OVPN Client asks for Password
-
Hi guys!
I recently did an upgrade to Debian 12 (Bookworm) on a remote server which is connected through OpenVPN to my pfSense box. This worked really fine and reliably.
My OVPN server is configured for SSL/TLS authentication and thus no user credentials are needed. Since the upgrade I am getting asked for a password and I do not have a clue what is going on there:
Broadcast message from root@piholedns (Mon 2023-06-12 14:06:02 CEST): Password entry required for 'Enter Private Key Password:' (PID 1948). Please enter password with the systemd-tty-ask-password-agent tool.
I tried several things like disabling the systemd-tty-ask-password-agent or reconfiguring openssl in some way. I do not remember having set a password for the key file.
Anyone have an idea how to solve this?
Thanks a lot!
/KNEBB
-
@knebb said in OVPN Client asks for Password:
I do not remember having set a password for the key file.
Maybe you have to set one now, however.
At least the Network Manager OpenVPN plugin requires a password for the private key, even if you haven't set one.
So you will have to re-export the P12 file as encrypted.
-
@viragomann
Thanks, yes I might need a password. Just a really dumb question arises:
How to set a password? I went to "System -> Cert. Manager" and set a password on the client certificate. Then I went to "VPN -> OpenVPN -> Client Export" and downloaded the bundled package which contains:
- *.ovpn configuration file
- *.p12 file
- *-tls.key
I added to the .conf a line:
askpass /etc/openvpn/auth.txt
created the auth.txt containing a single line with the password I set above:
password
followed by
chmod 0600 auth.txt
and restarted the openvpn client:
systemctl restart openvpn@router-UDP4-1234-pihole.ovpn.service
which brings me errors in syslog:
OpenSSL: error:0308010C:digital envelope routines::unsupported
OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Error: private key password verification failed
Exiting due to fatal error
So there seems to be some ssl misconfiguration (as the password is now correct).
Any further idea?
Thanks!
/KNEBB
-
@knebb
You have to pull the pkcs12 file from the client export utility. Check "Password Protect Certificate" and enter a password below.
Then download the bundled archive. Note that the pkcs12 file contains the client certificate and the private key and also the CA certificate.
-
@viragomann
Hi again, well, indeed I was not aware of this option and did as suggested:
Used the same password as written in /etc/openvpn/auth.txt
and exported the configuration again to my client.
But the issue still persists:
OpenSSL: error:11800071:PKCS12 routines::mac verify failure
OpenSSL: error:0308010C:digital envelope routines::unsupported
Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Error: private key password verification failed
Exiting due to fatal error
Just for reference the ovpn.conf file:
dev tun
persist-tun
persist-key
data-ciphers AES-128-CBC
data-ciphers-fallback AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote pfsense.domain.public 1193 udp4
nobind
verify-x509-name "pfsense.domain.local" name
pkcs12 router-UDP4-1194-client.domain.local.p12
tls-auth router-UDP4-1194-client.domain.local-tls.key 1
remote-cert-tls server
explicit-exit-notify
Any further ideas?
/KNEBB
-
I am a little bit unsure with SSL, but I tried to get information about the p12 file I got through client export.
Is the following to be expected?
root@client:/etc/openvpn# openssl pkcs12 -export -in pfsense-UDP4-1192-client.domain.local.p12
Could not read private key from -in file from pfsense-UDP4-1192-client.domain.local.p12
As openssl does not prompt me for a password, it appears there is none set?
Sorry, I have no clue what is going on here....
/KNEBB
-
Hi to myself ;)
Reading again, the above screenshot mentions:
Use a password to protect the pkcs12 file contents or key in Viscosity bundle.
I guess I am not getting a password because my client is a Linux client and I do not download the Viscosity bundle.
So it looks like this is not the place to add a password to the p12 file... Where else to set it? And why does it not even work with openssl? Totally confused meanwhile....
/KNEBB
-
@knebb said in OVPN Client asks for Password:
root@client:/etc/openvpn# openssl pkcs12 -export -in pfsense-UDP4-1192-client.domain.local.p12
Could not read private key from -in file from pfsense-UDP4-1192-client.domain.local.p12
I guess this is a wrong usage of the "openssl pkcs12 -export" command.
Not clear what you intend to do here. The command is meant to create a pkcs12 file.
To look into the file run "openssl pkcs12 -in yourpkcs12file.p12 -info".
Reading again, the above screenshot mentions:
Use a password to protect the pkcs12 file contents or key in Viscosity bundle.
I guess I am not getting a password because my client is a Linux client and I do not download the Viscosity bundle.
If you check the mentioned option and enter a password in the client export, the private key in the exported pkcs12 file is encrypted.
I'm using a Linux OpenVPN client with an encrypted pkcs12 as well, however this is the Network Manager plugin.
Which OpenSSL version is the client using?
As far as I know, v3 is not compatible with pfSense OpenVPN.
-
@viragomann said in OVPN Client asks for Password:
Not clear, what you intend to do here. The command is meant to create a pkcs12 file.
To look into the file run "openssl pkcs12 -in yourpkcs12file.p12 -info".
Thanks, this is what I was trying to do: read the file with openssl itself to see if it asks for a password. And yes, it does, even though it asks for a PEM password.... Anyways, openssl can read it. At least somehow...
Which OpenSSL version is the client using?
As far as I know, v3 is not compatible with pfSense OpenVPN.
Oh man! Looks like I got into this trap.
root@client:~# dpkg -l | grep openssl
ii  openssl  3.0.9-1  amd64  Secure Sockets Layer toolkit - cryptographic utility
:(
Giving up now. Reverted to the Debian 11 snapshot. Thanks for your support anyways!
/KNEBB
-
@knebb
You can stay on Debian 12 and even upgrade later.
Just use OpenVPN client from Debian 11.
The default:
dpkg -l | grep openvpn
ii  openvpn  2.6.3-1  amd64  virtual private network daemon
dpkg -l | grep openssl
ii  openssl  3.0.9-1  amd64  Secure Sockets Layer toolkit - cryptographic utility
Steps:
sudo apt purge openvpn
sudo apt autoremove
sudo sed -i 's/bookworm/bullseye/g' /etc/apt/sources.list
sudo apt update
sudo apt install openvpn
dpkg -l | grep openvpn
ii  openvpn  2.5.1-3
Lock openvpn package so it doesn't upgrade automatically in the future:
sudo apt-mark hold openvpn
openvpn set on hold.
Remember to revert to the default distro repositories:
sudo sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
sudo apt update
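As an added example (not code from the thread, pfSense or OpenVPN), here is a POSIX shell script that checks whether the exported .p12 uses the legacy RC2/3DES password-based encryption that OpenSSL 3's default provider refuses ("digital envelope routines::unsupported", then the MAC failure seen above) and re-wraps it with PBES2/AES-256 and a SHA-256 MAC, so the stock Debian 12 openvpn/openssl can read it instead of downgrading the package. It assumes OpenSSL 3.x on the client (for the -legacy option) and that the .p12 is really legacy-wrapped; the file paths and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 3.x on the Debian 12
# client and a pfSense-exported PKCS#12 wrapped with SHA-1/RC2/3DES PBE
# (the "unsupported/legacy encryption" case from the error message).

# Return 0 if text from `openssl pkcs12 -info -noout` names a legacy PBE
# scheme (pbeWithSHA1And40BitRC2-CBC, pbeWithSHA1And3-KeyTripleDES-CBC),
# 1 if only PBES2/PBKDF2 with AES appears.
p12_info_is_legacy() {
    printf '%s\n' "$1" | grep -Eiq 'pbeWithSHA1And|RC2|RC4|TripleDES'
}

# Dump the algorithms of a .p12 without extracting anything (-noout).
# -legacy loads OpenSSL's legacy provider so the inspection itself
# does not fail on RC2 the way the OpenVPN client did.
p12_algorithms() {
    openssl pkcs12 -legacy -info -noout -in "$1" -passin "pass:$2" 2>&1
}

# Re-wrap a legacy .p12 with OpenSSL 3 defaults (PBES2, PBKDF2,
# AES-256-CBC, SHA-256 MAC), keeping cert, CA chain and key.
# Runs in a subshell so umask 077 stays local; the intermediate PEM
# carries the key encrypted under the same password and is removed.
p12_reencode_modern() (
    in=$1 out=$2 pass=$3
    umask 077
    tmp=$(mktemp) || exit 1
    openssl pkcs12 -legacy -in "$in" -passin "pass:$pass" \
        -passout "pass:$pass" -out "$tmp" || { rm -f "$tmp"; exit 1; }
    openssl pkcs12 -export -in "$tmp" -passin "pass:$pass" \
        -passout "pass:$pass" -out "$out"
    rc=$?
    rm -f "$tmp"
    exit $rc
)

# Usage (hypothetical paths):
#   ./p12check.sh client.p12 /etc/openvpn/auth.txt client-new.p12
if [ "$#" -eq 3 ]; then
    pass=$(head -n1 "$2")          # same single-line file as askpass uses
    info=$(p12_algorithms "$1" "$pass")
    if p12_info_is_legacy "$info"; then
        echo "legacy PBE found, re-encoding to $3"
        p12_reencode_modern "$1" "$3" "$pass"
    else
        echo "already PBES2/AES, nothing to do"
    fi
fi
```

After re-encoding, point the pkcs12 line of the .ovpn at the new file; the password in auth.txt stays the same.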