Netgate Discussion Forum

OpenVPN Client export has private key in it.

    shoulders
    last edited by Mar 29, 2023, 7:32 PM

    When exporting Android or 'OpenVPN Connect' inline configurations with 'Client Export' for OpenVPN they include the private key.
    -----BEGIN PRIVATE KEY-----

    I was under the assumption that a private key should stay private on the server. Am I correct or is there a use of the private key I do not know?

    thanks

      viragomann @shoulders
      last edited by Mar 29, 2023, 7:40 PM

      @shoulders
      No, it's the client's private key.

      The server's private key stays stored on pfSense. But you can export it from the cert manager if you want.

      The private key is needed on the device, which has to provide its certificate to the remote device.

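The point viragomann makes (the `<key>` block in an inline export is the client's own private key, sitting beside the client's `<cert>` and the CA) can be checked mechanically before a profile is copied onto a phone. The script below is an added example, not from this thread and not part of pfSense or OpenVPN; it parses the inline `<tag>...</tag>` layout that the pfSense Client Export produces, classifies each block as secret or public material, and flags layout mistakes (a private key pasted into `<cert>`, an inline `<tls-auth>` without `key-direction`, a body that is not valid base64/hex). The sample profile is constructed with placeholder PEM bodies; the hostname `vpn.example.invalid` and the tag sets are assumptions for illustration.

```python
import base64
import binascii
import re
from typing import Dict

# Constructed sample in the shape of a pfSense inline OpenVPN client export.
# Every PEM body below is placeholder data, not real key material.
STATIC_KEY_HEX = "0123456789abcdef" * 32  # a 2048-bit static key is 512 hex digits

SAMPLE_OVPN = f"""\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
Q0EgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Y2xpZW50IGNlcnQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Y2xpZW50IGtleSBwbGFjZWhvbGRlcg==
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
{STATIC_KEY_HEX}
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Inline blocks whose contents are secrets and must stay on the device they were exported for.
SECRET_TAGS = {"key", "tls-auth", "tls-crypt", "tls-crypt-v2"}
# Inline blocks that carry public material only.
PUBLIC_TAGS = {"ca", "cert", "dh", "crl-verify", "extra-certs"}

INLINE_RE = re.compile(r"^<(?P<tag>[a-z0-9-]+)>\n(?P<body>.*?)^</(?P=tag)>[ \t]*$", re.S | re.M)
ARMOR_RE = re.compile(r"^-----(BEGIN|END) ([^-]+)-----[ \t]*$", re.M)


def parse_inline_blocks(text: str) -> Dict[str, str]:
    """Return {tag: body} for every <tag>...</tag> inline block in the profile."""
    blocks: Dict[str, str] = {}
    for m in INLINE_RE.finditer(text):
        tag = m.group("tag")
        if tag in blocks:
            raise ValueError(f"duplicate <{tag}> block")
        blocks[tag] = m.group("body")
    return blocks


def pem_label(body: str) -> str:
    """Return the PEM label (e.g. 'PRIVATE KEY') once the BEGIN/END lines are checked to agree."""
    found = ARMOR_RE.findall(body)
    if len(found) != 2 or found[0][0] != "BEGIN" or found[1][0] != "END" or found[0][1] != found[1][1]:
        raise ValueError("malformed PEM armor")
    return found[0][1]


def payload_ok(body: str, label: str) -> bool:
    """Check the armored payload decodes: hex for OpenVPN static keys, base64 otherwise.
    Lines containing ':' are legacy PEM headers (Proc-Type, DEK-Info) and are skipped."""
    lines = [ln.strip() for ln in body.splitlines()]
    payload = "".join(ln for ln in lines if ln and not ln.startswith("-----") and ":" not in ln)
    if "Static key" in label:
        return len(payload) == 512 and all(c in "0123456789abcdef" for c in payload.lower())
    try:
        base64.b64decode(payload, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def audit_profile(text: str) -> dict:
    """Classify the inline blocks of a client profile and flag anything malformed or misplaced."""
    blocks = parse_inline_blocks(text)
    report = {"secrets": [], "public": [], "problems": [], "key_encrypted": None}
    labels: Dict[str, str] = {}
    for tag, body in blocks.items():
        try:
            labels[tag] = label = pem_label(body)
        except ValueError as exc:
            report["problems"].append(f"<{tag}>: {exc}")
            continue
        if not payload_ok(body, label):
            report["problems"].append(f"<{tag}>: payload does not decode")
        if tag in SECRET_TAGS:
            report["secrets"].append((tag, label))
        elif tag in PUBLIC_TAGS:
            report["public"].append((tag, label))
            if "PRIVATE KEY" in label:  # wrong file pasted into a public block
                report["problems"].append(f"<{tag}>: contains a private key")
        else:
            report["problems"].append(f"<{tag}>: unrecognised inline block")
    if "key" in labels:
        if "PRIVATE KEY" not in labels["key"]:
            report["problems"].append("<key>: does not hold a private key")
        # PKCS#8 'ENCRYPTED PRIVATE KEY' label or a legacy 'Proc-Type: 4,ENCRYPTED' header
        report["key_encrypted"] = "ENCRYPTED" in blocks["key"]
    # An inline <tls-auth> key needs key-direction so the two ends use opposite halves.
    if "tls-auth" in blocks and not re.search(r"^key-direction\s+[01]\s*$", text, re.M):
        report["problems"].append("<tls-auth> present but key-direction is missing")
    return report


if __name__ == "__main__":
    result = audit_profile(SAMPLE_OVPN)
    for tag, label in result["secrets"]:
        print(f"secret  <{tag}>  {label}")
    for tag, label in result["public"]:
        print(f"public  <{tag}>  {label}")
    print("problems:", result["problems"] or "none")
```

The audit only looks at structure. To confirm that the `<key>` block really belongs to the `<cert>` block (and is not, say, the server's key exported by mistake), save the two blocks to files and compare `openssl x509 -noout -pubkey -in cert.pem` against `openssl pkey -pubout -in key.pem`; the two public keys must be identical. Because the exported key is normally unencrypted (`key_encrypted` is `False` above), the profile should be treated like a password: restrictive file permissions on the device, and revocation of the client certificate in pfSense if the file is lost.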
        johnpoz LAYER 8 Global Moderator @viragomann
        last edited by Mar 29, 2023, 7:41 PM

        @viragomann you beat me to it ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

          shoulders @johnpoz
          last edited by Mar 29, 2023, 7:43 PM

          Thanks, I would have thought it would have been called a public key or something else. At least it is supposed to be there.

            viragomann @shoulders
            last edited by Mar 29, 2023, 7:45 PM

            @shoulders
            The certificate is a kind of public key. It's handed out when you establish a connection.

              johnpoz LAYER 8 Global Moderator @shoulders
              last edited by Mar 29, 2023, 9:29 PM

              @shoulders it has your cert and then you have your private key for that cert..

              Now I might mess up the steps here, it's been forever since I have looked into the specifics of the OpenVPN auth method. Or for that matter just SSL/TLS in general. Keep in mind you're also probably using the TLS key, which is also encrypting or signing or both depending on the method of auth, or auth and encryption of the control channel info - in general OpenVPN uses the static TLS key to throw away bad traffic, etc. Like I said, it's been a while..

              But in a nutshell this should be somewhat close to the process.. And why you need the private key to your cert..

              You might want to look up how the session key is exchanged in ssl, the server cert and client cert are not actually used for encryption of the data that will be exchanged they are used for auth and exchange of the symmetric key..

              So you have the CA of the server cert, so you can validate that a cert the server sends is signed by the CA.. Just like how you validate that somewhere.domain.tld cert they present to you is signed by the CA.. And with the cert they send you and them signing it with their private key you can validate.. Look up how signing works.

              You then use the cert they hand you that you know is signed by the CA. You then send your cert to them via this cert encryption, they know your cert has been signed by the same CA.. And they have their key to decrypt that traffic that you sent them.

              Your signature on what you sent them is done with the private key you have. They can validate this with just the public, and anything they send to your public cert you would need the private key to decrypt, but it might only be used for you to sign what you're sending. Like I said it has been a long while ;)

              Short version is you validate that you're talking to the correct server, and the server validates you are a valid client. And you exchange a session or symmetrical key that is used for the actual encryption and decryption of the actual data you will send over the VPN.

              You do need that private key, but I don't recall if they ever send you traffic that you need to decrypt with it - I believe it's only used for the signing of the session key the client sends.. The server can validate your signature via your cert.

                shoulders @johnpoz
                last edited by Mar 29, 2023, 9:34 PM

                @johnpoz thanks for all of the info. I have read it, but it is late here in Blighty (UK) so it might take me a while to mull this over. Information like this helps us newbies (i.e. me) a lot and is appreciated.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.