atarione last edited by
so.. despite having not much experience w/ VPNs (been running m0n0wall w/ a PPTP server /w radius authentication for about 1yr…. pretty dang easy to set up)
I recently started messing w/ pfsense to try it out vs m0n0wall... I was kinda excited by the OpenVPN capabilities and wanted to have a go with securing my wifi over OpenVPN
using the outbound NAT and push "redirect-gateway def1"; I now seem to have succeeded in getting OpenVPN up and running and routing everything over the VPN
(along with pushing DNS and WINS to my win2k3 server... I have access to the LAN from the Wifi interface)
I'm pretty happy w/ myself for getting this much working after messing w/ it for a "few" hours :)
BUT... there is something I can't for the life of me figure out
the documentation has been apparently not enough for my "limited" understanding of CAs / keys... the Windows CA store... to get this going
I imported my client key to the "Local Computer / Personal" and my .ovpn client config looks like this
    float
    port 1194
    dev tun
    dev-node monkeybase
    proto tcp-client
    remote XXXX.com 1194
    ping 10
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cryptoapicert "THUMB:05 28 ......"
    #key client2.key
    ns-cert-type server
    comp-lzo
    pull
    verb 4
but it gets an error message
    Sun Oct 21 17:13:07 2007 us=188717 Cannot load certificate "THUMB:05 28 ....." from Microsoft Certificate Store: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
    Sun Oct 21 17:13:07 2007 us=408817 Exiting
sooo... I'm apparently doing something wrong w/ importing the ca to the windows store... can anyone expand on this process as it is pretty "vague" in the documentation... (maybe they "rightfully" expect u to have more of an idea what you are doing if you are trying this.... :) but I don't so .... if someone could possibly help me out that would be super and most appreciated.
best regards and thank you for taking the time to read this.
NEVER MIND FIGURED IT OUT
I was apparently not aware I need to use openSSL to make a PKCS12 file for the ca /key
anyways in case anyone else is searching later and confused about the cryptoapicert thing
is the article that got me going.
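
The PKCS12 step the post ends on, as an added example that is not part of the original post: it bundles the client key and certificate with the CA certificate, confirms the bundle really carries a private key, and prints the matching cryptoapicert line. The function names, the "openvpn-client" label and the file names in the comments (client2.key, client2.crt, ca.crt) are assumptions.

```shell
#!/bin/sh
# Added example (assumed file names: client2.key, client2.crt, ca.crt).

# Succeed only if the private key belongs to the certificate.
# Usage: key_matches_cert <key.pem> <cert.pem>
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key + certificate + CA certificate into one PKCS#12 file.
# Usage: make_p12 <key.pem> <cert.pem> <ca.pem> <out.p12> <password>
make_p12() {
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "openvpn-client" -out "$4" -passout "pass:$5"
}

# Confirm the bundle contains a private key. A certificate imported
# without its key is what produces the CryptAcquireCertificatePrivateKey
# error quoted in the post.
# Usage: p12_has_key <file.p12> <password>
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

# Print the config line for a certificate: SHA-1 thumbprint as
# lowercase hex bytes separated by spaces.
# Usage: cryptoapicert_line <cert.pem>
cryptoapicert_line() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 1
    printf 'cryptoapicert "THUMB:%s"\n' \
        "$(printf '%s' "${fp#*=}" | tr ':' ' ' | tr 'A-F' 'a-f')"
}

# Typical sequence:
#   make_p12 client2.key client2.crt ca.crt client2.p12 'import-password'
#   p12_has_key client2.p12 'import-password' && cryptoapicert_line client2.crt
```

Importing the resulting .p12 into the "Local Computer / Personal" store places the certificate and its private key there together. If an older Windows release rejects a bundle written by OpenSSL 3.x, re-export it with the `-legacy` option of `openssl pkcs12`.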