OpenVPN generates error "Private Key Password"

TSO2 · Mar 20, 2025, 7:54 PM

OpenVPN generates error "Private Key Password" required
There is no password, It has worked fine for years, then suddenly this morning I get this error when trying to login
OpenVPN Client v2.6x
pfSense 2.7.2
Can anyone help please, I have spent hours trying to figure it out

viragomann · Mar 20, 2025, 8:41 PM

@TSO2 said in OpenVPN generates error "Private Key Password":

OpenVPN generates error "Private Key Password" required

I guess, that you're talking about a client software, but not the OpenVPN in pfSense.
So probably the private key is password protected.

TSO2 · Mar 20, 2025, 9:08 PM

@viragomann
Yes, Its the client that throws the error,
However there is no password, there never was
It has been working for years without change without the password

viragomann · Mar 20, 2025, 9:15 PM

@TSO2
Which Client?
Which OS?

What does the certificate line in the client config looks like?

TSO2 · Mar 20, 2025, 9:32 PM

@viragomann
OpenVPN 2.6.7 - OpenVPN GUI v 11.45.0.0
Windows 11

Not sure what you mean certificate line
pkcs12 XXXX.p12
tls-auth XXXX.key 1

XXXX is the file name

viragomann · Mar 20, 2025, 9:46 PM

@TSO2
The private key is inside the .p12 file. You can try to install it in Windows to see if it is password protected. If so Windows will request it.

But it's also possible that you have updated the client software and the new one works only with private key password?

If you need a .p12 with a password can export it from the pfSense certificate manager.
The password can be stored in the OpenVPN GUI, so it is not requested any further.
Also you can export a new config archive from the client export utility. Here you can also select to use the Windows certificate store. Then you only need to password (if set), when you import it. But this require a new config file as well.

nanathlor

Just in case anyone else is losing hair over this for me with pfsense + 24.11 OpenSUSE 15.6 (I'm sure other distros are similar) and OpenVPN client 2.6.8 though NetworkManager.

No edit of /etc/ss/openssl.conf was needed
No hacking of OpenVPN conf files was needed.
No exporting user certs from System-Certificates was needed.

In VPN-OpenVPN Client Export
Microsoft Certificate Storate - Untick (We are using Linux)
Password Protect Certificate - Tick
Certificate Password - Add something meaningful.

Download from Bundled Configuration - Archive (Inline did not work)
Extract somewhere sensible

In NetworkManager:
Client on "+" Add New Connection in bottom left
Scroll down to bottom
Import VPN Connection & choose the .ovpn from the extracted archive zip.

Optional but sensible: fill in the certificate password
Change to save password for user only (not system-wide)

Make sure you fill in the username (required) and password (optional) or client login fails
Change to save password for user only (not system-wide)

Really could have used this in the pfsense documentation!