Migrating standalone OpenVPN keys/certificates to pfSense



  • Hi there,

    replacing an old FreeBSD system running OpenVPN and looking to perform the upgrade without affecting the end users as far as certificates.

    Has anyone done this, or can point me to a document that was verified to work?

    I've followed one that did not work for me, and I'm having trouble figuring out which of the three places one could enter a client certificate is what I want.

    I thought I could just paste in my CA and server certs, then go to Cert Manager and enter certificates there, but I was met with a few issues there.  I also tried going through User Manager, which looks promising, and created a user 'client' and imported its certificate.  But connecting, I am asked for a username and password, whereas the live system only requires a password.

    Thanks for any pointers.

    Edit: to add some detail:

    1. I import my existing CA and server cert under System -> Cert Manager
    2. I copied over one client certificate under "System -> Cert Manager -> Certificates" tab
    3. I created an OpenVPN server under VPN -> OpenVPN, using CA and server certs made above
    4. I created an OpenVPN client under the "Client" tab.  The interesting part is that the certificate 'common name' is 'client1' but the files pfSense created under /var/etc/openvpn are client2.*.  Is this expected?

    When I try to connect, and supply the password for client1 (that I tested on the current OpenVPN server), I get:

    Cannot load private key file /var/etc/openvpn/client2.key: error:0906A068:PEM routines:PEM_do_header:bad password read: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

    I am, however, able to authenticate against the key, so I suspect I'm adding these certs in the wrong place/way.

    [2.0.1-RELEASE][root@pfSense.localdomain]/var/etc/openvpn(29): openssl rsa -in client2.key -out deleteme.pem
    Enter pass phrase for client2.key:
    writing RSA key
    [2.0.1-RELEASE][root@pfSense.localdomain]/var/etc/openvpn(30):



  • Might not solve your problem, but step (4) is for an openvpn client connecting to a remote openvpn server/site-to-site, you shouldn't need this step for road warriors. You also don't need to create a user under user manager, openvpn just needs the client certificates and key (without passphrase) entered in the cert manager, along with the server cert and CA (+chain if appropriate).
    The end users may choose to protect their key with a passphrase.



  • @thermo:

    The end users may choose to protect their key with a passphrase.

    Meaning that in pfSense, I'd be using a key without a password, but the roadwarrior (roaming) clients could be using a password protected key?

    Edit: OK, with key password removed on server, but password protected on the client side, the client gets asked for the pass and the connection is made.

    The thing I was missing was removing the key password on the key I copied into pfSense.  The VPN seems to be working now.  Thanks for the pointers!



  • Glad you got it working.
    Strictly speaking, the pfsense openvpn server doesn't require the RW private key, it's just the UI in the cert manager forces you to enter it.


  • Rebel Alliance Developer Netgate

    FYI- We have some of that procedure documented here:
    http://doc.pfsense.org/index.php/Using_EasyRSA_Certificates_in_2.x


Locked