Openvpn fails to start on pfsense firewall

  • I installed pfsense nano 2G on a flash card.  Openvpn is giving me some serious problems.  I put in all my certs and keys then was informed my server key was invalid.  I adjusted the header and footer tags to include "RSA" – Begin RSA Private key--.  That gave me the ability to save the openvpn connection information.  The service will not start as per error below.

    Apr 22 12:57:42 openvpn[353]: Cannot load private key file /var/etc/openvpn_server0.key: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
    Apr 22 12:57:42 openvpn[353]: Error: private key password verification failed

    I find it peculiar that I had to change the tags just to get the server info to save.  Any ideas??? thank you in advance :-)

  • Rebel Alliance Developer Netgate

    It's basically saying it can't parse the right data out of the key you gave it. Are you really sure that you are pasting in exactly what it asks for? The headers should already match if you are using the proper key/cert.

  • I am pretty certain that I'm using the correct information.  I took the output of 'cat server.key'.  I am generating these keys with openvpn 2.1.1.  I'm not sure if that would be a problem.  Not one of the keys or certificates that were generated contain a header with "RSA" in it.

  • Rebel Alliance Developer Netgate

    You must not be generating the right files then, because both my server and client key files have an RSA header.

    Are you using EasyRSA to generate these files?

  • Is the key protected with a password? You need a key with no password set (or use the –askpass option of openvpn to supply the password at daemon startup).

  • I am using easy-rsa 2.0… I will should try 1.0 and see if I get the same results.  To my knowledge I have not password protected the files.

  • using easy-rsa/1.0 failed to yield any headers with RSA in them.  I've set up openvpn successfully using computers and using dd-wrt… I don't understand why this is giving me such a problem.

  • Rebel Alliance Developer Netgate

  • Success!! much thanks Jimp!

    Unfortunately since my file system is read only, I could not work from /root.  I had to download the zipped file directly to /tmp and create the keys there.  A little less automated but still got the job done! sweeeet!

  • Rebel Alliance Developer Netgate

    Be sure you download all of that before you reboot that box, or else you'll not be able to make any more keys!

    If you're on nanobsd, you can still work in /root, you just have to run a command before:


    And then a command after


    To switch between read/write and read-only states on the storage media.

  • I used scp to copy the keys directory off.  Thanks!

  • Hi,

    Thanks for the tip. I had the same problem and effectively just changing the boundaries does not solve the issue.

    What you must do is to convert your pem key file into a old RSA format.

    Use the following command and specify the path to the key file you want to convert:

    openssl rsa -in /path/server_key.pem

    Then copy the output into your webGUI text box including the boundaries "–---BEGIN RSA PRIVATE KEY-----" / "-----END RSA PRIVATE KEY-----"

Log in to reply