Netgate Discussion Forum
    Migrating standalone OpenVPN keys/certificates to pfSense

    5 Posts 3 Posters 4.6k Views
fafaforza

      Hi there,

      replacing an old FreeBSD system running OpenVPN and looking to perform the upgrade without affecting the end users as far as certificates.

      Has anyone done this, or can point me to a document that was verified to work?

      I've followed one that did not work for me, and I'm having trouble figuring out which of the three places one could enter a client certificate is what I want.

I thought I could just paste in my CA and server certs, then go to Cert Manager and enter certificates there, but I was met with a few issues there. I also tried going through User Manager, which looks promising, and created a user 'client' and imported its certificate. But connecting, I am asked for a username and password, whereas the live system only requires a password.

      Thanks for any pointers.

      Edit: to add some detail:

      1. I import my existing CA and server cert under System -> Cert Manager
      2. I copied over one client certificate under "System -> Cert Manager -> Certificates" tab
      3. I created an OpenVPN server under VPN -> OpenVPN, using CA and server certs made above
4. I created an OpenVPN client under the "Client" tab. The interesting part is that the certificate 'common name' is 'client1' but the files pfSense created under /var/etc/openvpn are client2.*. Is this expected?

      When I try to connect, and supply the password for client1 (that I tested on the current OpenVPN server), I get:

      Cannot load private key file /var/etc/openvpn/client2.key: error:0906A068:PEM routines:PEM_do_header:bad password read: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

      I am, however, able to authenticate against the key, so I suspect I'm adding these certs in the wrong place/way.

      [2.0.1-RELEASE][root@pfSense.localdomain]/var/etc/openvpn(29): openssl rsa -in client2.key -out deleteme.pem
      Enter pass phrase for client2.key:
      writing RSA key
      [2.0.1-RELEASE][root@pfSense.localdomain]/var/etc/openvpn(30):

thermo

Might not solve your problem, but step (4) is for an OpenVPN client connecting to a remote OpenVPN server (site-to-site); you shouldn't need this step for road warriors. You also don't need to create a user under User Manager: OpenVPN just needs the client certificates and key (without passphrase) entered in the Cert Manager, along with the server cert and CA (+chain if appropriate).
        The end users may choose to protect their key with a passphrase.

fafaforza

          @thermo:

          The end users may choose to protect their key with a passphrase.

          Meaning that in pfSense, I'd be using a key without a password, but the roadwarrior (roaming) clients could be using a password protected key?

          Edit: OK, with key password removed on server, but password protected on the client side, the client gets asked for the pass and the connection is made.

The thing I was missing was removing the key password on the key I copied into pfSense. The VPN seems to be working now. Thanks for the pointers!

thermo
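The root cause in this thread was a passphrase-protected private key pasted into Cert Manager: pfSense writes the key verbatim to /var/etc/openvpn and OpenVPN has nobody to prompt, hence "bad password read". The following is an added pre-import check, not code from the thread or from pfSense; it inspects the PEM framing of a key (the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" headers and the PKCS#8 "ENCRYPTED PRIVATE KEY" label) so you know whether the key still needs its passphrase stripped before pasting it in. The key bodies below are constructed placeholders, not real keys.

```python
import re

# Constructed sample keys (not real key material): only the PEM framing matters here.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

bm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END ENCRYPTED PRIVATE KEY-----
"""
PLAIN = """-----BEGIN RSA PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

_BEGIN = re.compile(r"^-----BEGIN (.+?)-----$", re.M)


def pem_key_status(pem: str) -> str:
    """Return 'encrypted', 'plain' or 'not-a-key' for a PEM-encoded private key."""
    m = _BEGIN.search(pem)
    if not m or "PRIVATE KEY" not in m.group(1):
        return "not-a-key"          # e.g. a certificate or CA was pasted instead
    label = m.group(1)
    # PKCS#8 encrypted keys announce it in the BEGIN label itself.
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted"
    # Legacy OpenSSL keys keep their label but add RFC 1421 headers before the body.
    body = pem[m.end():]
    if re.search(r"^Proc-Type: 4,ENCRYPTED", body, re.M) or re.search(r"^DEK-Info:", body, re.M):
        return "encrypted"
    return "plain"


def import_ready(pem: str) -> bool:
    """True only for an unencrypted private key, which is what Cert Manager expects."""
    return pem_key_status(pem) == "plain"


def check_key_file(path: str) -> str:
    """Classify a key file on disk; an 'encrypted' result means run
    `openssl rsa -in <file> -out <plain>` (as in the thread) before importing."""
    with open(path, encoding="utf-8") as fh:
        return pem_key_status(fh.read())
```

Run the check on the client key before pasting it into System -> Cert Manager; the road-warrior copy of the key can stay passphrase-protected, as thermo notes.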

            Glad you got it working.
Strictly speaking, the pfSense OpenVPN server doesn't require the RW private key; it's just that the UI in the Cert Manager forces you to enter it.

jimp (Rebel Alliance Developer, Netgate)

              FYI- We have some of that procedure documented here:
              http://doc.pfsense.org/index.php/Using_EasyRSA_Certificates_in_2.x

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.