OpenVPN Client to Server requiring user/passw not working.
-
Hello,
I have pfsense as OpenVPN Client.
The other side is an OpenVPN server at "vpntunnel.se".
But the connection, when used from OpenVPN Windows version on a PC-client,
requires user/password and can't get that to work on pfSense. It is similar to the following thread
http://forum.pfsense.org/index.php/topic,5733.0.html
I get the following in the log
Apr 9 06:32:56 openvpn[62207]: Exiting
Apr 9 06:32:56 openvpn[62207]: Error: private key password verification failed
Apr 9 06:32:56 openvpn[62207]: Cannot load private key file /var/etc/openvpn_client1.key: error:0906A068:PEM routines:PEM_do_header:bad password read: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Apr 9 06:32:56 openvpn[62207]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 9 06:32:56 openvpn[62207]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
The config from the OpenVPN Windows version is:
#vpntunnel.se config
float
client
dev tap
proto udp
; Cert
ca ..\keys\ca.crt
ns-cert-type server
cipher BF-CBC
;Host
remote-random
remote melissa.vpntunnel.se 1194
remote melissa.vpntunnel.se 10010
remote melissa.vpntunnel.se 10020
resolv-retry infinite
;auth
auth-user-pass
persist-key
persist-tun
comp-lzo
verb 2
And I have tried to create a working client keyfile using
cd /root/easyrsa4pfsense/
source vars
./build-key mrzaz
./build-key-pass mrzaz
using CN=mrzaz ("mrzaz" is the username for the service I used to login)
and the "Enter PEM pass phrase:" is set to the password supplied by "vpntunnel.se".
(Used in the PC-client to login)
I tried to use PKI in pfSense filling in the
- CA (from ..\keys\ca.crt),
- Client cert (from mrzaz.crt),
- Client key (from mrzaz.key)
But it doesn't work.
Does anyone have a clue what I'm doing wrong?
I have searched the forums but haven't found any good solutions for this problem.
When using it from the Windows client it connects OK without problem (using user/passw).
//Dan Lundqvist
-
No one who can help on this?
-
I never set up a config where I require a password.
But since this is more an OpenVPN problem and less a pfSense problem I suggest you ask on their forum/mailing list.
-
Somehow (though I don't know the specific config options) you have to supply the username and password in the custom options for that openvpn instance. The GUI doesn't have a place for them or a way to ask.
-
Somehow (though I don't know the specific config options) you have to supply the username and password in the custom options for that openvpn instance. The GUI doesn't have a place for them or a way to ask.
For this to work, the client must be compiled with the "--enable-password-save" option enabled.
Then you could specify a file with the user/psw using "--auth-user-pass passfile.txt"
in the custom options for this VPN-client profile.
Else you will only get "Sorry, 'Auth' password cannot be read from a file".
The compilation with the flag must be done by the pfSense team.
Don't have the skill to do it myself.
However, the Client certificate and Client key fields are mandatory in 1.2.3,
so they must be filled in even if they may not be used when using user/pass.
But I can live with that.
From the OpenVPN manual:
--auth-user-pass [up]
Authenticate with server using username/password.
up is a file containing username/password on 2 lines
(Note: OpenVPN will only read passwords from a file
if it has been built with the --enable-password-save
configure option, or on Windows by defining
ENABLE_PASSWORD_SAVE in config-win32.h).
If up is omitted, username/password will be prompted
from the console. The server configuration must
specify an --auth-user-pass-verify script to verify
the username/password provided by the client.
-
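Editor's added example (not a post from this thread and not pfSense or OpenVPN project code): the "up" file that --auth-user-pass reads is a plaintext credential, so if you go the custom-options route the file needs to be root-only, exactly two non-empty lines, and the client config should still verify the server certificate (the log above warns "No server certificate verification method has been enabled", which the Windows config avoids with ns-cert-type server). The script below writes such a file with 0600 permissions and checks both the file and a client config for those points. The directory, file names, the password value and the sample config are constructed for the demo; on pfSense you would pick a path under a root-owned directory and reference it from the Custom options box.

```shell
#!/bin/sh
# Added example: create and check the two-line credential file used by
# "auth-user-pass <file>", and sanity-check an OpenVPN client config.
# All paths and values below are constructed for the demo.

# Write username (line 1) and password (line 2) to FILE, owner-readable only.
# The umask runs in a subshell so the rest of the script is unaffected.
write_auth_file() {
    file="$1"; user="$2"; pass="$3"
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$file" )
}

# Return 0 if FILE exists, has exactly two non-empty lines, and grants no
# permission bits to group or other (the plaintext password must stay private).
check_auth_file() {
    file="$1"
    [ -f "$file" ] || return 1
    [ "$(wc -l < "$file")" -eq 2 ] || return 1
    while IFS= read -r line; do
        [ -n "$line" ] || return 1          # an empty username or password line
    done < "$file"
    perms=$(ls -ld "$file" | cut -c5-10)  # group+other bits, portable (BSD and Linux)
    [ "$perms" = "------" ]
}

# Return 0 if CONFIG points auth-user-pass at a file (not the console prompt,
# which a headless pfSense client cannot answer) and enables server certificate
# verification via ns-cert-type server or remote-cert-tls server.
check_client_config() {
    cfg="$1"
    grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]]+' "$cfg" || return 1
    grep -Eq '^[[:space:]]*(ns-cert-type|remote-cert-tls)[[:space:]]+server' "$cfg" || return 1
    return 0
}

# Demo with constructed values in a temporary directory.
demo() {
    dir=$(mktemp -d)
    write_auth_file "$dir/vpntunnel.auth" "mrzaz" "example-password"
    cat > "$dir/client.ovpn" <<EOF
client
dev tap
proto udp
remote melissa.vpntunnel.se 1194
ns-cert-type server
auth-user-pass $dir/vpntunnel.auth
EOF
    check_auth_file "$dir/vpntunnel.auth" && echo "credential file OK"
    check_client_config "$dir/client.ovpn" && echo "client config OK"
    rm -rf "$dir"
}
demo
```

The check deliberately rejects a config whose auth-user-pass has no file argument, because that is the form that makes OpenVPN prompt on a console nobody is watching, and it rejects a world-readable credential file regardless of its contents.
-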
Hello!
Have you tried this on pfSense 2.0?
I am struggling to get this to work, so please let me know if you found a way.
-
Check out this post. Haven't had the time to test it out but it looks promising.
It seems to have the thing that was missing on 1.2.3.
http://forum.pfsense.org/index.php/topic,24435.0.html
//Dan Lundqvist