OpenVPN Client to Server requiring user/password not working.



  • Hello,

    I have pfsense as OpenVPN Client.
    The other side is an OpenVPN server at "vpntunnel.se".
    But the connection, when used from the OpenVPN Windows version on a PC client,
    requires a username/password, and I can't get that to work on pfSense.

    It is similar to the following thread
    http://forum.pfsense.org/index.php/topic,5733.0.html

    I get the following in the log
    Apr 9 06:32:56 openvpn[62207]: Exiting
    Apr 9 06:32:56 openvpn[62207]: Error: private key password verification failed
    Apr 9 06:32:56 openvpn[62207]: Cannot load private key file /var/etc/openvpn_client1.key: error:0906A068:PEM routines:PEM_do_header:bad password read: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
    Apr 9 06:32:56 openvpn[62207]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Apr 9 06:32:56 openvpn[62207]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009

    The config from the OpenVPN Windows version is:
    --
    #vpntunnel.se config
    float
    client
    dev tap
    proto udp
    ; Cert
    ca ..\keys\ca.crt
    ns-cert-type server
    cipher BF-CBC
    ;Host
    remote-random
    remote melissa.vpntunnel.se 1194
    remote melissa.vpntunnel.se 10010
    remote melissa.vpntunnel.se 10020

    resolv-retry infinite
    ;auth
    auth-user-pass
    persist-key
    persist-tun

    comp-lzo
    verb 2

    And I have tried to create a working client keyfile using

    cd /root/easyrsa4pfsense/
    source vars
    ./build-key mrzaz
    ./build-key-pass mrzaz

    using CN=mrzaz ("mrzaz" is the username I use to log in to the service),
    and the "Enter PEM pass phrase:" is set to the password supplied by "vpntunnel.se"
    (used in the PC client to log in).

    I tried to use PKI in pfSense filling in the

    • CA (from ..\keys\ca.crt),
    • Client cert (from mrzaz.crt),
    • Client key (from mrzaz.key)

    But it doesn't work.

    Does anyone have a clue what I'm doing wrong ?

    I have searched the forums but haven't found any good solutions for this problem.

    When using it from the Windows client it connects OK without problem (using user/password).

    //Dan Lundqvist



  • No one who can help on this ?



    I never set up a config where I require a password.
    But since this is more an OpenVPN problem and less a pfSense problem, I suggest you ask on their forum/mailing list.


  • Rebel Alliance Developer Netgate

    Somehow (though I don't know the specific config options) you have to supply the username and password in the custom options for that openvpn instance. The GUI doesn't have a place for them or a way to ask.



  • @jimp:

    Somehow (though I don't know the specific config options) you have to supply the username and password in the custom options for that openvpn instance. The GUI doesn't have a place for them or a way to ask.

    For this to work, the client must be compiled with the "--enable-password-save" option enabled.
    Then you could specify a file with the user/password using "--auth-user-pass passfile.txt"
    in the custom options for this VPN client profile.
    Otherwise you will only get "Sorry, 'Auth' password cannot be read from a file".

    The compilation with that flag must be done by the pfSense team.
    I don't have the skill to do it myself.

    However, the Client certificate and Client key fields are mandatory in 1.2.3,
    so they must be filled in even if they may not be used when using user/pass.
    But I can live with that.

    From OpenVPN manual
    --auth-user-pass [up]
    Authenticate with server using username/password.
    up is a file containing username/password on 2 lines
    (Note: OpenVPN will only read passwords from a file
    if it has been built with the --enable-password-save
    configure option, or on Windows by defining
    ENABLE_PASSWORD_SAVE in config-win32.h).

    If up is omitted, username/password will be prompted
    from the console.  The server configuration must
    specify an --auth-user-pass-verify script to verify
    the username/password provided by the client.


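The post above describes how the file form of --auth-user-pass is supposed to work: a two-line file (username, then password) named in the client's custom options, which the binary only honours when built with --enable-password-save. The following is an added example, not code from the thread, from pfSense or from OpenVPN. It writes such a file with owner-only permissions, checks its format, and emits a client config matching the Windows one posted earlier, with the interactive prompt replaced by the file. The paths, the username "mrzaz" and the password are constructed placeholders; whether the openvpn binary reads the file is still decided by how it was built, which this script cannot check.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or OpenVPN). Wires up the
# "auth-user-pass <file>" form from the OpenVPN manual: a two-line
# credentials file with owner-only permissions, a format check, and a
# client config that uses it. Paths and credentials are placeholders.
# The binary must still be built with --enable-password-save to read it.
set -eu

# write_auth_file DIR USER PASS
# Writes DIR/auth.txt in the layout --auth-user-pass expects: username on
# line 1, password on line 2. umask 077 in a subshell keeps the file
# owner-only from the moment it is created. Prints the path.
write_auth_file() {
    dir=$1 user=$2 pass=$3
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dir/auth.txt" )
    printf '%s\n' "$dir/auth.txt"
}

# check_auth_file FILE
# Returns 0 only if FILE has exactly two non-empty lines and mode 0600.
check_auth_file() {
    f=$1
    [ -f "$f" ] || { echo "check_auth_file: missing $f" >&2; return 1; }
    n=$(wc -l < "$f" | tr -d ' ')
    [ "$n" -eq 2 ] || { echo "check_auth_file: want 2 lines, got $n" >&2; return 1; }
    while IFS= read -r line; do
        [ -n "$line" ] || { echo "check_auth_file: empty line in $f" >&2; return 1; }
    done < "$f"
    # GNU stat first; BSD stat (FreeBSD, which pfSense runs on) as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "check_auth_file: mode $mode, want 600" >&2; return 1; }
}

# client_config CA_PATH AUTH_FILE
# Emits the Windows client config from the thread with the prompt replaced
# by the credentials file. "ns-cert-type server" is kept so the client
# rejects a peer presenting a client certificate; dropping it is what the
# "No server certificate verification method" warning in the log is about.
client_config() {
    ca=$1 auth=$2
    cat <<EOF
client
dev tap
proto udp
float
ca $ca
ns-cert-type server
cipher BF-CBC
remote-random
remote melissa.vpntunnel.se 1194
remote melissa.vpntunnel.se 10010
remote melissa.vpntunnel.se 10020
resolv-retry infinite
auth-user-pass $auth
persist-key
persist-tun
comp-lzo
verb 2
EOF
}

# check_config FILE
# Returns 0 if the config names a credentials file and verifies the server
# certificate type; returns 1 and reports what is missing otherwise.
check_config() {
    cfg=$1 rc=0
    if ! grep -Eq '^auth-user-pass[[:space:]]+[^[:space:]]' "$cfg"; then
        echo "check_config: auth-user-pass has no file argument" >&2; rc=1
    fi
    if ! grep -Eq '^(ns-cert-type|remote-cert-tls)[[:space:]]+server' "$cfg"; then
        echo "check_config: no server certificate verification" >&2; rc=1
    fi
    return $rc
}
```

On pfSense the generated "auth-user-pass /path/auth.txt" line is what goes into the client's custom options; the file itself must live on the firewall's filesystem, readable only by the user openvpn runs as.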

  • Hello!
    Have you tried this on pfsense 2.0?

    I am struggling to get this to work, so please let me know if you found a way.



  • Check out this post. Haven't had the time to test it out but it looks promising.
    It seems to have the thing that was missing on 1.2.3.

    http://forum.pfsense.org/index.php/topic,24435.0.html

    //Dan Lundqvist

