    Openvpn fails to start on pfsense firewall

    OpenVPN
    bjh4:

    I installed pfsense nano 2G on a flash card.  Openvpn is giving me some serious problems.  I put in all my certs and keys then was informed my server key was invalid.  I adjusted the header and footer tags to include "RSA" (--Begin RSA Private key--).  That gave me the ability to save the openvpn connection information.  The service will not start as per the error below.

    Apr 22 12:57:42 openvpn[353]: Cannot load private key file /var/etc/openvpn_server0.key: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
    Apr 22 12:57:42 openvpn[353]: Error: private key password verification failed

    I find it peculiar that I had to change the tags just to get the server info to save.  Any ideas??? Thank you in advance :-)
    jimp (Rebel Alliance Developer, Netgate):

    It's basically saying it can't parse the right data out of the key you gave it. Are you really sure that you are pasting in exactly what it asks for? The headers should already match if you are using the proper key/cert.

    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

    Need help fast? Netgate Global Support!

    Do not Chat/PM for help!
    bjh4:

    I am pretty certain that I'm using the correct information.  I took the output of 'cat server.key'.  I am generating these keys with openvpn 2.1.1.  I'm not sure if that would be a problem.  Not one of the keys or certificates that were generated contains a header with "RSA" in it.
    jimp (Rebel Alliance Developer, Netgate):

    You must not be generating the right files then, because both my server and client key files have an RSA header.

    Are you using EasyRSA to generate these files?
    kpa:

    Is the key protected with a password? You need a key with no password set (or use the --askpass option of openvpn to supply the password at daemon startup).
    bjh4:

    I am using easy-rsa 2.0… I should try 1.0 and see if I get the same results.  To my knowledge I have not password protected the files.
    bjh4:

    Using easy-rsa/1.0 failed to yield any headers with RSA in them.  I've set up openvpn successfully using computers and using dd-wrt… I don't understand why this is giving me such a problem.
    jimp (Rebel Alliance Developer, Netgate):

    Try it this way:

    http://doc.pfsense.org/index.php/Easyrsa_for_pfSense
    bjh4:

    Success!! Much thanks, Jimp!

    Unfortunately, since my file system is read only, I could not work from /root.  I had to download the zipped file directly to /tmp and create the keys there.  A little less automated but still got the job done! sweeeet!
    jimp (Rebel Alliance Developer, Netgate):

    Be sure you download all of that before you reboot that box, or else you'll not be able to make any more keys!

    If you're on nanobsd, you can still work in /root, you just have to run a command before:

    /etc/rc.conf_mount_rw

    And then a command after:

    /etc/rc.conf_mount_ro

    To switch between read/write and read-only states on the storage media.
    bjh4:

    I used scp to copy the keys directory off.  Thanks!
    kazino:

    Hi,

    Thanks for the tip. I had the same problem, and effectively just changing the boundaries does not solve the issue.

    What you must do is convert your pem key file into the old RSA format.

    Use the following command and specify the path to the key file you want to convert:

    openssl rsa -in /path/server_key.pem

    Then copy the output into your webGUI text box including the boundaries "-----BEGIN RSA PRIVATE KEY-----" / "-----END RSA PRIVATE KEY-----"
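As an added illustration (not part of the thread, and not pfSense or OpenVPN code), the script below parses a PEM block, inspects the ASN.1 structure inside it, and shows the mechanism behind the two observations above: renaming only the BEGIN/END boundaries leaves a "PRIVATE KEY" (PKCS#8) body under an "RSA PRIVATE KEY" label, which is what OpenSSL's `d2i_PrivateKey ... wrong tag` error in the first post describes, while unwrapping the PrivateKeyInfo envelope (the operation `openssl rsa -in key.pem` performs for an unencrypted key) yields a consistent PKCS#1 block. The DER helpers and the toy RSA numbers are constructed for the demo and are not a usable key.

```python
"""Classify a PEM private key as PKCS#1 (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY)
from its ASN.1 structure, and contrast "relabel only" with a real conversion."""
import base64
import re

# --- minimal DER helpers (enough to build and read the two key envelopes) ---

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    # One extra byte when the top bit is set keeps the INTEGER positive.
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return der_tlv(0x02, body)

def read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"

def from_pem(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", pem, re.S)
    if not m or m.group(1) != m.group(3):
        raise ValueError("no well-formed PEM block")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

# --- constructed toy key (textbook RSA numbers, NOT a usable key) ---
TOY = dict(n=3233, e=17, d=2753, p=61, q=53, dp=53, dq=49, qinv=38)
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption

def pkcs1_der():
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv } (all INTEGER)."""
    fields = [0, TOY["n"], TOY["e"], TOY["d"], TOY["p"], TOY["q"], TOY["dp"], TOY["dq"], TOY["qinv"]]
    return der_tlv(0x30, b"".join(der_int(v) for v in fields))

def pkcs8_der():
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING privateKey }."""
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")  # AlgorithmIdentifier { rsaEncryption, NULL }
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, pkcs1_der()))

def classify(pem):
    """Return (label, structure, consistent); structure is 'PKCS#1' or 'PKCS#8'."""
    label, der = from_pem(pem)
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, pos = read_tlv(body, 0)          # version INTEGER
    second_tag, _, _ = read_tlv(body, pos)  # the element that tells the two formats apart
    if second_tag == 0x02:                  # INTEGER n  -> RSAPrivateKey
        structure, expected = "PKCS#1", "RSA PRIVATE KEY"
    elif second_tag == 0x30:                # AlgorithmIdentifier -> PrivateKeyInfo
        structure, expected = "PKCS#8", "PRIVATE KEY"
    else:
        raise ValueError(f"unexpected tag 0x{second_tag:02x} after version")
    return label, structure, label == expected

def relabel_only(pem, new_label):
    """What the original poster did: swap the boundary lines, leave the body alone."""
    _, der = from_pem(pem)
    return to_pem(new_label, der)

def pkcs8_to_pkcs1(pem):
    """Unwrap PrivateKeyInfo to RSAPrivateKey, as `openssl rsa -in` does for an unencrypted RSA key."""
    label, der = from_pem(pem)
    if label != "PRIVATE KEY":
        raise ValueError("expected a PKCS#8 'PRIVATE KEY' block")
    _, body, _ = read_tlv(der, 0)
    _, _, pos = read_tlv(body, 0)         # version
    _, _, pos = read_tlv(body, pos)       # AlgorithmIdentifier
    tag, inner, _ = read_tlv(body, pos)   # OCTET STRING holding the RSAPrivateKey DER
    if tag != 0x04:
        raise ValueError("expected OCTET STRING privateKey")
    return to_pem("RSA PRIVATE KEY", inner)

if __name__ == "__main__":
    k8 = to_pem("PRIVATE KEY", pkcs8_der())
    print(classify(k8))                                   # label and body agree (PKCS#8)
    print(classify(relabel_only(k8, "RSA PRIVATE KEY")))  # label says PKCS#1, body is PKCS#8
    print(classify(pkcs8_to_pkcs1(k8)))                   # real conversion: consistent PKCS#1
```

The third field of `classify` is the check a practitioner wants before pasting a key into the GUI: the label on the boundary lines and the tag after the version INTEGER must agree. Real keys are far larger than the toy numbers, so `read_tlv` handles long-form DER lengths; the script never prints key material, and the toy values should not be reused anywhere.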