Netgate Discussion Forum
    pfSense as openvpn client - unable to get local issuer certificate

OpenVPN
    9 Posts 2 Posters 6.5k Views
senaka

I am trying to connect my pfSense box to my OpenVPN server to forward all internet traffic through the VPN server. After setting everything up, the connection fails with the following log on the server side. The OpenVPN server works fine with Tunnelblick.

      pid=1888 DATA len=945

      <IP address>:6375 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: O=pfSense webConfigurator Self-Signed Certificate, CN=pfSense-60e21b76c0db8

      openvpn[1235]: <IP address>:6375 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
      openvpn[1235]: <IP address>:6375 TLS_ERROR: BIO read tls_read_plaintext error
      openvpn[1235]: <IP address>:6375 TLS Error: TLS object -> incoming plaintext read error
      openvpn[1235]: <IP address>:6375 TLS Error: TLS handshake failed
      openvpn[1235]: <IP address>:6375 SIGUSR1[soft,tls-error] received, client-instance restarting

client.ovpn:
      client
      dev tun
      proto udp
      remote 94.237.74.248 1194
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      remote-cert-tls server
      auth SHA512
      cipher AES-256-CBC
      ignore-unknown-option block-outside-dns
      block-outside-dns
      verb 3
<ca>
-----BEGIN CERTIFICATE-----
xxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxx
-----END CERTIFICATE-----
</cert>
      <key>
      -----BEGIN PRIVATE KEY-----
      xxxxxx
      -----END PRIVATE KEY-----
      </key>
      <tls-crypt>
      -----BEGIN OpenVPN Static key V1-----
      xxxxxx
      -----END OpenVPN Static key V1-----
      </tls-crypt>

server.conf
      local <IP address>
      port 1194
      proto udp
      dev tun
      ca ca.crt
      cert server.crt
      key server.key
      dh dh.pem
      auth SHA512
      tls-crypt tc.key
      topology subnet
      server <IP address> 255.255.255.0
      ifconfig-pool-persist ipp.txt
      push "redirect-gateway def1 bypass-dhcp"
      push "dhcp-option DNS <IP address>"
      push "dhcp-option DNS <IP address>"
      keepalive 10 120
      cipher AES-256-CBC
      user nobody
      group nogroup
      persist-key
      persist-tun
      status openvpn-status.log
      verb 6
      crl-verify crl.pem
      explicit-exit-notify

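The server-side log in the post above carries the whole diagnosis in one line: the verify failure is at depth=0 (the client's own certificate, not an intermediate), and the rejected subject is pfSense's default webConfigurator certificate. The following is an added example, not code from the thread, from OpenVPN or from pfSense, that parses such lines and turns depth, error string and subject into a triage hint. The sample log lines are constructed to mirror the format quoted above (the CN is made up); the error strings it matches are OpenSSL's X.509 verify error strings as OpenVPN logs them.

```python
"""Classify OpenVPN server-side "VERIFY ERROR" log lines.

Added example for this thread; not code from the forum post, from OpenVPN
or from pfSense. SAMPLE_LOG is constructed to mirror the format quoted in
the first post (the CN is made up).
"""
import re

VERIFY_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.+)$"
)

# Constructed sample lines (IP redacted as in the original post).
SAMPLE_LOG = [
    "openvpn[1235]: <IP address>:6375 VERIFY ERROR: depth=0, "
    "error=unable to get local issuer certificate: "
    "O=pfSense webConfigurator Self-Signed Certificate, CN=pfSense-0123456789ab",
    "openvpn[1235]: <IP address>:6375 TLS Error: TLS handshake failed",
    "openvpn[1235]: <IP address>:40123 VERIFY ERROR: depth=1, "
    "error=unable to get local issuer certificate: "
    "CN=Example Intermediate CA, O=Example",
]


def parse_subject(dn):
    """Split 'O=Foo, CN=bar' into a dict.

    Naive on purpose: OpenVPN logs the DN with ', ' between RDNs, and this
    does not handle escaped commas inside a value.
    """
    out = {}
    for part in dn.split(", "):
        key, _, value = part.partition("=")
        out[key.strip()] = value.strip()
    return out


def classify_verify_error(line):
    """Return None for non-VERIFY lines, else a dict with depth, error, subject, hint."""
    m = VERIFY_RE.search(line)
    if not m:
        return None
    depth = int(m.group("depth"))
    error = m.group("error").strip()
    subject = parse_subject(m.group("subject"))

    # OpenSSL verify error strings as OpenVPN logs them.
    if error == "unable to get local issuer certificate":
        if depth == 0:
            hint = ("the peer's leaf certificate was not issued by any CA in this "
                    "side's 'ca' file: wrong certificate selected on the peer, or "
                    "wrong CA configured here")
        else:
            hint = ("an intermediate CA in the peer's chain is missing from the "
                    "'ca' file")
    elif error == "certificate revoked":
        hint = "the peer's certificate is listed in the CRL given to crl-verify"
    elif error == "certificate has expired":
        hint = "the peer's certificate is past its notAfter date (check both clocks)"
    else:
        hint = "look up this OpenSSL verify error string"

    # The telltale from this thread: pfSense's default GUI certificate was sent.
    if "pfSense webConfigurator Self-Signed Certificate" in subject.get("O", ""):
        hint += ("; the subject is pfSense's webConfigurator self-signed cert, so "
                 "the client certificate selected on pfSense is the GUI cert, not "
                 "one issued by the VPN CA")
    return {"depth": depth, "error": error, "subject": subject, "hint": hint}


def triage(lines):
    """Classify every VERIFY ERROR line in a log excerpt, skipping the rest."""
    return [r for r in map(classify_verify_error, lines) if r is not None]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(f"depth={result['depth']} {result['error']!r}")
        print(f"  subject: {result['subject']}")
        print(f"  hint:    {result['hint']}")
```

Run it against a `grep 'VERIFY ERROR'` excerpt of the server log; the depth tells you whether to look at the certificate the client selected (depth 0) or at the CA bundle on the server (depth 1 and above).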
viragomann @senaka

        @senaka said in pfSense as openvpn client - unable to get local issuer certificate:

        O=pfSense webConfigurator Self-Signed Certificate

Seems you have selected the wrong certificate in the client settings.

        Did you already import the CA cert and the client cert on pfSense?

senaka @viragomann

          @viragomann said in pfSense as openvpn client - unable to get local issuer certificate:

          @senaka said in pfSense as openvpn client - unable to get local issuer certificate:

          O=pfSense webConfigurator Self-Signed Certificate

Seems you have selected the wrong certificate in the client settings.

          Did you already import the CA cert and the client cert on pfSense?

I just copied the certificates (CA cert and client cert) from the "client.ovpn" file and pasted the content into pfSense. Is there any way to import them from client.ovpn?

viragomann @senaka

            @senaka
            So you will have set a distinct name for the client certificate, which you have to select on the client config page.

senaka @viragomann

              @viragomann

[screenshot]

I added them properly, as you can see in the above image.

viragomann @senaka

                @senaka
Using a server certificate for a client seems not evident to me at all.

senaka @viragomann

                  @viragomann
I am not sure what step I have missed. Is there any good step-by-step guide for this on the Internet to follow?

                  Really appreciate your time.

viragomann @senaka

                    @senaka
                    Dude! Again, you are using a wrong client certificate!

[screenshot]

                    As you can read, that's a server certificate, but you need a client cert.

                    You have to import the CA cert from the OpenVPN file (public key) and the client cert (public and private key).
pfSense should recognize it correctly as a client cert:

[screenshot]

You might also find a TLS key in the file. You have to put this section into the TLS key box in the client settings:

[screenshot]

The client cert has to match the CA used.

senaka @viragomann
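The reply above splits the import into three destinations: the `<ca>` block goes in as a CA, the `<cert>` and `<key>` blocks go in together as one certificate entry, and the `<tls-crypt>` (or `<tls-auth>`) block goes into the TLS key box of the client. The following is an added example, not code from the thread, from pfSense or from OpenVPN (pfSense has no such importer), that does the splitting mechanically: it walks an inline .ovpn, checks that every tag is closed by its own end tag and that each block carries the right PEM label, and reports where each block belongs. `SAMPLE_PROFILE` is constructed (the PEM bodies are placeholders, the hostname is made up) and deliberately repeats the `<ca> ... </cert>` tag mismatch visible in the client.ovpn of the first post, so the structural check has something to find. The destination descriptions follow the reply above; the exact pfSense menu labels are not quoted from the product.

```python
"""Split an inline OpenVPN client profile into the pieces pfSense imports.

Added example for this thread; not pfSense or OpenVPN code. SAMPLE_PROFILE
is constructed: PEM bodies are placeholders and the <ca> ... </cert> tag
mismatch is copied on purpose from the client.ovpn in the first post.
"""
import re

# inline tag -> (accepted PEM labels, where the block goes on pfSense)
INLINE_TAGS = {
    "ca": (("CERTIFICATE",),
           "import as a CA (certificate data only, no private key)"),
    "cert": (("CERTIFICATE",),
             "import as a certificate, together with the <key> block"),
    "key": (("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"),
            "private key data of the certificate imported from <cert>"),
    "tls-crypt": (("OpenVPN Static key V1",),
                  "TLS key box in the client settings (tls-crypt)"),
    "tls-auth": (("OpenVPN Static key V1",),
                 "TLS key box in the client settings (tls-auth)"),
}
REQUIRED = ("ca", "cert", "key")

TAG_RE = re.compile(r"^\s*<(/?)([a-z-]+)>\s*$")
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(.+?)\n-----END \1-----", re.S)

# Constructed profile; mirrors the first post, including its tag mismatch.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder-CA-body...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...placeholder-key-body...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123...placeholder-static-key...
-----END OpenVPN Static key V1-----
</tls-crypt>
"""


def split_profile(text):
    """Return (directives, blocks, problems) for an inline .ovpn profile."""
    directives, blocks, problems = [], {}, []
    current, body = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TAG_RE.match(line)
        if not m:  # ordinary directive outside a block, PEM text inside one
            if current is None:
                stripped = line.strip()
                if stripped and not stripped.startswith(("#", ";")):
                    directives.append(stripped)
            else:
                body.append(line.rstrip())
            continue
        closing, tag = m.group(1) == "/", m.group(2)
        if not closing:
            if current is not None:
                problems.append(f"line {lineno}: <{tag}> opened inside unclosed <{current}>")
                blocks[current] = "\n".join(body).strip()
            current, body = tag, []
        elif current is None:
            problems.append(f"line {lineno}: </{tag}> without an open block")
        else:
            if tag != current:  # e.g. <ca> ... </cert>
                problems.append(f"line {lineno}: <{current}> closed by </{tag}>")
            blocks[current] = "\n".join(body).strip()
            current, body = None, []
    if current is not None:
        problems.append(f"<{current}> never closed")
        blocks[current] = "\n".join(body).strip()
    return directives, blocks, problems


def check_blocks(blocks):
    """Validate the PEM label of each block; return [(tag, status, note)]."""
    findings = []
    for tag, (labels, destination) in INLINE_TAGS.items():
        if tag not in blocks:
            if tag in REQUIRED:
                findings.append((tag, "MISSING", f"no <{tag}> block in the profile"))
            continue
        m = PEM_RE.search(blocks[tag])
        if m is None:
            findings.append((tag, "BAD", "no PEM block inside the tag"))
        elif m.group(1) not in labels:
            findings.append((tag, "BAD", f"PEM label {m.group(1)!r} is not valid for <{tag}>"))
        else:
            findings.append((tag, "OK", destination))
    return findings


def audit_profile(text):
    """Parse and check a profile; returns a report dict."""
    directives, blocks, problems = split_profile(text)
    return {"directives": directives, "blocks": blocks,
            "problems": problems, "findings": check_blocks(blocks)}


if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    for problem in report["problems"]:
        print("STRUCTURE:", problem)
    for tag, status, note in report["findings"]:
        print(f"{status:8}<{tag}>: {note}")
```

On the constructed profile the checker reports the `<ca>` block closed by `</cert>`, flags `<cert>` as missing, and lists where the `<ca>`, `<key>` and `<tls-crypt>` blocks belong. A CA imported under `<ca>` and a certificate whose `<cert>` block did not come from the same profile will still pass this check; it verifies the file's shape, not the chain, so the server-side VERIFY ERROR remains the final word on whether the selected certificate was issued by that CA.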

                      @viragomann

Thanks a million! You have done a great job by marking all the places to check. I had used the wrong client.ovpn file. With your help, three days of hard work ended in success. 😊

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.