Openvpn fails to start on pfsense firewall
I installed pfsense nano 2G on a flash card. Openvpn is giving me some serious problems. I put in all my certs and keys then was informed my server key was invalid. I adjusted the header and footer tags to include "RSA" – Begin RSA Private key--. That gave me the ability to save the openvpn connection information. The service will not start as per error below.
Apr 22 12:57:42 openvpn: Cannot load private key file /var/etc/openvpn_server0.key: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Apr 22 12:57:42 openvpn: Error: private key password verification failed
I find it peculiar that I had to change the tags just to get the server info to save. Any ideas??? thank you in advance :-)
It's basically saying it can't parse the right data out of the key you gave it. Are you really sure that you are pasting in exactly what it asks for? The headers should already match if you are using the proper key/cert.
I am pretty certain that I'm using the correct information. I took the output of 'cat server.key'. I am generating these keys with openvpn 2.1.1. I'm not sure if that would be a problem. Not one of the keys or certificates that were generated contain a header with "RSA" in it.
You must not be generating the right files then, because both my server and client key files have an RSA header.
Are you using EasyRSA to generate these files?
kpa last edited by
Is the key protected with a password? You need a key with no password set (or use the –askpass option of openvpn to supply the password at daemon startup).
I am using easy-rsa 2.0… I will should try 1.0 and see if I get the same results. To my knowledge I have not password protected the files.
using easy-rsa/1.0 failed to yield any headers with RSA in them. I've set up openvpn successfully using computers and using dd-wrt… I don't understand why this is giving me such a problem.
Try it this way:
Success!! much thanks Jimp!
Unfortunately since my file system is read only, I could not work from /root. I had to download the zipped file directly to /tmp and create the keys there. A little less automated but still got the job done! sweeeet!
Be sure you download all of that before you reboot that box, or else you'll not be able to make any more keys!
If you're on nanobsd, you can still work in /root, you just have to run a command before:
And then a command after
To switch between read/write and read-only states on the storage media.
I used scp to copy the keys directory off. Thanks!
kazino last edited by
Thanks for the tip. I had the same problem and effectively just changing the boundaries does not solve the issue.
What you must do is to convert your pem key file into a old RSA format.
Use the following command and specify the path to the key file you want to convert:
openssl rsa -in /path/server_key.pem
Then copy the output into your webGUI text box including the boundaries "–---BEGIN RSA PRIVATE KEY-----" / "-----END RSA PRIVATE KEY-----"