] vpn-connection[0x55cb8b1fc220,4fc09d1a-0976-48e3-9177-9c603a4c29c8,"pfSense-TCP-1198-Us-Client",0]: VPN plugin: state changed: stopping>

    There don't seem to be any permission issues:
    -rw-r--r--. 1 works works 3957 Aug 1 15:42 /home/gworks/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

    We were able to find the "Password..ate" checkbox and set the pwd.



  • It's actually..
    @matvrix said in Reverse engineer openVPN connection:

    -rw-r--r--. 1 works works 3957 Aug 1 15:42 /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12

    There was a typo. Again, the p12 is at /home/works/Documents/vpn/pfSense-TCP-1198-Us-Client/pfSense-TCP-1198-Us-Client.p12



  • No idea what causes that error.
    For me the described method works with Network Manager 1.10.6, openvpn plugin 1.8.2 and OpenVPN 2.4.3. However, it also works with the former 2.3.18.

    pw correct?



  • The same ovpn installs properly in a Mac/Tunnelblick with the same pwd as this.

    Where do you have your p12 and OVPN file?



  • The files are stored in a sub of my home: the .ovpn (but I think that isn't used anymore after import in NW), the .p12 and the TLS key.
    The permissions are '-rw-------'
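
An added example, not part of the thread and not pfSense, NetworkManager or OpenVPN code: the nm-openvpn log above warns that the .p12 is "group or others accessible", while the last reply keeps its files at -rw-------. This Python script audits the key-material files named in an .ovpn for that condition; the directive list, resolving relative paths against the config's directory, and the `demo()` sample files are assumptions made for the example.

```python
import os
import shlex
import stat
import tempfile
from pathlib import Path

# Directives naming private key material (a selection assumed for this example).
SECRET_DIRECTIVES = {"pkcs12", "key", "tls-auth", "tls-crypt", "secret"}

def secret_files(ovpn_path):
    """Return (directive, path) pairs for key-material files named in the config."""
    ovpn_path = Path(ovpn_path)
    found = []
    for raw in ovpn_path.read_text().splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quote: not a line this audit can use
            continue
        if len(parts) >= 2 and parts[0] in SECRET_DIRECTIVES and parts[1] != "[inline]":
            # Assumption: relative paths are resolved against the config's directory.
            found.append((parts[0], ovpn_path.parent / parts[1]))
    return found

def audit(ovpn_path):
    """Flag files that are missing or carry any group/other permission bit."""
    findings = []
    for directive, path in secret_files(ovpn_path):
        if not path.is_file():
            findings.append((directive, path.name, "missing"))
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((directive, path.name, f"{mode:04o}"))
    return findings

def demo():
    """Constructed sample: directives from the thread's config plus a dummy .p12."""
    with tempfile.TemporaryDirectory() as d:
        p12 = Path(d, "pfSense-TCP-1198-Us-Client.p12")
        p12.write_bytes(b"constructed placeholder, not a real PKCS#12")
        cfg = Path(d, "client.ovpn")
        cfg.write_text("dev tun\npkcs12 pfSense-TCP-1198-Us-Client.p12\nremote-cert-tls server\n")
        os.chmod(p12, 0o644)  # the -rw-r--r-- mode shown in the thread
        before = audit(cfg)
        os.chmod(p12, 0o600)  # the -rw------- mode from the last reply
        return before, audit(cfg)
```

The audit covers file modes only; it does not open the PKCS#12 or test its password.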