IPCop to pfSense OpenVPN



  • Hey guys,

    I'm new to pfSense and I'm having some trouble trying to pull the generated certificates and keys from my IPCop's OpenVPN to use with pfSense. Can anyone point me in the right direction? Where can I find the information for the client key, client cert and CA cert (and the client key apparently needs to be in RSA format)?

    Using IPCop to IPCop, all you have to do is upload the generated package and it takes care of the rest. I hope pfSense eventually adopts a similar GUI. Thanks.



  • What is the content of the "generated package"?



  • A .conf file and a .p12 file.


  • Rebel Alliance Developer Netgate

    You should be able to unpack a .p12 file by using OpenSSL like so:

    openssl pkcs12 -in blah.p12 -out stuff.pem
    

    And then you can edit what you need out of the .pem and paste it into the proper boxes.

    You should be able to tell based on the starting headers of each section what is what. The client certificate should have the CN you expect, the CA certificate should show the CA name, and the key is labeled as the key.
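    The reply above hands you one PEM file and leaves you to cut it apart by hand. The script below is an added example (not code from the thread or from pfSense) that does the split with the openssl CLI directly: it writes the CA certificate, the client certificate and the unencrypted private key to three separate files, drops the "Bag Attributes" noise that openssl pkcs12 prepends, and checks that the CN and key match before you paste anything into the GUI. Because it has to run stand-alone, it first builds a throwaway CA and client bundle with made-up names (demo-ca, roadwarrior1, export password "export") standing in for what IPCop/Zerina would have generated; point split_p12 at your real .p12 instead.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI is on PATH.
set -eu

# Build a demo CA + client bundle so the script runs without an IPCop box.
# Names and the export password are constructed for the example.
make_demo_p12() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=roadwarrior1" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
    # Export password protects the bundle in transit, like the Zerina package.
    openssl pkcs12 -export -passout pass:export -name roadwarrior1 \
        -in "$dir/client.crt" -inkey "$dir/client.key" -certfile "$dir/ca.crt" \
        -out "$dir/client.p12"
}

# split_p12 bundle.p12 outdir password
# Writes outdir/ca.pem, outdir/cert.pem, outdir/key.pem as clean PEM, ready to paste.
split_p12() {
    p12=$1; out=$2; pass=$3
    mkdir -p "$out"
    # -cacerts / -clcerts select the CA chain vs. the cert that matches the key;
    # piping through openssl x509 strips the "Bag Attributes" header lines.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
        | openssl x509 -out "$out/ca.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$out/cert.pem"
    # -nodes writes the key unencrypted: a firewall cannot type a passphrase.
    # openssl rsa re-emits it as a plain RSA PEM key (header wording varies by
    # OpenSSL version: "RSA PRIVATE KEY" or "PRIVATE KEY").
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl rsa -out "$out/key.pem" 2>/dev/null
}

# cert_cn file.pem -> prints the subject CN, e.g. "roadwarrior1"
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# key_matches_cert cert.pem key.pem -> succeeds if both carry the same public key
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

    Run make_demo_p12 "$dir" once to get a bundle to play with, then split_p12 "$dir/client.p12" "$dir/out" export; cert_cn on cert.pem should give the road-warrior name and on ca.pem the CA name, which is exactly the "look at the CN" check the reply describes, done mechanically.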



  • That got what I needed, thank you very much.



  • Hmm… Well I can get a client-server connection working but it seems I'm going to have to research a little more before I can get the server-server to work.



  • I have been using IPCop and OpenVPN and now that I have moved over to pfSense I am unable to get a road warrior connection even when following the stickied tutorial for Windows dummies. I did notice that if I password protect the file it is impossible to copy and paste that file into the server's web GUI. I did manage to copy them over by using the edit command at the command prompt and copying the key and saving it to a different named file so that I could open it in Notepad and then copy and paste to the web GUI. But I still can't get a connection... It just hangs and I get a TLS failure to connect in 60 sec. Also I would think that I would get password prompted to connect since some of the certs were password protected. ???
    I guess I will try without password protecting the certificate... I'm a little concerned about the security implication of not password protecting them. I'm beginning to think IPCop is more secure.


  • Rebel Alliance Developer Netgate

    It's of no use to password protect the certificates on the firewall.

    The firewall would need to store the password to decrypt the certificates to use them at all, which is just as (in)secure as using them without a password.



  • But if someone were to get a hold of the client cert and key without password protection they have full access to your network. At least with password protection someone can't just copy your keys/cert and connect  :)


  • Rebel Alliance Developer Netgate

    They are unlikely to get the client cert/key off of a firewall box, and even so, if they can get the keys they can get the config file, which would have to contain the password.

    You can password protect the certificate/key that goes on your road warrior clients, as they will be prompted by the OpenVPN client on connect. You just don't put a password on the certificates that go onto the firewall.



  • So I decided to go ahead and try setting up OpenVPN without password protecting the server key and only password protecting the client key. I have followed your stickied tutorial "OVPN for windows dummies" but I still am not prompted for a password when I go to connect.
    I guess I'm not sure how to set up OpenVPN on pfSense. When using embcop I was able to get the addon Zerina which created a PKCS#12 package that was password protected. I simply imported the package to either Windows or Gentoo and I was able to have several road warrior connections that required a password to connect. I am actually using a PC Engines WRAP and so I am trying out pfSense-nanobsd, but it is set up as read-only so I am really unable to do anything except paste the keys to the GUI. How can I set it up so that I am prompted for a password before I can connect? I don't require a user; separate client key pairs will do, but I really need a password prompt to be secure. By the way, the client config file never has the password. So if someone were to get a hold of your key pair that you store on, say, a flash drive, it will be worthless because they won't have your key password :-) I have heard wonderful things about pfSense and love how it is set up but I am unwilling to give up password protection. I hope someone on the forum can help me out. Otherwise I guess I'll be going back to embcop.


  • Rebel Alliance Developer Netgate

    That is all part of the client certificates, which really have nothing to do with the pfSense GUI in 1.2.x

    Whatever you generate the certificates with should be able to password protect them and your client software should prompt you for that. That will be the same regardless of what server you are using.

    In pfSense 2.0 there is a certificate manager which can produce a PKCS#12 (.p12) package for you also.



  • Is there a tls-auth option with the pfSense 1.2.3 image? Remember, since I am using a WRAP image it is a read-only file system... why do they do that? Also I have been successful at connecting using the latest Windows OVPN GUI but still no password prompt. Is there an option I have to set in the config file on the client or server? I don't want to set up usernames. I just want to be prompted for a password to connect. I have done a lot of googling but haven't had much luck. Also, by password I mean having to enter the PEM passphrase.


  • Rebel Alliance Developer Netgate

    The embedded image is read only to protect the integrity of the CF over time. It is switched to read/write when needed for working with the config or other system files.

    You can change it by hand by running:

    /etc/rc.conf_mount_rw

    And then when you are done, run

    /etc/rc.conf_mount_ro

    As for the prompting, I don't think you need to do anything in the client config (it would not be on the server) you just need to give it a password when you first generate the certificate.



  • I haven't tried it on my Windows client yet but on my Linux client... using kvpnc I get an options error "No client-side authentication method is specified. Use either --cert/--key, --pkcs12, or --auth-user-pass." I created the client crt and key using the ./build-key-pass client* command. It prompts for a PEM pass phrase, which is what I want. Do you know the option in the client config file that will set this up? I have seen auth-user-pass in a config file but is the actual command auth-key? Does that sound right to you?
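    The kvpnc error quoted above lists the three client-side options OpenVPN accepts, and the passphrase prompt the poster wants is a property of the key file, not of a directive. The client config below is an added example (not from the thread, the pfSense tutorial or Zerina) that shows where each option goes; the server name, port and file names are assumptions. With option A, if key.pem was produced with build-key-pass (i.e. it is an encrypted PEM key) OpenVPN asks for the private key password at connect time without any extra directive; with option B the prompt is for the PKCS#12 export password. auth-user-pass is a username/password challenge that the server has to be set up to verify, which is not what was asked for here.

```conf
# Added example client config, not from the original thread.
# vpn.example.net, the port and the file names are placeholders.
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
persist-key
persist-tun

# Option A: the three PEM pieces unpacked from the IPCop bundle.
# An encrypted key.pem (build-key-pass) triggers the
# "Enter Private Key Password" prompt on every connect.
ca ca.pem
cert cert.pem
key key.pem

# Option B: hand OpenVPN the .p12 as-is instead of ca/cert/key;
# the prompt is then for the PKCS#12 export password.
#pkcs12 client.p12

# Option C: username/password, only if the server is configured to check it.
#auth-user-pass

# Optional HMAC firewall; requires the same ta.key on the server (direction 0 there).
#tls-auth ta.key 1

verb 3
```

    Note there is no "auth-key" directive in OpenVPN; leave the key line as shown and the passphrase prompt follows from the key being encrypted. Only the road-warrior copy of the key should be encrypted; the copy on the firewall must stay unencrypted, as the earlier reply explained.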



  • I was testing OpenVPN on pfSense yesterday and stumbled across your post...
    I had previously worked with OpenVPN using the OpenVPN how-to, which specifies using .crt, .key, and dh.pem files.

    Like you, I was not sure how to use certs generated by IPCop on pfSense OpenVPN...

    It turned out that I was able to paste the IPCop PEM files into the pfSense OpenVPN config (I had wondered if I needed to convert to a .crt file).
    Then I was able to use the downloaded IPCop client package as it was.
    There was no need to convert the .p12 to pem or crt.

